Monitor and manage certificate creation

Applies To: Azure

The following

The scenarios / operations outlined in this article are:

  • Request a KV certificate with a supported issuer
  • Get pending request - request status is "inProgress"
  • Get pending request - request status is "complete"
  • Get pending request - pending request status is "canceled" or "failed"
  • Get pending request - pending request status is "deleted" or "overwritten"
  • Create (or import) when a pending request exists - status is "inProgress"
  • Merge when the pending request was created with an issuer (DigiCert, for example)
  • Request a cancellation while the pending request status is "inProgress"
  • Delete a pending request object
  • Create a KV certificate manually
  • Merge when a pending request is created - manual certificate creation

Request a KV certificate with a supported issuer

Method  Request URI
POST    https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

The following examples require an object named "mydigicert" to already exist in your key vault, with DigiCert as the issuer provider. A certificate issuer is an entity represented in Azure Key Vault (KV) as a CertificateIssuer resource. It provides information about the source of a KV certificate: issuer name, provider, credentials, and other administrative details.

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert",
      "cty": "OV-SSL"
    }
  }
}

Response

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "mydigicert"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "InProgress",
  "status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Get pending request - request status is "inProgress"

Method  Request URI
GET     https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Note

If request_id is specified in the query, it acts as a filter. If the request_id in the query differs from the one in the pending object, an HTTP status code of 404 is returned.

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Get pending request - request status is "complete"

Request

Method  Request URI
GET     https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "completed",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "target": "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
}

Get pending request - pending request status is "canceled" or "failed"

Request

Method  Request URI
GET     https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "failed",
  "status_details": "",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "error": {
    "code": "<errorcode>",
    "message": "<message>"
  }
}

Note

The value of errorcode can be "Certificate issuer error" or "Request rejected", for an issuer error or a user error respectively.

Get pending request - pending request status is "deleted" or "overwritten"

A pending object can be deleted, or overwritten by a create/import operation, when its status is not "inProgress".

Method  Request URI
GET     https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 404, ReasonPhrase: 'Not Found'
{
  "error": {
    "code": "PendingCertificateNotFound",
    "message": "…"
  }
}
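The GET responses in the sections above (200 with "inProgress", "completed", "failed" or "canceled"; 404 with PendingCertificateNotFound) are what a polling client has to interpret. The following is an added example, not code from the Azure Key Vault documentation: it maps one response from the pending endpoint to the client's next step and walks a sequence of such responses. The function names and the sample bodies are constructed for this example; the request id and URLs are the ones used in the article.

```python
"""Interpret responses from the Key Vault pending-certificate endpoint.

Added example, not code from the Azure Key Vault documentation. Given the HTTP
status code and JSON body returned by GET .../certificates/{name}/pending, it
decides whether to keep polling, fetch the finished certificate, report a
failure, or stop because the pending object is gone or belongs to a different
request. Function names and sample responses are constructed for this example.
"""
from typing import Optional
from urllib.parse import parse_qs, urlparse

ARTICLE_REQUEST_ID = "a76827a18b63421c917da80f28e9913d"


def request_id_from_location(location: str) -> Optional[str]:
    """Extract request_id from the Location header sent with the 202 Accepted."""
    values = parse_qs(urlparse(location).query).get("request_id")
    return values[0] if values else None


def next_action(status_code: int, body: dict, expected_request_id: Optional[str] = None) -> dict:
    """Map one GET on the pending object to the client's next step.

    Status is compared case-insensitively because the article shows both
    "InProgress" and "inProgress" in otherwise identical responses.
    """
    if status_code == 404:
        code = body.get("error", {}).get("code")
        if code == "PendingCertificateNotFound":
            # Deleted, overwritten by a later create/import, or filtered out by
            # a request_id that no longer matches the current pending object.
            return {"action": "stop", "reason": "pending object not found"}
        return {"action": "stop", "reason": f"unexpected 404: {code}"}
    if status_code != 200:
        return {"action": "stop", "reason": f"unexpected HTTP {status_code}"}
    if expected_request_id and body.get("request_id") != expected_request_id:
        # Same certificate name, different request: a newer pending object replaced ours.
        return {"action": "stop", "reason": "request_id mismatch"}

    status = str(body.get("status", "")).lower()
    if status == "inprogress":
        return {"action": "poll",
                "cancellation_requested": bool(body.get("cancellation_requested")),
                "details": body.get("status_details", "")}
    if status == "completed":
        # The finished KV certificate is at the URL in "target".
        return {"action": "fetch", "target": body["target"]}
    if status in ("failed", "canceled"):
        err = body.get("error", {})
        return {"action": "error", "status": status,
                "code": err.get("code", ""), "message": err.get("message", "")}
    return {"action": "stop", "reason": f"unknown status {status!r}"}


def poll_until_done(responses, expected_request_id: Optional[str] = None) -> dict:
    """Walk successive GET results (a list of (status_code, body) pairs) until
    the action is no longer "poll"; a real client would sleep between calls."""
    last = {"action": "stop", "reason": "no responses"}
    for status_code, body in responses:
        last = next_action(status_code, body, expected_request_id)
        if last["action"] != "poll":
            break
    return last


# Constructed sample responses, shaped after the ones shown in this article.
PENDING_URL = "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending"
SAMPLE_202_LOCATION = f"{PENDING_URL}?api-version={{api-version}}&request_id={ARTICLE_REQUEST_ID}"
SAMPLE_IN_PROGRESS = {
    "id": PENDING_URL, "issuer": {"name": "mydigicert"}, "csr": "MIICq......DD5Lp5cqXg==",
    "cancellation_requested": False, "status": "InProgress",
    "status_details": "Pending certificate created. Certificate request is in progress.",
    "request_id": ARTICLE_REQUEST_ID,
}
SAMPLE_COMPLETED = {
    "id": PENDING_URL, "issuer": {"name": "mydigicert"}, "csr": "MIICq......DD5Lp5cqXg==",
    "cancellation_requested": False, "status": "completed", "request_id": ARTICLE_REQUEST_ID,
    "target": "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}",
}
SAMPLE_FAILED = {
    "id": PENDING_URL, "issuer": {"name": "mydigicert"}, "status": "failed",
    "request_id": ARTICLE_REQUEST_ID,
    "error": {"code": "Certificate issuer error", "message": "constructed issuer message"},
}
SAMPLE_NOT_FOUND = {"error": {"code": "PendingCertificateNotFound", "message": "constructed"}}
```

Passing the request_id taken from the 202 Location header into next_action makes the client notice when a second create/import has overwritten the pending object it was tracking, instead of silently fetching someone else's certificate.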

Create (or import) when a pending request exists - status is "inProgress"

A pending object has four possible states: "inProgress", "canceled", "failed", or "completed".

When a pending request's state is "inProgress", create (and import) operations fail with an HTTP status code of 409 (Conflict).

To resolve the conflict:

  • If the certificate is being created manually, you can either complete the KV certificate by doing a merge, or delete the pending object.

  • If the certificate is being created with an issuer, you can wait until the certificate completes, fails, or is canceled. Alternatively, you can delete the pending object.

Note

Deleting a pending object may or may not cancel the x509 certificate request with the provider.

Method  Request URI
POST    https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert"
    }
  }
}

Response

StatusCode: 409, ReasonPhrase: 'Conflict'
{
  "error": {
    "code": "Forbidden",
    "message": "A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."
  }
}

Merge when the pending request was created with an issuer

Merge is not allowed on a pending object that was created with an issuer while its state is "inProgress".

If the request to create the x509 certificate fails or is canceled for some reason, and the x509 certificate can be retrieved by out-of-band means, a merge operation can be performed to complete the KV certificate.

Method  Request URI
POST    https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

Request

{
  "x5c": [ "MIICxTCCAbi………………………trimmed for brevity……………………………………………EPAQj8=" ]
}

Response

StatusCode: 403, ReasonPhrase: 'Forbidden'
{
  "error": {
    "code": "Forbidden",
    "message": "Merge is forbidden on pending object created with issuer : <issuer-name> while it is in progess."
  }
}

Request a cancellation while the pending request status is "inProgress"

A cancellation can only be requested; the request may or may not actually be canceled. If the request is not "inProgress", an HTTP status of 400 (Bad Request) is returned.

Method  Request URI
PATCH   https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

{
  "cancellation_requested": true
}

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": true,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}
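The rules in the last few sections (409 on create/import while a pending object is "inProgress", 403 on merge for an issuer-backed pending object while in progress but not after it has failed or been canceled, 400 on a cancellation request when the object is not "inProgress", 404 when request_id does not match) describe a small state machine. The following is an added example, not Key Vault's own code: an in-memory model of that state machine so the responses shown above can be reproduced offline. The class and method names, the generated request ids and the error bodies not quoted from the article are constructed for this example; the 409 message is the one shown above.

```python
"""In-memory model of the pending-object rules described in this article.

Added example, not Key Vault's own code. It simulates how the service treats a
pending certificate object: create/import conflicts while a request is
inProgress, merge is forbidden on an issuer-backed pending object while it is
in progress but allowed once it has failed or been canceled (and always for the
manual "Unknown" issuer), cancellation can only be requested while inProgress,
and delete removes the object. Request ids are generated here; error bodies not
quoted from the article are constructed.
"""
import uuid

NOT_FOUND = (404, {"error": {"code": "PendingCertificateNotFound",
                             "message": "constructed: no matching pending object"}})
CONFLICT_MSG = ("A new key vault certificate can not be created or imported while "
                "a pending key vault certificate's status is inProgress.")


class PendingCertificates:
    """At most one pending object per certificate name, as in Key Vault."""

    def __init__(self):
        self._pending = {}

    def create(self, name, issuer="Unknown"):
        """POST .../certificates/{name}/create: 202, or 409 while inProgress."""
        existing = self._pending.get(name)
        if existing and existing["status"] == "inProgress":
            return 409, {"error": {"code": "Forbidden", "message": CONFLICT_MSG}}
        # A pending object in any other state is overwritten by the new request.
        obj = {
            "issuer": {"name": issuer},
            "csr": "constructed-csr-placeholder",
            "cancellation_requested": False,
            "status": "inProgress",
            "request_id": uuid.uuid4().hex,
        }
        self._pending[name] = obj
        return 202, dict(obj)

    def get(self, name, request_id=None):
        """GET .../pending: request_id, when given, acts as a filter."""
        obj = self._pending.get(name)
        if obj is None or (request_id and request_id != obj["request_id"]):
            return NOT_FOUND
        return 200, dict(obj)

    def cancel(self, name):
        """PATCH with cancellation_requested: only a request; 400 unless inProgress."""
        obj = self._pending.get(name)
        if obj is None:
            return NOT_FOUND
        if obj["status"] != "inProgress":
            return 400, {"error": {"code": "BadRequest",
                                   "message": "constructed: pending request is not inProgress"}}
        obj["cancellation_requested"] = True
        return 200, dict(obj)

    def merge(self, name, x5c):
        """POST .../pending/merge with the x509 chain obtained out of band."""
        obj = self._pending.get(name)
        if obj is None:
            return NOT_FOUND
        issuer = obj["issuer"]["name"]
        if issuer != "Unknown" and obj["status"] == "inProgress":
            return 403, {"error": {"code": "Forbidden",
                                   "message": f"Merge is forbidden on pending object created "
                                              f"with issuer : {issuer} while it is in progress."}}
        if not x5c:
            return 400, {"error": {"code": "BadRequest", "message": "constructed: empty x5c"}}
        obj["status"] = "completed"
        obj["target"] = f"https://mykeyvault.vault.azure.cn/certificates/{name}"
        return 201, {"chain_length": len(x5c), "request_id": obj["request_id"]}

    def delete(self, name):
        """DELETE .../pending: removes the object; the issuer may or may not cancel."""
        obj = self._pending.pop(name, None)
        return NOT_FOUND if obj is None else (200, obj)

    def issuer_reports(self, name, outcome):
        """Simulate the issuer provider finishing: "completed", "failed" or "canceled"."""
        obj = self._pending[name]
        obj["status"] = outcome
        if outcome == "completed":
            obj["target"] = f"https://mykeyvault.vault.azure.cn/certificates/{name}"
        elif outcome == "failed":
            obj["error"] = {"code": "Certificate issuer error", "message": "constructed"}
        return dict(obj)
```

The model makes the operational point of these sections concrete: while an issuer-backed request is in progress the only ways forward are waiting, requesting cancellation, or deleting the pending object, and only once the object has left "inProgress" does merge (or a fresh create) succeed.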

Delete a pending request object

Note

Deleting the pending object may or may not cancel the x509 certificate request with the provider.

Method  Request URI
DELETE  https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Create a KV certificate manually

You can create a certificate issued by a CA of your choice through a manual creation process. Set the name of the issuer to "Unknown", or do not specify the issuer field.

Method  Request URI
POST    https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "Unknown"
    }
  }
}

Response

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "Unknown"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "status": "inProgress",
  "status_details": "Pending certificate created. Please Perform Merge to complete the request.",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Merge when a pending request is created - manual certificate creation

Method  Request URI
POST    https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

Request

{
  "x5c": [ "MIICxTCCAbi………………………trimmed for brevity……………………………………………EPAQj8=" ]
}

Element name  Required  Type   Version                Description
x5c           Yes       array  <introducing version>  X509 certificate chain as a base64 string array.

Response

StatusCode: 201, ReasonPhrase: 'Created'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
{
    "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/f366e1a9dd774288ad84a45a5f620352",
    "kid": "https://mykeyvault.vault.azure.cn/keys/mycert1/f366e1a9dd774288ad84a45a5f620352",
    "sid": "https://mykeyvault.vault.azure.cn/secrets/mycert1/f366e1a9dd774288ad84a45a5f620352",
    "cer": "……de34534……",
    "x5t": "n14q2wbvyXr71Pcb58NivuiwJKk",
    "attributes": {
        "enabled": true,
        "exp": 1530394215,
        "nbf": 1435699215,
        "created": 1435699919,
        "updated": 1435699919
    },
    "pending": {
        "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending"
    },
    "policy": {
        "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/policy",
        "key_props": {
            "exportable": false,
            "kty": "RSA",
            "key_size": 2048,
            "reuse_key": false
        },
        "secret_props": {
            "contentType": "application/x-pkcs12"
        },
        "x509_props": {
            "subject": "CN=Mycert1",
            "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
            "validity_months": 12
        },
        "lifetime_actions": [{
            "trigger": {
                "lifetime_percentage": 80
            },
            "action": {
                "action_type": "EmailContacts"
            }
        }],
        "issuer": {
            "name": "Unknown"
        },
        "attributes": {
            "enabled": true,
            "created": 1435699811,
            "updated": 1435699811
        }
    }
}
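The manual flow above ends with a merge whose body is "x5c", an array of base64-encoded DER certificates, and a response that reports the new certificate's "x5t" thumbprint. The following is an added example, not code from the Azure Key Vault documentation: it converts a PEM chain (as a CA typically hands it back out of band) into the x5c array, rejects entries that are not at least a DER SEQUENCE, builds the merge body, and computes the base64url SHA-1 thumbprint in the x5t form so the merged leaf can be matched against the response. The DER blobs used as input are constructed minimal SEQUENCEs, not real certificates; the function names are this example's own, and the leaf-first ordering follows the JWK x5c convention.

```python
"""Build the merge request body from a PEM certificate chain.

Added example, not code from the Azure Key Vault documentation. The merge call
expects "x5c": an array of base64 DER certificates, leaf first (JWK x5c
convention). The DER blobs below are constructed minimal SEQUENCEs, not real
certificates; function names are this example's own.
"""
import base64
import hashlib
import json
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_x5c(pem_text: str) -> list:
    """Strip PEM armor and line breaks; each entry is one base64 DER certificate."""
    entries = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)
        # A certificate is an ASN.1 SEQUENCE (tag 0x30); anything else is not one.
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        entries.append(base64.b64encode(der).decode("ascii"))
    if not entries:
        raise ValueError("no CERTIFICATE blocks found")
    return entries


def x5t_thumbprint(b64_der: str) -> str:
    """base64url(SHA-1(DER)) without padding: the JWK/Key Vault x5t form."""
    digest = hashlib.sha1(base64.b64decode(b64_der)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def merge_request_body(pem_text: str) -> str:
    """JSON body for POST .../certificates/{name}/pending/merge."""
    return json.dumps({"x5c": pem_chain_to_x5c(pem_text)})


def _pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-column lines (constructed input only)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for a leaf and an intermediate: minimal DER SEQUENCEs.
LEAF_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
INTERMEDIATE_DER = b"\x30\x03\x02\x01\x07"
SAMPLE_CHAIN_PEM = _pem(LEAF_DER) + _pem(INTERMEDIATE_DER)
```

After the merge returns 201, comparing x5t_thumbprint(chain[0]) with the "x5t" in the response confirms that the certificate Key Vault created is the leaf you intended to merge and not a stale or misordered entry from the chain.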

See Also