Unable to update a user certificate via the REST Management API
search cancel

Unable to update a user certificate via the REST Management API


Article ID: 42970


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway




The CA API Gateway introduced a REST-based management API as of version 8.2.00 of the product suite. This API allows an administrator to manage a Gateway cluster with HTTP requests to a REST service. This API can allow an administrator to create, read, or delete user certificates from user accounts present in the internal identity provider. The process for adding a certificate may fail if the user account already has a certificate attached. This article will prescribe the steps to avoid that failure.


The Gateway may return an HTTP 400 error?response as follows:

<l7:Error xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">?
<l7:Link rel="self" uri="https:/gateway.domain.com:8443/restman/1.0/users/05aaaff0669511e498030800200c9a66/certificate"/>?
<l7:Detail>this user is currently not allowed to generate a new cert: John Doe (34049006)</l7:Detail>?


This error occurs when an HTTP PUT request is sent to the REST Management API for a user account that already has a certificate assigned to it. An HTTP DELETE request should be sent to the REST Management API for the desired user account. That will revoke the stored certificate and allow a new certificate to be stored. To revoke the existing certificate, send the following HTTP request:


Please note that the user ID in the HTTP URI above needs to reflect the user ID of the existing user account. An HTTP DELETE will result in a blank HTTP 200 response indicating a success. If the certificate is successfully revoked and deleted the the following XML request will assign a new certificate to an existing user.

PUT 1.0/users/05aaaff0669511e498030800200c9a66/certificate
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<l7:CertificateData xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">

Please note that the user ID in the HTTP URI and the Encoded?element need to reflect the applicable data for the user being updated. The user ID should match the existing user ID and the value of the Encoded element should be a valid base-64 encoded certificate.


Component: APIGTW