16.1.1.19. CA Connector endpoints
The CA connector REST API manages connections to Certificate Authorities that privacyIDEA uses when enrolling certificate tokens. See CA Connectors for the conceptual chapter that explains connector types and their configuration.
All endpoints require admin authentication. Read access is gated by the admin policy action caconnectorread, write access by caconnectorwrite, and deletion by caconnectordelete.
- GET /caconnector/(name)
- GET /caconnector/
Return CA connectors known to this server. If name is given as a path component, only the matching connector is returned; otherwise all connectors are listed. Each entry includes the full configuration of the connector, including any secrets stored alongside it.
Requires admin authentication and the policy action caconnectorread.
- Parameters:
name – optional path component selecting a single connector by name.
- Status Codes:
200 OK – list of connector dictionaries in result.value.
- GET /caconnector/specific/(catype)
Return the type-specific configuration options that are available for a given CA connector type and an in-progress configuration. The WebUI calls this after the admin has chosen a connector type and entered the mandatory fields, in order to discover further options whose values depend on the current configuration (for example: which CA templates are available for a local openSSL connector).
Requires admin authentication and the policy action caconnectorread.
- Parameters:
catype – path component naming the connector type (e.g. local, microsoft).
- Query:
any connector-specific configuration fields entered so far — they are passed verbatim to the connector class to compute the available options.
- Status Codes:
200 OK – dict of available options in result.value.
- POST /caconnector/(name)
Create or update a CA connector. If a connector with the given name already exists, it is updated; otherwise it is created. On update only the fields that should be changed need to be supplied, but the connector type must not be changed (it is bound to the connector class).
See CA Connectors for the supported types and their attributes.
Requires admin authentication and the policy action caconnectorwrite.
- Parameters:
name – path component, the connector name.
- JSON Parameters:
type – connector type (e.g. local); required on creation.
any connector-specific configuration fields.
- Status Codes:
200 OK – database id of the connector in result.value.
- DELETE /caconnector/(name)
Delete the CA connector with the given name and all its configuration entries.
Requires admin authentication and the policy action caconnectordelete.
- Parameters:
name – path component, the connector name.
- Status Codes:
200 OK – id of the deleted connector in result.value.
404 Not Found – no connector with that name exists.
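An added example (not part of the privacyIDEA documentation or code base) for two points above: the GET listing returns secrets, so responses should be masked before they reach logs, and a POST must carry type on creation but never a different type on update. The keys connectorname, type and data inside each connector dictionary, the field names in the sample, and the SENSITIVE_HINTS list are assumptions made for illustration.

```python
from urllib.parse import quote

# Constructed sample of a GET /caconnector/ response body. The page only
# guarantees result.value; the keys inside each connector dictionary and the
# field names under "data" are assumptions.
SAMPLE_RESPONSE = {
    "result": {"status": True, "value": [
        {"connectorname": "issuing-ca", "type": "local",
         "data": {"cakey": "/etc/ca/ca.key", "cacert": "/etc/ca/ca.crt",
                  "password": "constructed-secret"}},
    ]},
}

SENSITIVE_HINTS = ("password", "secret", "key", "passphrase")  # assumed naming


def redact(connectors):
    """Copy connector dictionaries for logging, masking secret-looking fields."""
    safe = []
    for conn in connectors:
        data = {k: "***" if any(h in k.lower() for h in SENSITIVE_HINTS) else v
                for k, v in conn.get("data", {}).items()}
        safe.append({**conn, "data": data})
    return safe


def build_post(name, desired, existing):
    """Return (path, json_body) for POST /caconnector/(name).

    Creation needs "type"; an update sends only changed fields and never a
    different type, because the type is bound to the connector class.
    """
    path = "/caconnector/" + quote(name, safe="")  # encode "/" and spaces
    current = next((c for c in existing if c["connectorname"] == name), None)
    if current is None:
        if "type" not in desired:
            raise ValueError("type is required when creating a connector")
        return path, dict(desired)
    if desired.get("type", current["type"]) != current["type"]:
        raise ValueError("connector type must not be changed on update")
    changed = {k: v for k, v in desired.items()
               if k != "type" and current.get("data", {}).get(k) != v}
    return path, changed


if __name__ == "__main__":
    print(redact(SAMPLE_RESPONSE["result"]["value"]))
```
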