Certificate Provisioning System API v2

Manage SSL and TLS certificates for your Akamai Secure Delivery Network applications with the CPS API.

Overview

The Certificate Provisioning System (CPS) provides full life cycle management of SSL/TLS certificates for your Akamai Secure Delivery Network applications. This includes the ability to request new certificates, modify existing certificates, automatically renew certificates, and delete certificates. CPS also manages key Transport Layer Security (TLS) configurations, including cipher selection.

You can use this API as part of setting up a secure website to ensure that the delivery of content to and from that site is secure. The SSL/TLS certificates that CPS provides authenticate the secure connection that the browser makes during secure delivery. CPS generates and secures the private key of each certificate.

NOTE: CPS no longer supports provisioning new GeoTrust certificates. Existing GeoTrust certificates will continue to be supported. Organizational Validation (OV) and Extended Validation (EV) certificates are exclusively Symantec Secure Site Pro certificates (validated and issued by DigiCert).

NOTE: The CPS API now supports UTF-8/16.

Who should use this API

The most common users of the CPS API are developers and architects. With the CPS API, users can request new certificates, modify existing certificates, and delete certificates. To use this API effectively, you must be familiar with the process for obtaining and managing certificates. You should also be familiar with the terminology and concepts specific to the Luna Control Center.

You can also use the CPS API with the Secure Provisioning Service (SPS) API. The SPS API provides a convenient mechanism to provision certificates and secure edge hostnames in a single API call. In addition, SPS can provision the most common certificate types and can add alternative names to a SAN certificate. To perform advanced operations with certificates, use the CPS API. CPS API is Akamai’s comprehensive toolbox for creating and modifying certificates. Since CPS and SPS both use the same set of identifiers for certificates, you can use the enrollmentId returned by one system as input on requests to the other system.

Developers using this API should be familiar with:

  • SSL/TLS certificates
  • Certificate authorities (CAs)
  • How Akamai obtains certificates on the requester’s behalf, which includes the generation of public/private key pairs and certificate signing requests (CSRs).
  • DNS

If you have questions about these concepts, contact your Akamai account representative.

Getting started

All users can get access to the CPS API without any additional contract changes. To get started with this API:

  • Review Get Started with APIs for details on how to set up client tokens to access any Akamai API. These tokens appear as custom hostnames that look like this: https://akzz-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX.luna.akamaiapis.net.

  • To enable this API, choose the API service named Certificate Provisioning System, and set the access level to READ-WRITE.

  • Get help from the developer community and provide feedback. You can also contact your account representative for support. We want to hear from you!

  • You need to determine the IDs for your contracts and groups prior to using this API. Both operations are available through the Property Manager API (PAPI) using its List contracts and List groups resources.

Internal versioning

Internal versioning of CPS API is managed by Content-Type and Accept headers. In order for a client to successfully reach a resource via HTTP request, the version header (or version header pair if both Content-Type and Accept are required) in the request needs to match exactly any of the versioned resources. Otherwise the API call will fail to map to an allowed resource.

The format of a typical CPS versioning header is application/vnd.akamai.cps.${ENTITY_NAME}.${VERSION}+${MEDIA_TYPE}, for example application/vnd.akamai.cps.enrollment.v4+json.

API concepts

When using this API, you should be familiar with the following concepts:

X509 certificates

A digital certificate is an electronic document that includes a company’s identification information (such as the name and address of the company), a public key, and the digital signature of a Certification Authority (CA) based on that certification authority’s private key. You can think of a certificate as you would a license or passport that identifies your website. Having a certificate provides a way for a client browser to verify the authenticity of a website.

Authentication offers a way to establish the identity of a website to a browser. A certificate contains the common name (CN) you want to use for the certificate. This is the fully qualified domain name for which you plan to use your certificate. CPS supports the following types of certificates:

  • Single certificate: Associates a single domain with a single name.

  • Wildcard certificate: Secures an entire domain. A certificate for *.example.com secures www.example.com, mail.example.com, and any subdomain of example.com. If you do not know what domains you want to attach your certificate to, you should obtain a wildcard certificate, which offers greater flexibility.

  • SAN certificate: Supports multiple domain names. Subject Alternative Name (SAN) certificates allow you to secure up to 100 domain names with one certificate. These certificates address the need to secure multiple names across different domains. You can update a SAN certificate at any time to add more names, up to the capacity of the certificate.

  • Wildcard SAN certificate: Uses wildcard certificates with Subject Alternative Names. Wildcard SAN certificates in CPS are available only from Symantec.

  • Third party certificate: Uses a signed certificate that you obtain from a CA not integrated with CPS.

Certificate authorities

A Certificate Authority (CA) is a trusted entity that signs certificates and can vouch for the identity of a website. CPS integrates and automates certificate generation with two CAs:

If you want to use a different CA, you must use a third-party certificate and CA.

Validation

When a CA gets a request for a certificate and verifies your identity, it validates the certificate. There are four types of validation:

  • Domain Validation (DV): A lower level of validation. The CA validates that you have control of the domain. A typical CPS DV certificate expires in 90 days. The CA validates your authority over the domain by making automatic requests via HTTP, DNS or other methods to verify that the domain is controlled by the requestor. When a domain has been CNAME’d to Akamai, Akamai can manage new requests and renewals automatically on your behalf.

  • Organization Validation (OV): A higher level of validation. The CA validates whether or not the company is valid, if it is registered, and if the business contact legitimately works at the company. An OV certificate generally expires in one year. Renewal of this type of certificate requires a manual reverification performed by the CA prior to issuing updated credentials.

