POST Certificates Recover

The POST /Certificates/Recover method is used to recover or download a certificate with private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure.. For certificates that are available for key recovery from the Microsoft CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA., the certificate is recovered from the CA. For certificates with a private key stored in Keyfactor Command, the certificate is downloaded from Keyfactor Command. This method returns HTTP 200 OK on a success with a base-64-encoded representation of the certificate and private key, including optional certificate chain, in JKSClosed A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption., PEMClosed A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. or PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. format. For certificates without private keys in DERClosed A DER format certificate file is a DER-encoded binary certificate. It contains a single certificate and does not support storage of private keys. It sometimes has an extension of .der but is often seen with .cer or .crt., PEM or P7BClosed A PKCS #7 format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PKCS #7 certificates always begin and end with entries that look something like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. Unlike PEM files, PKCS #7 files can contain only a certificate and its certifiate chain but NOT its private key. Extensions of .p7b or .p7c are usually seen on certificate files of this format. format, use the POST /Certificates/Download method (see POST Certificates Download).

Tip:  CA-level key recovery is supported for Microsoft CAs (either directly or with a CA ConnectorClosed The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. Client) to allow recovery of private keys for certificates enrolled outside of Keyfactor Command. CA-level key archiving is not supported for enrollments done through Keyfactor Command. CA-level key recovery is not supported for Microsoft CAs when using Keyfactor Command installed in containers under Kubernetes or for EJBCA CAs. For enrollments done through Keyfactor Command for either Microsoft or EJBCA CAs, use Keyfactor Command private key retention (see Private Key Retention).
Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:
/certificates/collections/private_key/read/
OR
/certificates/collections/private_key/read/#/ (where # is a reference to a specific certificate collection ID—see CollectionID, below)
OR
/certificate_stores/private_key/read/
OR
/certificate_stores/private_key/read/#/ (where # is a reference to a specific certificate store container ID—see ContainerID, below)

Permissions for certificates can be configured at multiple levels. You can apply them system-wide—for all certificates or all certificate stores—or use fine-grained control by assigning permissions at the certificate collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). or certificate store container level. The appropriate level depends on how the certificates are accessed. See Certificate Collection Permissions and Container Permissions for more information about system-wide versus more targeted permission models.

Table 307: POST Certificates Recover Input Parameters

Name In

Description

CertID Body

Required*. An integer indicating the Keyfactor Command reference ID of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

ChainOrder Body A string indicating the order in which the certificate chain should be returned if IncludeChain is set to true. Supported values are EndEntityFirst or RootFirst.
CollectionId Query

An optional integer that specifies the certificate collection (CollectionId) to validate whether the user has sufficient permissions to perform the action. If a CollectionId is not provided, the user must have appropriate permissions granted system-wide or via certificate store containers.

Providing a CollectionId allows the system to check the user's permissions at the certificate collection level. Permissions are evaluated in the following order:

  1. System-wide certificate permissions
  2. Granular certificate permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Certificate Collection Permissions for more information.

ContainerId Query

An optional integer that specifies the certificate store container (ContainerId) to validate whether the user has sufficient permissions to perform the action. If a ContainerId is not provided, the user must have appropriate permissions granted system-wide or via certificate collections.

Providing a ContainerId allows the system to check the user's permissions at the container level. Permissions are evaluated in the following order:

  1. System-wide certificate permissions
  2. System-wide certificate store container permissions
  3. Granular certificate store container permissions

Use either ContainerId or CollectionId, not both. If both are specified, CollectionId takes precedence, and the ContainerId is ignored (defaults to 0).

See Container Permissions for more information.

File Extension Body

A string indicating the desired file extension to use for the certificate. See also x-CertificateFormat for the desired file type. Supported values are:

  • CER: Compatible with certificate format PEM.
  • CRT: Compatible with certificate format PEM.
  • PEM: Compatible with certificate format PEM.
  • JKS: Compatible with certificate format JKS.
  • P12: Compatible with certificate format PFX.
  • PFX: Compatible with certificate format PFX.
  • ZIP: Compatible with certificate format ZIP.

