Certificate Authority Management API Reference
Use the Certificate Authority Management API to connect your Alexa devices to WPA2 Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) networks and let Alexa Smart Properties (ASP) manage issuing and rotating certificates to your devices.
Before you can use the Certificate Authority Management API, visit the Alexa Smart Properties Console and request the WPA2 Enterprise Wi-Fi add-on package. An Alexa Smart Properties Solution Architect grants you access to the WPA2 Enterprise Wi-Fi feature after you confirm on-boarding and billing information. For more details about getting started, see WPA2 Enterprise Wi-Fi.
API endpoint
The endpoint of the Certificate Authority Management API is https://api.amazonalexa.com.
Authentication
Each API request must have an authorization header whose value is the access token retrieved from Login with Amazon (LWA). The token must have the following scopes:
credential_locker::wifi_management
alexa::enterprise:management
Operations
The Certificate Authority Management API includes the following operations.
Operation | HTTP Method and URI |
---|---|
| |
| |
| |
| |
| |
|
Create certificate authority
Create an ASP-hosted certificate authority to create a chain between the authentication server for your network (the RADIUS server) and ASP devices. After you create the certificate authority and get a certificate from the RADIUS server, the Private Certificate Authority (PCA) can issue certificates for ASP devices and authenticate them to the Wi-Fi network.
Request
Make a POST
request to the /v1/enterprise/certificateAuthorities/
resource.
Request header example
POST /v1/enterprise/certificateAuthorities/ HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}
Request path and header parameters
Parameter | Located in | Description | Type | Required |
---|---|---|---|---|
|
Header |
String |
Yes |
Request body example
{
"friendlyName": {
"type": "PLAIN",
"value": {
"text": "Customer Network #1"
}
},
"rotationPeriod": {
"value": 6,
"interval": "MONTHS"
}
}
Request body parameters
Parameter | Description | Type | Required |
---|---|---|---|
|
Provides a friendly name to the certificate authority. |
Object |
Yes |
|
The name value type. Supported value is |
String |
Yes |
|
The name value, as a |
Object |
Yes |
|
String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of 1 character and a maximum length of 100 characters. |
String |
Yes |
|
An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the |
Object |
Yes |
|
Numeric value of rotation interval. |
Integer |
Yes |
|
String enumeration of rotation interval. |
Enum |
Yes |
Response
A successful response returns HTTP 201
with the ID of the new certificate authority.
Response body example
{
"id": "amzn1.alexa.enterprise.certificateAuthority.did.EXAMPLE_ID_VALUE"
}
Response body parameters
Parameter | Description | Type | Required |
---|---|---|---|
|
Unique ID of the created PCA |
String |
Yes |
HTTP status codes
Status | Description |
---|---|
|
The request succeeded. |
|
The request is malformed or is missing any required parameters. |
|
User has already a certificate authority with the provided |
|
The provided friendly name is invalid. The friendly name must be between 1–100 characters. |
|
The provided rotation period is invalid. The rotation period must be |
|
The access token is missing, expired, or invalid. |
|
The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise Wi-Fi Add-on enabled. |
|
Request has been throttled |
|
An unknown problem on server side occurred when processing the request. |
|
Service is temporarily unavailable |
Example error payload
{
"type": "NAME_ALREADY_EXISTS",
"message": "User has already a certificate authority with the provided friendlyName."
}
Get certificate authority details
Get the details, including the status and the Certificate Signing Request (CSR) of a certificate authority. The CSR is the prerequisite for a root CA to sign a certificate for the certificate authority. You use this output to import certificates to the ASP Certificate Authority later on.
Request
Make a GET
request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId}
resource.
Request header example
GET /v1/enterprise/certificateAuthorities/{certificateAuthorityId}?expand=all HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}
Request path and header parameters
Parameter | Located in | Description | Type | Required |
---|---|---|---|---|
|
Header |
String |
Yes | |
|
Path |
Directed id of the certificate authority |
String |
Yes |
|
Query |
Specify whether to display all metadata for a certificate authority.
|
String |
No |
Request body
The request has no request body.
Response
A successful response returns HTTP 200
with certificate details in the response body.
