监视和管理证书创建

适用于:Azure

以下

本文中概述的方案/操作包括:

  • 通过支持的颁发者请求 KV 证书
  • 获取挂起的请求 - 请求状态为“正在进行”
  • 获取挂起的请求 - 请求状态为“已完成”
  • 获取挂起的请求 - 挂起的请求状态为“已取消”或“已失败”
  • 获取挂起的请求 - 挂起的请求状态为“已删除”或“已覆盖”
  • 在挂起的请求存在时创建(或导入)- 状态为“正在进行”
  • 使用颁发者(例如 DigiCert)创建挂起的请求时进行合并
  • 当挂起的请求状态为“正在进行”时请求取消
  • 删除挂起的请求对象
  • 手动创建 KV 证书
  • 创建挂起的请求时进行合并 - 手动创建证书

通过支持的颁发者请求 KV 证书

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

以下示例要求在密钥保管库中已经有名称为“mydigicert”且颁发者提供者为 DigiCert 的对象。 证书颁发者是 Azure Key Vault (KV) 中表示为 CertificateIssuer 资源的实体。 它用于提供有关 KV 证书来源的信息,例如颁发者名称、提供者、凭据和其他管理详细信息。

请求

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert",
      "cty": "OV-SSL",
    }
  }
}

响应

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"  
{
  "id": “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",  
  "issuer": {
    "name": "mydigicert"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "InProgress",
  "status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

获取挂起的请求 - 请求状态为“正在进行”

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Note

如果在查询中指定 request_id,则它充当筛选器。 如果 request_id 在查询中和在挂起对象中不同,则会返回 Http 状态代码 404。

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",  
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

获取挂起的请求 - 请求状态为“已完成”

请求

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",  
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "completed",
  "request_id": "a76827a18b63421c917da80f28e9913d",
   "target": “https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"  
}

获取挂起的请求 - 挂起的请求状态为“已取消”或“已失败”

请求

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",  
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "failed",
  "status_details": "",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "error": {
    "code": "<errorcode>",
    "message": "<message>"
  }
}

Note

errorcode 的值可以是“证书颁发者错误”或“请求被拒绝”,具体取决于是颁发者错误还是用户错误。

获取挂起的请求 - 挂起的请求状态为“已删除”或“已覆盖”

当挂起对象的状态不是“正在进行”时,创建/导入操作可能会删除或覆盖该对象。

方法 请求 URI
GET https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 404, ReasonPhrase: 'Not Found'
{
  "error":  
    "code": "PendingCertificateNotFound",
    "message": "…"
  }
}

在挂起的请求存在时创建(或导入)- 状态为“正在进行”

挂起的对象有四个可能的状态:“正在进行”、“已取消”、“已失败”或“已完成”。

当挂起请求的状态为“正在进行”时,创建(和导入)操作会失败,并返回 Http 状态代码“409 (冲突)”。

若要消除冲突,请执行以下操作:

  • 如果证书是手动创建的,可以通过执行合并操作来完成 KV 证书,也可以对挂起的对象执行删除操作。

  • 如果证书是通过颁发者创建的,则可以等待,直到证书完成、失败或取消。 也可以删除挂起的对象。

Note

删除挂起的对象可能会(也可能不会)取消向提供者发出的 x509 证书请求。

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

请求

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert"
    }
  }
}

响应

StatusCode: 409, ReasonPhrase: 'Conflict'
{
  "error":  
    "code": "Forbidden",
    "message": "A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."
  }
}

使用颁发者创建挂起的请求时进行合并

当挂起的对象已使用颁发者创建时,不允许合并,但当其状态为“正在进行”时,允许合并。

如果创建 x509 证书的请求因某种原因而失败或取消,并且 x509 证书可以通过带外方式进行检索,则可以通过合并操作来完成 KV 证书。

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

请求

{
  "x5c": [  "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8="  
  ]  
}

响应

StatusCode: 403, ReasonPhrase: 'Forbidden'
{
  "error": {
    "code": "Forbidden",
    "message": "Merge is forbidden on pending object created with issuer : <issuer-name> while it is in progess."
  }
}

当挂起的请求状态为“正在进行”时请求取消

取消操作只能通过请求来进行。 请求可能取消,也可能不取消。 如果请求的状态不是“正在进行”,则会返回 Http 状态“400 (请求无效)”。

方法 请求 URI
PATCH https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

PATCH “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

PATCH “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

{
  "cancellation_requested": true
}

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",  
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": true,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

删除挂起的请求对象

Note

删除挂起的对象可能会(也可能不会)取消向提供者发出的 x509 证书请求。

方法 请求 URI
删除 https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

请求

DELETE “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

DELETE “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

响应

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",  
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "request_id": "a76827a18b63421c917da80f28e9913d",
}

手动创建 KV 证书

可以通过手动创建过程创建使用所选 CA 颁发的证书。 将颁发者的名称设置为“Unknown”,或者不指定颁发者字段。

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

请求

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "Unknown"
    }
  }
}

响应

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"  
{
  "id": “https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",  
  "issuer": {
    "name": "Unknown"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "status": "inProgress",
  "status_details": "Pending certificate created. Please Perform Merge to complete the request.",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

创建挂起的请求时进行合并 - 手动创建证书

方法 请求 URI
POST https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

请求

{
  "x5c": [  "MIICxTCCAbi………………………trimmed for brevitiy……………………………………………EPAQj8="  
}

元素名称 必须 类型 版本 说明
x5c 数组 <引入版本> Base 64 字符串数组形式的 X509 证书链。

响应

StatusCode: 201, ReasonPhrase: 'Created'
Location: “https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"  
{  
"id": "https mykeyvault.vault.azure.cn/certificates/mycert1/f366e1a9dd774288ad84a45a5f620352",  
    "kid": "https:// mykeyvault.vault.azure.cn/keys/mycert1/f366e1a9dd774288ad84a45a5f620352",  
    "sid": " mykeyvault.vault.azure.cn/secrets/mycert1/f366e1a9dd774288ad84a45a5f620352",  
    "cer": "……de34534……",
    "x5t": "n14q2wbvyXr71Pcb58NivuiwJKk",
    "attributes": {
        "enabled": true,
        "exp": 1530394215,
        "nbf": 1435699215,
        "created": 1435699919,
        "updated": 1435699919
    },
    "pending": {
        "id": "https:// mykeyvault.vault.azure.cn/certificates/mycert1/pending"  
    },
    "policy": {
        "id": "https:// mykeyvault.vault.azure.cn/certificates/mycert1/policy",  
        "key_props": {
            "exportable": false,
            "kty": "RSA",
            "key_size": 2048,
            "reuse_key": false
        },
        "secret_props": {
            "contentType": "application/x-pkcs12"
        },
        "x509_props": {
            "subject": "CN=Mycert1",
            "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
            "validity_months": 12
        },
        "lifetime_actions": [{
            "trigger": {
                "lifetime_percentage": 80
            },
            "action": {
                "action_type": "EmailContacts"
            }
        }],
        "issuer": {
            "name": "Unknown"
        },
        "attributes": {
            "enabled": true,
            "created": 1435699811,
            "updated": 1435699811
        }
    }
}

另请参阅