Sample Configuration:
{
"intermediate_cert_config": {
"common_name": "commonName",
"country": "IN",
"province": "IN",
"locality": "IN",
"organization": "AVX",
"organizational_unit": "AVX",
"use_est": true,
"appviewx_hostname": "<hostname>",
"port": "<Port>",
"est_agent_setting_name": "<EST Agent Name>",
"key_type": "RSA",
"key_size": 4096,
"hash_function": "SHA256",
"reenrollment_trigger_before_no_of_days_of_expiry": 30
},
"device_cert_config": {
"is_device_cert_required": true,
"common_name": "test1",
"country": "IN",
"province": "IN",
"locality": "AVX",
"organization": "ORG",
"organizational_unit": "KS",
"appviewx_hostname": "<hostname>",
"port": "<port>",
"est_agent_setting_name": "<est_agent_name>",
"key_type": "ECC",
"key_size": 521,
"hash_function": "SHA256",
"reenrollment_trigger_before_no_of_days_of_expiry": 30
},
"new_intermediate_cert": true,
"mtls_ca_cert": "/home/suryanarayan.bhaskar/Downloads/AuthCert/Server_Certs/TRECDevICA1.crt",
"certificateRenewal_config": {
"isRenewalOfCertificatesRequired": true,
"renewal_check_interval_time_in_minutes": 1,
"appviewx_hostname": "<hostname>",
"port": "<port>",
"est_agent_setting_name": "<est_agent_setting_name>"
},
"mtls_server_cert_config": {
"is_private_key_label_required": false,
"mtls_server_cert_path": "<mtls_server_cert_path>",
"mtls_server_key_label": "<mtls server key label present inside hsm/tpm>",
"mtls_server_key_path": "<MTLS private key path>",
"reenrollment_trigger_before_no_of_days_of_expiry": 600,
"trigger_server_restart_script": "<script path used to restart the server once the mtls server cert is being renewed>"
},
"pkcs11_library": "<pkcs11 library path of hsm/tpm>",
"pkcs11_library_pin": "<pkcs11 library pin of hsm/tpm>",
"mtls_client_auth_cert_config": {
"is_private_key_label_required": true,
"mtls_auth_cert_path": "<mtls auth cert path >",
"mtls_auth_key_label": "<mtls auth key label present inside hsm/tpm>",
"mtls_auth_key_path": "<mtls auth key path>",
"reenrollment_trigger_before_no_of_days_of_expiry": 30
},
"discover_certificate_config": {
"is_discovery_required": false,
"scan_interval_time_in_minutes": 1,
"discovery_name": "<name of the discovery>",
"groupName": "<group name to which certificates has to be mapped in AppViewX>",
"appviewx_hostname": "<hostname>",
"port": "<Port>",
"est_agent_setting_name": "<EST Agent Name>"
},
"mtls_azure_device_registration": {
"appviewx_hostname": "<Hostname>",
"port": "<Port>",
"est_agent_setting_name": "<EST Agent Name>",
"azure_device_registration_workflow": "<Workflow name>",
"poll_count": 6,
"poll_interval": 3,
"azure_account": "<Azure Account Name as configured in Integration Hub for Device Registration in Azure IoT Hub>"
},
"end_certificate_config_1": {
"validity_in_days": 30,
"extended_key_usage_list": [
"1.3.6.1.5.5.7.3.1",
"1.3.6.1.5.5.7.3.2",
"1.2.3.4.5.6.7.8.9"
],
"key_usage": {
"digital_signature": false,
"non_repudiation": false,
"key_encipherment": false,
"data_encipherment": false,
"key_agreement": true,
"key_cert_sign": true,
"crl_sign": true,
"encipher_only": true,
"decipher_only": false
},
"end_point_name": "device",
"is_device_cert": true,
"is_unlimited_validity": false,
"is_ca": true,
"path_length_constraint": 10
},
"end_certificate_config_2": {
"validity_in_days": 31,
"extended_key_usage_list": [
"1.3.6.1.5.5.7.3.1"
],
"key_usage": {
"digital_signature": false,
"non_repudiation": false,
"key_encipherment": true,
"data_encipherment": false,
"key_agreement": true,
"key_cert_sign": false,
"crl_sign": true,
"encipher_only": false,
"decipher_only": false
},
"end_point_name": "user",
"is_device_cert": false,
"is_unlimited_validity": false,
"is_ca": false,
"path_length_constraint": null
},
"end_certificate_config_3": {
"validity_in_days": 62,
"extended_key_usage_list": [
"1.3.6.1.5.5.7.3.1",
"1.3.6.1.5.5.7.3.2"
],
"key_usage": {
"digital_signature": true,
"non_repudiation": true,
"key_encipherment": true,
"data_encipherment": true,
"key_agreement": true,
"key_cert_sign": true,
"crl_sign": true,
"encipher_only": true,
"decipher_only": true
},
"end_point_name": "other",
"is_device_cert": false,
"is_unlimited_validity": false,
"is_ca": false,
"path_length_constraint": null
},
"port": 8088,
"intermediate_private_key_label_in_pkcs11": "20251111230215",
"intermediate_cert_path": "/home/suryanarayan.bhaskar/openssl/server.crt",
"encryption_key_file_path": "<Encryption Key File Path for credentials>"
}
Table 2. Field Description for intermediate_cert_config
| Field |
Description |
| common_name |
Common Name (CN) to be used in the Intermediate certificate
subject. |
| country |
Country (C) field value for the certificate subject (in ISO
2-letter code, e.g., IN, US). |
| province |
State/Province (ST) field value for the certificate
subject. |
| locality |
Locality/City (L) field value for the certificate
subject. |
| organization |
Organization (O) name to be included in the certificate
