POST Certificates Recover
The POST /Certificates/Recover method is used to recover or download a certificate together with its private key. For certificates that are available for key recovery from the Microsoft CA, the certificate and key are recovered from the CA. For certificates with a private key stored in Keyfactor Command, the certificate is downloaded from Keyfactor Command. This method returns HTTP 200 OK on success with a base-64-encoded representation of the certificate and private key, including the optional certificate chain, in PEM or PFX format. Because the response carries private key material, treat it as a secret: send the request only over TLS, and protect both the decoded file and the password supplied in the request body accordingly. For certificates without private keys, in DER, PEM or P7B format, use the POST /Certificates/Download method (see POST Certificates Download).
Certificate permission can be granted at either the global or collection level. See the note under CollectionId, below.
Table 213: POST Certificates Recover Input Parameters
Name | In | Description |
---|---|---|
Password | Body | Required. The password used to protect the private key in the returned PFX or PEM data. The same password is needed to open the file after decoding. |
CertID | Body | Required*. The Keyfactor Command reference ID of the certificate to retrieve. |
SerialNumber | Body | Required*. The serial number of the certificate to retrieve. Supply it together with IssuerDN, since a serial number is unique only within the issuing CA. |
IssuerDN | Body | Required*. The distinguished name of the issuer of the certificate to retrieve. Supply it together with SerialNumber. |
Thumbprint | Body | Required*. The thumbprint of the certificate to retrieve. |
IncludeChain | Body | A Boolean indicating whether to include the certificate chain with the certificate (true) or not (false). If you select true, the certificate format must be PEM or PFX (P7B cannot hold a private key and is not an output option for this method). |
CollectionId | Query | An integer specifying an optional certificate collection identifier, used to validate that the user executing the request has sufficient permissions to perform the recovery. If a certificate collection ID is not supplied, the user must have global permissions to complete the action. Supplying a certificate collection ID allows a check of the user's collection-level permissions to determine whether the user has sufficient permissions at the collection level to complete the action. See Certificate Permissions in the Keyfactor Command Reference Guide for more information. |
x-certificateformat | Header | The desired output format for the certificate. Supported options are PEM and PFX. |

* One of CertID, Thumbprint, or SerialNumber together with IssuerDN is required to identify the certificate.
Table 214: POST Certificates Recover Response Data
Name | Description |
---|---|
PFX | The base-64-encoded representation of the certificate and private key in PEM or PFX format, with the optional certificate chain. The string must be base-64 decoded for both PEM and PFX output (see the examples below the table). |
FileName | The CN of the certificate presented as a file name (e.g. mycertificatekeyexamplecom.pfx). |

The PFX value can be decoded in a number of ways. Using PowerShell with a manually generated file that contains just the base-64 string returned in the response (not the full response):

```powershell
# -Raw returns the file as one string; without it a wrapped file becomes an array
# of lines and FromBase64String cannot bind to it.
$b64        = Get-Content -Path 'C:\path\to\source\file' -Raw
$targetFile = 'C:\path\to\target\file'
$bytes      = [Convert]::FromBase64String($b64)
[IO.File]::WriteAllBytes($targetFile, $bytes)
```

Using PowerShell within the script where the full response (including both key/value pairs) is returned and placed in the variable $response:

```powershell
# Parse the JSON body, then write the decoded bytes to a file named after FileName.
$ResponseContent = $response.Content | ConvertFrom-Json
$targetFile      = 'C:\path_to_target_file\' + $ResponseContent.FileName
$bytes           = [Convert]::FromBase64String($ResponseContent.PFX)
[IO.File]::WriteAllBytes($targetFile, $bytes)
```

In the second case, the name provided in FileName is used for the PFX output file.
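The following function ties the input parameters of Table 213 and the response decoding of Table 214 together: it builds the request so that only one identifier set (CertID, Thumbprint, or SerialNumber with IssuerDN) can be sent, sets the x-certificateformat header, decodes the PFX value, writes the file with a restrictive ACL, and verifies that the result actually contains a private key before returning. It is an added example, not code from the Keyfactor documentation or product. The base URL, the use of Basic authentication, the x-keyfactor-requested-with header, and the output directory are assumptions not stated on this page; the function name Invoke-KeyfactorRecover is hypothetical.

```powershell
function Invoke-KeyfactorRecover {
    [CmdletBinding(DefaultParameterSetName = 'ById')]
    param(
        [Parameter(Mandatory)] [string] $BaseUrl,             # assumed, e.g. https://kf.example.com/KeyfactorAPI
        [Parameter(Mandatory)] [pscredential] $ApiCredential, # assumed: API uses Basic authentication
        [Parameter(Mandatory)] [securestring] $Password,      # protects the private key in the output (body Password)
        [Parameter(Mandatory, ParameterSetName = 'ById')]         [int]    $CertId,
        [Parameter(Mandatory, ParameterSetName = 'ByThumbprint')] [string] $Thumbprint,
        [Parameter(Mandatory, ParameterSetName = 'BySerial')]     [string] $SerialNumber,
        [Parameter(Mandatory, ParameterSetName = 'BySerial')]     [string] $IssuerDN,
        [ValidateSet('PFX', 'PEM')] [string] $Format = 'PFX',  # value of the x-certificateformat header
        [switch] $IncludeChain,
        [int] $CollectionId,
        [Parameter(Mandatory)] [string] $OutDir
    )

    # The parameter sets reject calls that mix identifiers, so exactly one set reaches the body.
    $plainPassword = [Net.NetworkCredential]::new('', $Password).Password
    $body = @{ Password = $plainPassword; IncludeChain = [bool]$IncludeChain }
    switch ($PSCmdlet.ParameterSetName) {
        'ById'         { $body.CertID = $CertId }
        'ByThumbprint' { $body.Thumbprint = $Thumbprint }
        'BySerial'     { $body.SerialNumber = $SerialNumber; $body.IssuerDN = $IssuerDN }
    }

    $uri = "$BaseUrl/Certificates/Recover"
    if ($PSBoundParameters.ContainsKey('CollectionId')) { $uri += "?collectionId=$CollectionId" }

    $basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
        "$($ApiCredential.UserName):$($ApiCredential.GetNetworkCredential().Password)"))
    $headers = @{
        'Authorization'              = "Basic $basic"
        'x-keyfactor-requested-with' = 'APIClient'   # assumed request marker, not described on this page
        'x-certificateformat'        = $Format
    }

    $response = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
        -ContentType 'application/json' -Body ($body | ConvertTo-Json)

    # FileName is server-supplied: keep only the leaf name so it cannot escape $OutDir.
    $leaf = [IO.Path]::GetFileName($response.FileName)
    if ([string]::IsNullOrWhiteSpace($leaf)) { $leaf = "recovered.$($Format.ToLower())" }
    $target = Join-Path $OutDir $leaf
    [IO.File]::WriteAllBytes($target, [Convert]::FromBase64String($response.PFX))

    # The file holds a private key: drop inherited ACEs and grant only the calling user.
    $acl = Get-Acl -Path $target
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule([Security.AccessControl.FileSystemAccessRule]::new(
        [Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow'))
    Set-Acl -Path $target -AclObject $acl

    # Verify what came back before anything else trusts it.
    $thumb = $null
    if ($Format -eq 'PFX') {
        # EphemeralKeySet keeps the key out of the persistent key store (needs .NET 4.7.2+ or .NET Core).
        $flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
        $coll  = [Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        $coll.Import($target, $plainPassword, $flags)
        $leafCert = $coll | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
        if (-not $leafCert) { throw "PFX at $target contains no private key" }
        $thumb = $leafCert.Thumbprint
        if ($Thumbprint -and $thumb -ne $Thumbprint.ToUpper()) {
            throw "Recovered certificate $thumb does not match requested thumbprint $Thumbprint"
        }
        $count = $coll.Count
    } else {
        $pem = [IO.File]::ReadAllText($target)
        if ($pem -notmatch '-----BEGIN [A-Z ]*PRIVATE KEY-----') { throw "PEM at $target contains no private key" }
        $count = ([regex]::Matches($pem, '-----BEGIN CERTIFICATE-----')).Count
    }
    if ($IncludeChain -and $count -lt 2) { Write-Warning "Chain requested but only $count certificate(s) returned" }

    [pscustomobject]@{ Path = $target; Format = $Format; Thumbprint = $thumb; Certificates = $count }
}

# Usage (values are placeholders):
# $cred = Get-Credential; $pw = Read-Host -AsSecureString 'Password for the recovered key'
# Invoke-KeyfactorRecover -BaseUrl 'https://kf.example.com/KeyfactorAPI' -ApiCredential $cred -Password $pw `
#     -Thumbprint 'A1B2C3...' -Format PFX -IncludeChain -OutDir 'C:\secure\recovered'
```

The thumbprint comparison matters because a CertID or thumbprint typo recovers a different certificate's key without any error from the decoding step; the ACL step matters because the decoded file is equivalent to the private key itself. Remove the file as soon as it has been imported where it is needed.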