Overview
This guide will walk you through downloading a keystore programmatically. You also have the option of doing this via the UI. Downloading a keystore involves the exchange of passphrases and private keys with a VSatellite. For greater security, CyberArk Certificate Manager - SaaS is designed to prevent exposure of sensitive data in the cloud by leveraging the NaCl libsodium library and its SealedBox component.
Since multiple steps and a third-party library are involved in requesting a certificate using Automated Secure Keypair (ASK) and downloading a keystore, it is easiest to illustrate using a code sample.
At the end of this walkthrough, you will:
- Create a certificate - Create a certificate using ASK.
- Get the DEK hash - Use the
idin the response to call the 'certificates{id}' function and get the data encryption key (DEK) hash. - Get the public key hash - Call the
edgeencryptionkeys/{DEK}function to get the publickeyhash. - Encrypt the passphrase - Use the DEK hash, password, and a nonce to encrypt the passphrase. Encryption is via a NaCl/libsodium library.
- Download the keystore - Call the
keystorefunction to download the keystore as a zip file.
📘 Note Keystore download is available only when the key pair was generated by Venafi.
Before you begin
To start the sample with the necessary data, execute these preliminary function calls.
-
If you have not already done so, obtain an API key.
-
Get and save the application identifier of an Application. The value is also known as the Application
id. For example:
{
"applications": [
{
"id": "785a6260-28f5-11eb-804b-6769144073a1",
...
- Get and save the identifier of a Certificate Issuing Template (CIT). The value is also known as the Certificate Issuing Template
id. By executing these APIs you will obtain the values required for the customer script we've supplied. Below, you'll find the individual values you need to retrieve:
API GET https://api.venafi.cloud/v1/certificateissuingtemplates
tppl-api-key: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
You will recieve a response similar to the below. Copy the template ID.
{
"certificateIssuingTemplates": [
{
"id": "7f3ff940-bcdf-11eb-9af9-c947417e28d0",
"companyId": "11447611-28f5-11eb-b879-87373a818312",
"certificateAuthority": "BUILTIN",
"name": "Example CIT",
"certificateAuthorityAccountId": "11a0c6e0-28f5-11eb-999a-4d91b3bd6de9",
"certificateAuthorityProductOptionId": "11a0c6e1-28f5-11eb-999a-4d91b3bd6de9",
"product": {
"certificateAuthority": "BUILTIN",
"productName": "Default Product",
"validityPeriod": "P90D"
Step 1: Executing a sample in an IDE
Choose a language from the below and open the sample in an IDE. Paste the values from the prior steps and run.
Python
To install NaCl, open a command prompt and type pip install pynacl.
- Type,
pip install six. - If you're using Python 3.x, replace
import six.moves.urllib.parse as urlparseand useimport urllib.parseinstead. - Download the Python sample.
- Set your environment variables based on parameters in the
# VaaS credentialssection. - Run the sample.
Go
The NaCl library is already present in the Go environment. No installation is necessary.
- Download the Go sample.
- Use a line editor. If necessary, set constants in the
Constdeclaration. - Run the sample.
Java
- Download the Java sample.
- Customize the script using a line editor:
- Follow the script instructions about installing import libraries.
- If necessary, set the
private static final stringvalues.
- Run the sample.
Step 2: Validate success
If the above execution does not work, you will get an error. If it does succeed, you will see various success messages dependent on your language:
- Go - displays the certificate, private key, and issuing chain on the screen.
- Python - displays a "Success" message and prints "Certificate: " {and the certificate},"Private Key: " {and the private key}, and then "Full Chain: " followed by the issuing chain.
- Java - Displays "--Certificate--" followed by the certificate, "--Chain of trust--" followed by the issuing chain, and "--Private Key--" followed by the private key.