16.2.1.15.2. Certificate Token¶
- class privacyidea.lib.tokens.certificatetoken.CertificateTokenClass(aToken)[source]¶
Token to implement an X509 certificate. The certificate can be enrolled by sending a CSR to the server or the keypair is created by the server. If the server creates the keypair, the user can download an encrypted PKCS12 container file. The OTP PIN is used as passphrase for the PKCS12 file. If no PIN is set for the token, a random password will be generated and returned in the init details.
privacyIDEA is capable of working with different CA connectors.
Valid parameters are request or certificate, both PEM encoded. If you pass a request or genkey=1 you also need to pass the ca that should be used to sign the request. Passing a certificate just uploads the certificate to a new token object.
A certificate token can be created by an administrative task with the POST /token/init API like this:
Example Initialization Request:

    POST /token/init HTTP/1.1
    Host: example.com
    Accept: application/json

    type=certificate
    user=cornelius
    realm=realm1
    request=<PEM encoded certificate request>
    attestation=<PEM encoded attestation certificate>
    ca=<name of the ca connector>
Example Initialization Request, key generation on server side
In this case the certificate is created on behalf of another user.

    POST /token/init HTTP/1.1
    Host: example.com
    Accept: application/json

    type=certificate
    user=cornelius
    realm=realm1
    genkey=1
    ca=<name of the ca connector>
Example response:
    HTTP/1.1 200 OK
    Content-Type: application/json

    {
      "detail": {
        "certificate": "...PEM...",
        "serial": "CRT...."
      },
      "id": 1,
      "jsonrpc": "2.0",
      "result": {
        "status": true,
        "value": true
      }
    }
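The enrollment flow above, as an added client-side example that is not part of privacyIDEA's own code: it assembles the /token/init form fields while enforcing the parameter rules the page states (request or genkey=1 need a ca; certificate alone only uploads), parses the response shown above, and optionally posts it. The JWT-in-Authorization header, the CRT0001 sample serial and the pkcs12/pkcs12_password detail keys are assumptions, not taken from this page.

```python
import json
import urllib.parse
import urllib.request
CSR_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"

# Constructed sample body modelled on the page's example response (not real server output).
SAMPLE_RESPONSE = ('{"detail": {"certificate": "...PEM...", "serial": "CRT0001"}, "id": 1, '
                   '"jsonrpc": "2.0", "result": {"status": true, "value": true}}')


def build_init_params(user, realm, ca=None, request=None, genkey=False,
                      certificate=None, attestation=None):
    """Form fields for POST /token/init with type=certificate, enforcing the page's
    rules: 'request' (a CSR) or 'genkey=1' needs the signing 'ca' connector, while
    'certificate' alone only uploads an existing certificate."""
    if request is not None and not request.lstrip().startswith(CSR_HEADER):
        raise ValueError("request must be a PEM encoded certificate request")
    if (request is not None or genkey) and not ca:
        raise ValueError("'ca' is required when the server must sign a request")
    if request is None and not genkey and certificate is None:
        raise ValueError("pass one of request, genkey=1 or certificate")
    params = {"type": "certificate", "user": user, "realm": realm}
    if request is not None:
        params["request"] = request
    if genkey:
        params["genkey"] = "1"  # server-side key pair; PKCS12 comes back in the details
    if certificate is not None:
        params["certificate"] = certificate
    if attestation is not None:
        params["attestation"] = attestation
    if ca:
        params["ca"] = ca
    return params


def parse_init_response(body):
    """Pull the enrollment result out of the JSON-RPC style response body."""
    data = json.loads(body)
    if not data.get("result", {}).get("status"):
        raise RuntimeError("token init failed: %r" % data.get("result"))
    detail = data.get("detail", {})
    # 'pkcs12' and 'pkcs12_password' are assumed key names; the page only says the
    # PKCS12 file and, when no PIN is set, a generated passphrase are returned.
    return {k: detail.get(k) for k in ("serial", "certificate", "pkcs12", "pkcs12_password")}


def token_init(base_url, auth_token, params):
    """POST to /token/init; auth_token is the JWT from /auth, sent in the Authorization header."""
    req = urllib.request.Request(base_url.rstrip("/") + "/token/init",
                                 data=urllib.parse.urlencode(params).encode(),
                                 headers={"Authorization": auth_token, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return parse_init_response(resp.read().decode())
```

Treat the returned pkcs12_password like any other secret: it protects the private key in the PKCS12 container and should not be logged or stored next to the container.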
Create a new token object.
- Parameters:
db_token (Token) – A database token object
- Returns:
A TokenClass object
- get_as_dict() dict[source]¶
This returns the token data as a dictionary. It is used to display the token list at /token/list.
The certificate token additionally includes the PKCS12 file if it exists.
- Returns:
The token data as dictionary
- Return type:
dict
- static get_class_info(key=None, ret='all')[source]¶
Returns a subtree of the token definition.
- Parameters:
key (string) – subsection identifier
ret (user defined) – default return value, if nothing is found
- Returns:
subsection if key exists or user defined
- Return type:
dict or scalar
- classmethod get_default_settings(g, params)[source]¶
This method returns a dictionary with additional settings for token enrollment. The settings that are evaluated are the policy action trusted_Assertion_CA_path in SCOPE.ADMIN and SCOPE.USER; it sets a list of configured paths.
The returned dictionary is added to the parameters of the API call.
- Parameters:
g – context object, see the documentation of Match
params (dict) – the call parameters
- Returns:
default parameters
- get_init_detail(params=None, user=None)[source]¶
At the end of the initialization we return the certificate and the PKCS12 file, if the private key exists.
- hKeyRequired = False¶
- revoke()[source]¶
This revokes the token. We need to determine the CA which issued the certificate, contact the connector and revoke the certificate.
Some token types may revoke a token without locking it.
- set_pin(pin, encrypt=False)[source]¶
Set the PIN of a token. The PIN of the certificate token is stored encrypted. It is used as passphrase for the PKCS12 file.
- Parameters:
pin (str) – the pin to be set for the token
encrypt (bool) – ignored
- update(param)[source]¶
This method is called during the initialization process.
- Parameters:
param (dict) – parameters from the token init
- Returns:
None
- using_pin = False¶