TinyCert REST API (tinycert.org)
25 points by kolev on Nov 23, 2014 | 12 comments


Not saying it's a good or bad API - but it's not restful

I've had a quick go at redesigning it to be more restful. Not perfect, but better I think. Would like to hear others' opinions.

/sessions [POST|DELETE]: Open|Close an API session

Certificate Authority management

/cas [GET]: Get a list of all CAs in your account

/cas/{caId} [GET]: Get further details on a given CA

/cas/{caId}/cert [GET]: Download the CA's certificate

/cas/{caId} [DELETE]: Delete a given CA

/cas [POST]: Create a new CA

Certificate management

/cas/{caId}/certs [GET]: Get a list of all certificates for a given CA

/cas/{caId}/certs/{certId}/details [GET]: Get further details on a given certificate

/cas/{caId}/certs/{certId} [GET]: Download the certificate

/cas/{caId}/certs/{certId}/sigreqs [POST]: signing request

/cas/{caId}/certs/{certId}/private-key [GET]: private key for a certificate

/cas/{caId}/certs/{certId} [PUT]: Re-issue an existing certificate

/cas/{caId}/certs/{certId}/status [PUT]: Change certificate status

/cas/{caId}/certs [POST]: Create a new certificate


> but it's not restful

Absolutely mandatory comment on each REST API discussion!


Agreed :)

I tried to be constructive at the same time though


Indeed. It is misnamed (and I'm the one who did the misnaming, I'll take the blame for it).

As it stands, it is a bit of a hybrid.

Your version (which is similar to what I had considered, actually) would be relatively easy to map onto the backend. I'll bear this in mind for a future revision. No promises, though.


Agreed. I got so happy about the news that I didn't even check the API itself.


A self-hosted and open source version of something like this would be amazing. I'm not sure I feel comfortable leaving my private key on third party servers, even for non-production/purely personal usage.


We have one of those, a bit more limited as it only works on a single CA.

Give me a week and poke an email to spider@aanstoot.se and I'll see about giving preliminary access.


I contacted the author on Twitter, he said there are some licensing issues preventing him from open-sourcing it, but it's in the plans.


A number of network devices and software applications include a root CA certificate that allows them to unwrap SSL (for example Charles Proxy). The problem with that model is once installed, all users of that application implicitly trust each other. Integrating something like this would allow each user to have their own root CA.


That is actually a very interesting application of the service that I hadn't even considered.


This is nice for non-production environments - I've been issuing self-signed certificates, but this is a much more convenient approach and I'm pulling sleeves up to implement this.


I see generating a new certificate happens on the server, so it keeps the private key, instead of sending the CSR and keeping the private key on the client. Sigh.
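The client-side flow the last comment describes, as an added example that is not part of the thread and not TinyCert's own code: the private key is generated and kept locally, and only the CSR would be submitted to whichever CA does the signing. It assumes the `openssl` command-line tool is installed; the file names and subject name are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): key pair and CSR are created on the client.
# Only client.csr would ever leave the machine. File names are hypothetical.

make_csr() {
    # $1 = output directory, $2 = subject common name
    dir=$1; cn=$2
    umask 077    # key file readable by its owner only
    # Generate the private key locally (P-256 EC key).
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/client.key" || return 1
    # Build the CSR: subject plus public key, signed with the private key
    # as proof of possession.
    openssl req -new -key "$dir/client.key" -subj "/CN=$cn" \
        -out "$dir/client.csr" || return 1
}

check_csr() {
    # $1 = directory holding client.key and client.csr
    dir=$1
    # 1. The CSR self-signature must verify (the message goes to stdout or
    #    stderr depending on the OpenSSL version, so capture both).
    openssl req -in "$dir/client.csr" -noout -verify 2>&1 \
        | grep -q "verify OK" || return 1
    # 2. The file that gets uploaded must not contain a private key block.
    if grep -q "PRIVATE KEY" "$dir/client.csr"; then return 1; fi
    # 3. The public key in the CSR must match the locally held private key.
    csr_pub=$(openssl req -in "$dir/client.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/client.key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# Usage: d=$(mktemp -d); make_csr "$d" dev.example.test && check_csr "$d"
```
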