Response body example
{
"id": "amzn1.alexa.enterprise.certificateAuthority.did.EXAMPLE_ID_VALUE",
"friendlyName": {
"type": "PLAIN",
"value": {
"text": "Customer Network #1"
}
},
"status": "ACTIVE",
"createdAt": "1970-01-01T00:00:00Z",
"updatedAt": "1970-01-01T00:00:00Z",
"csr": "-----BEGIN CERTIFICATE REQUEST-----CERTIFICATE_REQUEST_CONTENT-----END CERTIFICATE REQUEST-----",
"certificateMetadata": {
"certificate": "-----BEGIN CERTIFICATE-----CERTIFICATE_CONTENT-----END CERTIFICATE-----",
"certificateChain": "-----BEGIN CERTIFICATE-----CERTIFICATE_CHAIN_CONTENT-----END CERTIFICATE-----",
"expiresAt": "1970-01-01T00:00:00Z",
"activeFrom": "1970-01-01T00:00:00Z"
},
"rotationPeriod": {
"value": 6,
"interval": "MONTHS"
}
}
Response body properties
Property | Description | Type |
---|---|---|
|
Id of the certificate authority |
String |
|
Friendly name of the certificate authority. The field supports UTF-8 encoding with a maximum length of 100 characters. |
Object |
|
The name value type. Supported value is |
String |
|
The name value, as a | |
|
String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of 1 character and a maximum length of 100 characters. |
String |
|
Current status of the certificate authority. For the list of possible statuses, see Certificate authority status. |
String |
|
Time at which the certificate authority was created in RFC 3339 format. |
Date |
|
Time at which the certificate authority was last updated in RFC 3339 format. If the certificate authority hasn't been updated, this value is the same as the |
Date |
|
The base64 PEM-encoded certificate signing request (CSR) for the certificate authority. If the |
String |
|
Certificate authority certificate metadata object. This property is present if the Import certificate operation has been called to import a certificate. |
Object |
|
Certificate that's imported to the certificate authority. Only present if the |
String |
|
Certificate chain that's imported to the certificate authority. Only present if the |
String |
|
Time after which the certificate of the certificate authority isn't valid. Also known as expiration time of certificate authority. This field is in RFC 3339 format. |
Date |
|
Time before which the certificate of the certificate authority isn't valid. This field is in RFC 3339 format. |
Date |
|
An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the |
Object |
|
Numeric value of rotation interval. |
Integer |
|
String enumeration of rotation interval. |
Enum |
HTTP status codes
Status | Description |
---|---|
|
The request succeeded. |
|
The request is malformed or is missing any required parameters. |
|
If the parameter is provided its value has to be 'all'. |
|
The access token is missing, expired, or invalid. |
|
The access token is valid, but the user doesn't have the needed LWA scope permissions, or the user doesn't have the Enterprise Wi-Fi add-on enabled. |
|
The certificate authority in the path isn't found in the certificate authorities that the customer has access to |
|
Request has been throttled |
|
An unknown problem on server side was encountered when processing the request. |
|
Service is temporarily unavailable |
Get all certificate authorities
List ID, status, and other key information for all certificate authorities that were created by the user.
Request
Make a GET
request to the /v1/enterprise/certificateAuthorities
resource.
Request header example
GET /v1/enterprise/certificateAuthorities?nextToken={NEXT_TOKEN}&maxResults=10&expand=all HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}
Request path and header parameters
Parameter | Located in | Description | Type | Required |
---|---|---|---|---|
|
Header |
String |
Yes | |
|
Query |
Token to identify the next page of results. Get this token from the |
String |
No |
|
Query |
Maximum number of results to display. The value of this parameter must be in the range of 1–100. Default is 10. |
Integer |
No |
|
Query |
Specify whether to display all metadata for a certificate authority.
|
String |
No |
Response
A successful response returns HTTP 200
with certificate details in the response body.
