Certificate Token

class privacyidea.lib.tokens.certificatetoken.CertificateTokenClass(aToken)[source]

Token to implement an X509 certificate. The certificate can be enrolled by sending a CSR to the server or the keypair is created by the server. If the server creates the keypair, the user can download a PKCS12 file. The OTP PIN is used as passphrase for the PKCS12 file.

privacyIDEA is capable of working with different CA connectors.

Valid parameters are request or certificate, both PEM encoded. If you pass a request you also need to pass the ca that should be used to sign the request. Passing a certificate just uploads the certificate to a new token object.

A certificate token can be created by an administrative task with the token/init api like this:

Example Initialization Request:

POST /auth HTTP/1.1
Host: example.com
Accept: application/json

request=<PEM encoded request>
ca=<name of the ca connector>

Example Initialization Request, key generation on servers side

In this case the certificate is created on behalf of another user.

POST /auth HTTP/1.1
Host: example.com
Accept: application/json

ca=<name of the ca connector>

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

   "detail": {
     "certificate": "...PEM..."
   "id": 1,
   "jsonrpc": "2.0",
   "result": {
     "status": true,
     "value": true
   "version": "privacyIDEA unknown"

This returns the token data as a dictionary. It is used to display the token list at /token/list.

The certificate token can add the PKCS12 file if it exists

Returns:The token data as dict
Return type:dict
static get_class_info(key=None, ret='all')[source]

returns a subtree of the token definition

  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found

subsection if key exists or user defined

Return type:

dict or scalar

static get_class_prefix()[source]
static get_class_type()[source]
get_init_detail(params=None, user=None)[source]

At the end of the initialization we return the certificate and the PKCS12 file, if the private key exists.

hKeyRequired = False

This revokes the token. We need to determine the CA, which issues the certificate, contact the connector and revoke the certificate

Some token types may revoke a token without locking it.

set_pin(pin, encrypt=False)[source]

set the PIN of a token. The PIN of the certificate token is stored encrypted. It is used as passphrase for the PKCS12 file.

  • pin (basestring) – the pin to be set for the token
  • encrypt (bool) – If set to True, the pin is stored encrypted and can be retrieved from the database again

This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None

using_pin = False