PKIProfile

Description

API


    POST /api/pkiprofile
    PUT /api/pkiprofile/<key>
    DELETE /api/pkiprofile/<key>
    GET /api/pkiprofile
    GET /api/pkiprofile/<key>

CLI


    configure pkiprofile <key>
    delete pkiprofile <key>
    show pkiprofile <key>

Data

PKIProfile

uuid

Type
string
Category
required
Description

name

Type
string
Category
required
Description
Name of the PKI Profile

ca_certs

Type
SSLCertificate
Category
repeated
Description
List of trusted Certificate Authorities (Root and Intermediate) used for certificate validation.

crls

Type
CRL
Category
repeated
Description
Certificate Revocation Lists

ignore_peer_chain

Type
bool
Category
optional
Description
When enabled, Avi will not trust Intermediate and Root certs presented by a client. Instead, only the chain certs configured in the Certificate Authority section will be used to verify trust of the client's cert.
Default
False

crl_check

Type
bool
Category
optional
Description
When enabled, Avi will verify via CRL checks that certificates in the trust chain have not been revoked.
Default
True

validate_only_leaf_crl

Type
bool
Category
optional
Description
When enabled, Avi will only validate the revocation status of the leaf certificate using CRL. To enable validation for the entire chain, disable this option and provide all the relevant CRLs.
Default
True

tenant_ref

Type
Reference to Tenant
Category
required
Description

SSLCertificate

version

Type
string
Category
optional
Description

serial_number

Type
string
Category
optional
Description

self_signed

Type
bool
Category
optional
Description

issuer

Type
SSLCertificateDescription
Category
optional
Description

subject

Type
SSLCertificateDescription
Category
optional
Description

key_params

Type
SSLKeyParams
Category
optional
Description

public_key

Type
string
Category
optional
Description

signature_algorithm

Type
string
Category
optional
Description

signature

Type
string
Category
optional
Description

not_before

Type
string
Category
optional
Description

not_after

Type
string
Category
optional
Description

certificate

Type
string
Category
optional
Description

certificate_signing_request

Type
string
Category
optional
Description

text

Type
string
Category
optional
Description

fingerprint

Type
string
Category
optional
Description

expiry_status

Type
enum
Category
optional
Description
Default
SSL_CERTIFICATE_GOOD
Choices
SSL_CERTIFICATE_EXPIRED, SSL_CERTIFICATE_GOOD, SSL_CERTIFICATE_EXPIRY_WARNING

chain_verified

Type
bool
Category
optional
Description

SSLCertificateDescription

common_name

Type
string
Category
optional
Description

email_address

Type
string
Category
optional
Description

organization_unit

Type
string
Category
optional
Description

organization

Type
string
Category
optional
Description

locality

Type
string
Category
optional
Description

state

Type
string
Category
optional
Description

country

Type
string
Category
optional
Description

distinguished_name

Type
string
Category
optional
Description

SSLKeyParams

algorithm

Type
enum
Category
required
Description
Default
SSL_KEY_ALGORITHM_RSA
Choices
SSL_KEY_ALGORITHM_RSA, SSL_KEY_ALGORITHM_EC

rsa_params

Type
SSLKeyRSAParams
Category
optional
Description

ec_params

Type
SSLKeyECParams
Category
optional
Description

SSLKeyRSAParams

key_size

Type
enum
Category
optional
Description
Default
SSL_KEY_2048_BITS
Choices
SSL_KEY_1024_BITS, SSL_KEY_3072_BITS, SSL_KEY_4096_BITS, SSL_KEY_2048_BITS

exponent

Type
uint32
Category
optional
Description
Default
65537

SSLKeyECParams

curve

Type
enum
Category
optional
Description
Default
SSL_KEY_EC_CURVE_SECP256R1
Choices
SSL_KEY_EC_CURVE_SECP521R1, SSL_KEY_EC_CURVE_SECP256R1, SSL_KEY_EC_CURVE_SECP384R1

CRL

server_url

Type
string
Category
optional
Description
URL of a server that issues the Certificate Revocation list. If this is configured, CRL will be periodically downloaded either based on the configured update interval or the next update interval in the CRL. CRL itself is stored in the body.

body

Type
string
Category
optional
Description
Certificate Revocation list from a given issuer in PEM format. This can either be configured directly or via the server_url.

last_update

Type
string
Category
optional
Description
The date when this CRL was last issued.

next_update

Type
string
Category
optional
Description
The date when a newer CRL will be available. Also conveys the date after which the CRL should be considered obsolete.

update_interval

Type
int32
Category
optional
Description
Interval in minutes to check for CRL update. If not specified, the interval will be 1 day.

etag

Type
string
Category
optional
Description
Cached etag to optimize the download of the CRL.

text

Type
string
Category
optional
Description
Certificate Revocation list in plain text for readability.

common_name

Type
string
Category
optional
Description
Common name of the issuer in the Certificate Revocation list.

fingerprint

Type
string
Category
optional
Description
Fingerprint of the CRL. Used to avoid configuring duplicates.

distinguished_name

Type
string
Category
optional
Description
Distinguished name of the issuer in the Certificate Revocation list.

last_refreshed

Type
string
Category
optional,readonly
Description
Last time the CRL was refreshed by the system. This is an internal field used by the system.
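The following is an added example, not Avi's own code: it sanity-checks a PKIProfile body before it is sent to POST /api/pkiprofile, applying the crl_check / validate_only_leaf_crl semantics described above (a full-chain check needs a CRL for every CA in ca_certs) and the CRL refresh rule (update_interval in minutes, defaulting to 1 day, or the CRL's own next_update). It assumes CRLs are matched to CAs by distinguished_name, that timestamps are ISO 8601 strings, and that of the two refresh triggers the earlier one wins; the sample profile and CA names are constructed.

```python
from datetime import datetime, timedelta

# Page: update_interval is in minutes and "If not specified, interval will be 1 day".
DEFAULT_UPDATE_INTERVAL_MIN = 24 * 60


def crl_gaps(profile, leaf_issuer_dn):
    """Return DNs of trusted CAs for which profile["crls"] holds no CRL.

    crl_check False: Avi performs no CRL checks, so nothing is required.
    validate_only_leaf_crl True (default): only the leaf issuer's CRL is needed.
    False: every CA in ca_certs needs one ("provide all the relevant CRLs").
    CRLs are matched to CAs by distinguished_name (assumption of this example).
    """
    if not profile.get("crl_check", True):
        return []
    crl_dns = {crl.get("distinguished_name") for crl in profile.get("crls", [])}
    if profile.get("validate_only_leaf_crl", True):
        needed = [leaf_issuer_dn]
    else:
        needed = [ca["subject"]["distinguished_name"] for ca in profile.get("ca_certs", [])]
    return [dn for dn in needed if dn not in crl_dns]


def next_crl_refresh(crl, last_refreshed):
    """ISO 8601 time of the next download for a server_url-backed CRL, else None.

    The page says the download follows update_interval "or" the CRL's next_update;
    this example assumes whichever comes first (assumption).
    """
    if not crl.get("server_url"):
        return None  # body was configured directly; nothing is downloaded
    minutes = crl.get("update_interval") or DEFAULT_UPDATE_INTERVAL_MIN
    due = datetime.fromisoformat(last_refreshed) + timedelta(minutes=minutes)
    if crl.get("next_update"):
        due = min(due, datetime.fromisoformat(crl["next_update"]))
    return due.isoformat()


# Constructed sample body for POST /api/pkiprofile (only the fields the checks read).
SAMPLE_PROFILE = {
    "name": "client-mtls-pki",
    "ca_certs": [
        {"subject": {"distinguished_name": "CN=Example Root CA"}},
        {"subject": {"distinguished_name": "CN=Example Issuing CA"}},
    ],
    "crls": [{"distinguished_name": "CN=Example Issuing CA", "update_interval": 60,
              "server_url": "http://crl.example.invalid/issuing.crl",
              "next_update": "2024-06-01T13:00:00"}],
    "crl_check": True,
    "validate_only_leaf_crl": False,
}
```

With validate_only_leaf_crl disabled, `crl_gaps(SAMPLE_PROFILE, "CN=Example Issuing CA")` reports the root CA as missing a CRL, which is exactly the misconfiguration that would leave part of the chain unchecked.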

References

Tenant

Sub Objects