Certificate Authority Management API Reference

Note: Sign in to the developer console to build or publish your skill.

Use the Certificate Authority Management API to connect your Alexa devices to WPA2 Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) networks and let Alexa Smart Properties (ASP) manage issuing and rotating certificates to your devices.

Before you can use the Certificate Authority Management API, visit the Alexa Smart Properties Console and request the WPA2 Enterprise Wi-Fi add-on package. An Alexa Smart Properties Solution Architect grants you access to the WPA2 Enterprise Wi-Fi feature after you confirm on-boarding and billing information. For more details about getting started, see WPA2 Enterprise Wi-Fi.

API endpoint

The endpoint of the Certificate Authority Management API is https://api.amazonalexa.com.

Authentication

Each API request must have an authorization header whose value is the access token retrieved from Login with Amazon (LWA). The token must have the following scopes:

credential_locker::wifi_management
alexa::enterprise:management

Operations

The Certificate Authority Management API includes the following operations.

Operation	HTTP Method and URI
Create certificate authority	`POST /v1/enterprise/certificateAuthorities/`
Get certificate authority details	`GET /v1/enterprise/certificateAuthorities/{certificateAuthorityId}?expand=all`
Get all certificate authorities	`GET /v1/enterprise/certificateAuthorities?nextToken={nextToken}&maxResults={maxResults}&expand=all`
Import certificates	`POST /v1/enterprise/certificateAuthorities/{certificateAuthorityId}/importCertificate`
Update certificate authority	`PUT /v1/enterprise/certificateAuthorities/{certificateAuthorityId}`
Delete certificate authority	`DELETE /v1/enterprise/certificateAuthorities/{certificateAuthorityId}`

Create certificate authority

Create an ASP-hosted certificate authority to create a chain between the authentication server for your network (the RADIUS server) and ASP devices. After you create the certificate authority and get a certificate from the RADIUS server, the Private Certificate Authority (PCA) can issue certificates for ASP devices and authenticate them to the Wi-Fi network.

Request

Make a POST request to the /v1/enterprise/certificateAuthorities/ resource.

Request header example

POST /v1/enterprise/certificateAuthorities/ HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}

Request path and header parameters

Note: The create certificate authority API only supports 1 transaction per second (TPS). Please implement logic to support 2 to 3 second gaps for retries of certificate creation if you are throttled.

Parameter	Located in	Description	Type	Required
`LWA token`	Header	LWA token.	String	Yes

Request body example

{
   "friendlyName": { 
       "type": "PLAIN",
       "value": { 
           "text": "Customer Network #1" 
       }
   },
   "rotationPeriod": {
       "value": 6,
       "interval": "MONTHS"
   }
}

Request body parameters

Parameter	Description	Type	Required
`friendlyName`	Provides a friendly name to the certificate authority.	Object	Yes
`friendlyName.type`	The name value type. Supported value is `"PLAIN"`, indicating that the `value` property contains the plain text value for this property.	String	Yes
`friendlyName.value`	The name value, as a `Value` object.	Object	Yes
`friendlyName.value.text`	String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of 1 character and a maximum length of 100 characters.	String	Yes
`rotationPeriod`	An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the `value` property.	Object	Yes
`rotationPeriod.value`	Numeric value of rotation interval. Accepted values: `6` or `12`.	Integer	Yes
`rotationPeriod.interval`	String enumeration of rotation interval. Accepted value: `MONTHS`.	Enum	Yes

Response

A successful response returns HTTP 201 with the ID of the new certificate authority.

Response body example

{
   "id": "amzn1.alexa.enterprise.certificateAuthority.did.EXAMPLE_ID_VALUE"
}

Response body parameters

Parameter	Description	Type	Required
`id`	Unique ID of the created PCA	String	Yes

HTTP status codes

Status	Description
`201 OK`	The request succeeded.
`400 Bad Request`	The request is malformed or is missing any required parameters.
`400 NAME_ALREADY_EXISTS`	User has already a certificate authority with the provided `friendlyName`.
`400 INVALID_FRIENDLY_NAME`	The provided friendly name is invalid. The friendly name must be between 1–100 characters.
`400 INVALID_ROTATION_PERIOD`	The provided rotation period is invalid. The rotation period must be `6 MONTHS` or `12 MONTHS`.
`401 Unauthorized`	The access token is missing, expired, or invalid.
`403 Forbidden`	The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise Wi-Fi Add-on enabled.
`429 Too Many Requests`	Request has been throttled
`500 Internal Service Error`	An unknown problem on server side occurred when processing the request.
`503 Service Unavailable`	Service is temporarily unavailable

