POST Certificates Download

The POST /Certificates/Download method is used to download a certificate from Keyfactor Command. This method returns HTTP 200 OK on a success with the base-64-encoded certificate without private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure., including optional certificate chain, in DERClosed A DER format certificate file is a DER-encoded binary certificate. It contains a single certificate and does not support storage of private keys. It sometimes has an extension of .der but is often seen with .cer or .crt., PEMClosed A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. of P7BClosed A PKCS #7 format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PKCS #7 certificates always begin and end with entries that look something like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. Unlike PEM files, PKCS #7 files can contain only a certificate and its certifiate chain but NOT its private key. Extensions of .p7b or .p7c are usually seen on certificate files of this format. format. For certificates with private keys in PEM or PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. format, use the POST /Certificates/Recover method (see POST Certificates Recover).

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
/certificates/collections/read/
OR
/certificates/collections/read/#/ (where # is a reference to a specific certificate collection ID—see CollectionID, below)
OR
/certificate_stores/read/
OR
/certificate_stores/read/#/ (where # is a reference to a specific certificate store container ID—see ContainerID, below)

Permissions for certificates can be configured at multiple levels. You can apply them system-wide—for all certificates or all certificate stores—or use fine-grained control by assigning permissions at the certificate collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). or certificate store container level. The appropriate level depends on how the certificates are accessed. See Certificate Collection Permissions and Container Permissions for more information about system-wide versus more targeted permission models.

Table 309: POST Certificates Download Input Parameters

Name In

Description

CertID Body

Required*. An integer indicating the Keyfactor Command reference ID of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

ChainOrder Body A string indicating the order in which the certificate chain should be returned if IncludeChain is set to true. Supported values are EndEntityFirst or RootFirst.
CollectionId Query

An optional integer that specifies the certificate collection (CollectionId) to validate whether the user has sufficient permissions to perform the action. If a CollectionId is not provided, the user must have appropriate permissions granted system-wide or via certificate store containers.

Providing a CollectionId allows the system to check the user's permissions at the certificate collection level. Permissions are evaluated in the following order:

  1. System-wide certificate permissions
  2. Granular certificate permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Certificate Collection Permissions for more information.

ContainerId Query

An optional integer that specifies the certificate store container (ContainerId) to validate whether the user has sufficient permissions to perform the action. If a ContainerId is not provided, the user must have appropriate permissions granted system-wide or via certificate collections.

Providing a ContainerId allows the system to check the user's permissions at the container level. Permissions are evaluated in the following order:

  1. System-wide certificate store container permissions
  2. Granular certificate store container permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Container Permissions for more information.

File Extension Body

A string indicating the desired file extension to use for the certificate. See also x-CertificateFormat for the desired file type. Supported values are:

  • CER: Compatible with certificate format CER, DER or PEM.
  • CRT: Compatible with certificate format CRT, DER or PEM.
  • PEM: Compatible with certificate format PEM.
  • P7B: Compatible with certificate format P7B.

The default value is based on the specified certificate format as follows:

  • Certificate format CER = File extension CER
  • Certificate format CRT = File extension CRT
  • Certificate format DER = File extension CER
  • Certificate format P7B = File extension P7B
  • Certificate format PEM = File extension PEM
IncludeChain Body

A Boolean indicating whether to include the certificate chain with the certificate (true) or not (false). If you select true, you must select a certificate format of PEM or P7B. When running the endpoint POST/Certificates/Download for either a CER or CRT certificate format the IncludeChain property is ignored and proceeds with the download as if IncludeChain is set to false.

Note:  In order to include the certificate chain in downloads, all certificates in the chain of trust must be available in the Keyfactor Command database.
IssuerDN Body

Required*. A string indicating the distinguished name of the issuer of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

Include Subject Header Body

A Boolean that sets whether to include the subject header in the response (true) or not (false). The default is true if not included in the request. Only applicable when PEM format is selected. When set to false, the first line in the PEM file that contains the certificates subject information is removed. When set to true, the first line in the PEM file that contains the certificates subject information is included.

Works with Include Chain option where it will remove the subject header, when set to false, for each of the certificates returned in the chain. It also works with Include Private Key option enabled.

 

Microsoft Target CSP Body A string indicating the optional cryptographic service provider (CSP) to associate with the certificate in the Public Key Cryptography Standard #12 (PKCS #12) key provider name attribute (OID 1.3.6.1.4.1.311.17.1). A value should only be provided here if the Allow Cryptographic Service Providers (CSPs) application setting has been enabled and only values included in the Cryptographic Service Providers (CSPs) application setting list are valid for this value (see Application Settings: Enrollment Tab).
SerialNumber Body

Required*. A string indicating the serial number of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

Thumbprint Body

Required*. A string indicating the thumbprint of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

x-certificateformat Header

The desired output format for the certificate. Supported options are:

  • CER

    Output the certificate in base-64 encoded PEM format along with any optional chain certificates in a single file.

  • CRT

    Output the certificate in base-64 encoded PEM format along with any optional chain certificates in a single file.

  • DER

    Output the certificate in DER-encoded format. DER is not supported if IncludeChain is set to true.

  • PEM

    Output the certificate in base-64 encoded PEM format along with any optional chain certificates in a single file.

  • P7B

    This option is only supported if IncludeChain is set to true

Table 310: POST Certificates Download Response Data

Name

In

Description
Content Content The base-64-encoded certificate in DER, PEM or P7B format with the optional certificate chain.
X-CertificateFile Headers A string containing the file name assigned for the certificate. The filename is constructed from the Subject CN and the FileExtension or default extension based on the specified x-CertificateFormat and is affected by the Allow Periods in Certificate Filenames application setting (see Application Settings: Enrollment Tab).
Tip:  See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflowClosed A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon () at the top of the Management Portal page next to the Log Out button.