Push Certificates to Azure Key Vault (Secrets Location)

This API pushes a certificate and its corresponding private key to a Microsoft Azure device with the Key Vault service, storing it in the vault's Secrets location.

Before You Begin

Before attempting to push a certificate to an Azure device with the Key Vault service through AppViewX, ensure the following:
  • Azure devices with the key vault service should be added in AppViewX.
  • The devices should be in Managed state.

Request Structure

Endpoint: /certificate/pushToDevice
Type: POST
Sample URL:
https://<IP/HostName/TenantName>:<GWPORT>/avxapi/certificate/pushToDevice?gwsource=external

To understand the elements of the sample URL, see "Understanding the sample URL" under References below.

Headers
Content-Type: application/json
Table 1. Request Parameters

sessionId (Header)
  (Mandatory) Session ID received after login
  Type: String
  Constraints: Required if username and password are not provided.

username (Header)
  AppViewX login username
  Type: String
  Constraints: Required if sessionId is not provided.

password (Header)
  AppViewX login password
  Type: String
  Constraints: Required if sessionId is not provided.

Content-Type (Header)
  Specifies the nature of the data in the payload
  Type: String

gwsource (Query)
  Source from which the request is triggered (e.g. external)
  Type: String

Payload (Body)
  Contains all the parameters to be sent in the request body for the POST request
  Type: Payload

Payload

Table 2. Payload

generalInformation
  (Mandatory) General details related to the push operation
  Type: generalInformation

certificateId
  (Mandatory) Unique identifier of the certificate to be pushed

certificateDetails
  (Mandatory) Details of the certificate to be pushed
  Type: certificateDetails

pushDetails
  (Mandatory) Details for certificate management after the push operation
  Type: pushDetails

selectedProfiles
  (Mandatory) Profile identifiers of the Key Vault services to which the certificate is pushed/bound (an array of strings in the sample request)
  Type: String

Table 3. generalInformation

category
  (Mandatory) Device type of the target system to which the certificate will be pushed
  Type: String
  Possible value(s): Cloud

vendor
  (Mandatory) Cloud device vendor
  Type: String
  Possible value(s): Azure

serviceFilterSelection
  (Mandatory) Service type to which the certificate will be pushed
  Type: String
  Possible value(s): Key vault

name
  Name given to the connector that will be created to push the certificate to the cloud device
  Type: String

profileType
  (Mandatory) Type/category of the profile, which determines how the certificate is managed after it is pushed
  Type: String
  Possible value(s): push and bind, push only

description
  Additional details about the certificate being pushed or the connector that pushes it
  Type: String

Table 4. certificateDetails

certificateType
  (Mandatory) Type of the certificate that is being pushed
  Type: String
  Possible value(s): Server, Client, Code signing

certificateFileName
  (Mandatory) Name of the certificate being pushed
  Type: String

certificateLocation
  (Optional) Key vault location where the certificate will be stored
  Type: String
  Possible value(s): secrets

secretCertificateEnabled
  (Optional) Enable the certificate (secret) after it is pushed to the target system
  Type: Boolean
  Possible value(s): true, false

setActivationDate
  (Optional) Specify whether an activation date has to be set for the certificate being pushed
  Type: Boolean
  Possible value(s): true, false

secretCertificateActivationDate
  (Mandatory if setActivationDate = true) Activation date of the certificate
  Type: Long

activationTimezone
  (Mandatory if setActivationDate = true) Time zone of the activation date of the certificate
  Type: String

setExpirationDate
  (Optional) Specify whether an expiration date has to be set for the certificate being pushed
  Type: Boolean
  Possible value(s): true, false

secretCertificateExpiry
  (Mandatory if setExpirationDate = true) Expiration date of the certificate
  Type: Long

expirationTimezone
  (Mandatory if setExpirationDate = true) Time zone of the expiration date of the certificate
  Type: String

pushRootAndIntermediateCertificates
  (Optional) Push the root and intermediate certificates along with the end-entity certificate
  Type: Boolean
  Possible value(s):
    • 1: Yes
    • 0: No

certificateTags
  (Optional) Key-value pair attributes that add further details about the certificate
  Type: String

Table 5. pushDetails

scriptLocation
  (Mandatory) Location of the script file.
  Script files are commonly used to perform tasks that must be completed before and/or after a certificate is pushed to the target system.
  Type: String
  Possible value(s): appviewx, device

preValidationScriptPath
  (Mandatory if scriptLocation = device) Location of the script that will be executed before the certificate is pushed to the target system
  Type: String

postValidationScriptPath
  (Mandatory if scriptLocation = device) Location of the script that will be executed after the certificate is pushed to the target system
  Type: String

pushAutomatically
  Automatically push the certificate to the target system after it is renewed or reissued
  Type: Boolean
  Possible value(s):
    • 1: Yes
    • 0: No
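
As an added example (not AppViewX's own client code), the following Python assembles the payload described in Tables 2 to 5, checks the conditional-mandatory rules before the private key leaves the host, and posts it with a sessionId header instead of re-sending the login username and password on every call. The host, gateway port, profile string and certificate ID are placeholders, and the Long date fields are assumed to be epoch milliseconds, as the sample request's values suggest.

```python
import json
from urllib import request

HOST, GWPORT = "appviewx.example.internal", 31443  # constructed placeholders
URL = f"https://{HOST}:{GWPORT}/avxapi/certificate/pushToDevice?gwsource=external"

def build_payload(certificate_id, profile, file_name, activation_ms=None, expiry_ms=None):
    """Assemble the Table 2-5 structure; the Long date fields are assumed to be epoch ms."""
    details = {
        "certificateType": "Server", "certificateFileName": file_name,
        "certificateLocation": "secrets", "secretCertificateEnabled": True,
        "setActivationDate": activation_ms is not None, "activationTimezone": "GMT",
        "secretCertificateActivationDate": activation_ms, "expirationTimezone": "GMT",
        "setExpirationDate": expiry_ms is not None, "secretCertificateExpiry": expiry_ms,
        "pushRootAndIntermediateCertificates": True, "certificateTags": {},
    }
    return {
        "generalInformation": {"category": "Cloud", "vendor": "Azure",
                               "serviceFilterSelection": "Key vault", "description": "",
                               "name": "Azure kv connector", "profileType": "push and bind"},
        # Unset dates are dropped rather than sent as null.
        "certificateDetails": {k: v for k, v in details.items() if v is not None},
        "pushDetails": {"scriptLocation": "appviewx", "preValidationScriptPath": "",
                        "postValidationScriptPath": "", "pushAutomatically": False},
        "certificateId": certificate_id, "selectedProfiles": [profile],
    }

def validate_payload(p):
    """Return the conditional-mandatory violations from Tables 4 and 5 (empty list = OK)."""
    cd, pd = p["certificateDetails"], p["pushDetails"]
    rules = [  # (flag that makes the fields mandatory, the fields, the object holding them)
        (cd.get("setActivationDate"), ("secretCertificateActivationDate", "activationTimezone"), cd),
        (cd.get("setExpirationDate"), ("secretCertificateExpiry", "expirationTimezone"), cd),
        (pd.get("scriptLocation") == "device", ("preValidationScriptPath", "postValidationScriptPath"), pd),
    ]
    errors = [f"{f} is mandatory here" for on, fields, obj in rules if on for f in fields if not obj.get(f)]
    start, end = cd.get("secretCertificateActivationDate"), cd.get("secretCertificateExpiry")
    if start is not None and end is not None and end <= start:
        errors.append("secretCertificateExpiry must be later than secretCertificateActivationDate")
    if not p.get("selectedProfiles"):
        errors.append("selectedProfiles must list at least one Key Vault profile")
    return errors

def push(session_id, payload):
    """Validate, then POST with the sessionId header (Table 1); success is 202 Accepted (Table 8)."""
    if errors := validate_payload(payload):
        raise ValueError("; ".join(errors))
    req = request.Request(URL, data=json.dumps(payload).encode(), method="POST",
                          headers={"Content-Type": "application/json", "sessionId": session_id})
    with request.urlopen(req) as resp:  # raises HTTPError for the 4xx/5xx rows of Table 8
        return json.load(resp)
```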

Response Structure

Table 6. Response Structure

response
  Contains the response attributes for the push request
  Type: response

message
  Success message of the action, or failure description in case of error
  Type: String

appStatusCode
  Application-specific status code for the response. Non-null for a failure response.
  Type: String

tags
  More information in case of a failure response

Table 7. Response

requestId
  Request ID of the push action for the application connector
  Type: String

connectorId
  ID of the application connector created to push the certificate
  Type: String

Status Codes

Table 8. Status Codes

202 Accepted
  appStatusCode: NA
  Message: 1 connector(s) saved and push operation has been triggered.

401 Unauthorized
  appStatusCode: AVX_GW_003
  Message: Authentication failed, reason - Invalid Credentials
  Possible remediation: Ensure that a valid username and password, or a valid sessionId, is provided as a header parameter.

400 Bad Request
  appStatusCode: MANDATORY_FIELD_MISSING
  Message: Mandatory field is missing or invalid - <<field name>>
  Possible remediation: Check and ensure that a valid value is provided for the <<field name>> field in the request.

404 Not Found
  appStatusCode: NO_RECORDS_FOUND
  Message: No matching records found - certificate not found.
  Possible remediation: Provide the correct value for the certificateId field.

400 Bad Request
  appStatusCode: INVALID_REQUEST
  Message: selectedProfiles are already available in the specified certificate.
  Possible remediation: Provide a different value for the selectedProfiles field.

417 Expectation Failed
  appStatusCode: CERT-APP-0016
  Message: Connector with profiles {} already exists.
  Possible remediation: A profile connector already exists for the selected certificate. Change the certificateId or delete the existing connector.

500 Internal Server Error
  appStatusCode: avx-common-011
  Message: Error while processing

Sample Request/Response

Sample Request
{
  "generalInformation": {
    "category": "cloud",
    "vendor": "Azure",
    "serviceFilterSelection": "Key vault",
    "name": "Azure connector2",
    "description": "",
    "profileType": "Push and Bind Profiles"
  },
  "certificateDetails": {
    "certificateType": "PKCS12-.p12",
    "certificateFileName": "kv10sec.p12",
    "certificateLocation": "secrets",
    "secretCertificateEnabled": true,
    "setActivationDate": true,
    "secretCertificateActivationDate": 1739190546000,
    "activationTimezone": "GMT",
    "setExpirationDate": true,
    "secretCertificateExpiry": 1740745746000,
    "expirationTimezone": "GMT",
    "pushRootAndIntermediateCertificates": true,
    "certificateTags": {}
  },
  "pushDetails": {
    "scriptLocation": "appviewx",
    "preValidationScriptPath": "",
    "postValidationScriptPath": "",
    "pushAutomatically": false
  },
  "certificateId": "67a9a1535e121f50b46791d0",
  "selectedProfiles": [
    "Azure.All::e5f90d85-3cdf-457d-a611-1aca82b0843b::0c740e00-404f-44f7-807a-416d671de225::Microsoft.KeyVault/vaults::eastus::multicloud::multicloud-kv"
  ]
}

Sample Response
{
  "response": [
    {
      "requestId": "354",
      "connectorId": "1739342741168"
    }
  ],
  "message": "1 connector(s) saved and push operation has been triggered.",
  "appStatusCode": null,
  "tags": {},
  "headers": null
}

References

Understanding the sample URL
  • IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
    • IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication

      The IP address will be included in the endpoint URL for an on-prem deployment.

    • HostName: A human-readable label assigned to a device (host) on a network

      The hostname will be included in the endpoint URL for an on-prem deployment.

    • TenantName: An identifier label for a tenant given to indicate which tenant's data the API request will access/modify

      The tenant name will be included in the endpoint URL for a SaaS deployment.

  • GWPORT: AppViewX gateway port

    A gateway port refers to a network port through which data is sent and received to communicate with a gateway in an on-prem deployment.

    Example: 31443

  • avxapi: Static path segment that is part of every endpoint URL
  • Endpoint: Endpoint of the API, for example execute-hook (for this API, certificate/pushToDevice)
  • gwsource: Source or origin of the request sent to the gateway, for example external