Example error payload

{
    "type": "NAME_ALREADY_EXISTS",
    "message": "User has already a certificate authority with the provided friendlyName."
}

Get certificate authority details

Get the details, including the status and the Certificate Signing Request (CSR) of a certificate authority. The CSR is the prerequisite for a root CA to sign a certificate for the certificate authority. You use this output to import certificates to the ASP Certificate Authority later on.

Request

Make a GET request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId} resource.

Request header example

GET /v1/enterprise/certificateAuthorities/{certificateAuthorityId}?expand=all HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}

Request path and header parameters

Parameter Located in Description Type Required

LWA token

Header

LWA token.

String

Yes

certificateAuthorityId

Path

Directed id of the certificate authority

String

Yes

expand

Query

Specify whether to display all metadata for a certificate authority.
Accepted values: all.

When this parameter contains a value, the response object includes the csr, certificateMetadata.certificate, and certificateMetadata.certificateChain fields, provided that these fields and the certificateMetadata field wouldn't be absent for other reasons.
See description of these fields and the certificateMetadata field for details.

String

Request body

The request has no request body.

Response

A successful response returns HTTP 200 with certificate details in the response body.

Response body example

{
  "id": "amzn1.alexa.enterprise.certificateAuthority.did.EXAMPLE_ID_VALUE",
  "friendlyName": {
    "type": "PLAIN",
    "value": {
      "text": "Customer Network #1"
    }
  },
  "status": "ACTIVE",
  "createdAt": "1970-01-01T00:00:00Z",
  "updatedAt": "1970-01-01T00:00:00Z",
  "csr": "-----BEGIN CERTIFICATE REQUEST-----CERTIFICATE_REQUEST_CONTENT-----END CERTIFICATE REQUEST-----",
  "certificateMetadata": {
    "certificate": "-----BEGIN CERTIFICATE-----CERTIFICATE_CONTENT-----END CERTIFICATE-----",
    "certificateChain": "-----BEGIN CERTIFICATE-----CERTIFICATE_CHAIN_CONTENT-----END CERTIFICATE-----",
    "expiresAt": "1970-01-01T00:00:00Z",
    "activeFrom": "1970-01-01T00:00:00Z"
  },
  "rotationPeriod": {
    "value": 6,
    "interval": "MONTHS"
  }
}

Response body properties

Property	Description	Type
`id`	Id of the certificate authority	String
`friendlyName`	Friendly name of the certificate authority. The field supports UTF-8 encoding with a maximum length of 100 characters.	Object
`friendlyName.type`	The name value type. Supported value is `"PLAIN"`, indicating that the `value` property contains the plain text value for this property.	String
`friendlyName.value`	The name value, as a `Value` object.
`friendlyName.value.text`	String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of 1 character and a maximum length of 100 characters.	String
`status`	Current status of the certificate authority. For the list of possible statuses, see Certificate authority status.	String
`createdAt`	Time at which the certificate authority was created in RFC 3339 format.	Date
`updatedAt`	Time at which the certificate authority was last updated in RFC 3339 format. If the certificate authority hasn't been updated, this value is the same as the `createdAt` field.	Date
`csr`	The base64 PEM-encoded certificate signing request (CSR) for the certificate authority. If the `expand` query parameter is missing or if the certificate authority is in a status other than `PENDING_CERTIFICATE`, `ACTIVE`, or `EXPIRED`, this field is absent.	String
`certificateMetadata`	Certificate authority certificate metadata object. This property is present if the Import certificate operation has been called to import a certificate.	Object
`certificateMetadata.certificate`	Certificate that's imported to the certificate authority. Only present if the `expand` query parameter is set to `all`	String
`certificateMetadata.certificateChain`	Certificate chain that's imported to the certificate authority. Only present if the `expand` query parameter is set to `all`	String
`certificateMetadata.expiresAt`	Time after which the certificate of the certificate authority isn't valid. Also known as expiration time of certificate authority. This field is in RFC 3339 format.	Date
`certificateMetadata.activeFrom`	Time before which the certificate of the certificate authority isn't valid. This field is in RFC 3339 format.	Date
`rotationPeriod`	An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the `value` property.	Object
`rotationPeriod.value`	Numeric value of rotation interval. Accepted values: `6` or `12`.	Integer
`rotationPeriod.interval`	String enumeration of rotation interval. Accepted value: `MONTHS`.	Enum

