POST Certificates Recover

The POST /Certificates/Recover method is used to recover or download a certificate with private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure.. For certificates that are available for key recovery from the Microsoft CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA., the certificate is recovered from the CA. For certificates with a private key stored in Keyfactor Command, the certificate is downloaded from Keyfactor Command. This method returns HTTP 200 OK on a success with a base-64-encoded representation of the certificate and private key, including optional certificate chain, in JKS A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption., PEM A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. In general, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. or PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. format. For certificates without private keys in DER A DER format certificate file is a DER-encoded binary certificate. It contains a single certificate and does not support storage of private keys. It sometimes has an extension of .der but is often seen with .cer or .crt., PEM or P7B A PKCS #7 format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PKCS #7 certificates always begin and end with entries that look something like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. Unlike PEM files, PKCS #7 files can contain only a certificate and its certifiate chain but NOT its private key. Extensions of .p7b or .p7c are usually seen on certificate files of this format. format, use the POST /Certificates/Download method (see POST Certificates Download).

Tip: CA-level key recovery is supported for Microsoft CAs (either directly or with a CA Connector

The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. Client) to allow recovery of private keys for certificates enrolled outside of Keyfactor Command. CA-level key archiving is not supported for enrollments done through Keyfactor Command. CA-level key recovery is not supported for Microsoft CAs when using Keyfactor Command installed in containers under Kubernetes or for EJBCA CAs. For enrollments done through Keyfactor Command for either Microsoft or EJBCA CAs, use Keyfactor Command private key retention (see Details Tab).

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/certificates/collections/private_key/read/

/certificates/collections/private_key/read/#/ (where # is a reference to a specific certificate collection ID)

Permissions for certificates can be set at either the global or certificate collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). level. See Certificate Collection Permissions for more information about global vs collection permissions. See also the CollectionId input parameter A parameter or argument is a value that is passed into a function in an application., below.

Table 287: POST Certificates Recover Input Parameters

Name	In	Description
Password	Body	Required. The password to set on the certificate.
Use Legacy Encryption	Body	A Boolean that sets whether legacy encryption should be used when downloading a certificate in PKCS #12 format (true) or not (false). Legacy encryption algorithms include PBE-SHA1-RC2-40 and PBE-SHA1-3DES. When legacy is not selected, encryption algorithms include AES-256-CBC, PBES2 with PBKDF2, and PBE-SHA1-3DES. The default is false.
Microsoft Target CSP	Body	A string indicating the optional cryptographic service provider (CSP) to associate with the certificate in the Public Key Cryptography Standard #12 (PKCS #12) key provider name attribute (OID 1.3.6.1.4.1.311.17.1). A value should only be provided here if the Allow Cryptographic Service Providers (CSPs) application setting has been enabled and only values included in the Cryptographic Service Providers (CSPs) application setting list are valid for this value (see Application Settings: Enrollment Tab).
CertID	Body	Required^*. An integer indicating the Keyfactor Command reference ID of the certificate to retrieve. One of the following is required: CertID Thumbprint SerialNumber and IssuerDN
SerialNumber	Body	Required^*. A string indicating the serial number of the certificate to retrieve. One of the following is required: CertID Thumbprint SerialNumber and IssuerDN
IssuerDN	Body	Required^*. A string indicating the distinguished name of the issuer of the certificate to retrieve. One of the following is required: CertID Thumbprint SerialNumber and IssuerDN
Thumbprint	Body	Required^*. A string indicating the thumbprint of the certificate to retrieve. One of the following is required: CertID Thumbprint SerialNumber and IssuerDN
IncludeChain	Body	A Boolean indicating whether to include the certificate chain with the certificate (true) or not (false). If you select true, you must select a certificate format of PEM or P7B. When running the endpoint POST/Certificates/Download for either a CER or CRT certificate format the IncludeChain property is ignored and proceeds with the download as if IncludeChain is set to false. Note: In order to include the certificate chain in downloads, all certificates in the chain of trust must be available in the Keyfactor Command database.
Include Subject Header	Body	A Boolean that sets whether to include the subject header in the response (true) or not (false). The default is true if not included in the request. Only applicable when PEM format is selected. When set to false, the first line in the PEM file that contains the certificates subject information is removed. When set to true, the first line in the PEM file that contains the certificates subject information is included. Works with Include Chain option where it will remove the subject header, when set to false, for each of the certificates returned in the chain. It also works with Include Private Key option enabled.
ChainOrder	Body	A string indicating the order in which the certificate chain should be returned if IncludeChain is set to true. Supported values are EndEntityFirst or RootFirst.
CollectionId	Query	An integer specifying an optional certificate collection identifier to validate that the user executing the request has sufficient permissions to do so. If a certificate collection ID is not supplied, the user must have global permissions to complete the action. Supplying a certificate collection ID allows for a check of the user's certificate collection-level permissions to determine whether the user has sufficient permissions at a collection level to complete the action. See Certificate Collection Permissions for more information.
x-certificateformat	Header	The desired output format for the certificate. Supported options are: JKS Selecting the JKS option allows you to create a Java keystore with the returned PFX value. PEM Output the certificate in base-64 encoded PEM format along with the private key and any optional chain certificates in a single file. PFX Selecting the PFX option allows you to create a PKCS#12 (PFX/P12) file with the returned PFX value.

Table 288: POST Certificates Recover Response Data

Name	Description
PFX	The base-64-encoded representation of the certificate in PEM or PFX format with the optional certificate chain. The string will need to be base-64 decoded for both PEM and PFX. This can be accomplished in a number of ways. For example, using PowerShell and a manually generated file containing just the base-64 string returned in the response (not the full response): $b64 = Get-Content 'C:\path\to\source\file' $targetFile = 'C:\path\to\target\file' $bytes = [Convert]::FromBase64String($b64) [IO.File]::WriteAllBytes($targetFile, $bytes) Using PowerShell within the script where the full response (including two key/value pairs) is returned and placed in the variable $response: $ResponseContent = $response.Content \| ConvertFrom-Json $targetFile = 'C:\path_to_target_file\'+$ResponseContent.FileName $bytes = [Convert]::FromBase64String($ResponseContent.PFX) [IO.File]::WriteAllBytes($targetFile, $bytes) In the second case, the name provided in FileName is used for the PFX output file.
FileName	The CN of the certificate presented as a file name (e.g. mycertificatekeyexamplecom.pfx).

Name

Description

PFX

The base-64-encoded representation of the certificate in PEM or PFX format with the optional certificate chain. The string will need to be base-64 decoded for both PEM and PFX. This can be accomplished in a number of ways. For example, using PowerShell and a manually generated file containing just the base-64 string returned in the response (not the full response):

$b64 = Get-Content 'C:\path\to\source\file'
$targetFile = 'C:\path\to\target\file'

$bytes = [Convert]::FromBase64String($b64)
[IO.File]::WriteAllBytes($targetFile, $bytes)

Using PowerShell within the script where the full response (including two key/value pairs) is returned and placed in the variable $response:

$ResponseContent = $response.Content | ConvertFrom-Json

$targetFile = 'C:\path_to_target_file\'+$ResponseContent.FileName

$bytes = [Convert]::FromBase64String($ResponseContent.PFX)
[IO.File]::WriteAllBytes($targetFile, $bytes)

In the second case, the name provided in FileName is used for the PFX output file.

FileName

The CN of the certificate presented as a file name (e.g. mycertificatekeyexamplecom.pfx).

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: