RA API integration
Overview
This guide describes the integration flow with the Redtrust RA API: authentication, certificate issuance and renewal. It is intended for developers at partners with certificate issuance capabilities.
Authentication
The RA API supports two authentication mechanisms.
- Direct login
- HMAC redirect
Direct login: server-to-server authentication via POST /raapi/v1/auth/login with the application user's credentials. Returns an accessToken and a refreshToken.
See the full endpoint in the RA API reference.
HMAC redirect: redirect flow for integrations where the user authenticates through the Redtrust web interface. The browser is redirected to:
https://YOUR_REDTRUST_IP:PORT/authclient/auth/loginrequest?Consumer=RA_API&Domain=YOUR_DOMAIN&RedirectUrl=REDIRECT_URL&timestamp=TIMESTAMP&partner=PARTNER_NAME&hmac=HMAC_SIGNATURE
Where:
- YOUR_REDTRUST_IP is the IP address or host name of the Redtrust server.
- PORT is the port used to access the service (default 8082).
- YOUR_DOMAIN is the users' domain (optional).
- REDIRECT_URL is the return URL after authentication. Apply UrlEncode.
- TIMESTAMP is the timestamp in UNIX format.
- PARTNER_NAME is the client application name in uppercase.
- HMAC_SIGNATURE is the HMAC-SHA256 signature generated with the shared key.
After authentication, Redtrust redirects to the configured URL with a temporary token in the tkn parameter. This token must be exchanged for an access token via POST /authapi/v1/login_by_temp_token. See the endpoint in the RA API reference.
In both cases, the accessToken obtained is included as a Bearer token in all calls to protected endpoints.
Certificate issuance
Issuance requires two consecutive calls:
1. POST /raapi/v1/csr/create: generates the key pair on the server and returns the CSR and a requestCode.
2. PUT /raapi/v1/csr/finalize: completes the issuance using the requestCode. Returns the idCertificate and thumbprint of the issued certificate.
The provider field in the call to POST /raapi/v1/csr/create identifies the certificate provider. See the provider's documentation for the correct value.
See the full description of both endpoints in the RA API reference. For a complete example with Camerfirma, see the Camerfirma integration tutorial.
Certificate renewal
The renewal flow uses the same endpoints as issuance. The only difference is the thumbprintToRenew field in the body of POST /raapi/v1/csr/create, which identifies the certificate to renew. The new certificate replaces the previous one, preserving its configuration and associations.
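The two-call issuance and renewal sequence described above, as an added example that is not Redtrust's own code. It assumes a caller-supplied transport function, a hypothetical `finalize_fields` hook for any further body fields the RA API reference requires, and a constructed in-memory `FakeRA` with made-up values so the flow runs offline.

```python
from typing import Callable, Optional

# Assumed transport for this example: (method, path, headers, body) -> parsed JSON dict.
Transport = Callable[[str, str, dict, dict], dict]

def issue_certificate(send: Transport, access_token: str, provider: str,
                      thumbprint_to_renew: Optional[str] = None,
                      finalize_fields: Optional[Callable[[dict], dict]] = None) -> dict:
    """Run csr/create then csr/finalize; set thumbprint_to_renew to renew."""
    headers = {"Authorization": f"Bearer {access_token}"}
    create_body = {"provider": provider}
    if thumbprint_to_renew is not None:
        create_body["thumbprintToRenew"] = thumbprint_to_renew
    created = send("POST", "/raapi/v1/csr/create", headers, create_body)
    if not created.get("requestCode"):
        raise RuntimeError("csr/create returned no requestCode")
    # Hypothetical hook: any further finalize fields the RA API reference requires.
    finalize_body = dict(finalize_fields(created)) if finalize_fields else {}
    finalize_body["requestCode"] = created["requestCode"]
    final = send("PUT", "/raapi/v1/csr/finalize", headers, finalize_body)
    missing = [k for k in ("idCertificate", "thumbprint") if k not in final]
    if missing:
        raise RuntimeError(f"csr/finalize response lacks {missing}")
    return {"idCertificate": final["idCertificate"], "thumbprint": final["thumbprint"]}

class FakeRA:
    """Constructed in-memory stand-in that records calls; not Redtrust's behaviour."""
    def __init__(self, token: str):
        self.token, self.calls, self.pending = token, [], {}

    def __call__(self, method, path, headers, body):
        if headers.get("Authorization") != f"Bearer {self.token}":
            raise PermissionError("missing or wrong Bearer token")
        self.calls.append((method, path, dict(body)))
        if (method, path) == ("POST", "/raapi/v1/csr/create"):
            code = f"REQ-{len(self.pending) + 1}"  # constructed value
            self.pending[code] = body
            return {"requestCode": code}
        if (method, path) == ("PUT", "/raapi/v1/csr/finalize"):
            self.pending.pop(body["requestCode"])  # unknown requestCode raises KeyError
            return {"idCertificate": 7, "thumbprint": "CONSTRUCTED-THUMBPRINT"}
        raise LookupError(path)

if __name__ == "__main__":
    ra = FakeRA("constructed-token")
    print(issue_certificate(ra, "constructed-token", "PROVIDER_VALUE"))
    print(issue_certificate(ra, "constructed-token", "PROVIDER_VALUE",
                            thumbprint_to_renew="OLD-THUMBPRINT"))
```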