HTTP status codes

Status	Description
`200 OK`	The request succeeded.
`400 Bad Request`	The request is malformed or is missing any required parameters.
`400 INVALID_EXPAND`	If the parameter is provided its value has to be 'all'.
`401 Unauthorized`	The access token is missing, expired, or invalid.
`403 Forbidden`	The access token is valid, but the user doesn't have the needed LWA scope permissions, or the user doesn't have the Enterprise Wi-Fi add-on enabled.
`404 Not Found`	The certificate authority in the path isn't found in the certificate authorities that the customer has access to
`429 Too Many Requests`	Request has been throttled
`500 Internal Service Error`	An unknown problem on server side was encountered when processing the request.
`503 Service Unavailable`	Service is temporarily unavailable

Get all certificate authorities

List ID, status, and other key information for all certificate authorities that were created by the user.

Request

Make a GET request to the /v1/enterprise/certificateAuthorities resource.

Request header example

GET /v1/enterprise/certificateAuthorities?nextToken={NEXT_TOKEN}&maxResults=10&expand=all HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`LWA token`	Header	LWA token.	String	Yes
`nextToken`	Query	Token to identify the next page of results. Get this token from the `nextToken` property in the response body of an earlier request.	String	No
`maxResults`	Query	Maximum number of results to display. The value of this parameter must be in the range of 1–100. Default is 10.	Integer	No
`expand`	Query	Specify whether to display all metadata for a certificate authority. Accepted values: `all`. When this parameter contains a value, the response object includes the `csr`, `certificateMetadata.certificate`, and `certificateMetadata.certificateChain` fields, provided that these fields and the `certificateMetadata` field wouldn't be absent for other reasons. See description of these fields and the `certificateMetadata` field for details.	String	No

Response

A successful response returns HTTP 200 with certificate details in the response body.

Response body example

{
  "paginationContext": {
    "nextToken": "EXAMPLE_TOKEN_VALUE"
  },
  "certificateAuthorities": [
    {
      "id": "amzn1.alexa.enterprise.certificateAuthority.did.EXAMPLE_ID_VALUE",
      "friendlyName": {
        "type": "PLAIN",
        "value": {
          "text": "Customer Network #1"
        }
      },
      "status": "ACTIVE",
      "createdAt": "1970-01-01T00:00:00Z",
      "updatedAt": "1970-01-01T00:00:00Z",
      "csr": "-----BEGIN CERTIFICATE REQUEST-----CERTIFICATE_REQUEST_CONTENT-----END CERTIFICATE REQUEST-----",
      "certificateMetadata": {
        "certificate": "-----BEGIN CERTIFICATE-----CERTIFICATE_CONTENT-----END CERTIFICATE-----",
        "certificateChain": "-----BEGIN CERTIFICATE-----CERTIFICATE_CHAIN_CONTENT-----END CERTIFICATE-----",
        "expiresAt": "1970-01-01T00:00:00Z",
        "activeFrom": "1970-01-01T00:00:00Z"
      },
      "rotationPeriod": {
        "value": 6,
        "interval": "MONTHS"
      }
    }
  ]
}

