
Store or create a new certificate of the given OrganisationCertificateType for the given organisation

POST /organisations/:OrganisationId/certificates/:OrganisationCertificateType

create an organisation certificate

Request

Path Parameters

    OrganisationId OrganisationId required

    Possible values: non-empty and <= 40 characters, Value must match regular expression ^[^<>]*$

    The organisation ID

    OrganisationCertificateType OrganisationCertificateType required

    Possible values: [qwac, qseal, rtswac, rtsseal, brseal, brseal_ext, rtstransport_rs, resource_server_signing, resource_server_encryption]

    Default value: rtsseal

    The certificate type

Header Parameters

    x-fapi-auth-date string

    Possible values: Value must match regular expression ^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} (GMT|UTC)$

    The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

    x-fapi-customer-ip-address string

    The PSU's IP address if the PSU is currently logged in with the TPP.

    x-fapi-interaction-id string

    An RFC4122 UID used as a correlation id.

    x-customer-user-agent string

    Indicates the user-agent that the PSU is using.

Body

required

  • PEM file -- when the request Content-Type header is set to application/x-pem-file, the contents of the PEM file depend on OrganisationCertificateType. If OrganisationCertificateType is set to qwac or qseal, the PEM file should contain a QWAC or a QSEAL certificate respectively; if OrganisationCertificateType is set to rtswac, rtsseal, brcac or brseal, the PEM file should contain a Certificate Signing Request (CSR) for an RTS-issued RTSWAC, RTSSEAL, BRCAC or BRSEAL certificate respectively.
  • Signed JWT -- when the request Content-Type header is set to application/jwt the body of the signed JWT will contain a CSR or a certificate.

Requesting a Certificate using a signed JWT

The header kid claim is the ID of the QSealC certificate assigned to it by the RTS JWKS store. The body csr claim is the CSR in the DER format.

{
  "typ": "JWT",
  "alg": "ES256",
  "kid": "ABCD1234"
}
{
  "csr": "string"
}
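
The signed-JWT certificate request described above, as an added example (not code from the original page or from the directory's own implementation): it builds the ES256 compact JWT with the kid header and csr claim, and shows a receiver-side check that pins alg before verifying. The function names, the throwaway key pair, the placeholder CSR bytes and the base64 encoding of the csr claim are assumptions.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Build header.payload.signature signed with ES256 (ECDSA P-256 + SHA-256).
function buildCsrJwt(csrDer, kid, privateKey) {
  const header = { typ: 'JWT', alg: 'ES256', kid };
  // Assumption: the DER bytes travel as standard base64 inside the csr claim.
  const payload = { csr: Buffer.from(csrDer).toString('base64') };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS needs the raw r||s signature (ieee-p1363), not Node's default DER encoding.
  const sig = crypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64url(sig)}`;
}

// Receiver-side check: pin alg to ES256 and resolve the key by kid, then verify.
function verifyCsrJwt(jwt, keysByKid) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  if (header.alg !== 'ES256') throw new Error(`unexpected alg: ${header.alg}`);
  const publicKey = keysByKid.get(header.kid);
  if (!publicKey) throw new Error(`unknown kid: ${header.kid}`);
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!valid) throw new Error('signature check failed');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Constructed sample data: a throwaway P-256 key pair and placeholder bytes, not a real CSR.
const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const sampleKeys = new Map([['ABCD1234', publicKey]]);
const sampleJwt = buildCsrJwt(Buffer.from('3000', 'hex'), 'ABCD1234', privateKey);
console.log(sampleJwt);
console.log(verifyCsrJwt(sampleJwt, sampleKeys));
```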

Uploading a Certificate using a signed JWT

The header kid claim is the ID of the QSealC certificate assigned to it by the RTS JWKS store. The body x5c claim is the array of certificate, issuer certificate, and root certificate in the DER format.

{
  "typ": "JWT",
  "alg": "ES256",
  "kid": "ABCD1234"
}
{
  "x5c": ["qsealc", "issuer certificate", "root certificate"]
}

EXAMPLE REQUEST PAYLOAD USING SIGNED JWT REQUESTS

POST /organisations/123456789012345678/certificates/rtswac HTTP/1.1
Content-Type: application/jwt
Accept: application/json
Host: raidiam.tobedecided.org.uk
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IkFCQ0QxMjM0IiwieDVjIjpbInFzZWFsYyIsImlzc3VlciBjZXJ0aWZpY2F0ZSIsInJvb3QgY2VydGlmaWNhdGUiXX0.eyJyZWRpcmVjdF91cmlzIjpbInN0cmluZyJdLCJ0b2tlbl9lbmRwb2ludF9hdXRoX21ldGhvZCI6InN0cmluZyIsImdyYW50X3R5cGVzIjpbInN0cmluZyJdLCJyZXNwb25zZV90eXBlcyI6WyJzdHJpbmcibSwiY2xpZW50X25hbWUiOiJzdHJpbmciLCJjbGllbnRfdXJpIjoic3RyaW5nIiwibG9nb191cmkiOiJzdHJpbmciLCJzY29wZSI6InN0cmluZyIsImNvbnRhY3RzIjpbInVzZXJAZXhhbXBsZS5jb20iXSwidG9zX3VyaSI6InN0cmluZyIsInBvbGljeV91cmkiOiJzdHJpbmciLCJqd2tzX3VyaSI6InN0cmluZyIsImp3a3MiOnt9LCJzb2Z0d2FyZV9pZCI6InN0cmluZyIsInNvZnR3YXJlX3ZlcnNpb24iOiJzdHJpbmcifQ.lMsADSHkFGUw5PtgdEqXslYArzqf6tbg0lo0kCitOUA

    string

    Possible values: Value must match regular expression ^[^<>]*$

Responses

A certificate object

Response Headers

  • x-fapi-interaction-id

    string

Schema

    OrganisationId OrganisationId (string)

    Possible values: non-empty and <= 40 characters, Value must match regular expression ^[^<>]*$

    Unique ID associated with the organisation

    SoftwareStatementIds SoftwareStatementId (string)[]

    Possible values: <= 40 characters, Value must match regular expression ^[^<>]*$

    ClientName string

    Possible values: <= 40 characters

    Status string

    Possible values: <= 40 characters

    ValidFromDateTime string

    Possible values: <= 30 characters

    RevokedDateTime string

    Possible values: <= 30 characters

    ExpiryDateTime string

    Possible values: <= 30 characters

    e string

    Possible values: <= 255 characters

    keyType string

    Possible values: <= 255 characters

    kid string

    Possible values: <= 255 characters

    kty string

    Possible values: <= 255 characters

    n string

    Possible values: <= 255 characters

    use string

    Possible values: <= 255 characters

    x5c string[]

    Possible values: <= 255 characters

    x5t string

    Possible values: <= 255 characters

    x5thashS256 string

    Possible values: <= 255 characters

    x5u string

    Possible values: <= 255 characters

    SignedCertPath string

    Possible values: <= 255 characters

    Used to display location of the signed certificate in PEM format

    JwkPath string

    Possible values: <= 255 characters

    Used to display path to JWKS containing this certificate

    OrgJwkPath string

    Possible values: <= 255 characters

    Used to display path to Org JWKS containing org certificates
