POST Certificates Download

The POST /Certificates/Download method is used to download a certificate from Keyfactor Command. This method returns HTTP 200 OK on a success with the base-64-encoded certificate without private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure., including optional certificate chain, in DERClosed A DER format certificate file is a DER-encoded binary certificate. It contains a single certificate and does not support storage of private keys. It sometimes has an extension of .der but is often seen with .cer or .crt., PEMClosed A PEM format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PEM certificates always begin and end with entries like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. PEM certificates can contain a single certificate or a full certifiate chain and may contain a private key. Usually, extensions of .cer and .crt are certificate files with no private key, .key is a separate private key file, and .pem is both a certificate and private key. of P7BClosed A PKCS #7 format certificate file is a base64-encoded certificate. Since it's presented in ASCII, you can open it in any text editor. PKCS #7 certificates always begin and end with entries that look something like ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE----. Unlike PEM files, PKCS #7 files can contain only a certificate and its certifiate chain but NOT its private key. Extensions of .p7b or .p7c are usually seen on certificate files of this format. format. For certificates with private keys in PEM or PFXClosed A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. format, use the POST /Certificates/Recover method (see POST Certificates Recover).

Tip:  The following permissions (see Security Overview) are required to use this feature:

Certificates: Read

Certificate permission can be granted at either the global or collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). level. See note under CollectionId, below.

Table 217: POST Certificates Download Input Parameters

Name In Description
CertID Body

Required*. An integer indicating the Keyfactor Command reference ID of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN
SerialNumber Body

Required*. A string indicating the serial number of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN
IssuerDN Body

Required*. A string indicating the distinguished name of the issuer of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN
Thumbprint Body

Required*. A string indicating the thumbprint of the certificate to retrieve.

One of the following is required:

  • CertID

  • Thumbprint

  • SerialNumber and IssuerDN
IncludeChain Body A Boolean indicating whether to include the certificate chain with the certificate (true) or not (false). If you select true, you must select a certificate format of PEM or P7B.
ChainOrder Body A string indicating the order in which the certificate chain should be returned if IncludeChain is set to true. Supported values are EndEntityFirst or RootFirst.
CollectionId Query

An integer specifying an optional certificate collection identifier to validate that the user executing the request has sufficient permissions to do so. If a certificate collection ID is not supplied, the user must have global permissions to complete the action. Supplying a certificate collection ID allows for a check of the user's certificate collection-level permissions to determine whether the user has sufficient permissions at a collection level to complete the action. See Certificate Permissions in the Keyfactor Command Reference Guide for more information.

x-certificateformat Header

The desired output format for the certificate. Supported options are:

  • DER
    DER is not supported if IncludeChain is set to true.

  • PEM

    Output the certificate in base-64 encoded PEM format along with any optional chain certificates in a single file.

  • P7B
    This option is only supported if IncludeChain is set to true

Table 218: POST Certificates Download Response Data

Name Description
Content The base-64-encoded certificate in DER, PEM or P7B format with the optional certificate chain.
Tip:  For code examples, see the Keyfactor API Endpoint Utility. To find the embedded web copy of this utility, click the help icon () at the top of the Keyfactor Command Management Portal page next to the Log Out button.