Example: Getting and installing a signed leaf certificate using REST APIs

This example includes the steps for creating a trust anchor (TA) profile. If a TA profile was configured previously, that step of the example is skipped. The TA profile is used to validate the signed certificate when you import the certificate as part of this procedure.

For more information about certificates and certificate management, see the Security Guide.

Procedure
  1. Create a TA profile:
    1. From the certificate authority (CA), get a copy of the certificate against which you will validate leaf certificates.

      The certificate you validate leaf certificates against can be a root certificate or an intermediate certificate.

      The steps to get the leaf certificate depend on the CA and the operating system you use.

    2. Create a JSON object with a certificate key and a name key.

      For example:

      { "name": "", "certificate": "" }
      • For the value of the name key, replace the empty string with the name of the TA profile you want to create.

      • For the value of the certificate key, replace the empty string by pasting the copied certificate.

        After pasting, edit the text to ensure proper loading as a JSON object by doing the following:

        • Ensure the certificate header and footer are treated as separate lines by adding \n characters after the header and before the footer.

          The following example shows where the \n characters go:

          { "name": "myta", "certificate": "-----BEGIN CERTIFICATE-----\nMIIF2DCCA8CgAwIBAgIlCnL MA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRIwEAYDVQDAl ... PKj0FmJ1+Qzw9Bcm6HiPTyxOVozMeRQzSQhTZVlh3OvBw/cUwTIqFJCe/afNQCqa9XnvTpJvP/Q3z ... S4L9sxrk/i3hKB88\n-----END CERTIFICATE-----" }
        • Ensure that any private key header and footer are treated as separate lines by adding \n characters before and after them as needed.

          For example:

          \n-----BEGIN PRIVATE KEY-----\n MIIFDjBABgkqhkiG9wBBQ0wMzAbBgqkw0QwwDQIpJMN7sVGwCAggA ... iKnXnUMpVPfLc74ty2S41DtH0X9gf6aa1jStg+7cND9XfGtjaV2CA \n-----END PRIVATE KEY-----\n
          \n-----BEGIN ENCRYPTED PRIVATE KEY-----\n IJ6L/UhEtH523nUkdV6gvAgoYaD83PswToAGv5VS8OMFTPttrn5/K ... OgSecqZsG6arbx0ESaYBir1c/6rPspcjbx283iD1MWOpeoS2aEmOX= \n-----END ENCRYPTED PRIVATE KEY-----\n
    3. Use the POST method to create the TA profile with the copied certificate. Include the JSON object in the request body:

      Example method and URI:

      POST "https://192.0.2.5/rest/v1/system/pki_ta_profiles"

      Example curl command:

      $ curl --noproxy 192.0.2.5 -k -X POST \ -b /tmp/primary_auth_cookie \ -H 'Content-Type: application/json' \ -d '{ "name": "myta", "certificate": "-----BEGIN CERTIFICATE-----\nMIIF2DCCA8CgAwIBAgIJANkWgud1lCnL MA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRIwEAYDVQQKDAl ... PKj0FmJ1+Qzw9Bcm6HiPTyxOVozMeRQzSQhTZVlh3OvBw/cUwTIqFJCe/afNQCqa9XnvTpJvP/Q3ze6 S4L9sxrk/i3hKB88\n-----END CERTIFICATE-----" }' "https://192.0.2.5/rest/v1/system/pki_ta_profiles"

      On successful completion, the switch returns response code 201 Created.

  2. Create a certificate with a pending certificate signing request (CSR).

    For information about the required and optional items in the request body, see the JSON model for the certificates resource in the AOS-CX REST API Reference.

    Example method and URI:

    POST "https://192.0.2.5/rest/v1/certificates"

    Example request body:

    { "certificate_name": "my-cert-name", "subject": { "common_name": "CX-8400", "country": "US", "locality": "el camino", "state": "CA", "org": "HPE", "org_unit": "Aruba" }, "key_type": "RSA", "key_size": 2048, "cert_type": "regular" }

    Example curl command:

    $ curl --noproxy 192.0.2.5 -k -X POST \ -b /tmp/primary_auth_cookie \ -H 'Content-Type: application/json' \ -d '{ "certificate_name": "my-cert-name", "subject": { "common_name": "CX-8400", "country": "US", "locality": "el camino", "state": "CA", "org": "HPE", "org_unit": "Aruba" }, "key_type": "RSA", "key_size": 2048, "cert_type": "regular" }' "https://192.0.2.5/rest/v1/certificates"

    On successful completion, the switch returns response code 201 Created.

  3. Get the certificate you created in the previous step.

    Example method and URI:

    GET "https://192.0.2.5/rest/v1/certificates/my-cert-name"

    Example curl command:

    $ curl --noproxy 192.0.2.5 -k -X GET \ -b /tmp/primary_auth_cookie \ "https://192.0.2.5/rest/v1/certificates/my-cert-name"

    On successful completion, the switch returns response code 200 OK and a response body containing the CSR in PEM format.

  4. Send the CSR to the CA for signing.

    The steps to send the CSR depend on the CA and the operating system you use.

    The CA returns the signed certificate in PEM format.

  5. Import the signed certificate by using a PUT request to update the my-cert-name certificate with the signed certificate you received from the CA.

    The imported certificate data must include all the intermediate CA certificates in the certificate chain leading to the certificate that was imported into the specified TA profile.

    If you copy and paste the certificate into a JSON object, you must ensure that the certificate and private key headers and footers are processed as separate lines by editing the text to add \n characters as needed.

    As part of the PUT request, the switch attempts to validate the certificate against the pool of all TA profiles installed on the switch. The certificate is accepted if it is validated with one of the TA profiles.

    Example method and URI:

    PUT "https://192.0.2.5/rest/v1/certificates/my-cert-name"

    Example request body:

    { "certificate": "-----BEGIN CERTIFICATE-----\n MIIFRDCCAyygAwIBAgQP8nS2Vp15u0xXMdkDJzANBgkqhkiG9w0Bv ... 1NGNm3NG03GqPScs/TF9bVyFA5BOS5lmmkfRYK8D/kMTfRreSdxis YQ1u1NqShps= \n-----END CERTIFICATE-----\n \n-----BEGIN ENCRYPTED PRIVATE KEY-----\n MIIFDjBABgkqhkiG9wBBQ0wMzAbBgqkw0QwwDQIpJMN7sVGwCAggA ... iKnXnUMpVPfLc74ty2S41DtH0X9gf6aa1jStg+7cND9XfGtjaV2+/ cb4= \n-----END ENCRYPTED PRIVATE KEY-----" }

    Example curl command:

    $ curl --noproxy 192.0.2.5 -k -X PUT \ -b /tmp/primary_auth_cookie \ -H 'Content-Type: application/json' \ -d '{ "certificate": "-----BEGIN CERTIFICATE-----\n MIIFRDCCAyygAwIBAgQP8nS2Vp15u0xXMdkDJzANBgkqhkiG9w0Bv ... 1NGNm3NG03GqPScs/TF9bVyFA5BOS5lmmkfRYK8D/kMTfRreSdxis YQ1u1NqShps= \n-----END CERTIFICATE-----\n \n-----BEGIN ENCRYPTED PRIVATE KEY-----\n MIIFDjBABgkqhkiG9wBBQ0wMzAbBgqkw0QwwDQIpJMN7sVGwCAggA ... iKnXnUMpVPfLc74ty2S41DtH0X9gf6aa1jStg+7cND9XfGtjaV2+/ cb4= \n-----END ENCRYPTED PRIVATE KEY-----" }' "https://192.0.2.5/rest/v1/certificates/my-cert-name"

    On successful completion, the switch returns response code 200 OK.

The certificate is installed and ready to be associated with switch features.
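The whole procedure above, as an added example written for this page rather than code from HPE/Aruba or the REST API Reference. It replaces the hand-edited curl bodies with Python: the PEM blocks are normalized to the "header\nbody\nfooter" form the page asks for, the three request bodies are built with json.dumps (which writes the \n escapes), and the cookie jar curl wrote at login is replayed as on the page with -b. The REST paths, JSON keys and status codes are the ones the page shows; the helper names, the guard that rejects a private key in a TA profile, and the scan of the whole GET body for the CSR (the page does not say which JSON key carries it) are this example's assumptions. The login call is not shown on the page and is not shown here.

```python
import json
import re
import ssl
import urllib.error
import urllib.request

# One PEM block: header, base64 body (possibly line-wrapped), matching footer.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def pem_blocks(text):
    """[(label, block)] with each block rebuilt as header\\nbody\\nfooter: the
    '\\n after the header and before the footer' edit the page has you do by
    hand. JSON-escaped newlines (a literal backslash-n) are tolerated so a
    JSON response body can be scanned directly."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        b64 = "".join(body.replace("\\n", " ").split())  # drop line wrapping
        if not B64_RE.match(b64):
            raise ValueError(f"{label} block is not base64")
        blocks.append((label, f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----"))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def ta_profile_body(name, ca_pem):
    """Body for POST /rest/v1/system/pki_ta_profiles (step 1). A trust anchor is
    a public certificate only; refusing key blocks is this example's own guard."""
    blocks = pem_blocks(ca_pem)
    if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
        raise ValueError("a TA profile takes exactly one CERTIFICATE block")
    return json.dumps({"name": name, "certificate": blocks[0][1]})


def csr_body(cert_name, subject, key_type="RSA", key_size=2048):
    """Body for POST /rest/v1/certificates (step 2): certificate with pending CSR."""
    return json.dumps({"certificate_name": cert_name, "subject": subject,
                       "key_type": key_type, "key_size": key_size, "cert_type": "regular"})


def signed_cert_body(chain_pem):
    """Body for PUT /rest/v1/certificates/<name> (step 5): the signed leaf first,
    then every intermediate up to the TA certificate, kept in file order."""
    blocks = pem_blocks(chain_pem)
    if blocks[0][0] != "CERTIFICATE":
        raise ValueError("chain must start with the signed leaf certificate")
    return json.dumps({"certificate": "\n".join(b for _, b in blocks)})


def csr_from_response(text):
    """Find the CSR in the step-3 GET body; the page does not name the JSON key,
    so the whole body is scanned (assumption)."""
    for label, block in pem_blocks(text):
        if label.endswith("CERTIFICATE REQUEST"):
            return block
    raise ValueError("no CSR in response")


def cookie_header(jar_text):
    """Rebuild the Cookie: header from the Netscape-format jar curl wrote at
    login (what `-b /tmp/primary_auth_cookie` replays on the page)."""
    pairs = []
    for line in jar_text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]  # curl's marker for HttpOnly cookies
        fields = line.split("\t")
        if len(fields) == 7 and not line.startswith("#"):
            pairs.append(f"{fields[5]}={fields[6]}")
    return "; ".join(pairs)


def rest_call(host, method, path, body=None, cookie_file="/tmp/primary_auth_cookie",
              verify=True):
    """One REST call, returns (status, text). verify=False reproduces `curl -k`;
    keep it True and trust the switch CA in production."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with open(cookie_file) as f:
        headers = {"Content-Type": "application/json", "Cookie": cookie_header(f.read())}
    req = urllib.request.Request(f"https://{host}{path}", method=method,
                                 data=body.encode() if body else None, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def expect(status, wanted, what):
    if status != wanted:
        raise RuntimeError(f"{what}: expected HTTP {wanted}, got {status}")


def request_csr(host, ta_name, ca_pem, cert_name, subject, **kw):
    """Steps 1-3: TA profile, pending CSR, then fetch the CSR to hand to the CA."""
    st, _ = rest_call(host, "POST", "/rest/v1/system/pki_ta_profiles",
                      ta_profile_body(ta_name, ca_pem), **kw)
    expect(st, 201, "create TA profile")
    st, _ = rest_call(host, "POST", "/rest/v1/certificates", csr_body(cert_name, subject), **kw)
    expect(st, 201, "create CSR")
    st, text = rest_call(host, "GET", f"/rest/v1/certificates/{cert_name}", **kw)
    expect(st, 200, "fetch CSR")
    return csr_from_response(text)  # send this to the CA (step 4)


def install_signed(host, cert_name, chain_pem, **kw):
    """Step 5: the switch validates the chain against its TA profiles; 200 = installed."""
    st, text = rest_call(host, "PUT", f"/rest/v1/certificates/{cert_name}",
                         signed_cert_body(chain_pem), **kw)
    expect(st, 200, f"install {cert_name}: {text}")
```

Usage: `csr = request_csr("192.0.2.5", "myta", open("ca.pem").read(), "my-cert-name", {"common_name": "CX-8400", "country": "US"})`, submit the returned CSR to the CA, then `install_signed("192.0.2.5", "my-cert-name", open("signed-chain.pem").read())` with the file containing the leaf followed by the intermediates. Pass `verify=False` only to reproduce the page's `curl -k` against a lab switch.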