Response body example
{
"paginationContext": {
"nextToken": "EXAMPLE_TOKEN_VALUE"
},
"certificateAuthorities": [
{
"id": "amzn1.alexa.enterprise.certificateAuthority.did.EXAMPLE_ID_VALUE",
"friendlyName": {
"type": "PLAIN",
"value": {
"text": "Customer Network #1"
}
},
"status": "ACTIVE",
"createdAt": "1970-01-01T00:00:00Z",
"updatedAt": "1970-01-01T00:00:00Z",
"csr": "-----BEGIN CERTIFICATE REQUEST-----CERTIFICATE_REQUEST_CONTENT-----END CERTIFICATE REQUEST-----",
"certificateMetadata": {
"certificate": "-----BEGIN CERTIFICATE-----CERTIFICATE_CONTENT-----END CERTIFICATE-----",
"certificateChain": "-----BEGIN CERTIFICATE-----CERTIFICATE_CHAIN_CONTENT-----END CERTIFICATE-----",
"expiresAt": "1970-01-01T00:00:00Z",
"activeFrom": "1970-01-01T00:00:00Z"
},
"rotationPeriod": {
"value": 6,
"interval": "MONTHS"
}
}
]
}
Response body properties
Property | Description | Type |
---|---|---|
|
The |
Object |
|
A token to retrieve the next page of results. Pass this string to the |
String |
|
Array of |
Array |
|
Id of the certificate authority |
String |
|
Friendly name of the certificate authority. The field supports UTF-8 encoding with a maximum length of 100 characters. |
Object |
|
The name value type. Supported value is |
String |
|
The name value, as a |
Object |
|
String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of 1 character and a maximum length of 100 characters. |
String |
|
Current status of the certificate authority. For the list of possible statuses, see Certificate authority status. |
String |
|
Time at which the certificate authority was created in RFC 3339 format. |
Date |
|
Time at which the certificate authority was last updated in RFC 3339 format. If the certificate authority hasn't been updated, this value is the same as the |
Date |
|
The base64 PEM-encoded certificate signing request (CSR) for the certificate authority. If the |
String |
|
Certificate authority certificate metadata object. This property is present if the Import certificate operation has been called to import a certificate. |
Object |
|
Certificate that's imported to the certificate authority. Only present if the |
String |
|
Certificate chain that's imported to the certificate authority. Only present if the |
String |
|
Time after which the certificate of the certificate authority isn't valid. Also known as expiration time of certificate authority. This field is in RFC 3339 format. |
Date |
|
Time before which the certificate of the certificate authority isn't valid. This field is in RFC 3339 format. |
Date |
|
An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the |
Object |
|
Numeric value of rotation interval. |
Integer |
|
String enumeration of rotation interval. |
Enum |
HTTP status codes
Status | Description |
---|---|
|
The request succeeded. |
|
The request is malformed or is missing any required parameters. |
|
There was an issue with parsing the |
|
The value must be in the range of 1–10. |
|
If the parameter is provided its value has to be 'all'. |
|
The access token is missing, expired, or invalid. |
|
The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise WiFi Add-on enabled. |
|
Request has been throttled |
|
An unknown problem on server side was encountered when processing the request. |
|
Service is temporarily unavailable |
Example error payload
{
"type": "INVALID_NEXT_TOKEN",
"message": "There was an issue with parsing the nextToken."
}
Import certificate
Import certificates into a certificate authority. You must sign the CSR that was provided in the GET certificate authority API call on your RADIUS server. This provides you with the certificate and certificate chain to import to your certificate authority.
After you import the certificate, your Certificate Authority is marked as ACTIVE
status, which enables the Certificate Authority to issue certificates to Alexa Smart Properties devices.
Amazon recommends that you configure the imported certificate with a certificate validity period between three to six years.
Request
Make a POST
request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId}/importCertificate
resource. Provide the certificate and certificate chain to import in the request body.
Request header example
POST /v1/enterprise/certificateAuthorities/{certificateAuthorityId}/importCertificate HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}
Request path and header parameters
Parameter | Located in | Description | Type | Required |
---|---|---|---|---|
|
Header |
String |
Yes | |
|
Path |
Directed id of the certificate authority |
String |
Yes |
Request body example
{
"certificate": "-----BEGIN CERTIFICATE-----\nCERTIFICATE_CONTENT\nMULTIPLE_LINES_WITH_LINE_BREAK_CHARACTERS\n-----END CERTIFICATE-----",
"certificateChain": "-----BEGIN CERTIFICATE-----\nCERTIFICATE_CONTENT\nMULTIPLE_LINES_WITH_LINE_BREAK_CHARACTERS\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\n\nCERTIFICATE_CONTENT\nMULTIPLE_LINES_WITH_LINE_BREAK_CHARACTERS\n----END CERTIFICATE-----"
}
Request body parameters
Parameter | Description | Type | Required |
---|---|---|---|
|
The certificate for a certificate authority, signed by your RADIUS server. |
String |
Yes |
|
All your certificates, other than the certificate to import, in the chain to the root CA. |
String |
Yes |
Response
A successful response returns an HTTP 204
response with an empty HTTP body.
HTTP status codes
Status | Description |
---|---|
|
The request succeeded. |
|
The request is malformed or is missing any required parameters. |
|
The certificate authority certificate you're importing doesn't comply with conditions specified in the certificate that signed it. |
|
A previous update to the certificate authority is still ongoing. |
|
The state of the certificate authority doesn't allow this action to occur. |
|
One or more fields in the certificate are invalid. |
|
Your request is already in progress. This exception is thrown when the customer tries to import the same certificates in a very close succession. |
|
The access token is missing, expired, or invalid. |
|
The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise WiFi Add-on enabled. |
|
The certificate authority in the path doesn't exist |
|
Request has been throttled |
|
An unknown problem on server side was encountered when processing the request. |
|
Service is temporarily unavailable |
Example error payload
{
"type": "CERTIFICATE_MISMATCH",
"message": "The certificate authority certificate you are importing does not comply with conditions specified in the certificate that signed it."
