/create-pki-cert-issuer

post https://api.akeyless.io/create-pki-cert-issuer

Body Params

allow-any-name (boolean): If set, clients can request certificates for any CN.
allow-copy-ext-from-csr (boolean): If set, allows copying the extra extensions from the CSR file (if given).
allow-subdomains (boolean): If set, clients can request certificates for subdomains of the allowed domains.
allowed-domains (string): A list of the allowed domains that clients can request to be included in the certificate (in a comma-delimited list).
allowed-extra-extensions (string): A JSON string containing the allowed extra extensions for the PKI cert issuer.
allowed-ip-sans (string): A list of the allowed CIDRs for IPs that clients can request to be included in the certificate as part of the IP Subject Alternative Names (in a comma-delimited list).
allowed-uri-sans (string): A list of the allowed URIs that clients can request to be included in the certificate as part of the URI Subject Alternative Names (in a comma-delimited list).
auto-renew (boolean): Automatically renew certificates before expiration.
ca-target (string): The name of an existing CA target to attach this PKI Certificate Issuer to. Required in Public CA mode.
client-flag (boolean): If set, certificates will be flagged for client auth use.
code-signing-flag (boolean): If set, certificates will be flagged for code signing use.
country (string): A comma-separated list of countries that will be set in the issued certificate.
create-private-crl (boolean): Set this to have the issuer expose a CRL endpoint in the Gateway.
create-private-ocsp (boolean): Set this to enable an OCSP endpoint in the Gateway and include its URL in AIA.
create-public-crl (boolean): Set this to have the cert issuer expose a public CRL endpoint.
create-public-ocsp (boolean): Set this to enable a public OCSP endpoint and include its URL in AIA (served by UAM and includes account id).
critical-key-usage (string, defaults to true): Mark key usage as critical [true/false].
delete_protection (string): Protection from accidental deletion of this object [true/false].
description (string): Description of the object.
destination-path (string): A path in which to save generated certificates.
disable-wildcards (boolean): If set, generation of wildcard certificates will be disabled.
enable-acme (boolean): If set, the cert issuer will support the ACME protocol.
expiration-event-in (array of strings): How many days before the expiration of the certificate you would like to be notified.
gw-cluster-url (string): The GW cluster URL to issue the certificate from. Required in Public CA mode, to allow CRLs on private CA, or to enable ACME.
is-ca (boolean): If set, the basic constraints extension will be added to the certificate.
item-custom-fields (object): Additional custom fields to associate with the item.
json (boolean, defaults to false): Set output format to JSON.
key-usage (string, defaults to DigitalSignature,KeyAgreement,KeyEncipherment): key-usage
locality (string): A comma-separated list of localities that will be set in the issued certificate.
max-path-len (int64, defaults to -1): The maximum path length for the generated certificate. -1 means unlimited.
metadata (string): Deprecated - use description.
name (string, required): PKI certificate issuer name.
not-enforce-hostnames (boolean): If set, any names are allowed for CN and SANs in the certificate, not only a valid host name.
not-require-cn (boolean): If set, clients can request certificates without a CN.
ocsp-ttl (string): OCSP NextUpdate window for OCSP responses (min 10m). Supports s,m,h,d suffix.
organizational-units (string): A comma-separated list of organizational units (OU) that will be set in the issued certificate.
organizations (string): A comma-separated list of organizations (O) that will be set in the issued certificate.
postal-code (string): A comma-separated list of postal codes that will be set in the issued certificate.
protect-certificates (boolean): Whether to protect generated certificates from deletion.
province (string): A comma-separated list of provinces that will be set in the issued certificate.
scheduled-renew (int64): Number of days before expiration to renew certificates.
server-flag (boolean): If set, certificates will be flagged for server auth use.
signer-key-name (string): A key to sign the certificate with. Required in Private CA mode.
street-address (string): A comma-separated list of street addresses that will be set in the issued certificate.
tag (array of strings): List of the tags attached to this key.
token (string): Authentication token (see /auth and /configure).
ttl (string, required): The maximum requested Time To Live for issued certificates, in seconds. In case of Public CA, this is based on the CA target's supported maximum TTL.
uid-token (string): The universal identity token. Required only for universal_identity authentication.

Responses

200: createPKICertIssuerResponse wraps response body.
default: errorResponse wraps any error to return it as a JSON object with one "error" field.

Updated 7 months ago
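A pre-flight check for a request body to this endpoint, written as an added example (not Akeyless code): it applies the conditional requirements stated in the parameter descriptions and flags the settings that widen what clients can get issued. The `mode` argument, the function names and the sample bodies are assumptions of this example; the field names are the ones documented above.

```python
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def duration_seconds(value):
    """Parse '<int><s|m|h|d>'; None if not in that form (suffix assumed mandatory)."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None

def lint_issuer(body, mode):
    """Return (errors, warnings) for a create-pki-cert-issuer body.
    mode is 'private' or 'public': an argument of this linter, not an API field."""
    errors, warnings = [], []
    for field in ("name", "ttl"):
        if not body.get(field):
            errors.append(f"{field} is required")
    if mode == "private" and not body.get("signer-key-name"):
        errors.append("signer-key-name is required in Private CA mode")
    if mode == "public" and not body.get("ca-target"):
        errors.append("ca-target is required in Public CA mode")
    # "to allow CRLs on private CA" is read here as either CRL flag being set.
    wants_crl = body.get("create-private-crl") or body.get("create-public-crl")
    needs_gw = mode == "public" or wants_crl or body.get("enable-acme")
    if needs_gw and not body.get("gw-cluster-url"):
        errors.append("gw-cluster-url is required for Public CA, CRLs or ACME")
    if "ocsp-ttl" in body:
        secs = duration_seconds(body["ocsp-ttl"])
        if secs is None or secs < 600:
            errors.append("ocsp-ttl must be at least 10m, with an s/m/h/d suffix")
    # Settings that loosen the issuance policy; review each one deliberately.
    if body.get("allow-any-name"):
        warnings.append("allow-any-name: any CN can be requested")
    if body.get("not-enforce-hostnames"):
        warnings.append("not-enforce-hostnames: CN/SANs not limited to host names")
    if not body.get("disable-wildcards"):
        warnings.append("disable-wildcards unset: wildcard certificates allowed")
    if body.get("is-ca") and body.get("max-path-len", -1) == -1:
        warnings.append("is-ca with max-path-len -1: unlimited path length")
    return errors, warnings

# Constructed sample bodies; item names and domains are placeholders.
TIGHT = {"name": "/pki/web-issuer", "ttl": "2592000", "signer-key-name": "/pki/ca-key",
         "allowed-domains": "example.internal", "allow-subdomains": True,
         "server-flag": True, "disable-wildcards": True}
LOOSE = {"name": "/pki/dev-issuer", "ttl": "31536000", "allow-any-name": True,
         "is-ca": True, "enable-acme": True, "ocsp-ttl": "5m"}

if __name__ == "__main__":
    print(lint_issuer(TIGHT, "private"), lint_issuer(LOOSE, "private"))
```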