Certificate Token

class privacyidea.lib.tokens.certificatetoken.CertificateTokenClass(aToken)[source]

Token to implement an X509 certificate. The certificate can be enrolled by sending a CSR to the server or the keypair is created by the server. If the server creates the keypair, the user can download a PKCS12 file. The OTP PIN is used as passphrase for the PKCS12 file.

privacyIDEA is capable of working with different CA connectors.

Valid parameters are request or certificate, both PEM encoded. If you pass a request you also need to pass the ca that should be used to sign the request. Passing a certificate just uploads the certificate to a new token object.

A certificate token can be created by an administrative task with the token/init api like this:

Example Initialization Request:

POST /auth HTTP/1.1
Host: example.com
Accept: application/json

request=<PEM encoded request>
attestation=<PEM encoded attestation certificate>
ca=<name of the ca connector>

Example Initialization Request, key generation on servers side

In this case the certificate is created on behalf of another user.

POST /auth HTTP/1.1
Host: example.com
Accept: application/json

ca=<name of the ca connector>

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

   "detail": {
     "certificate": "...PEM..."
   "id": 1,
   "jsonrpc": "2.0",
   "result": {
     "status": true,
     "value": true
   "version": "privacyIDEA unknown"

Create a new token object.


db_token (Token) – A database token object


A TokenClass object


This returns the token data as a dictionary. It is used to display the token list at /token/list.

The certificate token can add the PKCS12 file if it exists


The token data as dict

Return type


static get_class_info(key=None, ret='all')[source]

returns a subtree of the token definition

  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found


subsection if key exists or user defined

Return type

dict or scalar

static get_class_prefix()[source]
static get_class_type()[source]
classmethod get_default_settings(g, params)[source]

This method returns a dictionary with additional settings for token enrollment. The settings that are evaluated are SCOPE.ADMIN|SCOPE.USER, action=trusted_Assertion_CA_path It sets a list of configured paths.

The returned dictionary is added to the parameters of the API call. :param g: context object, see documentation of Match :param params: The call parameters :type params: dict :return: default parameters

get_init_detail(params=None, user=None)[source]

At the end of the initialization we return the certificate and the PKCS12 file, if the private key exists.

hKeyRequired = False

This revokes the token. We need to determine the CA, which issues the certificate, contact the connector and revoke the certificate

Some token types may revoke a token without locking it.

set_pin(pin, encrypt=False)[source]

set the PIN of a token. The PIN of the certificate token is stored encrypted. It is used as passphrase for the PKCS12 file.

  • pin (basestring) – the pin to be set for the token

  • encrypt (bool) – If set to True, the pin is stored encrypted and can be retrieved from the database again


This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None

using_pin = False