}
Update certificate authority
Change the certificate authority details. You can change the "friendly name" of the certificate authority or change the certificate rotation period.
Request
Make a PUT
request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId}
resource. Provide the new values in the request body.
Request header example
PUT /v1/enterprise/certificateAuthorities/{certificateAuthorityId} HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}
Request path and header parameters
Parameter | Located in | Description | Type | Required |
---|---|---|---|---|
|
Header |
String |
Yes | |
|
Path |
Directed id of the certificate authority |
String |
Yes |
Request body example
{
"friendlyName": {
"type": "PLAIN",
"value": {
"text": "Customer Network #2"
}
},
"rotationPeriod": {
"value": 6,
"interval": "MONTHS"
}
}
Request body parameters
You must provide at least one object to update, either friendlyName
or rotationPeriod
. If neither are included in the request body, the operation call fails with an HTTP 400
error.
Parameter | Description | Type | Required |
---|---|---|---|
|
Provides a friendly name to the certificate authority. |
Object |
No if |
|
The name value type. Supported value is |
String |
Yes |
|
The name value, as a |
Object |
Yes |
|
String value of the friendly name of the certificate authority. The field supports UTF-8 encoding with a minimum length of one character and a max length of 100 characters. |
String |
Yes |
|
An object that specifies how often to rotate device certificates. A rotation period can be 6 months or 12 months, specified in the |
Object |
No if |
|
Numeric value of rotation interval. |
Integer |
Yes |
|
String enumeration of rotation interval. |
Enum |
Yes |
Response
A successful response returns HTTP 204
with an empty response body.
If both friendlyName
and rotationPeriod
properties in the request body are empty, the operation returns an HTTP 400
error.
HTTP status codes
Status | Description |
---|---|
|
The request succeeded. |
|
The request is malformed or is missing any required parameters. |
|
Either a new |
|
User has already a certificate authority with the provided |
|
The provided friendly name is invalid. The friendly name has to be between 1–100 characters. |
|
The provided rotation period is invalid. Only the values of 6 MONTHS and 12 MONTHS are allowed. |
|
The access token is missing, expired, or invalid. |
|
The certificate authority in the path isn't found in the certificate authorities that the customer has access to |
|
The access token is valid, but the user doesn't have the needed LWA scope permissions, or the customer doesn't have a valid Enterprise WiFi Add-on enabled. |
|
Request has been throttled |
|
An unknown problem on server side was encountered when processing the request. |
|
Service is temporarily unavailable |
Example error payload
{
"type": "EMPTY_INPUT",
"message": "Either a new friendlyName or a new rotationPeriod needs to be provided."
}
Delete certificate authority
Delete a certificate authority. Certificates that were issued to devices before you delete the authority remain valid until you remove the certificate authority certificate from the trust store for your RADIUS server.
Request
Make a DELETE
request to the /v1/enterprise/certificateAuthorities/{certificateAuthorityId}
resource.
Request header example
DELETE /v1/enterprise/certificateAuthorities/{certificateAuthorityId} HTTP/1.1
Host: api.amazonalexa.com
Accept: application/json
Authorization: Bearer {LWA Token}
Request path and header parameters
Parameter | Located in | Description | Type | Required |
---|---|---|---|---|
|
Header |
String |
Yes | |
|
Path |
Directed id of the certificate authority to delete. |
String |
Yes |
Request body
This request has no request body.
Response
A successful response returns an HTTP 204
response with an empty HTTP body.
HTTP status codes
Status | Description |
---|---|
|
The request succeeded. |
|
The request is malformed or is missing any required parameters. |
|
A previous update to the certificate authority is still ongoing. |
|
The access token is missing, expired, or invalid. |
|
The access token is valid, but the user doesn't have the needed LWA scope permissions or the customer doesn't have a valid Enterprise Wi-Fi Add-on enabled. |
|
The certificate authority in the path isn't found in the certificate authorities that the customer has access to |
|
Request has been throttled |
|
An unknown problem on server side was encountered when processing the request. |
|
Service is temporarily unavailable |
Example error payload
{
"type": "CONCURRENT_MODIFICATION",
"message": "A previous update to your certificate authority is still ongoing."
}
Certificate authority status
A certificate authority can have any of the statuses shown in the following table.
Status | Can the CA issue certificates? | Can you get CSR from the CA and install certificate on the CA? | Are you billed for the CA? |
---|---|---|---|
|
No |
No |
Yes |
|
No |
Yes |
Yes |
|
Yes |
Yes |
Yes |
|
No |
Yes |
Yes |
|
No |
No |
No |
Related topics
Last updated: frontmatter-missing