The default value is based on the specified certificate format as follows:

  • Certificate format JKS = File extension JKS
  • Certificate format PEM = File extension PEM
  • Certificate format PFX = File extension PFX
  • Certificate format ZIP = File extension ZIP
IncludeChain Body

A Boolean indicating whether to include the certificate chain with the certificate (true) or not (false). If you select true, you must select a certificate format of PEM or P7B. When running the endpoint POST/Certificates/Download for either a CER or CRT certificate format the IncludeChain property is ignored and proceeds with the download as if IncludeChain is set to false.

Note:  In order to include the certificate chain in downloads, all certificates in the chain of trust must be available in the Keyfactor Command database.
IssuerDN Body

Required*. A string indicating the distinguished name of the issuer of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

Include Subject Header Body

A Boolean that sets whether to include the subject header in the response (true) or not (false). The default is true if not included in the request. Only applicable when PEM format is selected. When set to false, the first line in the PEM file that contains the certificates subject information is removed. When set to true, the first line in the PEM file that contains the certificates subject information is included.

Works with Include Chain option where it will remove the subject header, when set to false, for each of the certificates returned in the chain. It also works with Include Private Key option enabled.

 

Microsoft Target CSP Body A string indicating the optional cryptographic service provider (CSP) to associate with the certificate in the Public Key Cryptography Standard #12 (PKCS #12) key provider name attribute (OID 1.3.6.1.4.1.311.17.1). A value should only be provided here if the Allow Cryptographic Service Providers (CSPs) application setting has been enabled and only values included in the Cryptographic Service Providers (CSPs) application setting list are valid for this value (see Application Settings: Enrollment Tab).
Password Body Required. The password to set on the certificate.
SerialNumber Body

Required*. A string indicating the serial number of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

Thumbprint Body

Required*. A string indicating the thumbprint of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN

Use Legacy Encryption Body

A Boolean that sets whether legacy encryption should be used when downloading a certificate (true) or not (false). Legacy encryption algorithms include PBE-SHA1-RC2-40 and PBE-SHA1-3DES. When legacy is not selected, encryption algorithms include AES-256-CBC, PBES2 with PBKDF2, and PBE-SHA1-3DES. The default is false.

This applies when the x-certificateformat is PEM, PFX or Zip.

x-certificateformat Header

The desired output format for the certificate. Supported options are:

  • JKS

    Selecting the JKS option allows you to create a Java keystore with the returned value.

  • PEM

    Output the certificate in base-64 encoded PEM format along with the private key and any optional chain certificates in a single file.

  • PFX

    Selecting the PFX option allows you to create a PKCS#12 (PFX/P12) file with the returned PKCS12Blob.

  • ZIP

    Select the Zip option when you intend to output the returned PKCS12Blob as separate PEM-encoded certificate, private key, and optional chain certificate files wrapped together in a zip file.

Table 308: POST Certificates Recover Response Data

Name

In

Description
PFX Content The base-64-encoded representation of the certificate in PEM or PFX format with the optional certificate chain. The string will need to be base-64 decoded for both PEM and PFX. This can be accomplished in a number of ways. For example, using PowerShell and a manually generated file containing just the base-64 string returned in the response (not the full response):
$b64 = Get-Content 'C:\path\to\source\file'
$targetFile = 'C:\path\to\target\file'

$bytes = [Convert]::FromBase64String($b64)
[IO.File]::WriteAllBytes($targetFile, $bytes)

Using PowerShell within the script where the full response (including two key/value pairs) is returned and placed in the variable $response:

$ResponseContent = $response.Content | ConvertFrom-Json

$targetFile = 'C:\path_to_target_file\'+$ResponseContent.FileName

$bytes = [Convert]::FromBase64String($ResponseContent.PFX)
[IO.File]::WriteAllBytes($targetFile, $bytes)

In the second case, the name provided in FileName is used for the PFX output file.

FileName Content A string containing the file name assigned for the certificate. The filename is constructed from the Subject CN and the FileExtension or default extension based on the specified x-CertificateFormat and is affected by the Allow Periods in Certificate Filenames application setting (see Application Settings: Enrollment Tab).
X-CertificateFile Headers A string containing the file name assigned for the certificate. The filename is constructed from the Subject CN and the FileExtension or default extension based on the specified x-CertificateFormat and is affected by the Allow Periods in Certificate Filenames application setting (see Application Settings: Enrollment Tab).
Tip:  See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor APIClosed An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflowClosed A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon () at the top of the Management Portal page next to the Log Out button.