# Certificate Format
The Certificate Manager API service has an endpoint that generates a certificate from a provided CSR:

`POST /cm/api/certificates`

The returned certificate resembles PEM, but it lacks the line breaks and the PEM header and footer lines. Here's an example of the response:
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
Here's an example of a Python script that turns that "raw" output into a proper PEM format:
```python
import math


def fix_pem(one_line_pem):
    # Wrap the headerless base64 body in the PEM header and footer lines.
    result = "-----BEGIN CERTIFICATE-----" + split_cert(one_line_pem) + "-----END CERTIFICATE-----"
    print(result)


def split_cert(cert):
    # Return the body split into 64-character lines, with a leading and trailing newline.
    split_char = "\n"
    result = split_char
    for i in range(math.ceil(len(cert) / 64)):
        end_index = min(i * 64 + 64, len(cert))
        result += cert[i * 64:end_index] + split_char
    return result
```
The `fix_pem` function accepts a single parameter: the raw certificate obtained from the CM API.
Here's an example of the output:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
This is a proper certificate that is readable by clients expecting PEM.
Here's the output from `openssl x509 -in cert.crt -text -noout`:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3c:ba:a9:df:a2:17:2b:aa:d2:1a:85:12:24:6e:95:c8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CH, L=Baden, O=ABB Information Systems Ltd, OU=PG9964, OU=FOR TEST PURPOSES ONLY, CN=ABB Ability(tm) Issuing TEST CA 02
        Validity
            Not Before: Mar 23 00:00:00 2022 GMT
            Not After : Jun 21 23:59:59 2022 GMT
        Subject: C=CH, L=Zurich, O=ABB Information Systems Ltd, OU=ABB Test, CN=7ecae866-02a6-4bda-b5c8-cbbc7e0f5450
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:bf:3e:6d:34:35:2d:79:fd:55:81:b8:97:d0:
                    89:89:c8:18:3a:48:19:d0:12:fa:e1:bb:ce:45:a3:
                    bf:e5:52:d5:ee:b4:fa:d5:d0:63:97:bb:57:e4:78:
                    1e:ce:68:c5:e4:07:8e:db:97:3d:99:b1:f8:77:5b:
                    b6:0d:d9:da:2d:00:b4:a6:e6:fc:3e:67:64:58:42:
                    46:36:2d:7e:fd:3a:b2:24:42:0f:8c:19:d4:d1:94:
                    b5:27:63:ce:b6:80:a0:a4:1f:19:cb:18:ec:64:83:
                    17:45:7f:a8:f3:e8:70:6c:ad:32:0d:e3:a5:e6:e5:
                    38:bc:d8:1c:c7:23:a5:b1:e2:f0:52:9c:b4:7a:b7:
                    13:13:9e:d0:ed:23:6d:4e:82:29:84:17:fc:fa:fb:
                    db:71:a4:58:d6:0d:2d:54:3d:36:be:48:6d:ee:96:
                    1d:d7:6b:b3:e2:75:8f:90:4a:af:a8:08:74:2d:99:
                    4d:b2:a2:ab:d8:b5:fc:8d:1c:15:69:d7:ac:ba:8f:
                    c6:32:3a:c9:94:a1:28:64:47:76:a3:18:ea:2f:65:
                    e9:77:ce:0b:28:1f:b6:95:6f:b1:6b:54:25:9c:76:
                    93:55:03:26:8f:c8:38:3d:f4:3d:f3:23:3c:9c:72:
                    c5:ae:76:c0:76:e5:e8:fb:c8:c5:ed:ba:f4:5e:56:
                    f8:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                A9:83:B8:53:49:E5:25:76:4D:0B:53:66:B8:BF:24:A6:20:7A:FE:A8
            2.16.840.1.113733.1.16.3:
                0...`.H...E.............63271
            2.16.840.1.113733.1.16.5:
                0-....(aHR0cHM6Ly9wdG5yLXBraS1yYS5iYnRlc3QubmV0
            X509v3 Authority Key Identifier:
                keyid:60:34:0A:32:DD:18:6F:1C:E7:2C:A9:6F:77:5D:78:DB:37:04:D7:AA
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ptnr-ent-crl.bbtest.net/ca_64ac4143b6de5e02bdb8d587206eda82/LatestCRL.crl
    Signature Algorithm: sha256WithRSAEncryption
         7e:13:66:c4:62:a7:7c:73:d5:52:c1:c1:66:0c:1b:72:48:93:
         30:39:f5:ae:70:53:1a:d1:bd:5e:55:bb:d1:55:eb:99:ad:47:
         a1:d2:47:4e:4f:ef:00:3a:1f:3d:a5:6e:71:4e:0d:2e:c8:e9:
         cf:d8:d6:0b:2c:31:19:d0:a7:24:9c:cd:d4:80:06:a6:1e:7e:
         df:47:9b:c9:57:85:d7:83:9c:c0:0f:39:eb:be:bd:09:8a:45:
         b3:a0:31:d1:47:c4:f8:05:36:45:16:01:ee:76:7d:99:eb:f2:
         fb:7d:43:8e:82:16:5d:15:8c:7e:de:a2:cb:3a:64:9c:f3:32:
         9b:c6:a6:ab:f7:d4:35:42:ee:15:ba:3d:40:8b:58:76:fb:10:
         0e:b6:1a:58:fc:ff:9a:dd:92:87:f9:71:04:b7:be:29:eb:26:
         d6:ea:47:d9:c9:ea:93:ba:c1:53:ef:45:d0:cd:74:a6:bf:84:
         64:78:c1:3a:93:ca:9f:55:41:dd:c6:97:21:99:c2:dd:19:ce:
         68:d3:26:39:e4:c0:3e:94:4c:65:52:bc:fd:90:74:37:bd:93:
         1a:dd:b5:1a:a3:4c:a7:14:3e:56:82:5a:14:35:35:13:27:13:
         b3:22:c9:b9:00:d9:e0:19:76:3d:c2:2e:e8:38:59:ad:43:f1:
         dc:ab:8e:65
```
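A stricter variant of the conversion, given here as an added example that is not part of the original page or of the Certificate Manager's own code: it checks the base64 and the outer DER length before wrapping, so a truncated or corrupted response is rejected instead of being written out as a PEM file. The names `raw_to_pem` and `der_outer_length` and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_outer_length(der):
    """Total byte length implied by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:  # short form: the length fits in one octet
        return 2 + first
    n = first & 0x7F  # long form: n octets hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def raw_to_pem(raw):
    """Validate one-line base64 and return (pem_text, sha256_hex_of_der)."""
    if PEM_HEADER in raw:
        raise ValueError("input already carries PEM headers")
    compact = "".join(raw.split())  # drop stray whitespace and newlines
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if der_outer_length(der) != len(der):
        raise ValueError("truncated response or trailing data")
    lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
    pem = "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"
    return pem, hashlib.sha256(der).hexdigest()


# Constructed sample: a DER SEQUENCE header plus 256 filler bytes.
# It has the right outer framing but is NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_RAW = base64.b64encode(SAMPLE_DER).decode("ascii")

if __name__ == "__main__":
    pem_text, fingerprint = raw_to_pem(SAMPLE_RAW)
    print(pem_text, end="")
    print("SHA-256 of DER:", fingerprint)
```

The returned digest is computed over the decoded DER bytes, which is the same input `openssl x509 -noout -fingerprint -sha256` hashes, so the two values can be compared after the file is written.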
# Remarks
The provided Python script is just an example; it has not been tested in production scenarios.