Create Template
The API initiates a request to create certificate templates for AppViewX Native PKI.
Before you begin
- Refer to Prerequisites in the PKI User Guide.
Request Structure
| Endpoint: | v1/pki/ca/template/create |
|---|---|
| Type: | POST |
| Sample URL: | The elements of the sample URL are explained in the References section at the end of this page. |
Headers
| Name | Description |
|---|---|
| Content-Type | application/json |
| sessionId | (Mandatory) Session Id received after login. Type: String. Constraint: Required if username and password are not provided. |
| username | (Mandatory) AppViewX login username. Type: String. Constraint: Required if sessionId is not provided. |
| password | (Mandatory) AppViewX login password. Type: String. Constraint: Required if sessionId is not provided. |
Payload
| Name | Description |
|---|---|
| name | (Mandatory) Name of the certificate template. Type: String |
| description | Description of the template. Type: String |
| category | (Mandatory) Template category (e.g., End Entity). Type: String |
| validityOffsetUnitType | Validity offset time unit for certificate validity. One of: "MINUTES", "HOURS", "DAYS", "MONTHS", "YEARS". Type: String |
| validityOffsetUnitValue | Validity offset numeric value for the validity duration. Type: String |
| allowTemplateValidity | When true, a CSR may override the template validity period. Type: Boolean |
| noRevAvail | When true, the No Revocation Available extension is added to issued certificates. Type: Boolean |
| allowCSRSubject | Allow the CSR to supply the subject DN. Type: Boolean |
| allowCSRSubjectAltName | Allow the CSR to supply Subject Alternative Names. Type: Boolean |
| allowCSRBasicConstraints | Allow the CSR to define Basic Constraints. Type: Boolean |
| allowCSRKeyUsage | Allow the CSR to define key usage bits. Type: Boolean |
| allowCSRExtendedKeyUsage | Allow the CSR to define Extended Key Usage. Type: Boolean |
| allowCSRCertificatePolicy | Allow the CSR to define Certificate Policies. Type: Boolean |
| allowCSRValidationURLs | Allow the CSR to define CRL/OCSP URLs. Type: Boolean |
Key Usage Object
keyUsages top-level flags
| Field | Description |
|---|---|
| keyUsageCritical | Marks the Key Usage extension as critical. Type: boolean |
| restrictUnsupportedKeyUsage | Rejects certificates with key usage bits not configured in this template. Type: boolean |
| extendedKeyUsageCritical | Marks the Extended Key Usage extension as critical. Type: boolean |
| customExtendedKeyUsageExtensionsEnabled | Enables OID-based custom EKU values. Type: boolean |
| customExtendedKeyUsageExtensionsList | Array of OID strings for custom extended key usages. Required when customExtendedKeyUsageExtensionsEnabled is true. Type: array of string |
keyUsages.baseKeyUsage key usage bits
| Field | Description |
|---|---|
| digitalSignature | Certificate may be used for digital signatures. Type: boolean |
| contentCommitment | Non-repudiation / content commitment bit. Type: boolean |
| keyEncipherment | Key may be used for key transport (e.g. RSA key exchange in TLS). Type: boolean |
| dataEncipherment | Key may be used to encrypt data directly. Type: boolean |
| keyAgreement | Key may be used for key agreement (e.g. DH, ECDH). Type: boolean |
| certSign | Key may sign other certificates. Set true only for CA templates. Type: boolean |
| crlSign | Key may sign CRLs. Type: boolean |
| encipherOnly | Key may only encipher during key agreement. Requires keyAgreement: true. Type: boolean |
| decipherOnly | Key may only decipher during key agreement. Requires keyAgreement: true. Type: boolean |
keyUsages.extendedKeyUsage standard EKU flags
| Field | Description |
|---|---|
| anyExtendedKeyUsage | Permits any EKU (2.5.29.37.0). Use with caution. Type: boolean |
| serverAuth | TLS web server authentication (1.3.6.1.5.5.7.3.1). Type: boolean |
| clientAuth | TLS web client authentication (1.3.6.1.5.5.7.3.2). Type: boolean |
| codeSigning | Code signing (1.3.6.1.5.5.7.3.3). Type: boolean |
| emailProtection | Secure email / S/MIME (1.3.6.1.5.5.7.3.4). Type: boolean |
| timeStamping | Trusted timestamping (1.3.6.1.5.5.7.3.8). Type: boolean |
| ocspSigning | OCSP response signing (1.3.6.1.5.5.7.3.9). Type: boolean |
| ipsecEndSystem | IPsec end-system (1.3.6.1.5.5.7.3.5). Type: boolean |
| ipsecTunnel | IPsec tunnel (1.3.6.1.5.5.7.3.6). Type: boolean |
| ipsecUser | IPsec user (1.3.6.1.5.5.7.3.7). Type: boolean |
| smartcardlogon | Smart card logon (Microsoft OID). Type: boolean |
| kdcAuthentication | Kerberos KDC authentication. Type: boolean |
caOptions Object
| Name | Description |
|---|---|
| isCA | Indicates if the certificate is a CA. Type: boolean |
| critical | Whether the CA (Basic Constraints) extension is critical. Type: boolean |
| maxIssuerPathLength | Maximum issuer path length (`NONE` or numeric). Type: string |
authorityAndSubjectKey Object
| Name | Description |
|---|---|
| allowAuthorityKeyId | Enable Authority Key Identifier. Type: boolean |
| inheritAuthorityKeyIdFromCA | Inherit AKI from CA. Type: boolean |
| allowSubjectKeyId | Enable Subject Key Identifier. Type: boolean |
| subjectKeyHashBit | Hash size for Subject Key ID. Type: string |
additionalExtensions Object
| Name | Description |
|---|---|
| additionalCustomExtensionEnabled | Enable additional extensions (top-level flag). Type: boolean |
| oid | Extension OID. Type: string |
| name | Extension name. Type: string |
| critical | Whether the extension is critical. Type: boolean |
| extnValue | Extension value. Type: string |
| allowCSRCustomExtensions | Allow CSR-defined extensions. Type: boolean |
| allowBase64EncodedInput | Allow Base64 encoded values. Type: boolean |
templateCertificatePolicy Object
| Name | Description |
|---|---|
| certificatePolicyEnabled | Enable certificate policies. Type: boolean |
| critical | Mark the policy extension as critical. Type: boolean |
| inheritFromCa | Inherit policies from CA. Type: boolean |
| customEnabled | Enable custom policies. Type: boolean |
| certificatePolicyOidList | List of policy OIDs and qualifiers. Type: array |
subjectAltName and sanFieldDescriptorList Objects
| Name | Description |
|---|---|
| subjectAltName.critical | Mark the SAN extension as critical. Type: boolean |
| sanFieldname | SAN type (e.g., DNS_NAME, IP_ADDRESS). Type: string |
| encodeType | Encoding type (e.g., DERIA5STRING, DEROCTETSTRING). Type: string |
crlConfig Object
| Name | Description |
|---|---|
| enableCrlDp | Enable CRL distribution points. Type: boolean |
| enableCaDefinedCrlDp | Use CA-defined CRL DP. Type: boolean |
| enableCustomCrlDp | Enable custom CRL DP. Type: boolean |
| customCrlDp | List of custom CRL URLs. Type: array |
aiaConfig Object
| Name | Description |
|---|---|
| enableOcspDp | Enable OCSP distribution point. Type: boolean |
| downloadIssuerCertificate | Allow issuer certificate download. Type: boolean |
| enableCaDefinedOcspLink | Use CA-defined OCSP link. Type: boolean |
| enableCustomDefinedOcspLink | Use custom OCSP link. Type: boolean |
| customDefinedOcspLink | List of custom OCSP URLs. Type: array |
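A pre-flight check for a template body, added here as an example and not AppViewX code: it builds the authentication headers under the sessionId-or-credentials rule from the Headers table and lints the payload against the constraints stated in the field tables above (mandatory fields, encipherOnly/decipherOnly needing keyAgreement, certSign/crlSign on non-CA templates, the custom EKU list, anyExtendedKeyUsage, and CSR override flags). The sample template at the bottom is constructed to mirror the key-usage part of the page's sample request.

```python
def build_headers(session_id=None, username=None, password=None) -> dict:
    """Headers for the create-template call: sessionId, or username and password."""
    headers = {"Content-Type": "application/json"}
    if session_id:
        headers["sessionId"] = session_id
    elif username and password:
        headers["username"] = username
        headers["password"] = password
    else:
        raise ValueError("sessionId, or both username and password, is required")
    return headers


def lint_template(tpl: dict) -> list:
    """Return findings for a template body; an empty list means nothing flagged."""
    findings = []
    ku = tpl.get("keyUsages", {})
    base = ku.get("baseKeyUsage", {})
    is_ca = tpl.get("caOptions", {}).get("isCA", False)
    for field in ("name", "category"):            # mandatory per the payload table
        if not tpl.get(field):
            findings.append(f"mandatory field '{field}' missing or empty")
    for bit in ("encipherOnly", "decipherOnly"):  # only meaningful with keyAgreement
        if base.get(bit) and not base.get("keyAgreement"):
            findings.append(f"{bit} requires keyAgreement")
    for bit in ("certSign", "crlSign"):           # CA-only key usage bits
        if base.get(bit) and not is_ca:
            findings.append(f"{bit} set on a non-CA template (isCA is false)")
    if ku.get("extendedKeyUsage", {}).get("anyExtendedKeyUsage"):
        findings.append("anyExtendedKeyUsage permits every EKU; restrict it")
    if (ku.get("customExtendedKeyUsageExtensionsEnabled")
            and not ku.get("customExtendedKeyUsageExtensionsList")):
        findings.append("customExtendedKeyUsageExtensionsList is required "
                        "when customExtendedKeyUsageExtensionsEnabled is true")
    # CSR override flags hand control of certificate content to the requester
    csr = [f for f in ("allowCSRSubject", "allowCSRSubjectAltName",
                       "allowCSRKeyUsage", "allowCSRExtendedKeyUsage") if tpl.get(f)]
    if csr:
        findings.append("CSR may override " + ", ".join(csr) + "; confirm RA review")
    return findings


# Constructed sample mirroring the key-usage part of the page's sample request
SAMPLE_TEMPLATE = {
    "name": "testTemplate", "category": "End Entity", "caOptions": {"isCA": False},
    "keyUsages": {"baseKeyUsage": {"keyAgreement": True, "encipherOnly": True,
                                   "decipherOnly": True, "certSign": False},
                  "extendedKeyUsage": {"anyExtendedKeyUsage": True},
                  "customExtendedKeyUsageExtensionsEnabled": True,
                  "customExtendedKeyUsageExtensionsList": ["1.2.3"]},
}
```

Running `lint_template(SAMPLE_TEMPLATE)` flags only the anyExtendedKeyUsage setting; the other bits in the sample satisfy the documented constraints.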
Response Structure
The response is a string of type application/json with the following body parameters:
| Name | Description |
|---|---|
| response | Indicates the status of the API operation. |
| message | Success message, for example: PKIaaS CA configuration added successfully. Type: String |
| appStatusCode | Application-specific status code for the response. It is a non-null value for a failure response. Type: String |
| tags | Additional information in case of a failure response. |
Status Codes
| HTTP Code | appStatusCode | Response Message |
|---|---|---|
| 201 Created | null | Template <name> created successfully. |
| 401 Unauthorized | AVX_GW_003 | Authentication failed, reason - Invalid Credentials. Remediation: Ensure that a valid username and password or a valid sessionId is provided as header parameters. |
| 400 Bad Request | VALIDATION_ERROR_0004 | Mandatory Field 'name' is missing or empty. Remediation: Enter all fields that are mandatory. |
| 409 Conflict | TEMPLATE_ALREADY_EXISTS | Occurs when the given template name already exists. Remediation: Provide a unique template name. |
Sample Request/Response
Sample request:
```json
{
  "name": "testTemplate",
  "description": "",
  "category": "End Entity",
  "validityOffsetUnitType": "MINUTES",
  "validityOffsetUnitValue": "10",
  "allowTemplateValidity": false,
  "noRevAvail": true,
  "allowCSRSubject": false,
  "allowCSRSubjectAltName": false,
  "allowCSRBasicConstraints": false,
  "allowCSRKeyUsage": false,
  "allowCSRExtendedKeyUsage": false,
  "allowCSRCertificatePolicy": false,
  "allowCSRValidationURLs": false,
  "keyUsages": {
    "baseKeyUsage": {
      "digitalSignature": true,
      "contentCommitment": true,
      "keyEncipherment": true,
      "dataEncipherment": true,
      "keyAgreement": true,
      "certSign": false,
      "crlSign": false,
      "encipherOnly": true,
      "decipherOnly": true
    },
    "keyUsageCritical": true,
    "restrictUnsupportedKeyUsage": false,
    "extendedKeyUsage": {
      "anyExtendedKeyUsage": true,
      "serverAuth": true,
      "clientAuth": true,
      "codeSigning": true,
      "emailProtection": true,
      "timeStamping": true,
      "ocspSigning": true,
      "ipsecEndSystem": true,
      "ipsecTunnel": false,
      "ipsecUser": false,
      "dvcs": false,
      "sbgpCertAAServerAuth": false,
      "scvp_responder": false,
      "eapOverPPP": false,
      "eapOverLAN": false,
      "scvpServer": false,
      "scvpClient": false,
      "ipsecIKE": false,
      "capwapAC": false,
      "capwapWTP": false,
      "smartcardlogon": false,
      "macAddress": false,
      "msSGC": false,
      "nsSGC": false,
      "encryptionFileSystem": false,
      "kdcAuthentication": false,
      "certificateRequestAgent": false,
      "fileRecovery": false
    },
    "extendedKeyUsageCritical": true,
    "customExtendedKeyUsageExtensionsEnabled": true,
    "customExtendedKeyUsageExtensionsList": [
      "1.2.3"
    ]
  },
  "caOptions": {
    "isCA": false,
    "critical": true,
    "maxIssuerPathLength": "NONE"
  },
  "authorityAndSubjectKey": {
    "allowAuthorityKeyId": true,
    "inheritAuthorityKeyIdFromCA": true,
    "allowSubjectKeyId": true,
    "subjectKeyHashBit": "160"
  },
  "additionalCustomExtensionEnabled": true,
  "additionalExtensions": [
    {
      "oid": "1.2.4",
      "name": "DERBITSTRING",
      "critical": true,
      "extnValue": "123456",
      "allowCSRCustomExtensions": false,
      "allowBase64EncodedInput": false
    }
  ],
  "templateCertificatePolicy": {
    "certificatePolicyEnabled": true,
    "critical": true,
    "inheritFromCa": true,
    "customEnabled": true,
    "certificatePolicyOidList": [
      {
        "oid": "1.7.8",
        "type": "User Notice Text",
        "value": "1234"
      },
      {
        "oid": "1.3.4",
        "type": "CPS URI",
        "value": "https://192.168.145.86:31443/avxapi/cps"
      },
      {
        "oid": "2.7.8",
        "type": "No Policy Qualifier",
        "value": "12345"
      }
    ]
  },
  "subjectAltName": {
    "critical": true
  },
  "sanFieldDescriptorList": [
    {
      "sanFieldname": "DNS_NAME",
      "encodeType": "DERIA5STRING"
    },
    {
      "sanFieldname": "IP_ADDRESS",
      "encodeType": "DEROCTETSTRING"
    }
  ],
  "crlConfig": {
    "enableCrlDp": false,
    "enableCaDefinedCrlDp": false,
    "enableCustomCrlDp": false,
    "customCrlDp": []
  },
  "aiaConfig": {
    "enableOcspDp": true,
    "downloadIssuerCertificate": true,
    "enableCaDefinedOcspLink": false,
    "enableCustomDefinedOcspLink": false,
    "customDefinedOcspLink": []
  }
}
```
Sample response:
```json
{
  "response": null,
  "message": "Template testTemplate created successfully",
  "appStatusCode": null,
  "tags": {},
  "headers": null
}
```
References
- IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
- IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication. The IP address will be included in the endpoint URL for an on-prem deployment.
- HostName: A human-readable label assigned to a device (host) on a network. The hostname will be included in the endpoint URL for an on-prem deployment.
- TenantName: An identifier label for a tenant given to indicate which tenant's data the API request will access/modify. The tenant name will be included in the endpoint URL for a SaaS deployment.
- GWPORT: AppViewX gateway port. A gateway port refers to a network port through which data is sent and received to communicate with a gateway in an on-prem deployment. Example: 31443
- avxapi: Path parameter value (static) that is part of the endpoint's URL.
- Endpoint: Endpoint of the API, for example: execute-hook
- gwsource: Source or origin of a gateway, for example: external.
