Camerfirma certificate management
Overview
In this tutorial you learn how to integrate with the Redtrust RA API to issue and renew Camerfirma certificates: authenticate your application, generate the key pair and CSR on the server, and complete the issuance.
This tutorial is aimed at developers at Redtrust partners with Camerfirma certificate issuance capabilities. To follow it, you need basic knowledge of HTTP APIs and bearer token authentication.
By the end of this tutorial you will have issued a Camerfirma certificate stored on the Redtrust server.
Before you begin
You need the following information provided by the Redtrust client:
- IP address or host name of the Redtrust server.
- The port used to access the service (the default value is 8082).
- Application user credentials for the service.
- (Optional) Domain name.
If you use the HMAC redirect flow, you also need:
- A redirect URL where Redtrust sends the temporary token after authentication. An admin must register it in Redtrust before you start.
Step 1: Get an access token
The RA API supports two authentication methods. Choose the one that fits your integration.
- Direct login
- HMAC redirect
Direct login
Use this option for server-to-server integrations and Postman testing.
Send a POST request to /raapi/v1/auth/login with your username, password, and, if applicable, the domain name. The response contains an accessToken and a refreshToken.
Include the accessToken as a Bearer token in all subsequent requests and proceed to Step 2.
HMAC redirect
Use this option when users authenticate through the Redtrust web interface.
Redirect the user's browser to:
https://YOUR_REDTRUST_IP:PORT/authclient/auth/loginrequest?Consumer=RA_API&Domain=YOUR_DOMAIN&RedirectUrl=REDIRECT_URL&timestamp=TIMESTAMP&partner=PARTNER_NAME&hmac=HMAC_SIGNATURE
Where:
- YOUR_REDTRUST_IP is the IP address or host name of your Redtrust server.
- PORT is the port used to access the service (default 8082).
- YOUR_DOMAIN is the users' domain (optional).
- REDIRECT_URL is the URL to redirect to after authentication. Apply UrlEncode.
- TIMESTAMP is the timestamp in UNIX format.
- PARTNER_NAME is the client application name in uppercase.
- HMAC_SIGNATURE is the HMAC-SHA256 signature generated with the shared key.
When authentication completes, Redtrust redirects the user to your URL with a temporary token in the tkn parameter. Exchange it for an access token by sending a POST request to /authapi/v1/login_by_temp_token with the value of tkn in the temporalToken field. The response contains the accessToken.
Include the accessToken as a Bearer token in all subsequent requests and proceed to Step 2.
Step 2: Issue a certificate
Issuance is done in two consecutive calls.
1. Create the CSR
Call POST /raapi/v1/csr/create with the holder's details. Include "provider": "CAMERFIRMA":
{
  "dn": [
    { "attribute": "cn", "value": "HOLDER_NAME" }
  ],
  "hashType": "SHA384",
  "keyLength": 2048,
  "keyType": "RSA",
  "provider": "CAMERFIRMA"
}
Where HOLDER_NAME is the full name of the certificate holder.
Redtrust generates the key pair on the server and returns the CSR along with a requestCode. Save the requestCode — you need it in the next step.
For the full list of body fields, see the RA API reference.
2. Finalize the issuance
Call PUT /raapi/v1/csr/finalize with the requestCode obtained in the previous step. The response contains the idCertificate and the thumbprint of the issued certificate, which is stored in Redtrust.
Step 3: Renew a certificate
The renewal flow is identical to issuance. The only difference is that you must include the thumbprint of the existing certificate in the thumbprintToRenew field of the call to POST /raapi/v1/csr/create. The new certificate replaces the previous one, preserving its configuration and associations.
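The two-call issuance from Step 2 and the renewal variant from Step 3, as an added Python example that is not part of the Redtrust documentation. The function names, the host redtrust.example, and the stub transport are hypothetical; it assumes responses are JSON objects with requestCode, idCertificate and thumbprint at the top level, and that finalize takes the code in a JSON field named requestCode.

```python
import json
import urllib.request

def build_csr_body(holder_name, thumbprint_to_renew=None):
    """Body for POST /raapi/v1/csr/create, using the fields shown on this page."""
    body = {
        "dn": [{"attribute": "cn", "value": holder_name}],
        "hashType": "SHA384",
        "keyLength": 2048,
        "keyType": "RSA",
        "provider": "CAMERFIRMA",
    }
    if thumbprint_to_renew:  # renewal: same flow plus this one field
        body["thumbprintToRenew"] = thumbprint_to_renew
    return body

def http_send(method, url, token, body):
    """Default transport: JSON request with the access token as a Bearer token."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        return json.load(resp)

def issue_certificate(base_url, token, holder_name,
                      thumbprint_to_renew=None, send=http_send):
    """Run create then finalize; return (idCertificate, thumbprint)."""
    created = send("POST", f"{base_url}/raapi/v1/csr/create", token,
                   build_csr_body(holder_name, thumbprint_to_renew))
    request_code = created.get("requestCode")
    if not request_code:  # never call finalize without a code from create
        raise ValueError("csr/create response has no requestCode")
    # Assumption: finalize accepts the code as a JSON field named requestCode.
    done = send("PUT", f"{base_url}/raapi/v1/csr/finalize", token,
                {"requestCode": request_code})
    return done["idCertificate"], done["thumbprint"]

def fake_send(method, url, token, body):
    """Constructed stand-in for the server so the flow runs offline."""
    if url.endswith("/csr/create"):
        return {"requestCode": "CONSTRUCTED_CODE"}
    return {"idCertificate": 1, "thumbprint": "CONSTRUCTED_THUMBPRINT"}

if __name__ == "__main__":
    print(issue_certificate("https://redtrust.example:8082", "ACCESS_TOKEN",
                            "HOLDER_NAME", send=fake_send))
```

Drop the send argument to talk to a real server; the default transport keeps certificate verification enabled.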
Summary
You have completed the Camerfirma integration flow through the RA API: you authenticated your application, generated the key pair and CSR on the Redtrust server, and finalized the issuance. The certificate is stored in Redtrust and available for use.
Next steps
- RA API endpoint reference — complete documentation of all endpoints, fields, and examples
- Camerfirma integration