Response body properties

Property	Description	Type
`paginationContext`	The `paginationContext` object.	Object
`paginationContext.nextToken`	A token to retrieve the next page of results. Pass this string to the `nextToken` query parameter in a subsequent call to `/v1/enterprise/certificateAuthorities`. This property is absent when there are no more results.	String
`certificateAuthorities`	Array of `certificateAuthority` objects.	Array
`certificateAuthorities[].id`	Id of the certificate authority	String
`certificateAuthorities[].friendlyName`	Friendly name of the certificate authority. The field supports UTF-8 encoding with a maximum length of 100 characters.	Object
`certificateAuthorities[].friendlyName.type`	The name value type. Supported value is `"PLAIN"`, indicating that the `value` property contains the plain text value for this property.	String
`certificateAuthorities[].friendlyName.value`	The name value, as a `Value` object.	Object
`certificateAuthorities[].friendlyName.value.text`	String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of 1 character and a maximum length of 100 characters.	String
`certificateAuthorities[].status`	Current status of the certificate authority. For the list of possible statuses, see Certificate authority status.	String
`certificateAuthorities[].createdAt`	Time at which the certificate authority was created in RFC 3339 format.	Date
`certificateAuthorities[].updatedAt`	Time at which the certificate authority was last updated in RFC 3339 format. If the certificate authority hasn't been updated, this value is the same as the `createdAt` field.	Date
`certificateAuthorities[].csr`	The base64 PEM-encoded certificate signing request (CSR) for the certificate authority. If the `expand` query parameter is missing or if the certificate authority is in a status other than `PENDING_CERTIFICATE`, `ACTIVE`, or `EXPIRED`, this field is absent.	String
`certificateAuthorities[].certificateMetadata`	Certificate authority certificate metadata object. This property is present if the Import certificate operation has been called to import a certificate.	Object
`certificateAuthorities[].certificateMetadata.certificate`	Certificate that's imported to the certificate authority. Only present if the `expand` query parameter is set to `all`	String
`certificateAuthorities[].certificateMetadata.certificateChain`	Certificate chain that's imported to the certificate authority. Only present if the `expand` query parameter is set to `all`	String
`certificateAuthorities[].certificateMetadata.expiresAt`	Time after which the certificate of the certificate authority isn't valid. Also known as expiration time of certificate authority. This field is in RFC 3339 format.	Date
`certificateAuthorities[].certificateMetadata.activeFrom`	Time before which the certificate of the certificate authority isn't valid. This field is in RFC 3339 format.	Date
`certificateAuthorities[].rotationPeriod`	An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the `value` property.	Object
`certificateAuthorities[].rotationPeriod.value`	Numeric value of rotation interval. Accepted values: `6` or `12`.	Integer
`certificateAuthorities[].rotationPeriod.interval`	String enumeration of rotation interval. Accepted value: `MONTHS`.	Enum

HTTP status codes

Status	Description
`200 OK`	The request succeeded.
`400 Bad Request`	The request is malformed or is missing any required parameters.
`400 INVALID_NEXT_TOKEN`	There was an issue with parsing the `nextToken`.
`400 INVALID_MAX_RESULTS`	The value must be in the range of 1–10.
`400 INVALID_EXPAND`	If the parameter is provided its value has to be 'all'.
`401 Unauthorized`	The access token is missing, expired, or invalid.
`403 Forbidden`	The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise WiFi Add-on enabled.
`429 Too Many Requests`	Request has been throttled
`500 Internal Service Error`	An unknown problem on server side was encountered when processing the request.
`503 Service Unavailable`	Service is temporarily unavailable

Example error payload

{
    "type": "INVALID_NEXT_TOKEN",
    "message": "There was an issue with parsing the nextToken."
}

Import certificate

Import certificates into a certificate authority. You must sign the CSR that was provided in the GET certificate authority API call on your RADIUS server. This provides you with the certificate and certificate chain to import to your certificate authority.

After you import the certificate, your Certificate Authority is marked as ACTIVE status, which enables the Certificate Authority to issue certificates to Alexa Smart Properties devices.

Amazon recommends that you configure the imported certificate with a certificate validity period between three to six years.

Request

Make a POST request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId}/importCertificate resource. Provide the certificate and certificate chain to import in the request body.

