监视和管理证书创建
适用于:Azure
本文中概述的方案/操作包括:
- 通过支持的颁发者请求 KV 证书
- 获取挂起的请求 - 请求状态为“正在进行”
- 获取挂起的请求 - 请求状态为“已完成”
- 获取挂起的请求 - 挂起的请求状态为“已取消”或“已失败”
- 获取挂起的请求 - 挂起的请求状态为“已删除”或“已覆盖”
- 在挂起的请求存在时创建(或导入)- 状态为“正在进行”
- 使用颁发者(例如 DigiCert)创建挂起的请求时进行合并
- 当挂起的请求状态为“正在进行”时请求取消
- 删除挂起的请求对象
- 手动创建 KV 证书
- 创建挂起的请求时进行合并 - 手动创建证书
通过支持的颁发者请求 KV 证书
| 方法 | 请求 URI |
|---|---|
| POST | https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version} |
以下示例要求在密钥保管库中已经有名称为“mydigicert”且颁发者提供者为 DigiCert 的对象。 证书颁发者是 Azure Key Vault (KV) 中表示为 CertificateIssuer 资源的实体。 它用于提供有关 KV 证书来源的信息,例如颁发者名称、提供者、凭据和其他管理详细信息。
请求
{
"policy": {
"x509_props": {
"subject": "CN=MyCertSubject1"
},
"issuer": {
"name": "mydigicert",
"cty": "OV-SSL",
}
}
}
响应
StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
"id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
"issuer": {
"name": "mydigicert"
},
"csr": "MIICq......DD5Lp5cqXg==",
"cancellation_requested": false,
"status": "InProgress",
"status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later",
"request_id": "a76827a18b63421c917da80f28e9913d"
}
获取挂起的请求 - 请求状态为“正在进行”
| 方法 | 请求 URI |
|---|---|
| GET | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version} |
请求
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
OR
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"
注意
如果在查询中指定 request_id,则它充当筛选器。 如果 request_id 在查询中和在挂起对象中不同,则会返回 Http 状态代码 404。
响应
StatusCode: 200, ReasonPhrase: 'OK'
{
"id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
"issuer": {
"name": "{issuer-name}"
},
"csr": "MIICq......DD5Lp5cqXg==",
"cancellation_requested": false,
"status": "inProgress",
"status_details": "…",
"request_id": "a76827a18b63421c917da80f28e9913d"
}
获取挂起的请求 - 请求状态为“已完成”
请求
| 方法 | 请求 URI |
|---|---|
| GET | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version} |
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
OR
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"
响应
StatusCode: 200, ReasonPhrase: 'OK'
{
"id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
"issuer": {
"name": "{issuer-name}"
},
"csr": "MIICq......DD5Lp5cqXg==",
"cancellation_requested": false,
"status": "completed",
"request_id": "a76827a18b63421c917da80f28e9913d",
"target": "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
}
获取挂起的请求 - 挂起的请求状态为“已取消”或“已失败”
请求
| 方法 | 请求 URI |
|---|---|
| GET | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version} |
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
OR
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"
响应
StatusCode: 200, ReasonPhrase: 'OK'
{
"id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
"issuer": {
"name": "{issuer-name}"
},
"csr": "MIICq......DD5Lp5cqXg==",
"cancellation_requested": false,
"status": "failed",
"status_details": "",
"request_id": "a76827a18b63421c917da80f28e9913d",
"error": {
"code": "<errorcode>",
"message": "<message>"
}
}
注意
errorcode 的值可以是“证书颁发者错误”或“请求被拒绝”,具体取决于是颁发者错误还是用户错误。
获取挂起的请求 - 挂起的请求状态为“已删除”或“已覆盖”
当挂起对象的状态不是 inProgress 时,创建/导入操作可以删除或覆盖该对象。
| 方法 | 请求 URI |
|---|---|
| GET | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version} |
请求
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
OR
GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"
响应
StatusCode: 404, ReasonPhrase: 'Not Found'
{
"error": {
"code": "PendingCertificateNotFound",
"message": "…"
}
}
在挂起的请求存在时创建(或导入)- 状态为“正在进行”
挂起的对象有四个可能的状态:“正在进行”、“已取消”、“已失败”或“已完成”。
当挂起请求的状态为“正在进行”时,创建(和导入)操作会失败,并返回 Http 状态代码“409 (冲突)”。
若要消除冲突,请执行以下操作:
如果证书是手动创建的,可以通过执行合并操作来完成 KV 证书,也可以对挂起的对象执行删除操作。
如果证书是通过颁发者创建的,则可以等待,直到证书完成、失败或取消。 也可以删除挂起的对象。
注意
删除挂起的对象可能会(也可能不会)取消向提供者发出的 x509 证书请求。
| 方法 | 请求 URI |
|---|---|
| POST | https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version} |
请求
{
"policy": {
"x509_props": {
"subject": "CN=MyCertSubject1"
},
"issuer": {
"name": "mydigicert"
}
}
}
响应
StatusCode: 409, ReasonPhrase: 'Conflict'
{
"error": {
"code": "Forbidden",
"message": "A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."
