Skip to main content

Overview

This guide will walk you through downloading a keystore programmatically. You also have the option of doing this via the UI. Downloading a keystore involves the exchange of passphrases and private keys with a VSatellite. For greater security, CyberArk Certificate Manager - SaaS is designed to prevent exposure of sensitive data in the cloud by leveraging the NaCl libsodium library and its SealedBox component.

Since multiple steps and a third-party library are involved in requesting a certificate using Automated Secure Keypair (ASK) and downloading a keystore, it is easiest to illustrate using a code sample.

At the end of this walkthrough, you will:

  1. Create a certificate - Create a certificate using ASK.
  2. Get the DEK hash - Use theid in the response to call the 'certificates{id}' function and get the data encryption key (DEK) hash.
  3. Get the public key hash - Call the edgeencryptionkeys/{DEK} function to get the public key hash.
  4. Encrypt the passphrase - Use the DEK hash, password, and a nonce to encrypt the passphrase. Encryption is via a NaCl/libsodium library.
  5. Download the keystore - Call the keystore function to download the keystore as a zip file.

📘 Note Keystore download is available only when the key pair was generated by Venafi.

Before you begin

To start the sample with the necessary data, execute these preliminary function calls.

  1. If you have not already done so, obtain an API key.

  2. Get and save the application identifier of an Application. The value is also known as the Application id. For example:

{
"applications": [
{
"id": "785a6260-28f5-11eb-804b-6769144073a1",
...
  1. Get and save the identifier of a Certificate Issuing Template (CIT). The value is also known as the Certificate Issuing Template id. By executing these APIs you will obtain the values required for the customer script we've supplied. Below, you'll find the individual values you need to retrieve:
API GET https://api.venafi.cloud/v1/certificateissuingtemplates
tppl-api-key: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

You will recieve a response similar to the below. Copy the template ID.

{
"certificateIssuingTemplates": [
{
"id": "7f3ff940-bcdf-11eb-9af9-c947417e28d0",
"companyId": "11447611-28f5-11eb-b879-87373a818312",
"certificateAuthority": "BUILTIN",
"name": "Example CIT",
"certificateAuthorityAccountId": "11a0c6e0-28f5-11eb-999a-4d91b3bd6de9",
"certificateAuthorityProductOptionId": "11a0c6e1-28f5-11eb-999a-4d91b3bd6de9",
"product": {
"certificateAuthority": "BUILTIN",
"productName": "Default Product",
"validityPeriod": "P90D"

Step 1: Executing a sample in an IDE

Choose a language from the below and open the sample in an IDE. Paste the values from the prior steps and run.

Python

To install NaCl, open a command prompt and type pip install pynacl.

  1. Type, pip install six.
  2. If you're using Python 3.x, replace import six.moves.urllib.parse as urlparse and use import urllib.parse instead.
  3. Download the Python sample.
  4. Set your environment variables based on parameters in the # VaaS credentials section.
  5. Run the sample.

Go

The NaCl library is already present in the Go environment. No installation is necessary.

  1. Download the Go sample.
  2. Use a line editor. If necessary, set constants in the Const declaration.
  3. Run the sample.

Java

  1. Download the Java sample.
  2. Customize the script using a line editor:
    • Follow the script instructions about installing import libraries.
    • If necessary, set the private static final string values.
  3. Run the sample.

Step 2: Validate success

If the above execution does not work, you will get an error. If it does succeed, you will see various success messages dependent on your language:

  • Go - displays the certificate, private key, and issuing chain on the screen.
  • Python - displays a "Success" message and prints "Certificate: " {and the certificate},"Private Key: " {and the private key}, and then "Full Chain: " followed by the issuing chain.
  • Java - Displays "--Certificate--" followed by the certificate, "--Chain of trust--" followed by the issuing chain, and "--Private Key--" followed by the private key.