Monitor and manage certificate creation

Applies to: Azure

The scenarios/operations outlined in this article include:

  • Request a KV certificate through a supported issuer
  • Get a pending request - request status is "in progress"
  • Get a pending request - request status is "completed"
  • Get a pending request - pending request status is "cancelled" or "failed"
  • Get a pending request - pending request status is "deleted" or "overwritten"
  • Create (or import) while a pending request exists - status is "in progress"
  • Merge when a pending request is created with an issuer (for example, DigiCert)
  • Request cancellation while the pending request status is "in progress"
  • Delete the pending request object
  • Create a KV certificate manually
  • Merge when a pending request is created - manually created certificate

Request a KV certificate through a supported issuer

Method   Request URI
POST     https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

The following example requires that an object named "mydigicert" with the issuer provider DigiCert already exists in the key vault. For more information on how to work with issuers, see Certificate issuers.

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert",
      "cty": "OV-SSL"
    }
  }
}

Response

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "mydigicert"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "InProgress",
  "status_details": "Pending certificate created. Certificate request is in progress. This may take some time based on the issuer provider. Please check again later",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Get a pending request - request status is "in progress"

Method   Request URI
GET      https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Note

If request_id is specified in the query, it acts as a filter. If the request_id in the query differs from the one in the pending object, HTTP status code 404 is returned.

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Get a pending request - request status is "completed"

Method   Request URI
GET      https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "completed",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "target": "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
}

Get a pending request - pending request status is "cancelled" or "failed"

Method   Request URI
GET      https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "failed",
  "status_details": "",
  "request_id": "a76827a18b63421c917da80f28e9913d",
  "error": {
    "code": "<errorcode>",
    "message": "<message>"
  }
}

Note

The value of errorcode can be "Certificate issuer error" or "Request rejected", depending on whether the failure is an issuer error or a user error.

Get a pending request - pending request status is "deleted" or "overwritten"

A create/import operation may delete or overwrite the pending object when its status is not "in progress".

Method   Request URI
GET      https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

GET "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 404, ReasonPhrase: 'Not Found'
{
  "error": {
    "code": "PendingCertificateNotFound",
    "message": "…"
  }
}

Create (or import) while a pending request exists - status is "in progress"

A pending object has four possible states: "in progress", "cancelled", "failed", or "completed".

When the status of the pending request is "in progress", the create (and import) operation fails with HTTP status code 409 (Conflict).

To resolve the conflict:

  • If the certificate is being created manually, either complete the KV certificate by performing a merge operation, or perform a delete operation on the pending object.

  • If the certificate is being created through an issuer, either wait until the certificate completes, fails, or is cancelled, or delete the pending object.

Note

Deleting the pending object may or may not cancel the x509 certificate request with the provider.

Method   Request URI
POST     https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "mydigicert"
    }
  }
}

Response

StatusCode: 409, ReasonPhrase: 'Conflict'
{
  "error": {
    "code": "Forbidden",
    "message": "A new key vault certificate can not be created or imported while a pending key vault certificate's status is inProgress."
  }
}
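As an added example (not part of this article and not Microsoft's code), the following Python maps the pending-object responses from the GET sections above (in progress, completed, failed/cancelled, 404 after delete/overwrite) and the 409 conflict response in this section to an operator's next step, with a bounded polling loop so a stalled issuer cannot hang automation. The HTTP client is injected as a callable and the sample responses are constructed from the JSON shown in this article, so the code runs offline; the action names and all function names are this example's own, not Key Vault API identifiers.

```python
"""Decide the next operator step from Key Vault pending-certificate responses.

Added example, not Microsoft's code. The HTTP client is injected as a callable
so the flow can be exercised offline against constructed responses shaped
like the ones shown in the article.
"""
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict]   # (HTTP status code, parsed JSON body)
Decision = Tuple[str, str]    # (action, reason) - action names are this example's own

# Status values as they appear in the pending object, compared case-insensitively
# because the article shows both "InProgress" and "inProgress".
IN_PROGRESS, COMPLETED, FAILED, CANCELLED = "inprogress", "completed", "failed", "cancelled"


def next_action(status_code: int, body: Dict, expected_request_id: Optional[str] = None) -> Decision:
    """Map one GET .../certificates/{name}/pending response to the next step."""
    if status_code == 404:
        # PendingCertificateNotFound: the pending object was deleted or overwritten,
        # or the request_id filter in the query did not match the stored object.
        code = body.get("error", {}).get("code", "")
        return ("recreate", f"pending object gone ({code or 'no error code'})")
    if status_code != 200:
        return ("inspect", f"unexpected HTTP {status_code}")
    if expected_request_id and body.get("request_id") != expected_request_id:
        # A newer create/import replaced the object; never act on a stale request.
        return ("inspect", "request_id does not match the request we issued")

    status = str(body.get("status", "")).lower()
    if status == IN_PROGRESS:
        if body.get("cancellation_requested"):
            return ("poll", "cancellation requested; waiting for the issuer to honour it")
        return ("poll", body.get("status_details", "request in progress"))
    if status == COMPLETED:
        # 'target' is the URL of the finished KV certificate.
        return ("fetch", body.get("target", ""))
    if status in (FAILED, CANCELLED):
        err = body.get("error", {})
        return ("merge_out_of_band_or_delete", f"{err.get('code', '')}: {err.get('message', '')}")
    return ("inspect", f"unknown status {status!r}")


def resolve_conflict(status_code: int, issuer_name: Optional[str]) -> Decision:
    """Interpret a create/import response when a pending object may already exist."""
    if status_code != 409:
        return ("proceed", f"HTTP {status_code}")
    if issuer_name in (None, "", "Unknown"):
        return ("merge_or_delete_pending",
                "manual request in progress: merge the signed certificate or delete the pending object")
    return ("wait_or_delete_pending",
            f"issuer {issuer_name} still working: wait for completed/failed/cancelled, or delete")


def wait_for_certificate(fetch: Callable[[], Response], request_id: str, max_polls: int = 5) -> Decision:
    """Poll the pending object a bounded number of times; never loop forever on an issuer."""
    last: Decision = ("poll", "not started")
    for _ in range(max_polls):
        code, body = fetch()
        last = next_action(code, body, request_id)
        if last[0] != "poll":
            return last
    return ("timeout", f"still pending after {max_polls} polls: {last[1]}")


# Constructed responses mirroring the article's examples (not captured vault output).
REQUEST_ID = "a76827a18b63421c917da80f28e9913d"
PENDING_BASE = {
    "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
    "issuer": {"name": "mydigicert"},
    "csr": "MIICq......DD5Lp5cqXg==",
    "cancellation_requested": False,
    "request_id": REQUEST_ID,
}
SAMPLE_RESPONSES = [
    (200, {**PENDING_BASE, "status": "InProgress", "status_details": "Pending certificate created."}),
    (200, {**PENDING_BASE, "status": "inProgress", "cancellation_requested": True}),
    (200, {**PENDING_BASE, "status": "completed",
           "target": "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"}),
]


def demo() -> Decision:
    """Replay the constructed responses through the polling loop."""
    replies = iter(SAMPLE_RESPONSES)
    return wait_for_certificate(lambda: next(replies), REQUEST_ID)


if __name__ == "__main__":
    print(demo())
    print(resolve_conflict(409, "mydigicert"))
```

Passing the request_id you received in the Location header into `next_action` is the important detail: without it, a poller can happily report "completed" for a pending object that belongs to somebody else's later create call.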

Merge when a pending request is created with an issuer

Merge is not allowed when the pending object was created with an issuer, except once its status is no longer "in progress".

If the request to create the x509 certificate fails or is cancelled for some reason, and the x509 certificate can be retrieved out of band, the KV certificate can be completed through a merge operation.

Method   Request URI
POST     https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

Request

{
  "x5c": [
    "MIICxTCCAbi………………………trimmed for brevity……………………………………………EPAQj8="
  ]
}

Response

StatusCode: 403, ReasonPhrase: 'Forbidden'
{
  "error": {
    "code": "Forbidden",
    "message": "Merge is forbidden on pending object created with issuer : <issuer-name> while it is in progess."
  }
}

Request cancellation while the pending request status is "in progress"

Cancellation can only be requested; the request may or may not result in a cancellation. If the request status is not "in progress", HTTP status 400 (Bad Request) is returned.

Method   Request URI
PATCH    https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

PATCH "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

{
  "cancellation_requested": true
}

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": true,
  "status": "inProgress",
  "status_details": "…",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Delete the pending request object

Note

Deleting the pending object may or may not cancel the x509 certificate request with the provider.

Method   Request URI
DELETE   https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}

Request

DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"

OR

DELETE "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}"

Response

StatusCode: 200, ReasonPhrase: 'OK'
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "{issuer-name}"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "cancellation_requested": false,
  "status": "inProgress",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Create a KV certificate manually

A certificate issued by a CA of your choice can be created through the manual creation process. Set the issuer name to "Unknown", or do not specify the issuer field.

Method   Request URI
POST     https://mykeyvault.vault.azure.cn/certificates/mycert1/create?api-version={api-version}

Request

{
  "policy": {
    "x509_props": {
      "subject": "CN=MyCertSubject1"
    },
    "issuer": {
      "name": "Unknown"
    }
  }
}

Response

StatusCode: 202, ReasonPhrase: 'Accepted'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending?api-version={api-version}&request_id=a76827a18b63421c917da80f28e9913d"
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending",
  "issuer": {
    "name": "Unknown"
  },
  "csr": "MIICq......DD5Lp5cqXg==",
  "status": "inProgress",
  "status_details": "Pending certificate created. Please Perform Merge to complete the request.",
  "request_id": "a76827a18b63421c917da80f28e9913d"
}

Merge when a pending request is created - manually created certificate

Method   Request URI
POST     https://mykeyvault.vault.azure.cn/certificates/mycert1/pending/merge?api-version={api-version}

Request

{
  "x5c": [
    "MIICxTCCAbi………………………trimmed for brevity……………………………………………EPAQj8="
  ]
}

Element name   Required   Type    Version                Description
x5c                       array   <introduced-version>   X509 certificate chain as an array of Base64 strings.

Response

StatusCode: 201, ReasonPhrase: 'Created'
Location: "https://mykeyvault.vault.azure.cn/certificates/mycert1?api-version={api-version}"
{
  "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/f366e1a9dd774288ad84a45a5f620352",
  "kid": "https://mykeyvault.vault.azure.cn/keys/mycert1/f366e1a9dd774288ad84a45a5f620352",
  "sid": "https://mykeyvault.vault.azure.cn/secrets/mycert1/f366e1a9dd774288ad84a45a5f620352",
  "cer": "……de34534……",
  "x5t": "n14q2wbvyXr71Pcb58NivuiwJKk",
  "attributes": {
    "enabled": true,
    "exp": 1530394215,
    "nbf": 1435699215,
    "created": 1435699919,
    "updated": 1435699919
  },
  "pending": {
    "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/pending"
  },
  "policy": {
    "id": "https://mykeyvault.vault.azure.cn/certificates/mycert1/policy",
    "key_props": {
      "exportable": false,
      "kty": "RSA",
      "key_size": 2048,
      "reuse_key": false
    },
    "secret_props": {
      "contentType": "application/x-pkcs12"
    },
    "x509_props": {
      "subject": "CN=Mycert1",
      "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
      "validity_months": 12
    },
    "lifetime_actions": [{
      "trigger": {
        "lifetime_percentage": 80
      },
      "action": {
        "action_type": "EmailContacts"
      }
    }],
    "issuer": {
      "name": "Unknown"
    },
    "attributes": {
      "enabled": true,
      "created": 1435699811,
      "updated": 1435699811
    }
  }
}
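
As an added example (not from this article or Microsoft), the following Python builds the x5c merge body from a PEM chain for the two merge operations described in this article, and then checks the merged result: the x5t reported for the stored certificate should equal the base64url-encoded SHA-1 thumbprint of the leaf DER that was submitted, which is the check you want before trusting that the vault now holds the certificate the CA actually signed. It uses only the standard library, so the DER check is a sanity check (a base64-decodable SEQUENCE), not full X.509 parsing; the sample certificates are constructed minimal DER values, not real certificates, and every function name is this example's own.

```python
"""Build a Key Vault merge body from a PEM chain and verify the merged result.

Added example, not Microsoft's code. Standard library only: the chain is
validated as base64 DER SEQUENCEs, not parsed as X.509. x5t is the
base64url-encoded SHA-1 of the DER leaf, which is how the 'x5t' field in the
merge response is formed.
"""
import base64
import binascii
import hashlib
import re
from typing import Dict, List

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_x5c(pem_text: str) -> List[str]:
    """Return the chain as base64 DER strings, leaf first, as the x5c element expects."""
    entries: List[str] = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())  # drop the line breaks inside the PEM block
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM block is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("decoded block is not a DER SEQUENCE; not a certificate")
        entries.append(b64)
    if not entries:
        raise ValueError("no CERTIFICATE blocks found")
    return entries


def is_valid_chain(pem_text: str) -> bool:
    """Convenience predicate around pem_chain_to_x5c for callers that want a bool."""
    try:
        pem_chain_to_x5c(pem_text)
        return True
    except ValueError:
        return False


def build_merge_request(pem_text: str) -> Dict[str, List[str]]:
    """Body for POST .../certificates/{name}/pending/merge."""
    return {"x5c": pem_chain_to_x5c(pem_text)}


def x5t_thumbprint(der: bytes) -> str:
    """base64url(SHA-1(DER)) without padding, matching the response 'x5t' field."""
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).rstrip(b"=").decode("ascii")


def verify_merge_result(merge_body: Dict[str, List[str]], status_code: int, response: Dict) -> bool:
    """True only when the vault answered 201 and the stored leaf is the one we merged."""
    if status_code != 201:
        return False
    leaf_der = base64.b64decode(merge_body["x5c"][0])
    return response.get("x5t") == x5t_thumbprint(leaf_der)


# Constructed stand-ins for signed certificates: minimal DER SEQUENCEs, not real X.509.
FAKE_LEAF_DER = b"\x30\x03\x02\x01\x01"
FAKE_ISSUER_DER = b"\x30\x00"


def _pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


FAKE_CHAIN_PEM = _pem(FAKE_LEAF_DER)                        # leaf only
TWO_CERT_PEM = _pem(FAKE_LEAF_DER) + _pem(FAKE_ISSUER_DER)  # leaf followed by its issuer


def demo() -> bool:
    """Merge the constructed chain and check a simulated 201 reply against it."""
    body = build_merge_request(TWO_CERT_PEM)
    simulated_status, simulated_reply = 201, {"x5t": x5t_thumbprint(FAKE_LEAF_DER)}  # constructed
    return verify_merge_result(body, simulated_status, simulated_reply)


if __name__ == "__main__":
    print(build_merge_request(TWO_CERT_PEM))
    print("merge verified:", demo())
```

The order of `x5c` matters: the leaf must come first, because that is the entry the vault binds to the pending request's CSR and the one whose thumbprint appears as `x5t`. If `verify_merge_result` returns False on a 201, the vault holds a different certificate than the one you believed you merged, which is worth an alert rather than a retry.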

See also