subject. |
| organizational_unit |
Organizational Unit (OU) to be included in the certificate
subject. |
| use_est |
Flag indicating whether the EST protocol should be used for
issuance/reenrollment of the Intermediate certificate. |
| appviewx_hostname |
Hostname or IP address where the EST service (AppViewX EST
endpoint) is hosted. |
| port |
Port number on which EST service/API is running. |
| est_agent_setting_name |
Name of the EST Agent configuration in AppViewX used for
certificate enrollment via MTLS. |
| key_type |
Cryptographic key type for the Intermediate certificate
(example: RSA, ECC). |
| key_size |
Size of the cryptographic key (e.g., 4096 for RSA, 256/384/521
for ECC curves). |
| hash_function |
Hash algorithm used during certificate signing (e.g., SHA256,
SHA384). |
| reenrollment_trigger_before_no_of_days_of_expiry |
Specifies how many days before certificate expiry the system
should automatically initiate the reenrollment process. |
Table 3. Field Description for device_cert_config
| Field |
Description |
| is_device_cert_required |
Specifies whether device certificate generation and
enrollment is required (true or false). |
| common_name |
Common Name (CN) to be assigned for the Device certificate —
usually represents device identity. |
| country |
Country (C) field value for the certificate subject (ISO
2-letter format, example, IN, US). |
| province |
State/Province (ST) field value for the certificate
subject. |
| locality |
Locality/City (L) field value for the certificate
subject. |
| organization |
Organization (O) name included in the certificate
subject. |
| organizational_unit |
Organizational Unit (OU) name included in the certificate
subject. |
| appviewx_hostname |
Hostname or IP address of the AppViewX EST endpoint used for
device certificate enrollment. |
| port |
Port number where AppviewX EST enrollment service is
running. |
| est_agent_setting_name |
Name of the EST Agent configuration in AppViewX to be used
for device certificate issuance via MTLS. |
| key_type |
Cryptographic key type for generating device certificate
(example: RSA, ECC). |
| key_size |
Size of the cryptographic key (e.g., 2048/4096 for RSA,
256/384/521 for ECC curves). |
| hash_function |
Hash algorithm used during certificate signing (e.g., SHA256,
SHA384). |
| reenrollment_trigger_before_no_of_days_of_expiry |
Specifies how many days before certificate expiry the system
should automatically initiate the reenrollment process. |
Table 4. Field Description for certificateRenewal_config
| Field |
Description |
| isRenewalOfCertificatesRequired |
Enables or disables automatic certificate renewal workflow
(true → renewal active). |
| renewal_check_interval_time_in_minutes |
Time interval (in minutes) at which the server checks for
certificate expiry and triggers renewal if required. If not
configured, the default interval is 1440 minutes. |
| appviewx_hostname |
Hostname or IP address of the AppViewX EST endpoint used for
certificate renewal actions. |
| port |
Port number on which the EST enrollment/reenrollment service
is running. |
| est_agent_setting_name |
Name of the EST Agent configuration in AppViewX that will be
used for certificate renewal via MTLS. |
Table 5. Field Description for mtls_server_cert_config
| Field |
Description |
| is_private_key_label_required |
Indicates whether the MTLS private key should be referenced
using a key label stored inside HSM/TPM (true) or via file-based
key path (false). |
| mtls_server_cert_path |
File path of the MTLS Server Certificate used by the EST
Standalone Server for secure communication. |
| mtls_server_key_label |
Label of the private key stored in HSM/TPM (used only when
is_private_key_label_required =
true). |
| mtls_server_key_path |
File path of the private key for MTLS Server Certificate
(used when key is not inside HSM/TPM). |
| reenrollment_trigger_before_no_of_days_of_expiry |
Number of days before expiry when the MTLS Server Certificate
should automatically be renewed. |
| trigger_server_restart_script |
File path of the script that restarts the EST Standalone
Server after certificate renewal to ensure the new certificate
is applied. |
Table 6. Field Description for mtls_client_auth_cert_config
| Field |
Description |
| is_private_key_label_required |
Determines whether the MTLS client private key is referenced
using a label stored inside HSM/TPM (true) or via local file
path (false). |
| mtls_auth_cert_path |
File path where the MTLS client authentication certificate is
stored. |
| mtls_auth_key_label |
Label of the MTLS client private key inside HSM/TPM (used
only if is_private_key_label_required =
true). |
| mtls_auth_key_path |
File path of the MTLS client private key (used only when
private key is not inside HSM/TPM). |
| reenrollment_trigger_before_no_of_days_of_expiry |
