
Certificate Services Web Service Guide

Software release: 12.4

Document issue: 1.0

Date of issue: March 2018

Entrust Datacard Certificate Services Web Service Guide 2

Copyright © 2018 Entrust Datacard. All rights reserved.

Entrust is a trademark or a registered trademark of Entrust Datacard Limited in Canada. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. or Entrust Datacard Limited in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

This information is subject to change as Entrust Datacard reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

`

Contents

Contents .... 3
Revision, audience and guide information .... 6
  Revisions .... 6
  Audience .... 6
  Viewing this guide .... 6
Service endpoint .... 7
Authentication .... 7
User roles .... 8
Method details .... 11
  Requesting, renewing, or reissuing a certificate .... 11
    Method: certRequest .... 11
    Response .... 19
  Revoking a certificate .... 21
    Method: deactivateCert .... 21
    Response .... 21
  Finding a list of certificates using the certificate status, a search field, and a regular expression .... 22
    Method: findCertList .... 22
    Response .... 23
  Retrieving certificate information .... 24
    Method: getCert .... 24
    Response .... 24
  Retrieving a certificate list (with some associated information) .... 25
    Method: getCertList .... 25
    Response .... 25
  Retrieving a certificate list (with additional information) .... 26
    Method: getExtCertList .... 26
    Response .... 26
  Retrieving a list of certificates using their tracking IDs .... 28
    Method: getExtCertListByTrackingIds .... 28
    Response .... 28
  Retrieving a client list (and associated information) .... 30
    Method: getClientList .... 30
    Response .... 30
  Retrieving a domain list (and associated information) .... 31
    Method: getDomainList .... 31
    Response .... 31
  Retrieving an organization list .... 32
    Method: getOrgList .... 32
    Response .... 32
  Retrieving an approved organization list .... 33
    Method: getOrgUnitList .... 33
    Response .... 33
  Retrieving inventory information .... 34
    Method: getInventory .... 34
    Response .... 34
  Retrieving custom tracking field information .... 36
    Method: getTrackingFields .... 36
    Response .... 36
  Suspending a certificate .... 37
    Method: suspendCert .... 37
    Response .... 37
  Restoring a certificate .... 38
    Method: restoreCert .... 38
    Response .... 38
  Approving pending certificate requests .... 39
    Method: certApprove .... 39
    Response .... 39
  Declining pending certificate requests .... 41
    Method: certDecline .... 41
    Response .... 41
  Adding a client .... 42
    Method: addClient .... 42
    Response .... 43
  Adding a domain .... 44
    Method: addDomain .... 44
    Response .... 44
  Updating a certificate record .... 44
    Method: certChange .... 44
    Response .... 46
Web service error response .... 47
  Error codes .... 47

Revision, audience and guide information

Revisions

Revision: 12.4
Section: "Method: certRequest" on page 11
Description:
- Added new CT logging option.
- Added new Private Dedicated SSL certificate creation.

Audience

This guide is intended for software developers who want to use the ECS API.

Viewing this guide

Although this guide can be printed, it relies heavily on hyperlinks to other sections, so it is best viewed and used electronically.

Service endpoint

https://ws-managed.entrust.net/ws/cms.cfc?wsdl

Authentication

User accounts for the Web service can be managed using Entrust Certificate Services Enterprise. Contact Entrust to add this management capability to your account.

To create a new API user, go to Administration > User Management > Create New User and set User Type = API Users. See the Certificate Services online help for more information.

The Certificate Services Enterprise web service uses both client certificate authentication and password authentication.

To create the client certificate:

1. Use your Certificate Services Enterprise account to create an SSL certificate with client or mutual authentication (Standard, Advantage, Unified Communication, or Extended Validation only) from a CSR. The certificate common name can be anything you like, but it must use an approved domain for your account.

2. Install the resulting certificate on the host you will use to connect to the web service. Details about creating the CSR and installing the certificate will be specific to your application programming environment (for example, Java, Microsoft, or C++).

Note: You can update the certificate used by the client (renew or reissue) without affecting API access, if the DN in the certificate remains the same. Access to the API is tied to the DN, not the specific client certificate.

In addition to presenting a valid client certificate, the application accessing the web service must send a valid username and password using HTTP Basic authentication. HTTP Basic authentication uses the HTTP Authorization header, which must be sent with every web service call. The value of the header is the string username + ':' + password in base-64 encoded format.

Consult the documentation for your application programming environment for details on how to do this.
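The two authentication factors described above combined in one call, as an added example that is not Entrust's code: a mutual-TLS connection presenting the account's client certificate, plus the Basic Authorization header, on a SOAP request to the endpoint. The envelope shape, the SOAPAction value, and the file paths and credentials are assumptions; take the real namespace and operation layout from the WSDL at the service endpoint.

```python
"""Added example, not Entrust's code: one web service call over mutual TLS
with the HTTP Basic Authorization header the guide requires on every call.

Assumptions (not from the guide): the SOAP envelope is a plain SOAP 1.1
call whose element names match the method and parameter names, and the
SOAPAction header carries the method name; the real namespace and layout
must be taken from the WSDL. Paths and credentials are placeholders."""
import base64
import http.client
import ssl
from xml.sax.saxutils import escape

ENDPOINT_HOST = "ws-managed.entrust.net"
ENDPOINT_PATH = "/ws/cms.cfc"


def basic_auth_header(username, password):
    """Authorization header value: 'Basic ' + base64(username + ':' + password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def soap_envelope(method, params):
    """SOAP 1.1 envelope with one operation element per call (assumed shape).
    Parameter values are XML-escaped so a regex or DN cannot break the body."""
    fields = "".join(f"<{name}>{escape(str(value))}</{name}>"
                     for name, value in params.items())
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            f"<soapenv:Body><{method}>{fields}</{method}></soapenv:Body>"
            "</soapenv:Envelope>")


def client_tls_context(cert_path, key_path):
    """TLS context that verifies the server and presents the client certificate
    issued from your account. Access is tied to the certificate DN, so a
    renewed or reissued certificate with the same DN keeps working."""
    ctx = ssl.create_default_context()          # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def build_request(method, params, username, password):
    """Return (path, headers, body) so the pieces can be inspected before sending."""
    body = soap_envelope(method, params).encode("utf-8")
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": method,          # assumed; check the WSDL for the real action
        "Content-Length": str(len(body)),
    }
    return ENDPOINT_PATH, headers, body


def call(method, params, username, password, cert_path, key_path):
    """Send the call and return (HTTP status, raw response body). Needs network."""
    path, headers, body = build_request(method, params, username, password)
    conn = http.client.HTTPSConnection(
        ENDPOINT_HOST, 443, timeout=30,
        context=client_tls_context(cert_path, key_path))
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample: a read-only findCertList call, built but not sent.
    params = {"status": "Active", "field": "CertDN", "value": ".*example\\.com"}
    path, headers, body = build_request("findCertList", params, "api-user", "s3cret")
    print(headers["Authorization"], path, body.decode(), sep="\n")
```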

User roles

There are three levels of access to the Web service:

• Super User (highest level of access)
• Limited User (access to most information and can request a certificate)
• Read-Only (access to most information)

Note: These roles are specific to the Web Service and do not correspond to any Certificate Management Service roles.

This chart details the level of access granted to each role:

Super User only:
• addDomain: add a new domain
• addClient: add a new client
• certApprove: approve pending certificate requests
• certChange: update a certificate record
• certDecline: decline pending certificate requests
• deactivateCert: revoke a certificate
• restoreCert: restore (unsuspend) a certificate
• suspendCert: suspend a certificate

Super User and Limited User:
• certRequest: perform a certificate generation request (Limited User: request only)

All roles (Super User, Limited User, Read-Only):
• findCertList: retrieve a list of certificates (and some associated information) using certificate status, search field, and a regular expression value
• getCert: retrieve a specific certificate for a given tracking ID
• getCertList: retrieve a set of certificates for a given status type
• getClientList: retrieve the list of clients from the associated account
• getDomainList: retrieve the list of domains
• getExtCertList: retrieve an extended list of attributes for a set of certificates
• getExtCertListByTrackingIds: retrieve an extended list of attributes for a set of certificates from a list of tracking IDs
• getInventory: retrieve inventory information
• getOrgList: retrieve the list of organizations from the associated account
• getOrgUnitList: retrieve the list of the organizations (OUs) that have been approved by Entrust from the associated account
• getTrackingFields: retrieve a list of custom tracking fields

Certificate abbreviations used in this Web Service

Each entry gives the abbreviation, the name used in Certificate Services, and the certificate type number (returned by some Web service methods):

• standard: Standard SSL Certificate (type 1)
• advantage: Advantage SSL Certificate (type 4)
• ev: Extended Validation Multi-Domain SSL Certificate (type 5)
• ucc: Unified Communication Multi-Domain SSL Certificate (type 6)
• wc: Wildcard SSL Certificate (type 11)
• ic: Private SSL Certificate (type 29)
• cds_ind: Document Signing Certificate (Individual) (type 21)
• cds_grp_man: Document Signing Certificate (Group) (type 22)
• cds_grp_auto: Document Signing Certificate Enterprise Lite (type 23)
• cds_grp_hsm: Document Signing Certificate Enterprise Pro (type 24)
• smimeent: S/MIME Enterprise Certificate (type 25)
• cs: Code Signing Certificate (type 15)
• evcs: Extended Validation Code Signing Certificate (type 36)
• pdssl: Private Dedicated SSL Certificate (type 44)


Method details

This section documents the methods, the associated parameters, and the syntax.

Requesting, renewing, or reissuing a certificate

Method: certRequest

This method generates a Certificate Services Enterprise managed certificate.

Syntax:

remote array certRequest (
    string csr="",
    required numeric clientid,
    string organization="",
    required string certtype,
    date certexpdate,
    numeric certyears="0",
    string trackinginfo="",
    string extendedTrackinginfo="",
    boolean autoapprove="1",
    required string appname,
    required string appemail,
    required string apptelephone,
    numeric servernum="1",
    string subjectAltName="",
    string cds_email="",
    string cds_cn="",
    string cds_ou="",
    string cds_passphrase="",
    numeric trackingid="0",
    required string requesttype="new",
    string passphrase="",
    string signingAlgorithm="",
    string email="",
    string cn="",
    string eku="",
    string upn="",
    string additionalEmails="",
    string ou="",
    boolean ctLog
)

Method parameters

Each parameter is listed with its type and whether it is required, followed by its description.

csr (String, required: yes, with conditions)

The CSR, which is required for: standard, advantage, ev, ucc, ic, cds_grp_auto, cds_grp_hsm, and wc certificate types.

A CSR is mandatory if you are creating a new certificate. It is optional if you are renewing or reissuing a certificate.

The CSR is optional for smimeent; if it is not provided, a passphrase must be specified instead.

If a CSR is provided for smimeent, it must not contain a SubjectAltName extension.

If both a passphrase and a CSR are provided for smimeent, the CSR is used and the passphrase is ignored.

clientid (Numeric, required: yes)

The ID of the client. The ID of the primary client is 1. Use getClientList to obtain the IDs of other clients.

organization (String, required: no)

The organization name; only valid for the primary client (client ID 1), except for Private Dedicated SSL. For Private Dedicated SSL certificates, this parameter is optional and, if provided, the string used here overrides the O in the CSR.

Note: This parameter is ignored for certificate reissue.

certtype (String, required: yes)

The type of certificate requested: standard, advantage, ev, ucc, cds_ind, cds_grp_man, cds_grp_auto, cds_grp_hsm, wc, smimeent, ic, pdssl.

Note: This parameter is ignored for certificate reissue or renew.

certexpdate (Date, required: yes, for pooling accounts)

The date the certificate is set to expire (pooling accounts only). Format: YYYY-MM-DD

Note: This parameter is ignored for certificate reissue.

certyears (Numeric, required: yes, conditionally; see the description)

The lifetime of the certificate in years. Applies to all non-pooling accounts and to cds_ind, cds_grp_man, cds_grp_auto, cds_grp_hsm, and smimeent certificates, regardless of account type.

trackinginfo (String, required: no)

Free-form tracking information to attach to the record for the certificate.

extendedTrackinginfo (String, required: yes, if any custom fields are enabled; otherwise no)

URL-encoded custom information to be attached to the record for the certificate.

Format: text1=value1&text2=value2

- text<number> corresponds to the number of the Field label field in the Certificate Services interface.
- There are 15 fields in the interface, so the number can be 1 to 15 (inclusive). The value corresponds to the string entered in the field by the user.
- There is a 255 character limit.
- Use the getTrackingFields method to obtain the text<number> of the tracking field before using it in this method.
- All enabled text fields must be included in the extendedTrackinginfo string. If a field is optional, the field value can be omitted, but the field name (text<number>) must be provided. For example, if text1 is mandatory and text2 is optional, extendedTrackinginfo must contain: text1=value1&text2=
- If you have hard-coded the numeric string identifiers returned in prior releases, these are no longer valid and must be replaced.
- Only fields marked "text<number>" in the interface are valid fields. Non-text custom fields that are configured in the Certificate Services interface are ignored by the Web service. Multiline fields are also ignored.

autoapprove (Boolean, required: no; defaults to 1)

For standard, advantage, ev, ucc, wc, and ic types:

- If set to 0, the certificate request is queued for approval by an administrator.
- If set to 1 (default), the certificate is generated immediately.
- autoapprove only applies for requesttype=new. It does not apply to reissue or renew. Reissue and renew requests are considered to have been approved during the original certificate issuance and are not queued for further approval.
- autoapprove is subject to an account-wide setting "Allow auto-approve". If "Allow auto-approve" is turned on, then autoapprove is consulted. If "Allow auto-approve" is turned off, then autoapprove is ignored, new requests are queued for administrator approval, and reissue and renew requests are rejected by the Web service. Contact Entrust to determine if "Allow auto-approve" is enabled for your account.

For smimeent:

- Must be set to 1. S/MIME certificates are always generated immediately.
- Additionally, the account-wide setting "Allow auto-approve" must be turned on before you can issue Secure Email Enterprise certificates using the Web service.

appname (String, required: yes)

Requester name.

appemail (String, required: yes)

Requester email.

apptelephone (String, required: yes)

Requester telephone number.

servernum (String, required: no)

This parameter is no longer used.

subjectAltName (String, required: no)

Enter the subjectAltName identifiers as a list of comma-delimited values (applies to standard, ucc, ic, advantage, ev, and wc certificate types).

Note: If you are requesting a new SSL certificate and you pass a subjectAltName parameter, any SAN names in the CSR are ignored. If no subjectAltName parameter is passed, the SAN names in the CSR are used.

Note: See the requesttype parameter (further in this table) to understand more about SANs during reissues and renewals.

Note: In the case of Standard certificates, if the CN of the certificate is <domain>.<tld>, only the www.<domain>.<tld> value is accepted. If the CN of the certificate is www.<domain>.<tld>, only the <domain>.<tld> value is accepted.

cds_email (String, required: no)

The email address that appears in the Document Signing certificate DN. Only applicable to Document Signing certificate types.

cds_cn (String, required: no)

The CN in the Document Signing certificate DN. Only applicable to Document Signing certificate types.

cds_ou (String, required: no)

The OU in the Document Signing certificate DN. Only applicable to Document Signing certificate types.


cds_passphrase (String, required: no)

The pickup passphrase for the Document Signing certificate.

trackingid (Numeric, required: yes, for renewals and reissues)

The tracking ID of the certificate being renewed or reissued. The trackingid parameter is mandatory for renewals and reissues.

requesttype (String, required: yes)

One of: New (default), Reissue, Renew.

Notes on certificate reissues:

• You can reissue a certificate with additional (or fewer) SANs by including a complete list of them in the CSR or subjectAltName parameter. You will be charged for additional SANs.

• If you reissue a certificate, the certificate being replaced is revoked 30 days after submitting the request. This gives you time to replace the certificate with the reissued one before users start seeing trust errors.

• The 30-day delayed revocation does not apply to smimeent certificates. The original S/MIME certificate is always revoked immediately.

• If you create an smimeent certificate using this Web Service, you cannot renew or reissue it through the Certificate Services user interface. You must use the Web Service to renew or reissue smimeent certificates that were created using the Web Service. Certificates created using the Web Service can be revoked using either the Web Service or the Certificate Services user interface.

Notes on certificate renewals:

• If you renew an SSL certificate under a pooling account, the renewed certificate only uses up a license when the original certificate expires.

• If you renew an SSL certificate under a non-pooling account, the lifetime remaining on the original certificate is added to the lifetime of the new certificate. For example, if a 1-year certificate is renewed 30 days before expiry, then the new 1-year certificate will have a lifetime of 1 year plus 30 days.

• The CN cannot be changed on a renewal.

• If you renew under a non-pooling account, you can add or remove SANs, as you can with reissues (see above for details).

• If you renew under a pooling account, you can add SANs, but you cannot remove any. To add SANs, specify them in the subjectAltName or CSR parameter. This list is appended to the list of SANs from the original certificate.


passphrase (String, required: yes, if the account is configured to require a password)

The certificate pickup password.

Note: A passphrase must be used if it is set to "required" in the account under Options > Certificate Pickup Password. A passphrase is used to protect smimeent certificates without CSRs. The passphrase protects the returned PKCS12 containing the private key and certificate. If a passphrase and a CSR are provided in an smimeent certificate request, the CSR is used and the passphrase is ignored.

signingAlgorithm (String, required: no)

Signing algorithm of the certificate (sha1 or sha2). The account default is used if not specified.

Note: This parameter is only applicable when the account preference is set to "Select signing algorithm at certificate generation time."

Note: As of January 1, 2016, any certificates except ic certificates being issued, reissued, or renewed use SHA2, even if the SHA1 algorithm is specified in the request. Private SSL (ic) certificates can continue to use SHA-1.

email (String, required: no)

The email attribute in the DN (applicable to the smimeent certtype only).

cn (String, required: no)

The cn attribute in the DN (applicable to the smimeent certtype only).

eku (String, required: no)

Extended Key Usage of the certificate: ServerAuth, ClientAuth, or ServerAndClientAuth (applicable to all public SSL certificate types: standard, advantage, ev, wc, and ucc).

upn (String, required: no)

User Principal Name. Applicable to the smimeent certtype only. The Web service supports upn for new, reissued, and renewed S/MIME certificates. If specified, it must be a valid email address and its domain must be the approved domain for that client.

additionalEmails (String, required: no)

A comma-separated list of additional email addresses to receive the delivery notice and expiry notification for the certificate.


ou (String, required: no)

Organizational unit. This parameter can be set to the name of the OU or to "[no ou]". See the behavior below. This parameter is valid for SSL and S/MIME certificate types.

OU behavior depends on whether organizational units are enabled for your account.

If OUs are disabled for your account:

- New certificates: OUs from CSRs or the "ou" input parameter are ignored.
- Reissued certificates: OUs from CSRs or the "ou" input parameter are ignored.
- Renewed certificates: OUs from CSRs or the "ou" input parameter are ignored.

If OUs are enabled for your account:

- New certificates: Valid OUs from CSRs are used. Invalid OUs from CSRs are ignored. The OU in the CSR is overridden by a valid "ou" from the input parameter; however, if that OU is invalid, an "Unapproved OU" error is generated.

- Reissued certificates: If no CSR is specified when reissuing, the OU from the CSR of the original certificate is used as the default OU. The OU is ignored if it is invalid. If a new CSR is used when the certificate is reissued, the OU from the CSR is used as the default OU. If a new CSR with no OU is used, the certificate is reissued without an OU. The original OU in the CSR is overridden by a valid "ou" or "[no ou]" from the input parameter; however, if that OU is invalid, an "Unapproved OU" error is generated.

- Renewed certificates: If no CSR is specified when the certificate is renewed, the OU of the CSR from the original certificate is used. The OU is ignored if it is invalid. If a new CSR is used and contains a valid OU, the OU from the CSR is used. If the CSR is replaced and contains no OU, the certificate is renewed without an OU. The original OU in the certificate is overridden by a valid "ou" or "[no ou]" from the input parameter, or by the OU in a replacement CSR; however, if that OU is invalid, an "Unapproved OU" error is generated.


ctLog (Boolean, required: no)

Allows adding non-EV SSL certificates to Certificate Transparency logs when Entrust creates the certificates.

If ctLog is not specified, the certificate uses the account default. If ctLog is specified and the account settings allow override, ctLog overrides the account default.

- 0 means don't log
- 1 means send to CT logs

If ctLog is set to 0, but the account setting specifies always sending OV SSL certificates to the CT logs, certificate generation fails.

To view your account setting, in the Certificate Services UI, navigate to Administration > Advanced Settings > CT Logging.

Notes:

• The maximum lifetime for new SSL certificates is 27 months (or 2 years, if you have a non-pooling account).

• On March 1 2018, Entrust began restricting all reissued and duplicated SSL certificates to the new maximum of 27 months. If you renew or duplicate a 3-year certificate, its lifetime will be truncated to a maximum of 2 years. Existing 3-year certificates will be unaffected.

• Users do not receive expiry notifications for smimeent certificates that are issued through this Web service.

• If you create an smimeent certificate using this Web Service you cannot renew or reissue it through the Certificate Services user interface. You must use the Web Service to renew or reissue smimeent certificates that were created using the Web Service. Certificates created using the Web Service can be revoked using either the Web Service or the Certificate Services user interface.

• Not supported for cs and evcs certificate types.
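The extendedTrackinginfo format, the autoapprove rules, and the OU precedence rules from the parameter table above, encoded as client-side pre-flight checks. This is an added example and not Entrust's code; the shape of the getTrackingFields result, the account-wide "Allow auto-approve" value, and the approved-OU set are assumed inputs, and the 255-character limit is applied to the whole encoded string.

```python
"""Added example, not Entrust's code: pre-flight checks for certRequest that
encode three rules from the parameter table.

Assumptions: enabled_fields has the shape [(form_field, mandatory)], a
constructed stand-in for what getTrackingFields returns; the 255-character
limit is applied to the whole encoded string; allow_auto_approve is the
account-wide "Allow auto-approve" setting; cases the guide leaves unstated
raise ValueError rather than guessing."""
import re
from urllib.parse import urlencode

NO_OU = "[no ou]"
AUTOAPPROVE_TYPES = {"standard", "advantage", "ev", "ucc", "wc", "ic"}


def build_extended_tracking(enabled_fields, values):
    """Return the URL-encoded extendedTrackinginfo string.

    Every enabled field must be named; an optional field may have an empty
    value (text1=value1&text2=); only text1..text15 are valid field names."""
    allowed = set()
    for form_field, _mandatory in enabled_fields:
        if not re.fullmatch(r"text([1-9]|1[0-5])", form_field):
            raise ValueError(f"{form_field}: only text1..text15 are valid fields")
        allowed.add(form_field)
    unknown = set(values) - allowed
    if unknown:
        raise ValueError(f"fields not enabled on the account: {sorted(unknown)}")
    pairs = []
    for form_field, mandatory in enabled_fields:
        value = values.get(form_field, "")
        if mandatory and value == "":
            raise ValueError(f"{form_field} is mandatory")
        pairs.append((form_field, value))          # field name always present
    encoded = urlencode(pairs)                     # percent-encodes the values
    if len(encoded) > 255:
        raise ValueError("extendedTrackinginfo exceeds the 255 character limit")
    return encoded


def approval_outcome(certtype, requesttype, autoapprove, allow_auto_approve):
    """Predict how the service treats the request: 'generated', 'queued'
    (waits for an administrator) or 'rejected'."""
    if certtype == "smimeent":
        if not autoapprove:
            raise ValueError("smimeent requires autoapprove=1")
        # S/MIME is always generated immediately, but only if the
        # account-wide setting is on.
        return "generated" if allow_auto_approve else "rejected"
    if certtype not in AUTOAPPROVE_TYPES:
        raise ValueError(f"autoapprove behaviour not documented for {certtype}")
    if not allow_auto_approve:
        # autoapprove is ignored: new requests queue, reissue/renew are rejected
        return "queued" if requesttype == "new" else "rejected"
    if requesttype != "new":
        return "generated"      # approved at original issuance, never re-queued
    return "generated" if autoapprove else "queued"


def resolve_ou(ous_enabled, requesttype, approved_ous, csr_ou=None,
               csr_supplied=True, original_ou=None, ou_param=None):
    """Return the OU the certificate would carry (None = no OU), or raise
    ValueError("Unapproved OU") where the guide says the request fails.

    csr_ou is the OU in the submitted CSR (None if absent); csr_supplied=False
    models a reissue/renew without a new CSR; original_ou is the OU of the
    certificate being replaced."""
    if not ous_enabled:
        return None                      # CSR OU and ou parameter both ignored
    if requesttype == "new" or csr_supplied:
        default = csr_ou if csr_ou in approved_ous else None   # invalid CSR OU ignored
    else:
        default = original_ou if original_ou in approved_ous else None
    if ou_param is None:
        return default
    if ou_param == NO_OU:
        # listed for reissue/renew; treated the same for new requests (assumption)
        return None
    if ou_param in approved_ous:
        return ou_param                  # valid ou parameter overrides the CSR
    raise ValueError("Unapproved OU")


if __name__ == "__main__":
    # Constructed sample: text1 mandatory, text2 optional, as getTrackingFields
    # might report them; only text1 has a value.
    print(build_extended_tracking([("text1", True), ("text2", False)],
                                  {"text1": "value1"}))
    print(approval_outcome("standard", "new", autoapprove=False,
                           allow_auto_approve=True))
```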

Response: Array of anyType

ErrorID: Should be empty
ErrorTitle: Should be empty
ErrorDesc: Should be empty
SerialNumber: Serial number of the certificate in decimal format (if certificate generated)
ServerCert: Certificate (if certificate generated), PEM-encoded
ChainCert: This is always the chain certificate, PEM-encoded
CertExpiryDate: Expiry date and time of the certificate in ODBC Date/Time format (if certificate generated)
TrackingID: Internal tracking ID associated to the request
Pickup URL: The pickup URL of the certificate
SmimePkcs12: S/MIME certificate and private key in PKCS12 format, protected by the passphrase; returned if no CSR is supplied for the smimeent certtype


Revoking a certificate

Method: deactivateCert

This method revokes a certificate, identifying it by its serial number.

Syntax:

remote array deactivateCert (
    required string revreason,
    required string revtext,
    required string serialnumber
)

Method parameters

revreason (String, required: yes)

The reason for the revocation. One of: Key Compromised, Unspecified, Affiliation Changed, Superseded, Cessation of Operation.

revtext (String, required: if revreason is "Unspecified")

Additional text about the reason for revocation.

serialnumber (String, required: yes)

The serial number.

Notes:

• The Web service checks the status of a certificate to determine if it can be revoked.

• Only SSL certificates in the ready, active, reissued, or renewed state can be revoked. Deactivating a reissued or renewed certificate in a pooling account does not return a license to the license pool.

• Only S/MIME certificates in the active state can be revoked.

• Not supported for cds_ind, cds_grp_man, cds_grp_auto, cds_grp_hsm, cs and evcs certificate types.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
RevokeSuccessful | Yes if successful; otherwise the array element is not returned

Finding a list of certificates using the certificate status, a search field, and a regular expression

Method: findCertList

Syntax: remote array findCertList ( string status="pending", required string field="", required string value="regexp" )

Method parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
status | String | No | The status of the certificates in the list. The options are: Pending (default), Active, Ready, Expired, Deactivated, Declined, Reissued, Renewed, Suspended, All. Default is “Pending”.
field | String | Yes | The certificate field to search. The options are: CertDN, CertificateType, CertExpiryDate, CreatorName, RequesterName, RequesterEmail, OrganizationUsed, DomainUsed, DefaultTracking, SubjectAltName, AdditionalEmails, CustomTracking, CustomTracking:[form field]
value | String | Yes | A regular expression supported by Java

Notes:


• AdditionalEmails is a multi-value field. A certificate is returned if any of the additional email addresses in the certificate matches the RegExp value used.

• The getTrackingFields method can be used to obtain a list of custom tracking fields {display name, form field}.

• CustomTracking is a multi-value field. A certificate is returned if any of the custom tracking fields of the certificate matches the RegExp value used.

• To search a specific custom tracking field, specify the search field as “CustomTracking:” followed by the field’s “text<number>” form field. For example, if the form field of a custom tracking field returned by the getTrackingFields method is “text2”, the search field must be specified as “CustomTracking:text2”.

• The [form field] in the “CustomTracking:[form field]” format must be the same form field identifier that is used in the certRequest() extendedtrackingInfo parameter.

• If you use a regular expression to query a custom field, be aware that the wildcard value has changed from * to %. This is only true for custom field information.

• Organizational Unit is part of the CertDN. To search for the Organizational Unit used in certificates, search on the CertDN, for example “.*ou=SomeOU.*”.

• For a “date type” attribute search, such as the CertExpiryDate field, the search is based on the date value stored in the database rather than the date displayed in the Certificate Services Enterprise interface. The date field stored in the database takes the format “yyyy-MM-dd HH:mm:ss.SSS”, for example “2014-04-02 23:08:59.000”. To search for certificates with the expiry date of “Apr 2, 2014”, for example, the search regexp can be specified as “2014-04-02.*”.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array of Array | One row per certificate: [1] CertDN, [2] Tracking ID, [3] CertificateType, [4] Certificate Expiry Date, [5] Certificate Serial Number, [6] Status
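As an added example (not code from the Entrust guide), the following Python prepares the three findCertList parameters described above: it resolves a custom tracking field to its “CustomTracking:text<number>” form through getTrackingFields output, and derives the CertExpiryDate and OU regexps the notes describe. The SOAP call itself is not shown, and the getTrackingFields rows are constructed sample data.

```python
import re
from datetime import date

# Search fields accepted by findCertList, from the parameter table above.
SEARCH_FIELDS = {
    "CertDN", "CertificateType", "CertExpiryDate", "CreatorName",
    "RequesterName", "RequesterEmail", "OrganizationUsed", "DomainUsed",
    "DefaultTracking", "SubjectAltName", "AdditionalEmails", "CustomTracking",
}
STATUSES = {
    "Pending", "Active", "Ready", "Expired", "Deactivated", "Declined",
    "Reissued", "Renewed", "Suspended", "All",
}
# A single custom tracking field is addressed as "CustomTracking:text<number>".
CUSTOM_FIELD_RE = re.compile(r"^CustomTracking:text\d+$")

# Constructed sample of getTrackingFields() rows (assumed data, not from the
# guide): [display name, form field, enabled, visible on eform,
# mandatory on eform, mandatory on Admin/API]
SAMPLE_TRACKING_FIELDS = [
    ["Cost Centre", "text1", 1, 1, 0, 0],
    ["Ticket Number", "text2", 1, 1, 1, 0],
]


def custom_tracking_field(tracking_fields, display_name):
    """Turn a custom tracking field's display name into the search field
    "CustomTracking:text<number>", using the rows getTrackingFields() returns."""
    for display_name_row, form_field, *_ in tracking_fields:
        if display_name_row == display_name:
            return f"CustomTracking:{form_field}"
    raise KeyError(f"no custom tracking field named {display_name!r}")


def expiry_date_regexp(day):
    """Regexp for CertExpiryDate rows stored on one calendar day. The stored
    value is yyyy-MM-dd HH:mm:ss.SSS, so anchor on the date part only."""
    return f"{day:%Y-%m-%d}.*"


def org_unit_regexp(ou):
    """OU is part of the CertDN, so it is searched through the CertDN field."""
    return f".*ou={re.escape(ou)}.*"


def build_find_cert_list_args(field, value, status="Pending"):
    """Validate and assemble the three findCertList() parameters."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if field not in SEARCH_FIELDS and not CUSTOM_FIELD_RE.match(field):
        raise ValueError(f"unknown search field {field!r}")
    # The service applies a Java regexp; compiling locally catches syntax
    # errors early but is not a substitute for the server's engine.
    re.compile(value)
    # Per the notes, for custom fields the wildcard is % rather than *.
    return {"status": status, "field": field, "value": value}
```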


Retrieving certificate information

Method: getCert

This method retrieves information about a specific certificate using its tracking ID.

Syntax: remote array getcert ( required numeric trackingid="0" )

Method parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
trackingid | Numeric | Yes | The tracking ID of the certificate.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array | The following elements:

[1] CertDN

[2] Tracking ID

[3] CertificateType

[4] Certificate Expiry Date YYYY-MM-DDTHH:MM:SS

[5] Certificate Serial Number

[6] PEM Encoded Certificate

[7] Certificate Status

[8] Signing Algorithm


Retrieving a certificate list (with some associated information)

Method: getCertList

This method retrieves a list of certificates with a specified status type.

Syntax: remote array getCertList ( string status="pending" )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
status | String | No | The status type of the certificates in the list. The options are: Pending (default), Approved, Active, Ready, Expired, Deactivated, Declined, Reissued, Renewed, Suspended, All.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array of Array | One row per certificate, with the following elements:

[1] CertDN

[2] Tracking ID

[3] CertificateType

[4] Certificate Expiry Date

[5] Certificate Serial Number

[6] PEM Encoded Certificate

[7] Certificate Status

[8] Signing Algorithm


Retrieving a certificate list (with additional information)

Method: getExtCertList

This method retrieves a list of certificates with a specified status type. This method returns more details about each entry than getCertList.

Syntax: remote array getExtCertList ( string status="pending" )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
status | String | No | The status type of the certificates in the list. The options are: Pending (default), Approved, Active, Ready, Expired, Deactivated, Declined, Reissued, Renewed, Suspended, All.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array of Array | One row per certificate, with the following elements:

[1] CertDN

[2] Tracking ID

[3] CertificateType

[4] Certificate Expiry Date

[5] Certificate Serial Number

[6] PEM Encoded Certificate

[7] Certificate Status

[8] csr

[9] creator name (or DN if created through a web service)

[10] Date certificate Issued

[11] Requester name

[12] Requester email


[13] Deactivate status 0 or 1 (1=True, 0=False)

[14] Date Deactivated (Populated only if Deactivate Status is true)

[15] Organization/Client used

[16] Domain used

[17] Default Tracking

[18] Customer Tracking (queryBean) Complex Type: A QueryBean is an object that contains a one-dimensional array of column names and a two-dimensional array containing the associated data

[19] Decline Reason

[20] Third Party Flag

[21] Number of Servers

[22] Organizational Unit

[23] SubjectAltNames

[24] Certificate Keysize

[25] Signing Algorithm

[26] Key Type

[27] Additional Emails Returns a comma-separated list of additional email addresses that receive expiry notifications for this certificate.

Notes: Certificate Services places an upper limit on the number of certificates queried using this method. Customers with a large number of certificates should limit the number to no more than 5000 certificates at a time. Use the findCertList and getCertList methods as alternatives for a very large number of certificates.


Retrieving a list of certificates using their tracking IDs

Method: getExtCertListByTrackingIds

This method allows the caller to pass a list of tracking IDs and retrieve a list of specific certificates with extended information.

Syntax: remote array getExtCertListByTrackingIds ( required string trackingids="0" )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
trackingids | string | Yes | Comma separated list of tracking IDs for the specified certificates.

Note: By default, the maximum number of tracking IDs is 100. If more than 100 certificates are found, error LIS010 is returned.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array of Array | One row per certificate, with the following elements:

[1] CertDN

[2] Tracking ID

[3] CertificateType

[4] Certificate Expiry Date

[5] Certificate Serial Number

[6] PEM Encoded Certificate

[7] Certificate Status

[8] csr

[9] creator name (or DN if created through a web service)

[10] Date certificate Issued

[11] Requester name


[12] Requester email

[13] Deactivate Status (True, False)

[14] Date Deactivated (Populated only if Deactivate Status is true)

[15] Organization/Client used

[16] Domain used

[17] Default Tracking

[18] Customer Tracking (queryBean) Complex Type: A QueryBean is an object that contains a one-dimensional array of column names and a two-dimensional array containing the associated data

[19] Decline Reason

[20] Third Party Flag

[21] Number of Servers

[22] Organizational Unit

[23] SubjectAltNames

[24] Certificate Keysize

[25] Signing Algorithm

[26] Key Type

[27] Additional Emails Returns a comma-separated list of additional email addresses that receive expiry notifications for this certificate.

Notes: This method returns a maximum of 100 certificates with extended information.


Retrieving a client list (and associated information)

Method: getClientList

This method retrieves a list of clients associated with the account.

Syntax: remote array getClientList ( )

No method parameters. All client information associated with the account is returned.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array of Array | One row per client, with the following elements:

[1] Client ID

[2] Client Name

[3] Verification status:

APPROVED

DECLINED

PENDING

PENDING_FINAL_APPROVAL

[4] EV verification status:

APPROVED – at least one domain is approved for EV

PENDING – not APPROVED and at least one domain is pending for EV

NONE – no domains are marked as EV

[5] EV information expiry date – blank if EV verification status is not APPROVED


Retrieving a domain list (and associated information)

Method: getDomainList

This method retrieves a list of domains assigned to the specified client.

Syntax: remote array getDomainList ( required numeric clientID="1" )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
clientID | numeric | Yes | The client ID for the specified client.

Response | Array of Array
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array of Array | One row per domain, with the following elements:

[1] Domain name

[2] Verification status

Approved

Declined

Revoked

Pending Verification

[3] Is it EV enabled – 1 (yes) or 0 (no)

[4] EV verification status

Approved

Declined

Revoked

Pending Verification

[5] EV information expiry date


Retrieving an organization list

Method: getOrgList

This method retrieves a list of organizations associated with the account.

Syntax: remote array getOrgList ( )

No method parameters. All organization information associated with the account is returned.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array | The following elements:

[1] Organization Name

[2] Verification status:

APPROVED

DECLINED

PENDING

PENDING_FINAL_APPROVAL


Retrieving an approved organization list

Method: getOrgUnitList

This method retrieves a list of approved organizations associated with the account.

Syntax: remote array getOrgUnitList ( clientid="1" )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
clientID | numeric | Yes | The client ID for the specified client.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array | Organization Unit


Retrieving inventory information

Method: getInventory

This method retrieves the inventory information associated with the account.

Syntax: remote query getInventory ( )

No method parameters. All inventory information associated with the account is returned.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
QueryBean | Returns the following columns:

DATE_INTERFACE_START

DATE_INTERFACE_END

NONPOOLING

STANDARD_REM

STANDARD_TOTAL

ADVANTAGE_REM

ADVANTAGE_TOTAL

EV_REM

EV_TOTAL

UCC_REM

UCC_TOTAL

WC_TOTAL

WC_REM

CDS_IND_REM

CDS_IND_TOTAL

CDS_GRP_MAN_REM

CDS_GRP_MAN_TOTAL

CDS_GRP_AUTO_REM


CDS_GRP_AUTO_TOTAL

CDS_GRP_HSM_REM

CDS_GRP_HSM_TOTAL

CS_REM

CS_TOTAL

UCC_SAN_REM

UCC_SAN_TOTAL

EV_SAN_REM

EV_SAN_TOTAL

SMIMEENT_REM

SMIMEENT_TOTAL

IC_TOTAL

IC_REM

DC_TOTAL (see note)

DC_REM (see note)

Note: DC_REM and DC_TOTAL will return 0 as they are reserved for future use.


Retrieving custom tracking field information

Method: getTrackingFields

This method retrieves a list of custom tracking fields.

Syntax: remote array getTrackingFields ( )

No method parameters. All tracking field information associated with the account is returned.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
Array of Array | One row per certificate, with the following elements:

[1] Display name

[2] Form Field

[3] Enabled

[4] Visible on eform

[5] Mandatory on eform

[6] Mandatory on Admin/API

Notes:

• Entries in each row appear in the order of the columns displayed in the Certificate Services (Admin) interface.

• If you are using the tracking field parameter in a query, use this method to obtain the value in the tracking field. The field label value will be in the format text<number>, for example text1. There are 15 possible text fields.

• Enabled, Visible on eform, Mandatory on eform, and Mandatory on Admin/API appear as 1 (yes) or 0 (no).

• Information in the Multi-line, Dropdown Values, Email, Number, and Date Values columns/fields is not currently returned.


Suspending a certificate

Method: suspendCert

This method places a Certificate Services Enterprise certificate that is in an Active or Ready state into a Suspended state. This does not affect certificate inventory.

Syntax: remote array suspendCert ( required numeric trackingID )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
trackingID | numeric | Yes | The tracking ID of the certificate.

Notes: Not supported for cs and evcs certificate types.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
SuspensionSuccessful | True


Restoring a certificate

Method: restoreCert

This method places an SSL certificate that is in a Suspended state back into its original Active or Ready state. This does not affect certificate inventory.

Syntax: remote array restoreCert ( required numeric trackingID )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
trackingID | numeric | Yes | The tracking ID of the certificate.

Notes: Not supported for cs and evcs certificate types.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
RestoreSuccessful | True


Approving pending certificate requests

Method: certApprove

This method approves certificates in the “pending approval” queue, generating a Certificate Services Enterprise managed certificate.

Notes:

• This method is not applicable to the following certificate types: cds_ind, cds_grp_man, cds_grp_auto, cds_grp_hsm, and cs.

• When the certApprove method is used to approve a pending SSL certificate reissue request submitted through the eForm, the certificate status is updated to Reissued and the previous certificate is flagged for revocation in 30 days. This gives you time to update your servers with the new certificate before the original certificate expires.

• Certificates created using the Entrust Turbo auto-installation feature do not have an associated CSR in the pending state and cannot be approved using this method. The Web service generates error code INP131 for these certificates.

Syntax: remote array certApprove ( required trackingid, string appname, string appemail, string apptelephone )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
trackingID | numeric | yes | The tracking ID of the certificate.
appname | String | no | The name of the approver.
appemail | String | no | The email address of the approver.
apptelephone | string | no | The telephone number of the approver.

Notes: Not supported for cs and evcs certificate types.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
SerialNumber | Serial number of the certificate in decimal format (if certificate generated)
ServerCert | Certificate (if certificate generated), PEM-encoded
ChainCert | This is always the chain certificate, PEM-encoded
CertExpiryDate | Expiry date and time of the certificate in ODBC Date/Time format (if certificate generated)
TrackingID | Internal tracking ID associated to the request
Pickup URL | The pickup URL of the certificate


Declining pending certificate requests

Method: certDecline

This method rejects specified certificates in the pending approval queue.

Syntax: remote array certDecline ( numeric trackingid="0", string reason="", required string appname, required string appemail )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
trackingID | numeric | yes | The tracking ID of the certificate.
reason | String | yes | The reason for declining the pending certificate request.
appname | String | yes | The name of the approver.
appemail | String | yes | The email address of the approver.

Notes: Not supported for cs and evcs certificate types.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
TrackingID | Internal tracking ID associated to the request


Adding a client

Method: addClient

This method adds a client to Certificate Services.

Syntax: remote array addClient ( required string domain, required string friendlyClientName, required string clientName, required string address, required string city, optional string stateProvince, optional string zipPostalCode, required string country, required string contactName, required string contactTitle, required string contactPhone, required string contactEmail )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
domain | string | Yes | The client’s initial domain. Additional domains can be added later using addDomain.
friendlyClientName | string | Yes | A friendly label for the client’s organization. This name is for your convenience and does not appear in the certificate.
clientName | string | Yes | The name of the client. Note: Be sure that the company name is the legal registered name of the company.
address | string | Yes | The address of the client’s headquarters.
city | string | Yes | The city where the client’s headquarters is located.
stateProvince | string | Only mandatory for United States and Canada | The state or province where the client’s headquarters is located.
zipPostalCode | string | Only mandatory for United States and Canada | The zip or postal code of the client’s headquarters.
country | string | Yes | The country where the client’s headquarters is located.
contactName | string | Yes | The name of the person to contact to authenticate the request. This must be the name of a person in the client company with the authority to verify the request. It must be the person’s proper name rather than their title or management position.
contactTitle | string | Yes | The title of the person to contact to authenticate the request.
contactPhone | string | Yes | The phone number of the person to contact to authenticate the request.
contactEmail | string | Yes | The email address of the person to contact to authenticate the request.

Note: Entrust will ask the client to complete an Authorization letter after receiving the request.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
clientAdded | 1 – yes
clientAddedResponse | “Client Added”


Adding a domain

Method: addDomain

This method adds a domain to a specified client.

Syntax: remote array addDomain ( required numeric clientID="1", required string domain="", required string appname )

Method Parameters

Parameter | Type | Required? | Description
--- | --- | --- | ---
clientID | numeric | Yes | The ID of the client to which the domain is being added.
domain | string | Yes | The domain being added.
appname | string | Yes | Not currently used.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
DomainAdded | 1 – yes
DomainAddedResponse | “Domain Added”

Updating a certificate record

Method: certChange

This method updates a Certificate Services Enterprise managed certificate.

Syntax: remote array certChange ( boolean testMode, string trackinginfo, string extendedTrackinginfo, string appname, string appemail, string apptelephone, required numeric trackingid, string additionalEmails )

Method parameters

Parameter | Type | Req’d? | Description
--- | --- | --- | ---
testMode | Boolean | No | If testMode is set to true, the API input parameters are verified, but the certificate fields will not be changed. If testMode is set to false, the API input parameters are verified, and the certificate fields will be updated.
trackinginfo | String | No | Free form tracking info to attach to the record for the certificate.
extendedTrackinginfo | String | No | URL Encoded custom information to be attached to the record for the certificate. Format: text1=value1&text2=value2. The updated values will override the original values in the corresponding fields of the Extended Tracking Info. Set a value to an empty string to delete the original value in a field. There is a 255 character limit for this field. See the notes on extendedTrackinginfo below.
appname | String | No | Requester Name.
appemail | String | No | Requester Email.
apptelephone | String | No | Requester Phone number.
trackingid | Numeric | Yes | The tracking ID of the certificate record that is being changed.
additionalEmails | String | No | A comma-separated list of the additional email addresses to receive an expiry notification for the certificate. Note: The API currently only supports overriding. To add an additional email address for the certificate, the API caller needs to include all existing email addresses in the change request.

Notes on extendedTrackinginfo:

- Use the getTrackingFields method to obtain the text<number> of the tracking field before using it in this method. If you have hard-coded the numeric string identifiers returned in prior releases, these will no longer be valid and must be replaced.

- Only fields marked “text<number>” in the interface are valid fields. Non-text custom fields that are configured in the Certificate Services interface are ignored by the Web service. Multiline fields are not allowed.

Notes:

• If a field is not specified in the change request, the corresponding field of the target certificate record is not updated.

• The mandatory fields to use the certChange API are:

  o trackingid: the tracking ID of the certificate record being changed.

  o One or more fields to be changed.

• The following fields cannot be changed to an empty value:

  o trackinginfo

  o appname

  o appemail

• Not supported for evcs certificates.

Response | Array of anyType
--- | ---
ErrorID | Should be empty
ErrorTitle | Should be empty
ErrorDesc | Should be empty
InputMessage | Echo of an array of input messages in key/value pairs. Only non-null value messages are echoed.
ChangeSuccessful | True/false
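As an added example (not code from the Entrust guide), the following Python assembles certChange parameters under the rules above: it URL-encodes extendedTrackinginfo as text1=value1&text2=value2 with only text<number> keys and the 255-character limit, resends the full additionalEmails list because the call overrides rather than appends, and rejects emptying trackinginfo, appname or appemail. The getTrackingFields rows are constructed sample data and the SOAP transport is not shown.

```python
import re
from urllib.parse import urlencode

TEXT_FIELD_RE = re.compile(r"^text\d+$")
EXTENDED_TRACKING_LIMIT = 255   # character limit the guide states for extendedTrackinginfo
# Optional certChange fields; three of them may not be changed to an empty value.
OPTIONAL_FIELDS = {"trackinginfo", "appname", "appemail", "apptelephone"}
NON_EMPTY_FIELDS = {"trackinginfo", "appname", "appemail"}

# Constructed getTrackingFields() rows (assumed sample data, not from the guide):
# [display name, form field, enabled, visible on eform, mandatory on eform, mandatory on Admin/API]
SAMPLE_TRACKING_FIELDS = [
    ["Cost Centre", "text1", 1, 1, 0, 0],
    ["Ticket Number", "text2", 1, 1, 1, 0],
]


def form_field_for(tracking_fields, display_name):
    """Resolve a display name to its text<number> form field from getTrackingFields()
    output; numeric identifiers from earlier releases must not be hard-coded."""
    for display_name_row, form_field, *_ in tracking_fields:
        if display_name_row == display_name:
            return form_field
    raise KeyError(f"no custom tracking field named {display_name!r}")


def build_extended_tracking_info(updates):
    """Encode {form_field: value} as URL-encoded text1=value1&text2=value2.
    An empty string deletes the stored value of that field, only text<number>
    keys are accepted, and the encoded string must fit the 255-character limit."""
    for key in updates:
        if not TEXT_FIELD_RE.match(key):
            raise ValueError(f"{key!r} is not a text<number> tracking field")
    encoded = urlencode(updates)
    if len(encoded) > EXTENDED_TRACKING_LIMIT:
        raise ValueError(
            f"extendedTrackinginfo is {len(encoded)} characters, limit is {EXTENDED_TRACKING_LIMIT}")
    return encoded


def merged_additional_emails(existing, to_add, to_remove=()):
    """certChange() overwrites the whole additionalEmails list, so every address
    that should keep receiving expiry notifications has to be resent."""
    keep = [addr for addr in existing if addr not in to_remove]
    for addr in to_add:
        if addr not in keep:
            keep.append(addr)
    return ",".join(keep)


def build_cert_change_args(trackingid, extended=None, additional_emails=None,
                           test_mode=False, **fields):
    """Assemble certChange() parameters: trackingid plus at least one field to
    change is mandatory, and trackinginfo/appname/appemail cannot be emptied."""
    unknown = set(fields) - OPTIONAL_FIELDS
    if unknown:
        raise ValueError(f"unknown certChange fields: {sorted(unknown)}")
    for name in NON_EMPTY_FIELDS & set(fields):
        if fields[name] == "":
            raise ValueError(f"{name} cannot be changed to an empty value")
    args = {"trackingid": int(trackingid), "testMode": bool(test_mode)}
    args.update({k: v for k, v in fields.items() if v is not None})
    if extended:
        args["extendedTrackinginfo"] = build_extended_tracking_info(extended)
    if additional_emails is not None:
        args["additionalEmails"] = additional_emails
    if len(args) == 2:
        raise ValueError("certChange needs at least one field to change besides trackingid")
    return args
```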

Web service error response

Field | Type | Description
--- | --- | ---
ErrorID | String | Error code as outlined below
ErrorTitle | String | Title associated to the error
ErrorDesc | String | Detailed description of the error

Example

struct
ErrorID: ACC102
ErrorTitle: Cannot Locate Account
ErrorDesc: The account you are attempting to access cannot be found in our database. Please contact Entrust Certificate Services for assistance.

Error codes

Error codes have a 3-letter prefix followed by 3 numbers. Each different category has its own 3-letter prefix. Categories and prefixes are as follows:

Category | Prefix
--- | ---
Account | ACC
Certificate Suspension | SUS
CSR | CSR
Database | SQL
E2G service | E2G
General | GEN
Input Variables | INP
Lists | LIS
Pickup | PUP
Revocation | REV
Server | SVR
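As an added example (not code from the Entrust guide), the following Python applies the error-response contract above to a returned struct: an empty ErrorID means success, anything else is split into the category prefix and number from the table, and, for deactivateCert, RevokeSuccessful is treated as absent-means-failure as its response table states. The sample responses are constructed; the ACC102 values mirror the guide's example.

```python
import re

# Prefix is three characters (E2G contains a digit), followed by three digits.
ERROR_ID_RE = re.compile(r"^([A-Z0-9]{3})(\d{3})$")

# Category prefixes from the table above.
CATEGORIES = {
    "ACC": "Account", "SUS": "Certificate Suspension", "CSR": "CSR",
    "SQL": "Database", "E2G": "E2G service", "GEN": "General",
    "INP": "Input Variables", "LIS": "Lists", "PUP": "Pickup",
    "REV": "Revocation", "SVR": "Server",
}

# Constructed sample response, using the guide's ACC102 example values.
SAMPLE_ERROR_RESPONSE = {
    "ErrorID": "ACC102",
    "ErrorTitle": "Cannot Locate Account",
    "ErrorDesc": "The account you are attempting to access cannot be found in our database.",
}


class WebServiceError(Exception):
    """Raised when a response carries a non-empty ErrorID."""

    def __init__(self, error_id, title, desc, category):
        super().__init__(f"{error_id} ({category}): {title}: {desc}")
        self.error_id = error_id
        self.title = title
        self.desc = desc
        self.category = category


def parse_error_id(error_id):
    """Split an error code into (category name, number). Unknown prefixes are
    reported as "Unknown" rather than rejected so new codes still surface."""
    match = ERROR_ID_RE.match(error_id)
    if not match:
        raise ValueError(f"malformed error id {error_id!r}")
    prefix, number = match.groups()
    return CATEGORIES.get(prefix, "Unknown"), int(number)


def check_response(response):
    """Return the response unchanged when ErrorID is empty; otherwise raise
    WebServiceError with the category resolved from the prefix."""
    error_id = (response.get("ErrorID") or "").strip()
    if error_id == "":
        return response
    category, _ = parse_error_id(error_id)
    raise WebServiceError(error_id, response.get("ErrorTitle", ""),
                          response.get("ErrorDesc", ""), category)


def revoke_succeeded(response):
    """deactivateCert returns RevokeSuccessful only on success; a response with
    no error but without that element is still a failed revocation."""
    check_response(response)
    return str(response.get("RevokeSuccessful", "")).strip().lower() == "yes"
```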

errorid errordesc

ACC100 The account has produced an error. Please contact Entrust Certificate Services for support.

ACC101 The account has insufficient certificate inventory or inventory is allocated to sub admins.

ACC102 The account cannot be found.

ACC103 The account has expired.

ACC104 The domain and organization name in the certificate signing request (CSR) have not been approved by Entrust Certificate Services.

ACC105 The domain name in the certificate signing request (CSR) has not been approved by Entrust Certificate Services.

ACC106 The organization name in the certificate signing request (CSR) has not been approved by Entrust Certificate Services.

ACC107 The subjectAltName is not an approved domain.

ACC108 The domain is not an approved EV domain.

ACC109 The domain in the Document Signing email address is not approved.

ACC110 The certificate being reissued was issued more than 30 days ago.

ACC111 The account has insufficient SAN inventory or inventory is allocated to sub admins.

ACC112 You do not have sufficient privileges to perform this action.

ACC113 HTTP Basic Authentication is required for this account. Please contact Entrust Certificate Services for support.

ACC114 HTTP Basic Authentication failed for this account. Please contact Entrust Certificate Services for support.

ACC115 Credentials not in Basic Authentication format. Please contact Entrust Certificate Services for support.

ACC116 Your user account is not provisioned for HTTP Basic Authentication. Please contact Entrust Certificate Services for support.


ACC117 The organization name "{0}" is not approved for account number "{1}".

ACC119 For Wildcard certificates, total number of SANs in the certificate cannot exceed the maximum number allowed.

ACC120 The certificate being reissued is in invalid status.

ACC121 The certificate cannot be reissued within 60 days of expiry.

ACC122 Unapproved OU. The organization unit in the certificate signing request (CSR) has not been approved by Entrust Certificate Services. The OU CSR OU is not allowed for account <account_name> and client ID <string>.

ACC123 Exceeded WC SAN Limit. For Wildcard certificates, total number of wildcard SANs in the certificate cannot exceed the maximum number allowed.

ACC124 Unable to renew. The certificate has been marked for migration and cannot be renewed through this interface.

ACC125 Unable to create. The client has been marked for migration and {0} certificate types can no longer be created.

ACC126 Unable to renew. The certificate being renewed is in invalid status.

ACC127 Unapproved OU. The organization unit in the certificate request has not been approved by Entrust Certificate Services.

ACC128 Unable to renew. The certificate being renewed is in an invalid status.

CSR100

The certificate signing request (CSR) is invalid. It does not have the proper begin tags. A CSR is encapsulated in -----Begin Certificate Request----- and -----End Certificate Request----- tags or in -----Begin New Certificate Request----- and -----End New Certificate Request----- tags.

CSR101 The certificate signing request (CSR) is invalid. An email address was found as part of the DN.

CSR102 The certificate signing request (CSR) is invalid. Common Name (CN) is a required attribute.

CSR103 The certificate signing request (CSR) is invalid. The common name is invalid. The common name must be a fully qualified domain name (FQDN). A FQDN cannot contain spaces.

CSR104 The certificate signing request (CSR) is invalid. The Organizational Unit (OU) attribute is invalid.


CSR105 The certificate signing request (CSR) is invalid. The country (C) attribute is invalid. The value supplied is not a valid ISO country code. For example, GB must be used in place of UK.

CSR106

The certificate signing request (CSR) is invalid. It does not have the proper end tags. A CSR is encapsulated in -----Begin Certificate Request----- and -----End Certificate Request----- tags or in -----Begin New Certificate Request----- and -----End New Certificate Request----- tags.

CSR107

The certificate signing request (CSR) is invalid. The CSR is too short. A CSR is encapsulated in -----Begin Certificate Request----- and -----End Certificate Request----- tags or in -----Begin New Certificate Request----- and -----End New Certificate Request----- tags.

CSR108

The certificate signing request (CSR) is invalid. The CSR is not in the proper format. It must be in PKCS#10 format and encapsulated in -----Begin Certificate Request----- and -----End Certificate Request----- tags or in -----Begin New Certificate Request----- and -----End New Certificate Request----- tags.

CSR109 The certificate signing request (CSR) attributes could not be determined.

CSR110 The certificate signing request (CSR) is invalid.

CSR111 The certificate signing request (CSR) is invalid. The Common Name (CN) attribute is not formatted correctly. It must be a properly formatted IP address or domain name.

CSR112 The certificate signing request (CSR) is invalid. The key type must be RSA and the key size must be at least 1024 bits.

CSR113 The certificate signing request (CSR) is invalid. The key size for EV certificates must be at least 2048 bits.

CSR114 The certificate signing request (CSR) is invalid. The Common Name for a VPN certificate must have a minimum of 3 parts (without the *).

CSR115 The certificate signing request (CSR) is invalid. The key size for certificates expiring past 12/31/2013 must be at least 2048 bits.

CSR116 The certificate signing request (CSR) is invalid. The signature could not be verified.

CSR117 The SubjectAltName “my_bad_hostname” is not valid.

CSR118 The certificate signing request (CSR) is invalid. The key size for certificates expiring past 12/31/2013 must be at least 2048 bits.

CSR119 The certificate signing request (CSR) is invalid. The key size for non-EV certificates expiring before 12/31/2013 must be at least 1024 bits.


CSR120 The certificate signing request (CSR) is invalid. The key size must be 1024, 1536, 2048, 3072 or 4096 bits.

CSR121 The Elliptic Curve in the CSR is not valid.

CSR122 The CSR may not contain a SubjectAltName extension when certtype is smimeent. Remove the SubjectAltName extension from your CSR and re-submit your request.

E2G100 An unexpected exception occurred in an E2G service. Please contact Entrust Certificate Services for support.

GEN001 Unable to locate account. Please contact Entrust Certificate Services for support.

GEN002 Account validation failed. Please contact Entrust Certificate Services for support.

GEN003 Account inventory check failed. Please contact Entrust Certificate Services for support.

GEN004 Unable to validate certificate signing request (CSR) attributes. Please contact Entrust Certificate Services for support.

GEN005 Certificate generation failed. Please contact Entrust Certificate Services for support.

GEN006 Unable to update the database. Please contact Entrust Certificate Services for support.

GEN007 Certificate revocation failed. Please contact Entrust Certificate Services for support.

GEN008 Unable to update the database. Please contact Entrust Certificate Services for support.

GEN009 Unable to parse client certificate. Please contact Entrust Certificate Services for support.

GEN010 Unable to validate the certificate signing request (CSR). Please contact Entrust Certificate Services for support.

GEN011 Error parsing license string and serial number. Please contact Entrust Certificate Services for support.

GEN012 Supplied license string applies to multiple certificates, please contact Entrust Certificate Services for support.

GEN013 An error occurred attempting to check for an active duplicate Distinguished Name.

GEN014 Account Number not returned on License String validation.

GEN015 ECMS not returned on License String validation.

GEN050 Certificate generation failed. Please contact Entrust Certificate Services for support.

GEN100 A communication error occurred. Please contact Entrust Certificate Services for support.

GEN101 A connection failure occurred. Please contact Entrust Certificate Services for support.

GEN102 A connection timeout occurred. Please contact Entrust Certificate Services for support.

GEN104 The certificate generation failed.

GEN105 A maximum of 10 SubjectAltNames are permitted in a UC Multi-Domain Certificate Request

GEN106 Invalid certificate signing algorithm selected. The certificate you are trying to create is 1024-bit which is incompatible with the SHA2 signing algorithm.

INP100 Missing client certificate. Please contact Entrust Certificate Services for support.

INP102 The certificate type is invalid. Valid certificate types include: standard,mutual,advantage,ev,ucc,cds_ind,cds_grp_man,cds_grp_auto,cds_grp_hsm,wc,smimeent, ic

INP103 The expiry date is invalid. The certificate lifetime must be between 2 months and 27 months.

INP104 The email address is invalid.

INP105 TrackingID is required to pick up a certificate. One has not been supplied.

INP106 The license string supplied has already been activated. You must revoke the mutual certificate associated to it in Entrust Certificate Administrator to proceed with the install.

INP107 The license string supplied cannot be found. Please contact Entrust Certificate Services for support.

INP108 The license string supplied exists more than once; please contact Entrust Certificate Services for support.

INP109 The license string supplied has not been activated; please contact Entrust Certificate Services for support.

INP110 The certificate submitted contains a Distinguished Name (DN) that matches an existing active certificate.

INP111 The parameter certyears is invalid. It must be set to 1, 2, or 3 years, or, for EV certificates, 1 or 2 years.

INP112 The parameter certexpdate is invalid. It must be set to a valid date.

INP113 SubjectAltName parameter only expected for certificates of type Advantage or EV

INP114 Expected parameters for certificate type standard are: csr, clientid, certtype, certexpdate (pooling), certyears (non-pooling), appname, appemail

INP115 Expected parameters for certificate type advantage are: csr, clientid, certtype, certexpdate (pooling), certyears (non-pooling), appname, appemail, subjectaltname

INP116 Expected parameters for certificate type ev are: csr, clientid, certtype, certexpdate (pooling), certyears (non-pooling), appname, appemail, subjectaltname

INP117 Expected parameters for certificate type ucc are: csr, clientid, certtype, certexpdate (pooling), certyears (non-pooling), appname, appemail, subjectaltname

INP118 Expected parameters for certificate type cds_ind are: clientid, certtype, certyears, appname, appemail, cds_passphrase, cds_email, cds_cn, cds_ou (optional)

INP119 Expected parameters for certificate type cds_grp_man are: clientid, certtype, certyears, appname, appemail, cds_passphrase, cds_email, cds_cn, cds_ou (optional)

INP120 Expected parameters for certificate type cds_grp_auto are: csr, clientid, certtype, certyears, appname, appemail, cds_passphrase, cds_email, cds_cn, cds_ou (optional)

INP121 Expected parameters for certificate type cds_grp_hsm are: csr, clientid, certtype, certyears, appname, appemail, cds_email, cds_cn, cds_ou (optional)

INP122 Expected parameters for certificate type wc are: csr, clientid, certtype, certexpdate (pooling), certyears (non-pooling), appname, appemail

INP125 A maximum of 2 SubjectAltNames is permitted for certificate type advantage.

INP126 Missing mandatory tracking field. A tracking field that is configured to be mandatory for the Interface was not provided.

INP127 The certificate identified by this tracking ID is not eligible for reissue.

INP128 Invalid request type. Valid request types are new, renew, reissue.

INP129 Unexpected TrackingID. TrackingID is only used with request types renew and reissue.

INP130 Invalid TrackingID. TrackingID must be a positive integer.

INP131 The certificate identified by this tracking ID is not eligible for approval.

INP132 The parameter certyears is invalid. It must be set to 1, 2 or 3 years for Code Signing, Document Signing, and Secure Email certificates.

INP133 Unexpected Organization. The Organization parameter is only used with client ID 1 (the primary client).

INP134 The Organization name is not valid.

INP135 The Client ID is not valid.

INP136 Auto-approve and approval requests are not allowed for this certificate type.

INP137 This account does not allow certificate approvals to be done via the web service.

INP138 Invalid Server Number. Server Number must be a positive integer.

INP139 Only auto-approved requests are allowed for the certificate type smimeent.

INP140 Expected parameters for certificate type smimeent are: csr(optional), clientid, certtype, certyears, appname, appemail, apptelephone, passphrase(optional), email, cn. One of csr or passphrase is required.

INP142 eku parameter is allowed only for certificate types advantage and ucc

INP143 Valid eku parameter values are: ServerAuth, ClientAuth, and ServerAndClientAuth.

INP144 Invalid Parameter. The certificate at the current state does not allow making change for the specified parameter.

INP145 Invalid Parameter. The certificate mandatory field cannot be changed to empty.

INP146 Invalid Parameter. At least one field to be changed needs to be specified in the request.

INP147 Invalid TrackingID. The certificate identified by this tracking ID is not an eligible certificate to change.

INP148 Invalid TrackingID. The certificate identified by this tracking ID is not eligible for change at current state.

INP149 Invalid Parameter. An invalid tracking field is specified.

INP150 Invalid Domain. The domain is an ICANN registered top level domain.

INP151 Invalid Domain. The domain is not a valid domain.

INP152 Invalid Parameter. Expected parameters for certificate type ic are: csr, clientid, certtype, certexpdate (pooling), certyears (non-pooling), appname, appemail, subjectaltname

INP153 The User Principal Name (UPN) is invalid. A UPN looks like an email address but might not be exactly the same as your email address. Contact your account administrator if you do not know your UPN.

INP154 At most one SAN (www SAN related) can be specified for a standard certificate.

INP155 The certificate identified by this tracking ID is not eligible for renewal.

INP156 Action Not Supported, This action is not supported for members of a duplicate certificate group.

INP157 Missing Parameters, The following parameters are missing or have no value: <list of parameters>

INP158 Invalid Parameter, <parameter> is not a valid two-letter code for country.

INP159 Invalid Parameter, <parameter> is a country which is under Canadian export restrictions.

INP160 Invalid Parameter, <parameter> is not a valid two-letter code for state or province.

INP161 Invalid Parameter, <parameter> is not a unique friendly client name.

INP162 Invalid Parameter, Extended tracking field is invalid because it exceeds the character limit.

INP163 This certificate cannot be revoked through the API with reason Key Compromised, because the public key in this certificate (Tracking ID: {1}) is also used by {2} other certificate(s) on this account (Tracking IDs: {3}). You must log on to the UI to do this action.

INP164 The expiry date is invalid. The certificate lifetime must be between {0} days and {1} months for the requested "{2}" certificate type.

INP165 The parameter certyear is invalid. Is {0}, but must be a digit greater than 0 and less than or equal to {1} years for the requested {2} certificate.

INP166 This error code may specify any of several errors that are generated if a domain is not added correctly.

INP167 ctLog cannot be false when the account is set to “always send OV SSL certificates to CT logs”.

LIS001 Invalid status type was passed. Valid status types are: Active, Ready, Pending, Expired, Revoked, Declined, Suspended, Reissued, Renewed, Approved, All

LIS002 No certificates found with that status type.

LIS003 No certificates found with that tracking ID.

LIS004 Invalid TrackingID. TrackingID must be a positive integer.

LIS005 The account has no active clients.

LIS006 The client has no domains.

LIS007 The domain already exists for this client.

LIS008 Your account has an insufficient number of unused Domain Names.

LIS009 Invalid Client ID.

LIS010 Number of tracking IDs is greater than the maximum limit.

LIS011 Invalid search field was passed.

LIS012 Invalid search value was passed. The search value needs to be a valid RegExp.

LIS013 No Certificates found with that search criteria.

LIS014 Certificates found exceeds the maximum number allowed by the system. Please use the findCertList API instead, or contact Entrust Certificate Services for support.

LIS015 Insufficient Client Inventory, Your account has an insufficient number of unused Clients.

PUP100 The certificate requested to be retrieved cannot be found.

PUP101 The certificate requested to be retrieved exists more than once.

PUP102 The certificate requested to be retrieved has not been generated. The certificate request is pending approval.

PUP103 The certificate requested to be retrieved was not generated. The certificate request was declined.

PUP104 The certificate requested to be retrieved has expired.

PUP105 The pickup password is missing.

PUP106 The pickup password is invalid. Passwords must be at least 8 characters, at least 1 upper case letter, at least 1 lower case letter, at least one number, and at least 1 special character.

REV100 The certificate requested to be revoked cannot be found.

REV101 The certificate requested to be revoked exists more than once.

REV102 The revocation reason is invalid. Valid revocation reasons are: Key Compromised, Unspecified, Affiliation Changed, Superseded, and Cessation of Operation.

REV103 The revocation reason "Unspecified" must be accompanied by a description outlining in more detail the reason for revocation.

REV104 In order to revoke a certificate a serial number must be provided.

REV105 The certificate's CA is not recognized.

REV106 The certificate requested to be revoked is not in a valid status to revoke.

SQL100 An error occurred retrieving data. Please contact Entrust Certificate Services for support.

SQL101 Unknown TrackingID.

SQL102 A database communication error occurred. Please contact Entrust Certificate Services for support.

SQL103 A database error occurred updating the certificate inventory. Please contact Entrust Certificate Services for support.

SQL104 A database error occurred updating the account transaction log. Please contact Entrust Certificate Services for support.

SQL105 An error occurred enabling the certificate for Entrust Certificate Manager in the Entrust database, please contact Entrust Certificate Services for support.

SQL106 Error occurred accessing license information.

SQL107 Error occurred updating license information.

SQL108 Error occurred accessing pending license information.

SQL109 Multiple pending license updates encountered.

SQL110 Certificate Update Error. A database error occurred updating the certificate record. Please contact Entrust Certificate Services for support.

SQL111 Add Client Error, An error occurred adding the new client.

SUS100 The certificate requested to be suspended cannot be found.

SUS101 The certificate requested to be suspended exists more than once.

SUS102 This certificate type cannot be suspended.

SVR100 An error occurred sending the necessary emails. Please contact Entrust Certificate Services for support.
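Several of the entries above state a concrete rule the service enforces (the certificate-type list in INP102, the certyears limits in INP111, the per-type SubjectAltName ceilings in INP154, INP125, GEN105 and CSR122, the eku rules in INP142 and INP143, the key sizes in CSR120 and CSR115, the pickup-password policy in PUP106 and the revocation rules in REV102 to REV104). The following is an added example, not code from this guide or from Entrust: a client-side pre-flight that applies those rules to a request before it is sent and reports the errorid the table says the service would return. The dict key names (lower-cased parameter names plus an assumed `requesttype` key) and the `key_bits` field (assumed to be the modulus size the caller has already read from its own CSR) are this example's own conventions, not part of the web service interface.

```python
"""Client-side pre-flight checks mirroring the error codes in the table above.

Hypothetical helper, not part of the Entrust web service or any Entrust SDK.
Each check returns (errorid, reason) pairs so a caller can reject a bad
request locally instead of learning about it from the service response.
"""
import re

# Value sets quoted from the error descriptions (INP102, INP143, REV102, CSR120).
CERT_TYPES = {"standard", "mutual", "advantage", "ev", "ucc", "cds_ind",
              "cds_grp_man", "cds_grp_auto", "cds_grp_hsm", "wc", "smimeent", "ic"}
EKU_VALUES = {"ServerAuth", "ClientAuth", "ServerAndClientAuth"}
REVOCATION_REASONS = {"Key Compromised", "Unspecified", "Affiliation Changed",
                      "Superseded", "Cessation of Operation"}
KEY_SIZES = {1024, 1536, 2048, 3072, 4096}
# Per-type SubjectAltName ceilings and the code each one maps to
# (INP154, INP125, GEN105, CSR122).
SAN_LIMITS = {"standard": (1, "INP154"), "advantage": (2, "INP125"),
              "ucc": (10, "GEN105"), "smimeent": (0, "CSR122")}


def _positive_int(value):
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def check_issue_request(req):
    """Return a list of (errorid, reason) for a certificate issue request dict.

    Keys used: certtype, certyears, requesttype, trackingid, subjectaltname
    (list), eku, key_bits (constructed: RSA modulus size read from the CSR
    by the caller).  An empty list means no local rule was tripped.
    """
    errors = []
    certtype = req.get("certtype")
    if certtype not in CERT_TYPES:
        errors.append(("INP102", "unknown certificate type %r" % certtype))
        return errors  # every later rule depends on the type

    years = req.get("certyears")
    max_years = 2 if certtype == "ev" else 3          # INP111
    if years is not None and (not _positive_int(years) or years > max_years):
        errors.append(("INP111", "certyears %r not allowed for %s" % (years, certtype)))

    reqtype = req.get("requesttype", "new")
    if reqtype not in {"new", "renew", "reissue"}:     # INP128
        errors.append(("INP128", "unknown request type %r" % reqtype))
    tracking = req.get("trackingid")
    if tracking is not None:
        if reqtype == "new":                             # INP129
            errors.append(("INP129", "TrackingID only valid for renew/reissue"))
        elif not _positive_int(tracking):               # INP130
            errors.append(("INP130", "TrackingID must be a positive integer"))

    sans = req.get("subjectaltname", [])
    if certtype in SAN_LIMITS:
        limit, code = SAN_LIMITS[certtype]
        if len(sans) > limit:
            errors.append((code, "%d SubjectAltNames exceeds limit of %d" % (len(sans), limit)))

    eku = req.get("eku")
    if eku is not None:
        if certtype not in {"advantage", "ucc"}:         # INP142
            errors.append(("INP142", "eku not allowed for %s" % certtype))
        elif eku not in EKU_VALUES:                      # INP143
            errors.append(("INP143", "invalid eku %r" % eku))

    bits = req.get("key_bits")
    if bits is not None:
        if bits not in KEY_SIZES:                        # CSR120
            errors.append(("CSR120", "unsupported key size %r" % bits))
        elif bits < 2048:                                # CSR115: any cert issued now expires past 2013
            errors.append(("CSR115", "key size below 2048 bits"))
    return errors


def check_pickup_password(password):
    """PUP106 policy: at least 8 characters with upper, lower, digit and special."""
    ok = (len(password) >= 8 and re.search(r"[A-Z]", password)
          and re.search(r"[a-z]", password) and re.search(r"[0-9]", password)
          and re.search(r"[^A-Za-z0-9]", password))
    return [] if ok else [("PUP106", "pickup password does not meet policy")]


def check_revoke_request(req):
    """REV102: reason in the allowed set; REV103: 'Unspecified' needs a
    description; REV104: a serial number must be present."""
    errors = []
    reason = req.get("reason")
    if reason not in REVOCATION_REASONS:
        errors.append(("REV102", "invalid revocation reason %r" % reason))
    elif reason == "Unspecified" and not req.get("description"):
        errors.append(("REV103", "'Unspecified' needs a description"))
    if not req.get("serialnumber"):
        errors.append(("REV104", "serial number is required"))
    return errors


if __name__ == "__main__":
    # Constructed sample request that trips four rules at once.
    sample = {"certtype": "ev", "certyears": 3, "requesttype": "new",
              "trackingid": 42, "subjectaltname": ["a.example", "b.example"],
              "eku": "ServerAuth", "key_bits": 1024}
    for code, why in check_issue_request(sample):
        print(code, why)
```

Running the block on the constructed sample reports INP111, INP129, INP142 and CSR115, which is the set of codes the table predicts for that request. The checks deliberately stop after INP102, because every other rule in the table is conditioned on the certificate type.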