Create Template
This API creates a certificate template for AppViewX Native PKI.
Before you begin
- Refer to Prerequisites in the PKI User Guide.
Request Structure
| Field | Value |
|---|---|
| Endpoint: | v1/pki/ca/template/create |
| Type: | POST |
| Sample URL: | The elements of the sample URL are described under References below. |
| Headers: | |
| Content-Type: | application/json |
| Name | Description |
|---|---|
| sessionId | (Mandatory) Session Id received after login. Type: String. Constraint: Required if username and password are not provided. |
| username | (Mandatory) AppViewX login username. Type: String. Constraint: Required if sessionId is not provided. |
| password | (Mandatory) AppViewX login password. Type: String. Constraint: Required if sessionId is not provided. |
Payload
| Name | Description |
|---|---|
| name | (Mandatory) Name of the certificate template. Type: String |
| description | Description of the template. Type: String |
| category | (Mandatory) Template category, for example `End Entity`. Type: String |
| validityOffsetUnitType | Validity offset unit, for example `MINUTES`, `HOURS`, `DAYS`. Type: String |
| validityOffsetUnitValue | Validity offset value. Type: String |
| allowTemplateValidity | Whether template-defined validity is allowed. Type: Boolean |
| noRevAvail | Indicates that no revocation information is available for certificates issued from this template. Type: Boolean |
CSR Override Options
| Name | Description |
|---|---|
| allowCSRSubject | Allow the subject to be taken from the CSR. Type: boolean |
| allowCSRSubjectAltName | Allow the SAN to be taken from the CSR. Type: boolean |
| allowCSRBasicConstraints | Allow basic constraints to be taken from the CSR. Type: boolean |
| allowCSRKeyUsage | Allow key usage to be taken from the CSR. Type: boolean |
| allowCSRExtendedKeyUsage | Allow extended key usage to be taken from the CSR. Type: boolean |
| allowCSRCertificatePolicy | Allow the certificate policy to be taken from the CSR. Type: boolean |
| allowCSRValidationURLs | Allow validation URLs to be taken from the CSR. Type: boolean |
Key Usage Configuration
| Name | Description |
|---|---|
| digitalSignature | Enable digital signature Type: boolean |
| contentCommitment | Enable non-repudiation Type: boolean |
| keyEncipherment | Enable key encipherment Type: boolean |
| dataEncipherment | Enable data encipherment Type: boolean |
| keyAgreement | Enable key agreement Type: boolean |
| certSign | Enable certificate signing Type: boolean |
| crlSign | Enable CRL signing Type: boolean |
| encipherOnly | Enable encipher-only Type: boolean |
| decipherOnly | Enable decipher-only Type: boolean |
| restrictUnsupportedKeyUsage | Restrict unsupported key usage for signature-only algorithms. Type: boolean. Default value: false |
Extended Key Usage Configuration (extendedKeyUsage)
| Name | Description |
|---|---|
| anyExtendedKeyUsage | Allow any extended key usage Type: boolean |
| serverAuth | TLS server authentication Type: boolean |
| clientAuth | TLS client authentication Type: boolean |
| codeSigning | Code signing Type: boolean |
| emailProtection | Email protection Type: boolean |
| timeStamping | Time stamping Type: boolean |
| ocspSigning | OCSP signing Type: boolean |
| ipsecEndSystem | IPSec end system Type: boolean |
| ipsecTunnel | IPSec tunnel Type: boolean |
| ipsecUser | IPSec user Type: boolean |
| dvcs | DVCS Type: boolean |
Custom Extended Key Usage
| Name | Description |
|---|---|
| customExtendedKeyUsageExtensionsEnabled | Enable custom EKUs Type: boolean |
| customExtendedKeyUsageExtensionsList | List of custom EKU OIDs Type: array |
CA Options (caOptions)
| Name | Description |
|---|---|
| isCA | Indicates whether the certificate is a CA. Type: boolean |
| critical | Whether the CA (basic constraints) extension is critical. Type: boolean |
| maxIssuerPathLength | Maximum issuer path length (`NONE` or numeric). Type: string |
Authority and Subject Key Identifiers (authorityAndSubjectKey)
| Name | Description |
|---|---|
| allowAuthorityKeyId | Enable Authority Key Identifier Type: boolean |
| inheritAuthorityKeyIdFromCA | Inherit AKI from CA Type: boolean |
| allowSubjectKeyId | Enable Subject Key Identifier Type: boolean |
| subjectKeyHashBit | Hash size for Subject Key ID Type: string |
Additional Custom Extensions (additionalExtensions)
| Name | Description |
|---|---|
| additionalCustomExtensionEnabled | Enable additional extensions Type: boolean |
| oid | Extension OID Type: string |
| name | Extension name Type: string |
| critical | Whether extension is critical Type: boolean |
| extnValue | Extension value Type: string |
| allowCSRCustomExtensions | Allow CSR-defined extensions Type: boolean |
| allowBase64EncodedInput | Allow Base64 encoded values Type: boolean |
Certificate Policy (templateCertificatePolicy)
| Name | Description |
|---|---|
| certificatePolicyEnabled | Enable certificate policies Type: boolean |
| critical | Mark policy as critical Type: boolean |
| inheritFromCa | Inherit policies from CA Type: boolean |
| customEnabled | Enable custom policies Type: boolean |
| certificatePolicyOidList | List of policy OIDs and qualifiers Type: array |
Subject Alternative Name (subjectAltName and sanFieldDescriptorList)
| Name | Description |
|---|---|
| subjectAltName.critical | Mark the SAN extension as critical. Type: boolean |
| sanFieldname | SAN type, for example `DNS_NAME`, `IP_ADDRESS`. Type: string |
| encodeType | Encoding type, for example `DERIA5STRING`, `DEROCTETSTRING`. Type: string |
CRL Distribution Point Configuration (crlConfig)
| Name | Description |
|---|---|
| enableCrlDp | Enable CRL distribution points Type: boolean |
| enableCaDefinedCrlDp | Use CA-defined CRL DP Type: boolean |
| enableCustomCrlDp | Enable custom CRL DP Type: boolean |
| customCrlDp | List of custom CRL URLs Type: array |
Authority Information Access Configuration (aiaConfig)
| Name | Description |
|---|---|
| enableOcspDp | Enable OCSP distribution point Type: boolean |
| downloadIssuerCertificate | Allow issuer certificate download Type: boolean |
| enableCaDefinedOcspLink | Use CA-defined OCSP link Type: boolean |
| enableCustomDefinedOcspLink | Use custom OCSP link Type: boolean |
| customDefinedOcspLink | List of custom OCSP URLs Type: array |
Response Structure
The response is a string of type application/json with the following body parameters:
| Name | Description |
|---|---|
| response | Indicates the status of the API operation. |
| message | Success message - PKIaaS CA configuration added successfully. Type: String |
| appStatusCode | Application-specific status code for the response. It is a non-null value for a failure response. Type: String |
| tags | Additional information in case of a failure response. |
Status Codes
| HTTP Code | appStatusCode | Response Message |
|---|---|---|
| 201 Created | null | Template <name> created successfully. |
| 401 Unauthorized | AVX_GW_003 | Authentication failed, reason - Invalid Credentials. Remediation: Ensure that a valid username and password or a valid sessionId is provided as header parameters. |
| 400 Bad Request | VALIDATION_ERROR_0004 | Mandatory Field 'name' is missing or empty. Remediation: Enter all fields that are mandatory. |
| 409 Conflict | TEMPLATE_ALREADY_EXISTS | Occurs when the given template name already exists. Remediation: Provide a unique template name. |
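Putting the header, payload and status-code tables together, the following Python client is an added example and not AppViewX's own code. It builds the authentication headers under the documented sessionId/username constraint, assembles a minimal end-entity payload from the documented fields, runs a few local sanity checks before anything is sent, and maps the documented HTTP status codes to an outcome. The base URL layout `https://<IP>:<GWPORT>/avxapi/` (assembled from the References section) and the assumption that optional payload fields may be omitted are mine, not stated on this page; the key-usage checks are local policy derived from RFC 5280 semantics, not AppViewX-side validation.

```python
# Added example: build, sanity-check and send a Create Template request.
# Not AppViewX code; the base URL layout and the omission of optional
# payload fields are assumptions, and the key-usage checks are local policy.
import json
import urllib.error
import urllib.request

ENDPOINT = "v1/pki/ca/template/create"

# Outcomes documented in the Status Codes table, keyed by HTTP status.
DOCUMENTED_STATUS = {
    201: "created",
    400: "validation error",
    401: "authentication failed",
    409: "template already exists",
}


def build_auth_headers(session_id=None, username=None, password=None):
    """Apply the header constraint: sessionId, or username and password
    when no sessionId is supplied. Raises when neither form is complete."""
    headers = {"Content-Type": "application/json"}
    if session_id:
        headers["sessionId"] = session_id
    elif username and password:
        headers["username"] = username
        headers["password"] = password
    else:
        raise ValueError("provide sessionId, or both username and password")
    return headers


def check_template(payload):
    """Return problems found before the payload leaves the client.
    Mandatory fields follow the Payload table; the remaining checks are
    local policy (RFC 5280 key-usage semantics), not AppViewX validation."""
    problems = []
    for field in ("name", "category"):
        if not payload.get(field):
            problems.append(f"Mandatory Field '{field}' is missing or empty")
    base = payload.get("keyUsages", {}).get("baseKeyUsage", {})
    is_ca = payload.get("caOptions", {}).get("isCA", False)
    # certSign/crlSign on an end-entity template would let leaf certificates act as issuers.
    if not is_ca and (base.get("certSign") or base.get("crlSign")):
        problems.append("certSign/crlSign set on a template with isCA=false")
    # encipherOnly/decipherOnly are only defined together with keyAgreement.
    if (base.get("encipherOnly") or base.get("decipherOnly")) and not base.get("keyAgreement"):
        problems.append("encipherOnly/decipherOnly without keyAgreement")
    # Letting the CSR override key usage on a CA template hands issuance policy to the requester.
    if is_ca and payload.get("allowCSRKeyUsage"):
        problems.append("allowCSRKeyUsage=true on a CA template")
    return problems


def end_entity_template(name, san_types=("DNS_NAME",), validity_minutes="10"):
    """Minimal TLS server template using only fields from the Payload tables.
    Assumes fields not listed here may be omitted and take server defaults."""
    encodings = {"DNS_NAME": "DERIA5STRING", "IP_ADDRESS": "DEROCTETSTRING"}
    return {
        "name": name,
        "description": "",
        "category": "End Entity",
        "validityOffsetUnitType": "MINUTES",
        "validityOffsetUnitValue": validity_minutes,
        "allowTemplateValidity": False,
        "noRevAvail": False,
        # Keep CSR-supplied content out of the issued certificate by default.
        "allowCSRSubject": False,
        "allowCSRSubjectAltName": False,
        "allowCSRBasicConstraints": False,
        "allowCSRKeyUsage": False,
        "allowCSRExtendedKeyUsage": False,
        "allowCSRCertificatePolicy": False,
        "allowCSRValidationURLs": False,
        "keyUsages": {
            "baseKeyUsage": {"digitalSignature": True, "keyEncipherment": True},
            "keyUsageCritical": True,
            "restrictUnsupportedKeyUsage": False,
            "extendedKeyUsage": {"serverAuth": True},
            "extendedKeyUsageCritical": True,
        },
        "caOptions": {"isCA": False, "critical": True, "maxIssuerPathLength": "NONE"},
        "subjectAltName": {"critical": False},
        "sanFieldDescriptorList": [
            {"sanFieldname": t, "encodeType": encodings[t]} for t in san_types
        ],
    }


def interpret_response(status, body):
    """Map an HTTP status and decoded JSON body to the documented outcome."""
    return {
        "ok": status == 201,
        "outcome": DOCUMENTED_STATUS.get(status, "undocumented status"),
        "appStatusCode": body.get("appStatusCode"),
        "message": body.get("message"),
    }


def create_template(base_url, headers, payload, timeout=30):
    """POST the template. A base_url such as https://<IP>:<GWPORT>/avxapi/
    is an assumption built from the References section, not a documented value."""
    problems = check_template(payload)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        base_url.rstrip("/") + "/" + ENDPOINT,
        data=json.dumps(payload).encode("utf-8"),
        headers=headers,
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        try:
            body = json.load(err)  # error responses carry the documented JSON body
        except ValueError:
            body = {"message": err.reason}
        return interpret_response(err.code, body)
```

A call such as `create_template("https://<IP>:<GWPORT>/avxapi/", build_auth_headers(session_id="<sessionId>"), end_entity_template("testTemplate"))` returns a dictionary whose `ok` field is true only on 201 Created; on 400, 401 or 409 the documented appStatusCode and message are passed through unchanged so that the caller can apply the remediation from the Status Codes table. The pre-send checks exist because the CSR override flags and the key-usage bits decide how much of the issued certificate the requester controls, which is worth catching before a template reaches the CA.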
Sample Request/Response
Request:
```json
{
  "name": "testTemplate",
  "description": "",
  "category": "End Entity",
  "validityOffsetUnitType": "MINUTES",
  "validityOffsetUnitValue": "10",
  "allowTemplateValidity": false,
  "noRevAvail": true,
  "allowCSRSubject": false,
  "allowCSRSubjectAltName": false,
  "allowCSRBasicConstraints": false,
  "allowCSRKeyUsage": false,
  "allowCSRExtendedKeyUsage": false,
  "allowCSRCertificatePolicy": false,
  "allowCSRValidationURLs": false,
  "keyUsages": {
    "baseKeyUsage": {
      "digitalSignature": true,
      "contentCommitment": true,
      "keyEncipherment": true,
      "dataEncipherment": true,
      "keyAgreement": true,
      "certSign": false,
      "crlSign": false,
      "encipherOnly": true,
      "decipherOnly": true
    },
    "keyUsageCritical": true,
    "restrictUnsupportedKeyUsage": false,
    "extendedKeyUsage": {
      "anyExtendedKeyUsage": true,
      "serverAuth": true,
      "clientAuth": true,
      "codeSigning": true,
      "emailProtection": true,
      "timeStamping": true,
      "ocspSigning": true,
      "ipsecEndSystem": true,
      "ipsecTunnel": false,
      "ipsecUser": false,
      "dvcs": false,
      "sbgpCertAAServerAuth": false,
      "scvp_responder": false,
      "eapOverPPP": false,
      "eapOverLAN": false,
      "scvpServer": false,
      "scvpClient": false,
      "ipsecIKE": false,
      "capwapAC": false,
      "capwapWTP": false,
      "smartcardlogon": false,
      "macAddress": false,
      "msSGC": false,
      "nsSGC": false,
      "encryptionFileSystem": false,
      "kdcAuthentication": false,
      "certificateRequestAgent": false,
      "fileRecovery": false
    },
    "extendedKeyUsageCritical": true,
    "customExtendedKeyUsageExtensionsEnabled": true,
    "customExtendedKeyUsageExtensionsList": [
      "1.2.3"
    ]
  },
  "caOptions": {
    "isCA": false,
    "critical": true,
    "maxIssuerPathLength": "NONE"
  },
  "authorityAndSubjectKey": {
    "allowAuthorityKeyId": true,
    "inheritAuthorityKeyIdFromCA": true,
    "allowSubjectKeyId": true,
    "subjectKeyHashBit": "160"
  },
  "additionalCustomExtensionEnabled": true,
  "additionalExtensions": [
    {
      "oid": "1.2.4",
      "name": "DERBITSTRING",
      "critical": true,
      "extnValue": "123456",
      "allowCSRCustomExtensions": false,
      "allowBase64EncodedInput": false
    }
  ],
  "templateCertificatePolicy": {
    "certificatePolicyEnabled": true,
    "critical": true,
    "inheritFromCa": true,
    "customEnabled": true,
    "certificatePolicyOidList": [
      {
        "oid": "1.7.8",
        "type": "User Notice Text",
        "value": "1234"
      },
      {
        "oid": "1.3.4",
        "type": "CPS URI",
        "value": "https://192.168.145.86:31443/avxapi/cps"
      },
      {
        "oid": "2.7.8",
        "type": "No Policy Qualifier",
        "value": "12345"
      }
    ]
  },
  "subjectAltName": {
    "critical": true
  },
  "sanFieldDescriptorList": [
    {
      "sanFieldname": "DNS_NAME",
      "encodeType": "DERIA5STRING"
    },
    {
      "sanFieldname": "IP_ADDRESS",
      "encodeType": "DEROCTETSTRING"
    }
  ],
  "crlConfig": {
    "enableCrlDp": false,
    "enableCaDefinedCrlDp": false,
    "enableCustomCrlDp": false,
    "customCrlDp": []
  },
  "aiaConfig": {
    "enableOcspDp": true,
    "downloadIssuerCertificate": true,
    "enableCaDefinedOcspLink": false,
    "enableCustomDefinedOcspLink": false,
    "customDefinedOcspLink": []
  }
}
```
Response:
```json
{
  "response": null,
  "message": "Template testTemplate created successfully",
  "appStatusCode": null,
  "tags": {},
  "headers": null
}
```
References
- IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
- IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication. The IP address is included in the endpoint URL for an on-prem deployment.
- HostName: A human-readable label assigned to a device (host) on a network. The hostname is included in the endpoint URL for an on-prem deployment.
- TenantName: An identifier label for a tenant, indicating which tenant's data the API request will access or modify. The tenant name is included in the endpoint URL for a SaaS deployment.
- GWPORT: AppViewX gateway port. A gateway port is the network port through which data is sent and received to communicate with the gateway in an on-prem deployment. Example: 31443
- avxapi: Static path parameter value that is part of the endpoint's URL.
- Endpoint: Endpoint of the API, for example: execute-hook
- gwsource: Source or origin of a gateway, for example: external.
