Compartir a través de

监视和管理证书创建

适用于:Azure

本文中概述的方案/操作包括:

  • 通过支持的颁发者请求 KV 证书
  • 获取挂起的请求 - 请求状态为“正在进行”
  • 获取挂起的请求 - 请求状态为“已完成”
  • 获取挂起的请求 - 挂起的请求状态为“已取消”或“已失败”
  • 获取挂起的请求 - 挂起的请求状态为“已删除”或“已覆盖”
  • 在挂起的请求存在时创建(或导入)- 状态为“正在进行”
  • 使用颁发者(例如 DigiCert)创建挂起的请求时进行合并
  • 当挂起的请求状态为“正在进行”时请求取消
  • 删除挂起的请求对象
  • 手动创建 KV 证书
  • 创建挂起的请求时进行合并 - 手动创建证书

通过支持的颁发者请求 KV 证书

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

以下示例要求在密钥保管库中已经有名称为“mydigicert”且颁发者提供者为 DigiCert 的对象。 证书颁发者是 Azure Key Vault (KV) 中表示为 CertificateIssuer 资源的实体。 它用于提供有关 KV 证书来源的信息,例如颁发者名称、提供者、凭据和其他管理详细信息。

请求

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert",
      "cty": "OV-SSL",
    }
  }
}

响应

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "mydigicert"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "InProgress",
  "status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

获取挂起的请求 - 请求状态为“正在进行”

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

注意

如果在查询中指定 request_id,则它充当筛选器。 如果 request_id 在查询中和在挂起对象中不同,则会返回 Http 状态代码 404。

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

获取挂起的请求 - 请求状态为“已完成”

请求

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "completed",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "target": "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
}

获取挂起的请求 - 挂起的请求状态为“已取消”或“已失败”

请求

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "failed",
  "status_details": "",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "error": {
    "code": "<errorcode>",
    "message": "<message>"
  }
}

注意

errorcode 的值可以是“证书颁发者错误”或“请求被拒绝”,具体取决于是颁发者错误还是用户错误。

获取挂起的请求 - 挂起的请求状态为“已删除”或“已覆盖”

当挂起对象的状态不是 inProgress 时,创建/导入操作可以删除或覆盖该对象。

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 404, ReasonPhrase: 'Not Found'
{
  "error": {
    "code": "PendingCertificateNotFound",
    "message": "…"
  }
}

在挂起的请求存在时创建(或导入)- 状态为“正在进行”

挂起的对象有四个可能的状态:“正在进行”、“已取消”、“已失败”或“已完成”。

当挂起请求的状态为“正在进行”时,创建(和导入)操作会失败,并返回 Http 状态代码“409 (冲突)”。

若要消除冲突,请执行以下操作:

  • 如果证书是手动创建的,可以通过执行合并操作来完成 KV 证书,也可以对挂起的对象执行删除操作。

  • 如果证书是通过颁发者创建的,则可以等待,直到证书完成、失败或取消。 也可以删除挂起的对象。

注意

删除挂起的对象可能会(也可能不会)取消向提供者发出的 x509 证书请求。

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

请求

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert"
    }
  }
}

响应

StatusCode: 409, ReasonPhrase: 'Conflict'
{
  "error": {
    "code": "Forbidden",
    "message": "A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."
  }
}

使用颁发者创建挂起的请求时进行合并

如果挂起的对象是使用颁发者创建的,则不允许合并,但当其状态为 inProgress 时,允许合并。

如果创建 x509 证书的请求因某种原因而失败或取消,并且 x509 证书可以通过带外方式进行检索,则可以通过合并操作来完成 KV 证书。

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

请求

{
  "x5c": [ "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8=" ]
}

响应

StatusCode: 403, ReasonPhrase: 'Forbidden'
{
  "error": {
    "code": "Forbidden",
    "message": "Merge is forbidden on pending object created with issuer : <issuer-name> while it is in progess."
  }
}

当挂起的请求状态为“正在进行”时请求取消

取消操作只能通过请求来进行。 请求可能取消,也可能不取消。 如果请求的状态不是“正在进行”,则会返回 Http 状态“400 (请求无效)”。

方法 请求 URI
PATCH https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

{
  "cancellation_requested": true
}

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": true,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

删除挂起的请求对象

注意

删除挂起的对象可能会(也可能不会)取消向提供者发出的 x509 证书请求。

方法 请求 URI
DELETE https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "request_id": "a76827a18b63421c917da80f28e9913d",
}

手动创建 KV 证书

可以通过手动创建过程创建使用所选 CA 颁发的证书。 将颁发者的名称设置为“未知”,或者不指定颁发者字段。

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

请求

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "Unknown"
    }
  }
}

响应

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "Unknown"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "status": "inProgress",
  "status_details": "Pending certificate created. Please Perform Merge to complete the request.",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

创建挂起的请求时进行合并 - 手动创建证书

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

请求

{
  "x5c": [ "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8=" ]
}

元素名称 必须 类型 版本 说明
x5c array <引入版本> Base 64 字符串数组形式的 X509 证书链。

响应

StatusCode: 201, ReasonPhrase: 'Created'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
{
	"id": "https mykeyvault.vault.azure.cn/certificates/mycert1/f366e1a9dd774288ad84a45a5f620352",
	"kid": "https:// mykeyvault.vault.azure.cn/keys/mycert1/f366e1a9dd774288ad84a45a5f620352",
	"sid": " mykeyvault.vault.azure.cn/secrets/mycert1/f366e1a9dd774288ad84a45a5f620352",
	"cer": "……de34534……",
	"x5t": "n14q2wbvyXr71Pcb58NivuiwJKk",
	"attributes": {
		"enabled": true,
		"exp": 1530394215,
		"nbf": 1435699215,
		"created": 1435699919,
		"updated": 1435699919
	},
	"pending": {
		"id": "https:// mykeyvault.vault.azure.cn/certificates/mycert1/pending"
	},
	"policy": {
		"id": "https:// mykeyvault.vault.azure.cn/certificates/mycert1/policy",
		"key_props": {
			"exportable": false,
			"kty": "RSA",
			"key_size": 2048,
			"reuse_key": false
		},
		"secret_props": {
			"contentType": "application/x-pkcs12"
		},
		"x509_props": {
			"subject": "CN=Mycert1",
			"ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
			"validity_months": 12
		},
		"lifetime_actions": [{
			"trigger": {
				"lifetime_percentage": 80
			},
			"action": {
				"action_type": "EmailContacts"
			}
		}],
		"issuer": {
			"name": "Unknown"
		},
		"attributes": {
			"enabled": true,
			"created": 1435699811,
			"updated": 1435699811
		}
	}
}