certificate.create

Create a new Certificate

Certificates are classified under the following types; the keyword listed beside each type is the value to pass as the create_type attribute to create a certificate of that type:

  1. Imported Certificate - CERTIFICATE_CREATE_IMPORTED

  2. Certificate Signing Request - CERTIFICATE_CREATE_CSR

  3. Imported Certificate Signing Request - CERTIFICATE_CREATE_IMPORTED_CSR

  4. ACME Certificate - CERTIFICATE_CREATE_ACME

By default, created CSRs use RSA keys. If an elliptic curve key is desired, it can be requested with the key_type attribute. If the ec_curve attribute is not specified for an elliptic curve key, the "SECP384R1" curve is used by default.

The Certificate Service selects the type from create_type, validates the remaining values in data accordingly, and finally creates a certificate of the selected type.

cert_extensions can be specified to set X509v3 extensions.

Type: object

Type: array
No Additional Items

Tuple Validation

Parameter 1: certificate_create

certificate_create

Type: object

CertificateCreateArgs parameters.

No Additional Properties

Name

Type: string

Certificate name.

Must be at least 1 character long

Must be at most 120 characters long

Create Type

Type: enum (of string)

Type of certificate creation operation.

Must be one of:
  • "CERTIFICATE_CREATE_IMPORTED"
  • "CERTIFICATE_CREATE_CSR"
  • "CERTIFICATE_CREATE_IMPORTED_CSR"
  • "CERTIFICATE_CREATE_ACME"

Add To Trusted Store

Type: boolean Default: false

Whether to add this certificate to the trusted certificate store.

Certificate

Default: null

PEM-encoded certificate to import or null.

Type: string

Must be at least 1 character long

Type: null

Privatekey

Default: null

PEM-encoded private key to import or null.

Type: string

Must be at least 1 character long

Type: null

Csr

Default: null

PEM-encoded certificate signing request to import or null.

Type: string

Must be at least 1 character long

Type: null

Key Length

Default: null

RSA key length in bits or null.

Type: enum (of integer)
Must be one of:
  • 2048
  • 4096
Type: null

Key Type

Type: enum (of string) Default: "RSA"

Type of cryptographic key to generate.

Must be one of:
  • "RSA"
  • "EC"

Ec Curve

Type: enum (of string) Default: "SECP384R1"

Elliptic curve to use for EC keys.

Must be one of:
  • "SECP256R1"
  • "SECP384R1"
  • "SECP521R1"
  • "ed25519"

Passphrase

Default: null

Passphrase to protect the private key or null.

Type: string

Must be at least 1 character long

Type: null

City

Default: null

City or locality name for certificate subject or null.

Type: string

Must be at least 1 character long

Type: null

Common

Default: null

Common name for certificate subject or null.

Type: string

Must be at least 1 character long

Type: null

Country

Default: null

Country name for certificate subject or null.

Type: string

Must be at least 1 character long

Type: null

Email

Default: null

Email address for certificate subject or null.

Type: string Format: email
Type: null

Organization

Default: null

Organization name for certificate subject or null.

Type: string

Must be at least 1 character long

Type: null

Organizational Unit

Default: null

Organizational unit for certificate subject or null.

Type: string

Must be at least 1 character long

Type: null

State

Default: null

State or province name for certificate subject or null.

Type: string

Must be at least 1 character long

Type: null

Digest Algorithm

Type: enum (of string) Default: "SHA256"

Hash algorithm for certificate signing.

Must be one of:
  • "SHA224"
  • "SHA256"
  • "SHA384"
  • "SHA512"

San

Type: array of string

Subject alternative names for the certificate.

No Additional Items
Each item of this array must be:
Type: string

Must be at least 1 character long

CertificateExtensions

Type: object

Certificate extensions configuration.

No Additional Properties

BasicConstraintsModel

Type: object
Default:
{ "ca": false, "enabled": false, "path_length": null, "extension_critical": false }

Basic Constraints extension configuration for certificate authority capabilities.

No Additional Properties

Ca

Type: boolean Default: false

Whether this certificate is authorized to sign other certificates as a Certificate Authority (CA).

Enabled

Type: boolean Default: false

Whether the Basic Constraints X.509 extension is present in the certificate.

Path Length

Default: null

Maximum number of intermediate CA certificates that may follow this certificate in a valid certificate chain. null indicates no path length constraint.

Type: integer
Type: null

Extension Critical

Type: boolean Default: false

Whether the Basic Constraints extension is marked as critical. If true, applications that do not understand this extension must reject the certificate.

ExtendedKeyUsageModel

Type: object
Default:
{ "usages": [], "enabled": false, "extension_critical": false }

Extended Key Usage extension configuration specifying certificate purposes.

No Additional Properties

Usages

Type: array of enum (of string)

Array of Extended Key Usage (EKU) purposes that define what the certificate may be used for (e.g., 'SERVER_AUTH', 'CLIENT_AUTH', 'CODE_SIGNING').

No Additional Items
Each item of this array must be:
Type: enum (of string)
Must be one of:
  • "ANY_EXTENDED_KEY_USAGE"
  • "CERTIFICATE_TRANSPARENCY"
  • "CLIENT_AUTH"
  • "CODE_SIGNING"
  • "EMAIL_PROTECTION"
  • "IPSEC_IKE"
  • "KERBEROS_PKINIT_KDC"
  • "OCSP_SIGNING"
  • "SERVER_AUTH"
  • "SMARTCARD_LOGON"
  • "TIME_STAMPING"

Enabled

Type: boolean Default: false

Whether the Extended Key Usage X.509 extension is present in the certificate.

Extension Critical

Type: boolean Default: false

Whether the Extended Key Usage extension is marked as critical. If true, applications that do not understand this extension must reject the certificate.

KeyUsageModel

Type: object
Default:
{ "enabled": false, "digital_signature": false, "content_commitment": false, "key_encipherment": false, "data_encipherment": false, "key_agreement": false, "key_cert_sign": false, "crl_sign": false, "encipher_only": false, "decipher_only": false, "extension_critical": false }

Key Usage extension configuration defining permitted cryptographic operations.

No Additional Properties

Enabled

Type: boolean Default: false

Whether the Key Usage X.509 extension is present in the certificate.

Digital Signature

Type: boolean Default: false

Whether the certificate may be used for digital signatures to verify identity or integrity.

Content Commitment

Type: boolean Default: false

Whether the certificate may be used for non-repudiation (proving content commitment).

Key Encipherment

Type: boolean Default: false

Whether the certificate's public key may be used for encrypting symmetric keys.

Data Encipherment

Type: boolean Default: false

Whether the certificate's public key may be used for directly encrypting raw data.

Key Agreement

Type: boolean Default: false

Whether the certificate's public key may be used for key agreement protocols (e.g., Diffie-Hellman).

Key Cert Sign

Type: boolean Default: false

Whether the certificate may be used to sign other certificates (CA functionality).

Crl Sign

Type: boolean Default: false

Whether the certificate may be used to sign Certificate Revocation Lists (CRLs).

Encipher Only

Type: boolean Default: false

Whether the public key may only be used for encryption when key_agreement is also set.

Decipher Only

Type: boolean Default: false

Whether the public key may only be used for decryption when key_agreement is also set.

Extension Critical

Type: boolean Default: false

Whether the Key Usage extension is marked as critical. If true, applications that do not understand this extension must reject the certificate.

Acme Directory Uri

Default: null

ACME directory URI to be used for ACME certificate creation.

Type: string

Must be at least 1 character long

Type: null

Csr Id

Default: null

CSR to be used for ACME certificate creation.

Type: integer
Type: null

Tos

Default: null

Set this when creating an ACME certificate to accept terms of service of the ACME service.

Type: boolean
Type: null

Dns Mapping

Type: object

A mapping of domain to ACME DNS Authenticator ID for each domain listed in SAN or common name of the CSR.

Each additional property must conform to the following schema

Type: integer

Renew Days

Type: integer Default: 10

Number of days before the certificate expiration date to attempt certificate renewal. If certificate renewal fails, renewal will be reattempted every day until expiration.

Value must be greater than or equal to 1 and less than or equal to 30
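As an added example (not the reference's own code), the following builds a certificate_create payload for a CSR and checks it against the constraints listed above, pairing it with a least-privilege cert_extensions block for a TLS server. It assumes the JSON keys are the snake_case form of the headings above and that the cert_extensions sub-objects are keyed "BasicConstraints", "ExtendedKeyUsage" and "KeyUsage" (the page only shows the model names); flags left out of an extension take the documented defaults.

```python
# Added example (not the reference's own code): build a certificate_create
# payload for a CSR and check it against the constraints listed on this page.
# Assumed: keys are the snake_case form of the headings; cert_extensions
# sub-objects are keyed "BasicConstraints", "ExtendedKeyUsage", "KeyUsage".
EC_CURVES = {"SECP256R1", "SECP384R1", "SECP521R1", "ed25519"}
KEY_LENGTHS = {2048, 4096}
DIGESTS = {"SHA224", "SHA256", "SHA384", "SHA512"}
EKU = {"ANY_EXTENDED_KEY_USAGE", "CERTIFICATE_TRANSPARENCY", "CLIENT_AUTH",
       "CODE_SIGNING", "EMAIL_PROTECTION", "IPSEC_IKE", "KERBEROS_PKINIT_KDC",
       "OCSP_SIGNING", "SERVER_AUTH", "SMARTCARD_LOGON", "TIME_STAMPING"}

def server_cert_extensions(key_type="RSA", eku=("SERVER_AUTH",)):
    """Least-privilege extensions for a TLS server CSR: explicitly not a CA,
    EKU limited to the purposes given, key usage limited to what TLS needs."""
    unknown = set(eku) - EKU
    if unknown:
        raise ValueError(f"unknown EKU purposes: {sorted(unknown)}")
    return {
        "BasicConstraints": {"enabled": True, "ca": False, "extension_critical": True},
        "ExtendedKeyUsage": {"enabled": True, "usages": list(eku)},
        # key_encipherment only matters for RSA key transport; EC keys only sign
        "KeyUsage": {"enabled": True, "digital_signature": True,
                     "key_encipherment": key_type == "RSA", "extension_critical": True},
    }

def build_csr_args(name, common, san, key_type="RSA", key_length=None,
                   ec_curve=None, digest_algorithm="SHA256", cert_extensions=None):
    """Build a CERTIFICATE_CREATE_CSR payload with documented defaults and range checks."""
    if not 1 <= len(name) <= 120:
        raise ValueError("name must be 1 to 120 characters long")
    if not common or any(not s for s in san):
        raise ValueError("common name and every SAN entry must be non-empty")
    if digest_algorithm not in DIGESTS:
        raise ValueError(f"unsupported digest_algorithm {digest_algorithm!r}")
    args = {"name": name, "create_type": "CERTIFICATE_CREATE_CSR",
            "key_type": key_type, "common": common, "san": list(san),
            "digest_algorithm": digest_algorithm}
    if key_type == "EC":
        args["ec_curve"] = ec_curve or "SECP384R1"  # documented default curve
        if args["ec_curve"] not in EC_CURVES:
            raise ValueError(f"unsupported ec_curve {ec_curve!r}")
    elif key_type == "RSA":
        if key_length is not None and key_length not in KEY_LENGTHS:
            raise ValueError("key_length must be 2048 or 4096")
        args["key_length"] = key_length  # null is the documented default
    else:
        raise ValueError("key_type must be 'RSA' or 'EC'")
    if cert_extensions is not None:
        args["cert_extensions"] = cert_extensions
    return args
```

The resulting dict is what would be passed as the certificate_create parameter; the checks mirror the limits listed above so a rejected request fails locally before it reaches the service.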

CertificateEntry

Type: object

The created certificate configuration.

No Additional Properties

Id

Type: integer

Unique identifier for this certificate entry.

Type

Type: integer

Internal certificate type identifier used to determine certificate capabilities.

Name

Type: string

Human-readable name for this certificate. Must be unique and contain only alphanumeric characters, dashes, and underscores.

Must be at least 1 character long

Certificate


PEM-encoded X.509 certificate data. null for certificate signing requests (CSR) that have not yet been signed.

Type: string
Type: null

Privatekey


PEM-encoded private key corresponding to the certificate. null if no private key is available or for imported certificates without keys.

Type: string
Type: null

Csr


PEM-encoded Certificate Signing Request (CSR) data. null for imported certificates or completed ACME certificates.

Type: string
Type: null

Acme Uri


ACME directory server URI used for automated certificate management. null for non-ACME certificates.

Type: string
Type: null

Domains Authenticators


Mapping of domain names to ACME DNS authenticator IDs for domain validation. null for non-ACME certificates.

Type: object
Type: null

Renew Days


Number of days before expiration to attempt automatic renewal. Only applicable for ACME certificates. null for non-renewable certificates.

Type: integer
Type: null

Acme


ACME registration and account information used for certificate lifecycle management. null for non-ACME certificates.

Type: object
Type: null

Add To Trusted Store

Type: boolean

Whether this certificate should be added to the system's trusted certificate store.

Root Path

Type: string

Filesystem path where certificate-related files are stored.

Must be at least 1 character long

Certificate Path


Filesystem path to the certificate file (.crt). null if no certificate is available.

Type: string

Must be at least 1 character long

Type: null

Privatekey Path


Filesystem path to the private key file (.key). null if no private key is available.

Type: string

Must be at least 1 character long

Type: null

Csr Path


Filesystem path to the certificate signing request file (.csr). null if no CSR is available.

Type: string

Must be at least 1 character long

Type: null

Cert Type

Type: string

Human-readable certificate type, typically 'CERTIFICATE' for standard certificates.

Must be at least 1 character long

Cert Type Existing

Type: boolean

Whether this is an existing certificate (imported or generated).

Cert Type Csr

Type: boolean

Whether this entry represents a Certificate Signing Request (CSR) rather than a signed certificate.

Cert Type Ca

Type: boolean

Whether this certificate is a Certificate Authority (CA) certificate.

Chain List

Type: array of string

Array of PEM-encoded certificates in the certificate chain, starting with the leaf certificate.

No Additional Items
Each item of this array must be:
Type: string

Key Length


Size of the cryptographic key in bits. null if key information is unavailable.

Type: integer
Type: null

Key Type


Type of cryptographic key algorithm (e.g., 'RSA', 'EC', 'DSA'). null if key information is unavailable.

Type: string

Must be at least 1 character long

Type: null

Country


ISO 3166-1 alpha-2 country code from the certificate subject. null if not specified.

Type: string
Type: null

State


State or province name from the certificate subject. null if not specified.

Type: string
Type: null

City


City or locality name from the certificate subject. null if not specified.

Type: string
Type: null

Organization


Organization name from the certificate subject. null if not specified.

Type: string
Type: null

Organizational Unit


Organizational unit from the certificate subject. null if not specified.

Type: string
Type: null

Common


Common name (CN) from the certificate subject. null if not specified.

Type: string
Type: null

San


Subject Alternative Names (SAN) from the certificate extension. null if no SAN extension is present.

Type: array of string
No Additional Items
Each item of this array must be:
Type: string
Type: null

Email


Email address from the certificate subject. null if not specified.

Type: string
Type: null

Dn


Distinguished Name (DN) of the certificate subject in RFC 2253 format. null if certificate parsing failed.

Type: string
Type: null

Subject Name Hash


Hash of the certificate subject name. null if certificate parsing failed.

Type: integer
Type: null

Extensions

Type: object

X.509 certificate extensions parsed into a dictionary structure.

Digest Algorithm


Cryptographic hash algorithm used for certificate signing (e.g., 'SHA256'). null if unavailable.

Type: string
Type: null

Lifetime


Certificate validity period in seconds. null if certificate parsing failed.

Type: integer
Type: null

From


Certificate validity start date in ISO 8601 format. null if certificate parsing failed.

Type: string
Type: null

Until


Certificate validity end date in ISO 8601 format. null if certificate parsing failed.

Type: string
Type: null

Serial


Certificate serial number. null if certificate parsing failed.

Type: integer
Type: null

Chain


Whether this certificate has an associated certificate chain. null if unavailable.

Type: boolean
Type: null

Fingerprint


SHA-256 fingerprint of the certificate in hexadecimal format. null if certificate parsing failed.

Type: string
Type: null

Expired


Whether the certificate has expired. null if certificate parsing failed.

Type: boolean
Type: null

Parsed

Type: boolean

Whether the certificate data was successfully parsed and validated.



Required roles: CERTIFICATE_WRITE