Certificate Web Service Client
A Java API for Certificate Web Service.
Download
Download the latest JAR or grab via Maven:
<dependency>
  <groupId>com.oneops</groupId>
  <artifactId>certs-client</artifactId>
  <version>1.1.4</version>
</dependency>
Examples
Initializing CWS Client
CwsClient client = CwsClient.builder()
    .endPoint("Api Endpoint")
    .appId("App ID")
    .teamDL("Base Team DL")
    .keystore("Keystore Path")
    .keystorePassword("Keystore password")
    .build();
- The keystore should be in PKCS#12 format.
- To load the keystore from the classpath, use classpath:/<your/cws/keystore/path>.p12
- If the keystore contains multiple cert entries, use .keyAlias("cws-client-key") to select the proper client private key.
- To enable HTTP debugging for troubleshooting, set .debug(true) on the CwsClient.builder().
- To create a PKCS#12 (.p12) keystore from a PEM/DER encoded certificate, use the following openssl command.
$ openssl pkcs12 -export -chain -out cws-keystore.p12 -inkey private.key -password pass:test123 \
-in client.crt -certfile client.crt -CAfile cacert.crt -name cws-client-key \
-caname root-ca
# Add trust-store entry (cacert.crt) to the keystore.
$ keytool -importcert -trustcacerts -alias root-ca -storetype PKCS12 \
-keystore cws-keystore.p12 -storepass test123 -file cacert.crt
# View pkcs12 keystore details
$ openssl pkcs12 -info -password pass:test123 -in cws-keystore.p12
# keytool -list -storepass test123 -keystore cws-keystore.p12 -v
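The same keystore build with the password read from an environment variable (`env:`) instead of `pass:` on the command line, where it would be visible in the process list and shell history. This is an added example, not part of the project's README: the throwaway CA and client certificate are constructed test data, and `build_keystore` and `CWS_KEYSTORE_PASS` are assumed names.

```bash
# Added example. Requires the openssl CLI. CWS_KEYSTORE_PASS (assumed name) must
# be exported by the caller, e.g. from a secrets manager, never typed inline.

build_keystore() {
  # $1 = empty working directory. Prints the number of certificates stored
  # in the resulting cws-keystore.p12 (client cert + CA chain).
  : "${CWS_KEYSTORE_PASS:?export the keystore password first}"
  (
    cd "$1" &&
    umask 077 &&   # private key and keystore are created owner-readable only

    # Constructed test PKI standing in for cacert.crt / private.key / client.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out cacert.crt \
      -subj "/CN=root-ca" -days 1 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -keyout private.key -out client.csr \
      -subj "/CN=cws-client" 2>/dev/null &&
    openssl x509 -req -in client.csr -CA cacert.crt -CAkey ca.key \
      -CAcreateserial -out client.crt -days 1 2>/dev/null &&

    # Keystore export: the password comes from the environment, not from argv.
    openssl pkcs12 -export -chain -out cws-keystore.p12 -inkey private.key \
      -password env:CWS_KEYSTORE_PASS -in client.crt -CAfile cacert.crt \
      -name cws-client-key -caname root-ca &&

    # Verify: count the certificates in the keystore without printing the key.
    openssl pkcs12 -in cws-keystore.p12 -password env:CWS_KEYSTORE_PASS \
      -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
  )
}
```

A count of 2 means the keystore holds the client certificate and the root CA, which is the chain the `-chain` option is expected to embed.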
Create new certificate
String cn = "test1.domain.com";
String teamDL = "test-teamDL"; // Relative to Base TeamDL.
List<String> sans = Arrays.asList("app1.domain.com", "app2.domain.com");
String certName = client.createCert(cn, sans, teamDL);
Check certificate exists
boolean exists = client.certExists(cn, teamDL);
Download certificate
- Download the private key, certificate and its trust chain in PKCS#12 format.
// Generate Keystore/key password (Optional)
String keystorePasswd = PasswordGen.builder().build().generate(20);
String base64Content = client.downloadCert(cn, teamDL, keystorePasswd, CertFormat.PKCS12);
- Download CertBundle, which contains the encrypted PKCS#8 private key, client cert and cacerts.
// Private key password should be at least 4 chars.
CertBundle certBundle = client.downloadCert(cn, teamDL, Optional.of("test123"));
// certBundle.key()
// certBundle.keyPassword()
// certBundle.cert()
// certBundle.cacert()
- Download CertBundle, which contains the encrypted PKCS#1 private key, client cert and cacerts.
CertBundle certBundle = client.downloadCert(cn, teamDL, Optional.empty());
// certBundle.key()
// certBundle.cert()
// certBundle.cacert()
Get certificate expiration date
LocalDateTime date = client.getCertExpirationDate(cn, teamDL);
View certificate details
ViewRes viewRes = client.viewCert(cn, teamDL);
Revoke and disable the certificate
RevokeRes revokeRes = client.revokeCert(cn, teamDL, RevokeReason.NONE, true);
Renew certificate
boolean success = client.renewCert(cn, teamDL);
Delete certificate
client.obsoleteCert(cn, teamDL);
Testing
Set the following env variables and run ./mvnw clean test to execute the unit tests.
export cws_host=...
export cws_app_id=...
export cws_team_dl=....
export cws_domain=...
export cws_keystore=.....p12
export cws_keystore_pass=....
Dependencies
License
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.