Push Certificates to Azure Application Gateway (Gateway Listener Profile | Choose from Key Vault)

This API pushes a certificate and its corresponding private key to a Microsoft Azure device running the Application Gateway service. In the flow documented on this page the certificate is stored in an Azure Key Vault and then applied to a Gateway Listener Profile of the application gateway.

Before You Begin

Before attempting to push a certificate to an Azure device with the application gateway service through AppViewX, ensure the following:
  • Azure devices with the application gateway service should be added in AppViewX.
  • The devices should be in Managed state.

Request Structure

Endpoint: /certificate/pushToDevice
Type: POST
Sample URL:
https://<IP/HostName/TenantName>:<GWPORT>/avxapi/certificate/pushToDevice?gwsource=external

To understand the elements of the sample URL, see "Understanding the sample URL" under References at the end of this page.

Headers
Content-Type: application/json
Authenticate with either the sessionId returned by the login API or the username and password headers. Prefer sessionId, so that the account password is not resent with every request; all three headers are protected only by the HTTPS connection to the gateway port.
Table 1. Request Parameters
Name Description
sessionId

Header

(Mandatory) Session ID received after login

Type: String

Constraints: Required if username and password are not provided.

username

Header

AppViewX login username

Type: String

Constraints: Required if sessionId is not provided.

password

Header

AppViewX login password

Type: String

Constraints: Required if sessionId is not provided.

Content-Type

Header

Specifies the nature of the data in the payload

Type: String

gwsource

Query

Source from which the request is triggered. (E.g. external)

Type: String

Payload

Body

Contains all the parameters to be sent in the request body for the post request

Type: Payload

Payload

Table 2. Payload
Name Description
generalInformation (Mandatory) General details related to the push operation

Type: generalInformation

certificateId (Mandatory) Unique identifier of the certificate to be pushed (AppViewX certificate ID, as used in the sample request)

Type: String
certificateDetails

(Mandatory) Details of the certificate to be pushed

Type: certificateDetails

pushDetails

(Mandatory) Details for certificate management after the push operation

Type: pushDetails

selectedProfiles (Mandatory) Profile keys of the services to which the certificate will be pushed and bound

Type: Array of String (one profile key per entry; see the sample request for the key format)

Table 3. generalInformation
Name Description
category (Mandatory) Device type of the target system to which the certificate will be pushed

Type: String

Possible value(s): Cloud

vendor (Mandatory) Cloud device vendor

Type: String

Possible value(s): Azure

serviceFilterSelection (Mandatory) Service type to which the certificate will be pushed

Type: String

Possible value(s): Application Gateway

profileFilterSelection Target profile that defines the details for integrating and pushing certificates to the target system

Type: String

Possible value(s): ::Listener

name Name given to the connector that will be created to push the certificate to the cloud device

Type: String

profileType (Mandatory) Type/category of the profile being used to determine how the certificate is managed after it is pushed

Type: String

Possible value(s): push and bind, push only. The sample request below uses "Push and Bind Profiles".

description Additional details about the certificate being pushed or the connector that pushes it

Type: String

Table 4. certificateDetails
Name Description
certificateType (Mandatory) Type of the certificate that is being pushed

Type: String

Possible value(s): Server, Client, Code signing. The sample request below uses "PKCS12-.p12", the format of the pushed file.

certificateFileName (Mandatory) Name of the certificate being pushed to the gateway

Type: String

isNewCertificate (Optional) Specify whether the certificate being pushed to the application gateway is a new certificate (true) or replaces an existing one (false)

Type: Boolean

Possible value(s): true, false

pushLocation (Mandatory) Endpoint to which the certificate will be pushed

Type: String

Possible value(s): Application Gateway, Key vault. For the Key Vault flow described on this page, the sample request uses "Key vault".

keyVaultSubscriptionId (Optional) Subscription ID of the key vault in which the certificate will be stored after it is pushed

Type: String

keyVaultName (Optional) Name of the key vault in which the certificate will be stored after it is pushed

Type: String

useExisting (Optional) Specify whether the certificate being pushed should replace an existing certificate of the same name in the key vault (true) or be stored as a new certificate (false)

Type: Boolean

Possible value(s): true, false

keyVaultCertificateName (Optional) Name assigned to the certificate after it is pushed to the key vault

Type: String

pushRootAndIntermediateCertificates (Optional) Push the root and intermediate certificates along with the end-entity certificate

Type: Boolean

Possible value(s): true, false
profileFilterSelection Specific profile type where the certificate will be applied

Type: String

Possible value(s): Gateway Listener Profile

certificateTags

(Optional) Key-value pairs that add further details about the certificate

Type: Object (may be empty, as in the sample request)

Table 5. pushDetails
Name Description
scriptLocation (Mandatory) Location of the script file.

Script files are commonly used to perform certain tasks required to be completed before and/or after a certificate is pushed to the target system.

Type: String

Possible Values: appviewx and device

preValidationScriptPath (Mandatory if scriptLocation is device) Location of the script that will be executed before the certificate is pushed to the target system

Type: String

postValidationScriptPath (Mandatory if scriptLocation is device) Location of the script that will be executed after the certificate is pushed to the target system

Type: String

pushAutomatically (Optional) Automatically push the certificate to the target system after it is renewed or reissued

Type: Boolean

Possible value(s): true, false

Response Structure

Table 6. Response Structure
Name Description
response Contains the response attributes for the push request

Type: response

message Success message of the action or failure description in case of error

Type: String

appStatusCode Application-specific status code for the response; null on success and non-null on failure

Type: String

tags Additional information in case of a failure response (an empty object on success)

Type: Object
Table 7. Response
Name Description
requestId Request ID of the push action created for the application connector

Type: String

connectorId ID of the application connector for pushing the certificate

Type: String

Status Codes

Table 8. Status Codes
HTTP Status code appStatusCode Message and Possible Remediation
202 Accepted NA 1 connector(s) saved and push operation has been triggered.
401 Unauthorized AVX_GW_003 Authentication failed, reason - Invalid Credentials

Possible remediation: Ensure that a valid username and password, or a valid sessionId, is provided as a header parameter.

400 Bad Request MANDATORY_FIELD_MISSING Mandatory field is missing or invalid - <<field name>>

Possible remediation: Check and ensure that valid value is provided for <<field name>> field in the request.

404 Not Found NO_RECORDS_FOUND No matching records found - certificate not found.

Possible remediation: Please provide correct value for the field certificateId.

400 Bad Request INVALID_REQUEST selectedProfiles are already available in the specified certificate.

Possible remediation: Please provide a different value for the field selectedProfiles.

417 Expectation failed CERT-APP-0016 Connector with profiles {} already exists.

Possible remediation: Profile connector already exists for the selected certificate. Please change the certificateId or delete the existing connector.

500 Internal Server Error avx-common-011 Error while processing

Sample Request/Response

Sample Request
{
  "generalInformation": {
    "category": "cloud",
    "vendor": "Azure",
    "serviceFilterSelection": "Application Gateway",
    "profileFilterSelection": "::Listener",
    "name": "Azure connector4",
    "description": "",
    "profileType": "Push and Bind Profiles"
  },
  "certificateDetails": {
    "certificateType": "PKCS12-.p12",
    "certificateFileName": "certagviakv.p12",
    "isNewCertificate": true,
    "pushLocation": "Key vault",
    "keyVaultSubscriptionId": "0c740e00-404f-44f7-807a-416d671de225",
    "keyVaultName": "multicloud-kv",
    "useExisting": false,
    "keyVaultCertificateName": "newkv10",
    "pushRootAndIntermediateCertificates": true,
    "profileFilterSelection": "Gateway Listener Profile",
    "certificateTags": {}
  },
  "pushDetails": {
    "scriptLocation": "appviewx",
    "preValidationScriptPath": "",
    "postValidationScriptPath": "",
    "pushAutomatically": false
  },
  "certificateId": "67a9a1535e121f50b46791d0",
  "selectedProfiles": [
    "Azure.All::e5f90d85-3cdf-457d-a611-1aca82b0843b::0c740e00-404f-44f7-807a-416d671de225::Microsoft.Network/applicationGateways::v2::eastus::multicloud::TestAG::Listener"
  ]
}
Sample Response
{
    "response": [
        {
            "requestId": "357",
            "connectorId": "1739492235630"
        }
    ],
    "message": "1 connector(s) saved and push operation has been triggered.",
    "appStatusCode": null,
    "tags": {},
    "headers": null
}
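The following Python client is an added example, not AppViewX code: it assembles the Table 2 payload for the Key Vault / Gateway Listener flow, checks the mandatory fields from Tables 2 to 5 before sending (so MANDATORY_FIELD_MISSING is caught client-side), posts with the sessionId header only, and maps the Table 8 status codes back to the documented remediation. The function names (build_push_payload, validate_payload, interpret_response, push_to_device) and the REMEDIATION table are this example's own; the field names, status codes and sample values are the ones on this page.

```python
import json
import urllib.error
import urllib.request

# Added example, not AppViewX code. All helper names are this example's own;
# field names, appStatusCodes and sample values are taken from this page.

# Mandatory fields per Tables 3-5 (section -> field names).
MANDATORY = {
    "generalInformation": ("category", "vendor", "serviceFilterSelection", "profileType"),
    "certificateDetails": ("certificateType", "certificateFileName", "pushLocation"),
    "pushDetails": ("scriptLocation",),
}

# appStatusCode -> remediation, condensed from Table 8.
REMEDIATION = {
    "AVX_GW_003": "Send a valid sessionId header (or valid username/password).",
    "MANDATORY_FIELD_MISSING": "Supply a valid value for the field named in the message.",
    "NO_RECORDS_FOUND": "No certificate matched certificateId; check the value.",
    "INVALID_REQUEST": "selectedProfiles are already bound to this certificate; choose different profiles.",
    "CERT-APP-0016": "A connector for these profiles exists; change certificateId or delete the connector.",
    "avx-common-011": "Server-side error while processing; retry and check the AppViewX logs.",
}


def build_push_payload(certificate_id, profile_key, subscription_id, key_vault_name,
                       key_vault_certificate_name, certificate_file_name,
                       connector_name, push_automatically=False):
    """Assemble the Table 2 payload, mirroring the sample request on this page."""
    return {
        "generalInformation": {
            "category": "cloud",
            "vendor": "Azure",
            "serviceFilterSelection": "Application Gateway",
            "profileFilterSelection": "::Listener",
            "name": connector_name,
            "description": "",
            "profileType": "Push and Bind Profiles",
        },
        "certificateDetails": {
            "certificateType": "PKCS12-.p12",
            "certificateFileName": certificate_file_name,
            "isNewCertificate": True,
            "pushLocation": "Key vault",
            "keyVaultSubscriptionId": subscription_id,
            "keyVaultName": key_vault_name,
            "useExisting": False,
            "keyVaultCertificateName": key_vault_certificate_name,
            "pushRootAndIntermediateCertificates": True,
            "profileFilterSelection": "Gateway Listener Profile",
            "certificateTags": {},
        },
        "pushDetails": {
            "scriptLocation": "appviewx",
            "preValidationScriptPath": "",
            "postValidationScriptPath": "",
            "pushAutomatically": push_automatically,
        },
        "certificateId": certificate_id,
        "selectedProfiles": [profile_key],
    }


def validate_payload(payload):
    """Return the list of missing fields; empty means the Tables 2-5 checks pass."""
    problems = []
    for section, fields in MANDATORY.items():
        body = payload.get(section) or {}
        problems += [section + "." + field for field in fields if not body.get(field)]
    if not payload.get("certificateId"):
        problems.append("certificateId")
    profiles = payload.get("selectedProfiles")
    if not isinstance(profiles, list) or not profiles:
        problems.append("selectedProfiles")
    # Script paths are mandatory only when the scripts live on the device (Table 5).
    push = payload.get("pushDetails") or {}
    if push.get("scriptLocation") == "device":
        problems += ["pushDetails." + field for field in
                     ("preValidationScriptPath", "postValidationScriptPath") if not push.get(field)]
    return problems


def interpret_response(http_status, body):
    """Map HTTP status plus JSON body (Tables 6-8) to a small result dict."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if http_status == 202:
        first = (data.get("response") or [{}])[0]
        return {"ok": True, "requestId": first.get("requestId"),
                "connectorId": first.get("connectorId"), "hint": None}
    code = data.get("appStatusCode")
    return {"ok": False, "requestId": None, "connectorId": None,
            "hint": REMEDIATION.get(code, data.get("message") or "HTTP %d" % http_status)}


def push_to_device(base_url, session_id, payload):
    """POST to /avxapi/certificate/pushToDevice with only the sessionId header,
    so the account password is never resent. base_url is
    https://<IP/HostName/TenantName>:<GWPORT> from the sample URL."""
    problems = validate_payload(payload)
    if problems:
        raise ValueError("mandatory field missing: " + ", ".join(problems))
    req = urllib.request.Request(
        base_url + "/avxapi/certificate/pushToDevice?gwsource=external",
        data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "sessionId": session_id})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx bodies use the same JSON shape
        return interpret_response(err.code, err.read())
```

Call push_to_device(base_url, session_id, build_push_payload(...)) with the values from the sample request; a 202 yields the requestId and connectorId from Table 7, and any documented failure comes back with its remediation text instead of raising. Note that the request carries no key material itself: it references the certificate by certificateId, and AppViewX performs the push of the certificate and private key to Azure.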

References

Understanding the sample URL
  • IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
    • IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication

      The IP address will be included in the endpoint URL for an on-prem deployment.

    • HostName: A human-readable label assigned to a device (host) on a network

      The hostname will be included in the endpoint URL for an on-prem deployment.

    • TenantName: An identifier label for a tenant given to indicate which tenant's data the API request will access/modify

      The tenant name will be included in the endpoint URL for a SaaS deployment.

  • GWPORT: AppViewX gateway port

    A gateway port refers to a network port through which data is sent and received to communicate with a gateway in an on-prem deployment.

    Example: 31443

  • avxapi: Path parameter value (static) that is part of the endpoint's URL
  • Endpoint: Endpoint of the API, for this page: certificate/pushToDevice
  • gwsource: Source from which the request is triggered, for example: external.