Request header example

POST /v1/enterprise/certificateAuthorities/{certificateAuthorityId}/importCertificate HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`LWA token`	Header	LWA token.	String	Yes
`certificateAuthorityId`	Path	Directed id of the certificate authority	String	Yes

Request body example

{
  "certificate": "-----BEGIN CERTIFICATE-----\nCERTIFICATE_CONTENT\nMULTIPLE_LINES_WITH_LINE_BREAK_CHARACTERS\n-----END CERTIFICATE-----",
  "certificateChain": "-----BEGIN CERTIFICATE-----\nCERTIFICATE_CONTENT\nMULTIPLE_LINES_WITH_LINE_BREAK_CHARACTERS\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n\nCERTIFICATE_CONTENT\nMULTIPLE_LINES_WITH_LINE_BREAK_CHARACTERS\n----END CERTIFICATE-----"
}

Request body parameters

Parameter	Description	Type	Required
`certificate`	The certificate for a certificate authority, signed by your RADIUS server.	String	Yes
`certificateChain`	All your certificates, other than the certificate to import, in the chain to the root CA.	String	Yes

Response

A successful response returns an HTTP 204 response with an empty HTTP body.

HTTP status codes

Status	Description
`204 OK`	The request succeeded.
`400 Bad Request`	The request is malformed or is missing any required parameters.
`400 CERTIFICATE_MISMATCH`	The certificate authority certificate you're importing doesn't comply with conditions specified in the certificate that signed it.
`400 CONCURRENT_MODIFICATION`	A previous update to the certificate authority is still ongoing.
`400 INVALID_STATE`	The state of the certificate authority doesn't allow this action to occur.
`400 MALFORMED_CERTIFICATE`	One or more fields in the certificate are invalid.
`400 REQUEST_IN_PROGRESS`	Your request is already in progress. This exception is thrown when the customer tries to import the same certificates in a very close succession.
`401 Unauthorized`	The access token is missing, expired, or invalid.
`403 Forbidden`	The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise WiFi Add-on enabled.
`404 Not Found`	The certificate authority in the path doesn't exist
`429 Too Many Requests`	Request has been throttled
`500 Internal Service Error`	An unknown problem on server side was encountered when processing the request.
`503 Service Unavailable`	Service is temporarily unavailable

Example error payload

{
    "type": "CERTIFICATE_MISMATCH",
    "message": "The certificate authority certificate you are importing does not comply with conditions specified in the certificate that signed it."
}

Update certificate authority

Change the certificate authority details. You can change the "friendly name" of the certificate authority or change the certificate rotation period.

Request

Make a PUT request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId} resource. Provide the new values in the request body.

Request header example

PUT /v1/enterprise/certificateAuthorities/{certificateAuthorityId} HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`LWA token`	Header	LWA token.	String	Yes
`certificateAuthorityId`	Path	Directed id of the certificate authority	String	Yes

Request body example

{
  "friendlyName": {
    "type": "PLAIN",
    "value": {
      "text": "Customer Network #2"
    }
  },
  "rotationPeriod": {
    "value": 6,
    "interval": "MONTHS"
  }
}

Request body parameters

You must provide at least one object to update, either friendlyName or rotationPeriod. If neither are included in the request body, the operation call fails with an HTTP 400 error.

Parameter	Description	Type	Required
`friendlyName`	Provides a friendly name to the certificate authority.	Object	No if `rotationPeriod` contains an object.
`friendlyName.type`	The name value type. Supported value is `"PLAIN"`, indicating that the `value` property contains the plain text value for this property.	String	Yes
`friendlyName.value`	The name value, as a `Value` object.	Object	Yes
`friendlyName.value.text`	String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of one character and a max length of 100 characters.	String	Yes
`rotationPeriod`	An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the `value` property.	Object	No if `friendlyName` contains an object.
`rotationPeriod.value`	Numeric value of rotation interval. Accepted values: `6` or `12`.	Integer	Yes
`rotationPeriod.interval`	String enumeration of rotation interval. Accepted value: `MONTHS`.	Enum	Yes

Response

A successful response returns HTTP 204 with an empty response body.

If both friendlyName and rotationPeriod properties in the request body are empty, the operation returns an HTTP 400 error.

