Issue a new Certificate Authority

Path parameters

name

string required

Body required

application/json

Certificate Authority enrollment request

string required

csr

string required

template

object (CertificateAuthorityTemplate) required

Responses

200 Certificate Authority successfully issued

type

string required

The type of Certificate Authority

Value managed

enroll

boolean required

If true, this Certificate Authority can emit certificates

enforceKeyUnicity

boolean required

If true, each enrollment request must have a unique key

name

string required

The name of the Certificate Authority

trustedForClientAuthentication

boolean required

If true, certificates emitted by this Certificate Authority can be used for client authentication on Stream

trustedForServerAuthentication

boolean required

If true, certificates emitted by this Certificate Authority can be used for server authentication by Stream

string | null

This Certificate Authority's Distinguished Name

queue

string | null

The queue to apply on this Certificate Authority's operations

crldps

array of string | null

The urls of this Certificate Authority's CRL Distribution Points

aia

object | null (Authority Information Access)

AIAs to add to the certificate

certificate

array of string | null

List of URIs on which the Certificate Authority certificate can be found

ocsp

array of string | null

List of URIs on which the OCSP Responder of the Certificate Authority can be accessed

policy

array of objects | null (Certificate Policy)

This Certificate Authority's Certificate Policies

Array [

oid

string required

Object Identifier of the Policy

cpsPointer

string | null

URI to a Certification Practice Statement document

organization

string | null

Organization of the user notice. Introduced in 2.0.12

noticeNumbers

array of integer | null

Notice numbers of the policy. Introduced in 2.0.12

explicitText

string | null

The text of the user notice. Introduced in 2.0.12

]

qcStatement

object | null (Qualified Certificate Statements)

The Qualified Certificate Statements to add to the emitted certificates

eTSIQCCompliance

boolean required

If true, the certificate is a Qualified Certificate

eTSIQCSSCD

boolean required

If true, the private key of the certificate resides in a Secure Signature Creation Device

eTSIRetentionPeriod

integer required

This indicates the duration of the retention period of material information in years

eTSIQCType

object required

This indicates which type of document can be signed by the certificate. One of eseal, esign, web or none

eTSIPDS

object | null

The PKI Disclosure Statements URI for a specified language

eTSITransactionLimit

object | null (Transaction Limit Statement)

This indicates the limits of the transactions the certificate is qualified for. The maximum amount is calculated by: valueLimit * 10^(valueLimitExp)

eTSILegislation

array of string | null

The alpha-2 ISO-3166 country codes where the certificate is qualified

overridePermissions

object | null (Override Permissions)

This indicates which properties can be overriden in the enrollment request

boolean | null

If true, the Key Usages can be redefined in the enrollment request

eku

boolean | null

If true, the Extended Key Usages can be redefined in the enrollment request

emptyExtensions

boolean | null

If true, the Empty Extensions can be redefined in the enrollment request

crldps

boolean | null

If true, the CRL Distribution Points can be redefined in the enrollment request

aia

boolean | null

If true, the Authority Information Access can be redefined in the enrollment request

policy

boolean | null

If true, the Certificate Policy can be redefined in the enrollment request

pathlen

boolean | null

If true, the length of the certification path can be redefined in the enrollment request

lifetime

boolean | null

If true, the certificate's lifetime can be redefined in the enrollment request

backdate

boolean | null

If true, the certificate's backdate can be redefined in the enrollment request

checkPoP

boolean | null

If true, the need to check the proof of possession can be redefined in the enrollment request

crlPolicy

object | null (CRL Generation Policy)

Define how to generate the CRL fot his Certificate Authority

validity

string required

The duration of the CRL's validity

eidas

boolean required

If true, the CRL will be EIDAS compliant

hardGeneration

string | null

The CRL will be generated at each period

lazyGeneration

string | null

The CRL will be checked at each period and generated if a new entry was added

triggers

object | null (TriggersManagedCertificateAuthority)

Triggers that apply on events on this CA

onCRLGeneration

array of string | null

Name of the triggers to execute when this CA's CRL are generated (manually or via cron)

onCRLGenerationError

array of string | null

Name of the triggers to execute when an error occurs when this CA's CRL are generated (manually or via cron)

onCRLGenerationRecover

array of string | null

Name of the triggers to execute when this CA's CRL are successfully generated when the last status was error

onCRLSync

array of string | null

Name of the triggers to execute when this CA's CRL are synced

onCRLExpiration

array of string | null

Name of the triggers to execute when this CA's CRL expire

onCAExpiration

array of string | null

Name of the triggers to execute when this CA expires

revoked

boolean | null

If true, the Certificate Authority is revoked

revocationDate

string | null

The revocation date of this Certificate Authority

revocationReason

string | null (Revocation Reason)

The revocation reason of this Certificate Authority

enableOCSP

boolean | null

Enable OCSP on this CA

ocspSigner

string | null

Name of the OCSP signer associated with this CA

compromised

boolean | null

Define this CA as compromised for OCSP responses

archiveCutoff

object (Archive Cutoff)

OCSP Archive Cutoff configuration

mode

string required

Archive cutoff mode. issuer uses the CA's expiration date and retention uses the retentionPeriod defined below

Enum issuer retention

retentionPeriod

string | null

retention mode: The time during which the certificate will be kept in retention after expiration

altPrivateKey

object | null (Signer Private Key)

This signer's private key

keystore

string required

The Keystore in which the key is stored

name

string required

The name of the key in the keystore

hashAlgorithm

string | null (Hash Algorithm)

The Hash Algorithm to use when signing with this key

Enum SHA1 SHA224 SHA256 SHA384 SHA512 SHA3_224 SHA3_256 SHA3_384 SHA3_512

usePSS

boolean | null

For RSA Keys in PKCS11 Keystores only: use the PSS signature algorithm

privateKey

object (Signer Private Key)

This signer's private key

keystore

string required

The Keystore in which the key is stored

name

string required

The name of the key in the keystore

hashAlgorithm

string | null (Hash Algorithm)

The Hash Algorithm to use when signing with this key

Enum SHA1 SHA224 SHA256 SHA384 SHA512 SHA3_224 SHA3_256 SHA3_384 SHA3_512

usePSS

boolean | null

For RSA Keys in PKCS11 Keystores only: use the PSS signature algorithm

400 Bad Request

401 Unauthorized request

403 Forbidden action

404 Not Found

500 Internal Server error

post

/api/v1/cas/{name}/issue

{

"ca": "string" ,

"csr": "string" ,

"template":

{ ... }

}

{

"type": "managed" ,

"enroll": true ,

"dn": "CN=MyCA,O=EVERTRUST,C=FR" ,

"queue": "Slow-queue" ,

"enforceKeyUnicity": true ,

"crldps":

[ ... ] ,

"aia":

{ ... } ,

"policy":

[ ... ] ,

"qcStatement":

{ ... } ,

"overridePermissions":

{ ... } ,

"crlPolicy":

{ ... } ,

"triggers":

{ ... } ,

"name": "MyCA" ,

"trustedForClientAuthentication": true ,

"trustedForServerAuthentication": true ,

"revoked": false ,

"revocationDate": "2025-09-17T21:35:52.654Z" ,

"revocationReason": "string" ,

"enableOCSP": true ,

"ocspSigner": "string" ,

"compromised": true ,

"archiveCutoff":

{ ... } ,

"altPrivateKey":

{ ... } ,

"privateKey":

{ ... }

}