Number of days before certificate expiry when the MTLS client
authentication certificate should be automatically
renewed. |
Table 7. Field Description for discover_certificate_config
| Field |
Description |
| is_discovery_required |
Enables or disables certificate discovery workflow (true →
discover certificates periodically on the server). |
| scan_interval_time_in_minutes |
Time interval (in minutes) between consecutive certificate
discovery scans. If not configured, the default interval is 30
minutes. |
| discovery_name |
Name assigned to this discovery job for identification and
tracking purposes in AppViewX. |
| groupName |
AppViewX group under which discovered certificates should be
uploaded and organized. |
| appviewx_hostname |
Hostname or IP address of the AppViewX CERT+ API endpoint
used for uploading discovered certificates. |
| port |
Port number where the AppViewX upload API service is
reachable. |
| est_agent_setting_name |
EST Agent configuration name in AppViewX to be used for
secure certificate upload via MTLS. |
Table 8. Field Description for mtls_azure_device_registration
| Field |
Description |
| appviewx_hostname |
Hostname or IP address of the AppViewX API endpoint used for
Azure IoT device registration communication. |
| port |
Port number on which the AppViewX API services are
reachable. |
| est_agent_setting_name |
EST Agent configuration name in AppViewX used to authenticate
and securely send device registration requests. |
| azure_device_registration_workflow |
AppViewX workflow name that processes and updates the device
details to Azure IoT Hub using mTLS authentication. |
| poll_count |
Maximum number of times the server will poll Azure IoT Hub
(via AppViewX) to check if the device registration status is
updated successfully. |
| poll_interval |
Time interval (in seconds/minutes) between each poll attempt
during the registration status check. |
| azure_account |
Azure Account Name configured in Integration Hub for Device
Registration in Azure IoT Hub |
Table 9. Field Description for EST server configuration
| Field |
Description |
| new_intermediate_cert |
A boolean value (true or false) indicating whether to create
a new Intermediate Certificate. |
| mtls_ca_cert |
Path to the CA certificate (or a bundle of the intermediate and
root CA certificates) that issued the EST client's certificate.
The server uses it to validate the client certificate presented
during the Mutual TLS (mTLS) handshake. |
| pkcs11_library |
Path to the PKCS#11 shared library (.so file) used for
Hardware Security Module (HSM) or Trusted Platform Module (TPM)
integration. |
| pkcs11_library_pin |
The PIN used to authenticate to the PKCS#11 library (HSM/TPM).
This value is a credential; restrict read permissions on the
configuration file accordingly. |
| port |
The port number on which the EST (Enrollment over Secure
Transport) client listens. |
| intermediate_private_key_label_in_pkcs11 |
The label of the private key stored inside the PKCS#11 module
(HSM/TPM) for the intermediate Certificate. |
| intermediate_cert_path |
Path to an existing intermediate certificate, which can be used
to issue certificates without fetching a new one from AppViewX.
To use this option, provide
intermediate_private_key_label_in_pkcs11 and set
new_intermediate_cert to false. |
| Each end_certificate_config_N block (end_certificate_config_1,
end_certificate_config_2, ... in the sample) defines the parameters
for generating an end certificate, including validity, key usage,
and extended key usage (EKU). |
Table 10. Field Description for Endpoint Configuration
| Field |
Description |
| end_point_name |
Name of the endpoint receiving the certificate. |
| validity_in_days |
Number of days the certificate will remain valid. |
| extended_key_usage_list |
A list of OID strings representing extended key usages (EKU),
for example 1.3.6.1.5.5.7.3.1 (TLS Web Server Authentication)
and 1.3.6.1.5.5.7.3.2 (TLS Web Client Authentication). |
| key_usage |
Boolean flags that select the certificate's key usages (set
each to true or false as required):
- digital_signature: Allows the key to be used for digital
signatures (e.g., entity authentication, data integrity).
- non_repudiation: Allows the key to be used for content
commitment (non-repudiation) signatures.
- key_encipherment: Enables encryption of keys.
- data_encipherment: Enables direct encryption of user data.
- key_agreement: Supports key exchange protocols.
- key_cert_sign: Allows the certificate to sign other
certificates; it should be set only on a certificate that is
also marked as a CA (is_ca).
- crl_sign: Allows the certificate to sign Certificate
Revocation Lists (CRLs).
- encipher_only: Restricts key agreement usage to encryption
only (meaningful only when key_agreement is true).
- decipher_only: Restricts key agreement usage to decryption
only (meaningful only when key_agreement is true).
|