}
}
使用颁发者创建挂起的请求时进行合并
如果挂起的对象是使用颁发者创建的,则不允许合并,但当其状态为 inProgress 时,允许合并。
如果创建 x509 证书的请求因某种原因而失败或取消,并且 x509 证书可以通过带外方式进行检索,则可以通过合并操作来完成 KV 证书。
| 方法 | 请求 URI |
|---|---|
| POST | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version} |
请求
{
"x5c": [ "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8=" ]
}
响应
StatusCode: 403, ReasonPhrase: 'Forbidden'
{
"error": {
"code": "Forbidden",
"message": "Merge is forbidden on pending object created with issuer : <issuer-name> while it is in progess."
}
}
当挂起的请求状态为“正在进行”时请求取消
取消操作只能通过请求来进行。 请求可能取消,也可能不取消。 如果请求的状态不是“正在进行”,则会返回 Http 状态“400 (请求无效)”。
| 方法 | 请求 URI |
|---|---|
| PATCH | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version} |
请求
PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
OR
PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"
{
"cancellation_requested": true
}
响应
StatusCode: 200, ReasonPhrase: 'OK'
{
"id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
"issuer": {
"name": "{issuer-name}"
},
"csr": "MIICq......DD5Lp5cqXg==",
"cancellation_requested": true,
"status": "inProgress",
"status_details": "…",
"request_id": "a76827a18b63421c917da80f28e9913d"
}
删除挂起的请求对象
注意
删除挂起的对象可能会(也可能不会)取消向提供者发出的 x509 证书请求。
| 方法 | 请求 URI |
|---|---|
| DELETE | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version} |
请求
DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
OR
DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"
响应
StatusCode: 200, ReasonPhrase: 'OK'
{
"id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
"issuer": {
"name": "{issuer-name}"
},
"csr": "MIICq......DD5Lp5cqXg==",
"cancellation_requested": false,
"status": "inProgress",
"request_id": "a76827a18b63421c917da80f28e9913d",
}
手动创建 KV 证书
可以通过手动创建过程创建使用所选 CA 颁发的证书。 将颁发者的名称设置为“未知”,或者不指定颁发者字段。
| 方法 | 请求 URI |
|---|---|
| POST | https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version} |
请求
{
"policy": {
"x509_props": {
"subject": "CN=MyCertSubject1"
},
"issuer": {
"name": "Unknown"
}
}
}
响应
StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
"id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
"issuer": {
"name": "Unknown"
},
"csr": "MIICq......DD5Lp5cqXg==",
"status": "inProgress",
"status_details": "Pending certificate created. Please Perform Merge to complete the request.",
"request_id": "a76827a18b63421c917da80f28e9913d"
}
创建挂起的请求时进行合并 - 手动创建证书
| 方法 | 请求 URI |
|---|---|
| POST | https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version} |
请求
{
"x5c": [ "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8=" ]
}
| 元素名称 | 必须 | 类型 | 版本 | 说明 |
|---|---|---|---|---|
| x5c | 是 | array | <引入版本> | Base 64 字符串数组形式的 X509 证书链。 |
响应
StatusCode: 201, ReasonPhrase: 'Created'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
{
"id": "https mykeyvault.vault.azure.cn/certificates/mycert1/f366e1a9dd774288ad84a45a5f620352",
"kid": "https:// mykeyvault.vault.azure.cn/keys/mycert1/f366e1a9dd774288ad84a45a5f620352",
"sid": " mykeyvault.vault.azure.cn/secrets/mycert1/f366e1a9dd774288ad84a45a5f620352",
"cer": "……de34534……",
"x5t": "n14q2wbvyXr71Pcb58NivuiwJKk",
"attributes": {
"enabled": true,
"exp": 1530394215,
"nbf": 1435699215,
"created": 1435699919,
"updated": 1435699919
},
"pending": {
"id": "https:// mykeyvault.vault.azure.cn/certificates/mycert1/pending"
},
"policy": {
"id": "https:// mykeyvault.vault.azure.cn/certificates/mycert1/policy",
"key_props": {
"exportable": false,
"kty": "RSA",
"key_size": 2048,
"reuse_key": false
},
"secret_props": {
"contentType": "application/x-pkcs12"
},
"x509_props": {
"subject": "CN=Mycert1",
"ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
"validity_months": 12
},
"lifetime_actions": [{
"trigger": {
"lifetime_percentage": 80
},
"action": {
"action_type": "EmailContacts"
}
}],
"issuer": {
"name": "Unknown"
},
"attributes": {
"enabled": true,
"created": 1435699811,
"updated": 1435699811
}
}
}