API - CA Management

This section details the API endpoints for advanced Certificate Authority (CA) management, focusing on multi-tenancy, smart CA selection, and hierarchical views. These endpoints are primarily consumed by client applications or other services for programmatic interaction with the PKI system.

Key Functionalities

Get Available CAs

  • Endpoint: GET /api/v1/ca-management/available-cas
  • Description: Retrieves a list of Certificate Authorities accessible to a specific tenant or user, based on provided criteria.
  • Parameters:
    • tenant_id (optional): Filters CAs by tenant.
    • user_email (optional): Filters CAs based on user permissions (defaults to authenticated user's email).
  • Response: Returns a list of accessible CAs with their IDs and names.

Get CA Tenant Hierarchy

  • Endpoint: GET /api/v1/ca-management/hierarchy
  • Description: Provides a hierarchical view of all Certificate Authorities across all tenants, primarily for administrative oversight.
  • Response: Returns a nested JSON structure representing the CA hierarchy, including CA ID, name, type, and level.

Get Purpose Categories

  • Endpoint: GET /api/v1/ca-management/purpose-categories
  • Description: Retrieves a list of predefined purpose categories for CAs (e.g., web_servers, openvpn, acme_letsencrypt).
  • Response: Returns an array of available purpose categories.

Select Best CA

  • Endpoint: POST /api/v1/ca-management/select-best-ca
  • Description: Intelligently selects the most suitable Certificate Authority based on a set of criteria, adhering to multi-tenant and policy rules.
  • Parameters:
    • purpose_category (optional): The intended use case for the certificate.
    • tenant_id (optional): The tenant for which the CA is being selected.
    • user_email (optional): The email of the user requesting the certificate (defaults to authenticated user).
    • client_ip (optional): The IP address of the client making the request (defaults to request IP).
  • Response: Returns details of the selected CA, including its ID, name, type, purpose, approval mode, and whether it can auto-approve for the given request.

Get CA Details with Tenant Context

  • Endpoint: GET /api/v1/ca-management/ca/{caId}/details
  • Description: Retrieves detailed information about a specific Certificate Authority, considering tenant-based access controls.
  • Parameters:
    • caId (path parameter): The ID of the Certificate Authority.
    • tenant_id (query parameter, optional): Used to verify tenant ownership/access.
    • user_email (query parameter, optional): Used for permission checks (defaults to authenticated user's email).
  • Response: Returns comprehensive CA details, including its hierarchy path, purpose configuration, approval configuration, and OpenVPN template (if applicable).

Get CAs by Purpose Category

  • Endpoint: GET /api/v1/ca-management/by-purpose/{purpose}
  • Description: Retrieves a list of active Certificate Authorities filtered by a specific purpose category.
  • Parameters:
    • purpose (path parameter): The purpose category (e.g., web_servers).
    • tenant_id (query parameter, optional): Filters CAs by tenant.
    • user_email (query parameter, optional): Filters CAs based on user permissions.
  • Response: Returns a list of CAs matching the purpose, including their approval mode and issuance capabilities.

Get Tenant Statistics

  • Endpoint: GET /api/v1/ca-management/tenant-stats
  • Description: Provides aggregated statistics for a specific tenant's PKI resources.
  • Parameters:
    • tenant_id (query parameter): The ID of the tenant.
  • Response: Returns statistics such as total CAs, active CAs, root/intermediate CA counts, total certificates, certificates issued this month, and a breakdown by purpose category.

Inferred Specifications

  • Multi-Tenant PKI Management: The API is designed to support a multi-tenant architecture, allowing for isolated management of CAs and certificates for different clients or departments.
  • Smart CA Selection Algorithm: The selectBestCA endpoint implements a sophisticated algorithm (CASelectionService) to automatically choose the most appropriate CA based on various criteria (tenant, purpose, user, IP), ensuring policy adherence and operational efficiency.
  • Hierarchical CA Views: Provides programmatic access to the CA hierarchy, which is crucial for understanding the trust chain and for administrative tools.
  • Granular Access Control: Access to CA details and selection is controlled by user permissions and tenant context, preventing unauthorized operations.
  • Purpose-Driven CA Configuration: CAs are categorized by purpose, enabling clients to easily find CAs suitable for specific use cases (e.g., web servers, OpenVPN).
  • Comprehensive Tenant Metrics: Offers API access to tenant-specific PKI statistics, facilitating monitoring and reporting for multi-tenant deployments.
  • API-First Design: These endpoints are built for programmatic consumption, providing a flexible interface for integrating the PKI system with other enterprise applications and automation tools.
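The page does not document how the selection service or the tenant-context checks are implemented, so the following is an added illustration (not the project's own code) of the access rules the endpoints above describe: a CA is visible only within its own tenant and to permitted users, and Select Best CA chooses among the accessible, active CAs for a purpose. The record layout, field names, the preference for auto-approval CAs and the omission of the client_ip criterion are all assumptions; the CA records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample CA records; the real system's storage and field names
# are not documented on this page and are assumed here.
@dataclass(frozen=True)
class CA:
    ca_id: str
    name: str
    ca_type: str                 # "root" or "intermediate"
    tenant_id: str
    purpose: str                 # e.g. "web_servers", "openvpn"
    approval_mode: str           # "auto" or "manual"
    active: bool = True
    allowed_users: frozenset = frozenset()   # empty = any user of the tenant

CAS = (
    CA("ca-1", "Acme Root", "root", "tenant-a", "root", "manual"),
    CA("ca-2", "Acme Web", "intermediate", "tenant-a", "web_servers", "auto"),
    CA("ca-3", "Acme VPN", "intermediate", "tenant-a", "openvpn", "manual",
       allowed_users=frozenset({"vpn-admin@example.com"})),
    CA("ca-4", "Beta Web", "intermediate", "tenant-b", "web_servers", "auto"),
    CA("ca-5", "Acme Old Web", "intermediate", "tenant-a", "web_servers", "auto",
       active=False),
)

def accessible_cas(tenant_id, user_email):
    """Tenant isolation first, then per-user permission: a CA belonging to
    another tenant is never returned, whatever the caller supplies."""
    return [ca for ca in CAS
            if ca.tenant_id == tenant_id
            and (not ca.allowed_users or user_email in ca.allowed_users)]

def ca_details(ca_id, tenant_id, user_email):
    """Details only for a CA in the caller's accessible set; a foreign
    tenant's CA yields None, indistinguishable from an unknown id."""
    for ca in accessible_cas(tenant_id, user_email):
        if ca.ca_id == ca_id:
            return {"id": ca.ca_id, "name": ca.name, "type": ca.ca_type,
                    "purpose": ca.purpose, "approval_mode": ca.approval_mode}
    return None

def select_best_ca(purpose_category, tenant_id, user_email):
    """Pick an active, accessible CA for the purpose; prefer auto-approval."""
    candidates = [ca for ca in accessible_cas(tenant_id, user_email)
                  if ca.active and ca.purpose == purpose_category]
    if not candidates:
        return None
    best = sorted(candidates, key=lambda ca: ca.approval_mode != "auto")[0]
    return {**ca_details(best.ca_id, tenant_id, user_email),
            "can_auto_approve": best.approval_mode == "auto"}
```

Note that tenant_id and user_email are treated as already bound to the authenticated session; taking them unverified from the query string would defeat the tenant isolation shown here.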
