Managing CAs

You can manage certificate authorities (CAs) for use as criteria in your API access rules. For more information, see About API Access Rules.

To further increase the security of your account, we recommend diversifying your authentication factors. By default, certificates and credentials act as knowledge factors. Certificates can act as possession factors when stored on physical devices such as smart cards.

Managing CAs Using OSC CLI

Creating a CA

The CreateCa command creates a Client Certificate Authority (CA).

For more information, see About API Access Rules.

Request sample: Example with access key/secret key authentication

$ osc-cli api CreateCa --profile "default" \
    --CaPem="$(cat ca-certificate.pem)" \
    --Description "CA example"

Request sample: Example with login/password authentication

$ osc-cli api CreateCa --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" \
    --CaPem="$(cat ca-certificate.pem)" \
    --Description "CA example"

This command contains the following attributes that you need to specify:

CaPem: The CA in PEM format.
With OSC CLI, use the following syntax to make sure your CA file is correctly parsed: --CaPem="$(cat FILENAME)".
Description: (optional) The description of the CA.
DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

The CreateCa command returns the following elements:

Ca: Information about the Client Certificate Authority (CA).
- CaFingerprint: The fingerprint of the CA.
- CaId: The ID of the CA.
- Description: The description of the CA.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.

Result sample

{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "Ca": {
    "Description": "CA example",
    "CaId": "ca-fedcba0987654321fedcba0987654321",
    "CaFingerprint": "1234567890abcdef1234567890abcdef12345678"
  }
}

Getting Information About Your CAs

The ReadCas command gets information about one or more of your Client Certificate Authorities (CAs).

Request sample: Example with access key/secret key authentication

$ osc-cli api ReadCas --profile "default" \
    --Filters '{
        "CaIds": ["ca-fedcba0987654321fedcba0987654321"],
      }'

Request sample: Example with login/password authentication

$ osc-cli api ReadCas --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" \
    --Filters '{
        "CaIds": ["ca-fedcba0987654321fedcba0987654321"],
      }'

This command contains the following attributes that you need to specify:

DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
Filters: (optional) One or more filters.
- CaFingerprints: (optional) The fingerprints of the CAs.
- CaIds: (optional) The IDs of the CAs.
- Descriptions: (optional) The descriptions of the CAs.

The ReadCas command returns the following elements:

Cas: Information about one or more CAs.
- CaFingerprint: The fingerprint of the CA.
- CaId: The ID of the CA.
- Description: The description of the CA.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.

Result sample

{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "Cas": [
    {
      "Description": "CA example",
      "CaId": "ca-fedcba0987654321fedcba0987654321",
      "CaFingerprint": "1234567890abcdef1234567890abcdef12345678"
    }
  ]
}

Modifying a CA

The UpdateCa command modifies the specified attribute of a Client Certificate Authority (CA).

Request sample: Example with access key/secret key authentication

$ osc-cli api UpdateCa --profile "default" \
    --CaId "ca-fedcba0987654321fedcba0987654321" \
    --Description "New description"

Request sample: Example with login/password authentication

$ osc-cli api UpdateCa --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" \
    --CaId "ca-fedcba0987654321fedcba0987654321" \
    --Description "New description"

This command contains the following attributes that you need to specify:

CaId: The ID of the CA.
Description: (optional) The description of the CA.
DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

The UpdateCa command returns the following elements:

Ca: Information about the Client Certificate Authority (CA).
- CaFingerprint: The fingerprint of the CA.
- CaId: The ID of the CA.
- Description: The description of the CA.
ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.

Result sample

{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  },
  "Ca": {
    "Description": "New description",
    "CaId": "ca-fedcba0987654321fedcba0987654321",
    "CaFingerprint": "1234567890abcdef1234567890abcdef12345678"
  }
}

Deleting a CA

The DeleteCa command deletes a specified Client Certificate Authority (CA).

Request sample: Example with access key/secret key authentication

$ osc-cli api DeleteCa --profile "default" \
    --CaId "ca-fedcba0987654321fedcba0987654321"

Request sample: Example with login/password authentication

$ osc-cli api DeleteCa --profile "default" --authentication-method "password" --login "$OSC_EMAIL" --password "$OSC_PASSWORD" \
    --CaId "ca-fedcba0987654321fedcba0987654321"

This command contains the following attributes that you need to specify:

CaId: The ID of the CA you want to delete.
DryRun: (optional) If true, checks whether you have the required permissions to perform the action.

The DeleteCa command returns the following elements:

ResponseContext: Information about the context of the response.
- RequestId: The ID of the request.

Result sample

{
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Related Page

About API Access Rules

Corresponding API Methods