|
| 1 | +# Certificate Management API for OCSP Server |
| 2 | + |
| 3 | +This API allows you to add, revoke, and query certificates in the database used by the OCSP server. |
| 4 | + |
| 5 | +## Configuration |
| 6 | + |
| 7 | +To enable the API, add the following parameters to your `config.toml` file: |
| 8 | + |
| 9 | +```toml |
| 10 | +# API Configuration |
| 11 | +enable_api = true # Enable the API |
| 12 | +api_keys = ["your-secure-api-key"] # List of valid API keys |
| 13 | +``` |
| 14 | + |
| 15 | +## Generating Secure API Keys |
| 16 | + |
| 17 | +API keys should be random, hard to guess, and unique. Here are different methods to generate secure API keys: |
| 18 | + |
| 19 | +### Using OpenSSL |
| 20 | + |
| 21 | +The simplest way to generate a secure API key is using OpenSSL: |
| 22 | + |
| 23 | +```bash |
| 24 | +# Generate a 32-byte random hexadecimal string |
| 25 | +openssl rand -hex 32 |
| 26 | +``` |
| 27 | + |
| 28 | +Example output: `a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6` |
| 29 | + |
| 30 | +After generating an API key, add it to the `api_keys` array in your `config.toml` file. |
| 31 | + |
| 32 | +## Authentication |
| 33 | + |
| 34 | +All API requests must include an `X-API-Key` header with a valid API key. |
| 35 | + |
| 36 | +## Finding Certificate Numbers |
| 37 | + |
| 38 | +To use this API, you need the certificate number in the correct format (with `0x` prefix and lowercase hexadecimal digits). You can extract a certificate's serial number and format it properly using this command: |
| 39 | + |
| 40 | +```bash |
| 41 | +openssl x509 -in your_certificate.pem -serial -noout | awk -F= '{print "0x" tolower($2)}' |
| 42 | +``` |
| 43 | + |
| 44 | +This will output the certificate number in the exact format required by the API endpoints (e.g., `0x3b6ea97e1bf7699397e2109846e4f356be982542`). |
| 45 | + |
| 46 | +## Endpoints |
| 47 | + |
| 48 | +### Health Check |
| 49 | +``` |
| 50 | +GET /api/health |
| 51 | +``` |
| 52 | +Returns "OK" if the service is available. |
| 53 | + |
| 54 | +### Add a Certificate |
| 55 | +``` |
| 56 | +POST /api/certificates |
| 57 | +``` |
| 58 | + |
| 59 | +**Request Body:** |
| 60 | +```json |
| 61 | +{ |
| 62 | + "cert_num": "0x123456789ABCDEF" |
| 63 | +} |
| 64 | +``` |
| 65 | + |
| 66 | +**Example Response:** |
| 67 | +```json |
| 68 | +{ |
| 69 | + "cert_num": "0x123456789ABCDEF", |
| 70 | + "status": "Valid", |
| 71 | + "message": "Certificate added successfully" |
| 72 | +} |
| 73 | +``` |
| 74 | + |
| 75 | +### Revoke a Certificate |
| 76 | +``` |
| 77 | +POST /api/certificates/revoke |
| 78 | +``` |
| 79 | + |
| 80 | +**Request Body:** |
| 81 | +```json |
| 82 | +{ |
| 83 | + "cert_num": "0x123456789ABCDEF", |
| 84 | + "reason": "key_compromise", |
| 85 | + "revocation_time": "2025-03-18T12:00:00" // Optional, uses the current time if not provided |
| 86 | +} |
| 87 | +``` |
| 88 | + |
| 89 | +Valid revocation reasons are: |
| 90 | +- `unspecified` |
| 91 | +- `key_compromise` |
| 92 | +- `ca_compromise` |
| 93 | +- `affiliation_changed` |
| 94 | +- `superseded` |
| 95 | +- `cessation_of_operation` |
| 96 | +- `certificate_hold` |
| 97 | +- `privilege_withdrawn` |
| 98 | +- `aa_compromise` |
| 99 | + |
| 100 | +**Example Response:** |
| 101 | +```json |
| 102 | +{ |
| 103 | + "cert_num": "0x123456789ABCDEF", |
| 104 | + "status": "Revoked", |
| 105 | + "message": "Certificate revoked successfully" |
| 106 | +} |
| 107 | +``` |
| 108 | + |
| 109 | +### Get a Certificate's Status |
| 110 | +``` |
| 111 | +GET /api/certificates/{cert_num} |
| 112 | +``` |
| 113 | + |
| 114 | +**Example Response:** |
| 115 | +```json |
| 116 | +{ |
| 117 | + "cert_num": "0x123456789ABCDEF", |
| 118 | + "status": "Valid", |
| 119 | + "message": "Certificate status retrieved: Valid" |
| 120 | +} |
| 121 | +``` |
| 122 | + |
| 123 | +### List All Certificates |
| 124 | +``` |
| 125 | +GET /api/certificates |
| 126 | +``` |
| 127 | + |
| 128 | +Optional parameters: |
| 129 | +- `status`: Filter by status (`Valid`, `Revoked`, or `all`) |
| 130 | + - If no `status` parameter is provided or `status=all` is used, all certificates will be returned |
| 131 | + - Use `status=Valid` to return only valid certificates |
| 132 | + - Use `status=Revoked` to return only revoked certificates |
| 133 | + |
| 134 | +**Example Response:** |
| 135 | +```json |
| 136 | +[ |
| 137 | + { |
| 138 | + "cert_num": "0x123456789ABCDEF", |
| 139 | + "status": "Valid", |
| 140 | + "message": "" |
| 141 | + }, |
| 142 | + { |
| 143 | + "cert_num": "0x987654321FEDCBA", |
| 144 | + "status": "Revoked", |
| 145 | + "message": "" |
| 146 | + } |
| 147 | +] |
| 148 | +``` |
| 149 | + |
| 150 | +## Usage Examples with cURL |
| 151 | + |
| 152 | +### Add a Certificate |
| 153 | +```bash |
| 154 | +curl -X POST http://localhost:9000/api/certificates \ |
| 155 | + -H "Content-Type: application/json" \ |
| 156 | + -H "X-API-Key: your-api-key" \ |
| 157 | + -d '{"cert_num": "0x123456789ABCDEF"}' |
| 158 | +``` |
| 159 | + |
| 160 | +### Revoke a Certificate |
| 161 | +```bash |
| 162 | +curl -X POST http://localhost:9000/api/certificates/revoke \ |
| 163 | + -H "Content-Type: application/json" \ |
| 164 | + -H "X-API-Key: your-api-key" \ |
| 165 | + -d '{"cert_num": "0x123456789ABCDEF", "reason": "key_compromise"}' |
| 166 | +``` |
| 167 | + |
| 168 | +### Get a Certificate's Status |
| 169 | +```bash |
| 170 | +curl -X GET http://localhost:9000/api/certificates/0x123456789ABCDEF \ |
| 171 | + -H "X-API-Key: your-api-key" |
| 172 | +``` |
| 173 | + |
| 174 | +### List All Valid Certificates |
| 175 | +```bash |
| 176 | +curl -X GET "http://localhost:9000/api/certificates?status=Valid" \ |
| 177 | + -H "X-API-Key: your-api-key" |
| 178 | +``` |
| 179 | + |
| 180 | +### List All Certificates (Explicitly) |
| 181 | +```bash |
| 182 | +curl -X GET "http://localhost:9000/api/certificates?status=all" \ |
| 183 | + -H "X-API-Key: your-api-key" |
| 184 | +``` |
0 commit comments