HTTP status codes

Status	Description
`204 OK`	The request succeeded.
`400 Bad Request`	The request is malformed or is missing any required parameters.
`400 EMPTY_INPUT`	Either a new `friendlyName` or a new `rotationPeriod` must be provided.
`400 NAME_ALREADY_EXISTS`	User has already a certificate authority with the provided `friendlyName`.
`400 INVALID_FRIENDLY_NAME`	The provided friendly name is invalid. The friendly name has to be between 1–100 characters.
`400 INVALID_ROTATION_PERIOD`	The provided rotation period is invalid. Only the values of 6 MONTHS and 12 MONTHS are allowed.
`401 Unauthorized`	The access token is missing, expired, or invalid.
`404 Not Found`	The certificate authority in the path isn't found in the certificate authorities that the customer has access to
`403 Forbidden`	The access token is valid, but the user doesn't have the needed LWA scope permissions, or the customer doesn't have a valid Enterprise WiFi Add-on enabled.
`429 Too Many Requests`	Request has been throttled
`500 Internal Service Error`	An unknown problem on server side was encountered when processing the request.
`503 Service Unavailable`	Service is temporarily unavailable

Example error payload

{
    "type": "EMPTY_INPUT",
    "message": "Either a new friendlyName or a new rotationPeriod needs to be provided."
}

Delete certificate authority

Delete a certificate authority. Certificates that were issued to devices before you delete the authority remain valid until you remove the certificate authority certificate from the trust store for your RADIUS server.

Request

Make a DELETE request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId} resource.

Request header example

DELETE /v1/enterprise/certificateAuthorities/{certificateAuthorityId} HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}

Request path and header parameters

Parameter	Located in	Description	Type	Required
`LWA token`	Header	LWA token.	String	Yes
`certificateAuthorityId`	Path	Directed id of the certificate authority to delete.	String	Yes

Request body

This request has no request body.

Response

A successful response returns an HTTP 204 response with an empty HTTP body.

HTTP status codes

Status	Description
`204 OK`	The request succeeded.
`400 Bad Request`	The request is malformed or is missing any required parameters.
`400 CONCURRENT_MODIFICATION`	A previous update to the certificate authority is still ongoing.
`401 Unauthorized`	The access token is missing, expired, or invalid.
`403 Forbidden`	The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise Wi-Fi Add-on enabled.
`404 Not Found`	The certificate authority in the path isn't found in the certificate authorities that the customer has access to
`429 Too Many Requests`	Request has been throttled
`500 Internal Service Error`	An unknown problem on server side was encountered when processing the request.
`503 Service Unavailable`	Service is temporarily unavailable

Example error payload

{
    "type": "CONCURRENT_MODIFICATION",
    "message": "A previous update to your certificate authority is still ongoing."
}

Certificate authority status

A certificate authority can have any of the statuses shown in the following table.

Status	Can the CA issue certificates?	Can you get CSR from the CA and install certificate on the CA?	Are you billed for the CA?
`CREATING` – The CA is being created.	No	No	Yes
`PENDING_CERTIFICATE` – The CA has been created and needs a certificate to be operational.	No	Yes	Yes
`ACTIVE` - The CA is active and is ready to issue certificates	Yes	Yes	Yes
`EXPIRED` – The CA certificate has expired	No	Yes	Yes
`FAILED` - CA creation failed due to internal error. A failed CA cannot be recovered. Delete the CA and create a new one.	No	No	No

Was this page helpful?

Provide feedback

Last updated: frontmatter-missing

Certificate Authority Management API Reference

API endpoint

Authentication

Operations

Create certificate authority

Request

Request header example

Request path and header parameters

Request body example

Request body parameters

Response

Response body example

Response body parameters

HTTP status codes

Example error payload

Get certificate authority details

Request

Request header example

Request path and header parameters

Request body

Response

Response body example

Response body properties

HTTP status codes

Get all certificate authorities

Request

Request header example

Request path and header parameters

Response

Response body example

Response body properties

HTTP status codes

Example error payload

Import certificate

Request

Request header example

Request path and header parameters

Request body example

Request body parameters

Response

HTTP status codes

Example error payload

Update certificate authority

Request

Request header example

Request path and header parameters

Request body example

Request body parameters

Response

HTTP status codes

Example error payload

Delete certificate authority

Request

Request header example

Request path and header parameters

Request body

Response

HTTP status codes

Example error payload

Certificate authority status

Related topics

Was this page helpful?