  • Extended Validation (EV): The highest level of validation in which you must have signed letters and notaries sent to the CA before signing. Wildcard certificates cannot be EV certificates because an EV certificate requires you to be explicit about all the subject alternative names (SANs). An EV certificate generally expires in two years. Renewal of this type of certificate requires a manual reverification performed by the CA prior to issuing updated credentials.

  • Third Party Validation: This is used for third party certificates. The expiration date of third-party certificates varies, since these certificates are issued outside of CPS. The renewal of third party certificates is the responsibility of the customer. Akamai provides an updated CSR and the user must repeat the process of getting a signed certificate from the CA of their choice.

Advances in certificate validation require contact between the CAs and the organization for which the certificate is being requested. Depending on the validation mechanism and certificate authority, the process requires different levels of participation from the organization. The timeline for this process depends on many factors, including the number of domains and the responsiveness of the organization. While the process can take just a few days, it can extend to much longer periods. Customers should consider using Domain Validation for the most rapid provisioning.

Enrollments

A CPS enrollment is the collection of settings for:

  • One or more active and pending X509 certificate(s).
  • A reference to the key pairs for all X509 certificates.
  • The settings for how SSL connections utilizing this certificate collection are managed by Akamai.
  • Information regarding contact information used in making validation requests.

A CPS enrollment is the most fundamental and definitive concept. It behaves as a core container for all the operations that clients can perform within CPS.

CPS is a certificate life cycle management tool, and a CPS enrollment is the agent in this tool that lets users display all the information about the process a certificate goes through, from the time it is requested through renewal or removal. Once you obtain a certificate, you can, but do not have to, use it until it expires, in most cases a year from the date the CA issued the certificate. You can start a renewal whenever you want, provided the CPS timeline allows it (for example, the certificate is not too close to expiration and no renewal is already in process).

When the expiration date of an active Akamai-managed certificate in an enrollment approaches, CPS automatically starts the renewal process to prevent Denial of Service (DoS) due to expired certificates. The start date of auto-renewal for an about-to-expire certificate depends on the validation type:

  • EV: 90 days before expiration
  • OV: 60 days before expiration
  • DV: 20 days before expiration

When an auto-renewal operation starts, CPS automatically deploys the renewed certificate when it receives it from the CA, unless a scheduled deployment date is set to specify a particular target time and date.

Resources related to enrollments in the API

An enrollment, along with other operations, allows you to create and manage changes for an enrollment. Relevant parameters for enrollment operations are:

| Property | Type | Description |
|---|---|---|
| ra | Constant - Registration Authority | Registration Authority. |
| validationType | Constant - Validation Type | Domain and Organization validation type. |
| certificateType | Constant - Certificate | Certificate Type. |
| networkType | Constant - Network Type | Network Type. |
| mustHaveCiphers | String | Akamai cipher profile name, e.g. ak-akamai-recommended. |
| preferredCiphers | String | Akamai cipher profile name, e.g. ak-akamai-recommended. |
| sni | Group - sni | Server Name Indication (SNI). |
| signatureAlgorithm | Constant - Signature Algorithm | Algorithm used to sign the certificate. |
| changeManagement | Boolean | When enabled, you need to intervene and approve the enrollment state before a certificate will be deployed with current configuration to the network. |
| csr | Group - CSR | Certificate Signing Request. |
| org | Group - Organization | Organization information for the CSR request. |
| adminContact | Group - Contact | Organization’s administrator contact information for the CSR request. |
| techContact | Group - Contact | Organization’s technical contact information for the CSR request. |
| thirdParty | Group - ThirdParty | Information for certificates signed by RAs other than Akamai’s integrated RAs. |

About the CPS workflow

An enrollment displays all the information about the process that your certificate goes through from the time you request it, through renewal, and as you obtain subsequent versions. CPS is a certificate life cycle management tool. Once you obtain a certificate, you use it until it expires, in most cases a year from the date the CA issued the certificate. CPS automatically starts the renewal process before the old certificate expires, and then automatically deploys the renewed certificate when it receives it from the CA. The CPS workflow is as follows:

  1. Collect certificate details. This includes the name, address, and phone number of your organization, and contact information for someone at your company and a representative from Akamai.

  2. Create the certificate signing request (CSR). You must use CPS to create a request for a certificate from your CA. CPS stores the private key for the certificate when you create the request.

  3. Pre-verify certificate. CPS may trigger pre-verification warnings that require acknowledgement through the API.

  4. Submit the CSR. CPS submits the certificate request to the certificate authority (CA) of your choice for signing. For Third-Party enrollments, you must call the API to extract the CSR to share with your CA for signing.

  5. Validate the certificate. The CA validates the certificate. For Let’s Encrypt, this may involve API calls and validation token configuration.

  6. Issue the certificate. The CA issues the certificate.

  7. Retrieve the certificate. CPS automatically retrieves the certificate and verifies that it is the correct certificate. For Third-Party enrollments, you must use the API to submit a signed certificate and trust chain to CPS.

  8. Post-verify certificate. CPS verifies the certificate against the CSR request, and may trigger post-verification warnings that require acknowledgement through the API.

  9. Confirm change management is enabled. CPS checks whether or not change management is on. If it is on, CPS deploys certificates to the staging network and prompts users to review and acknowledge Change Management before deploying to the production network. If Change Management is off, CPS automatically deploys the certificate to the network.

  10. Check when the certificate may deploy. CPS checks whether or not you set Change.statusInfo.deploymentSchedule to specify when the certificate can deploy, and CPS waits until after the date, if applicable, before deploying the certificate. If you did not set this information, CPS automatically deploys the certificate to the network.

  11. Deploy the certificate. CPS deploys the certificate on the network.

  12. Renew the certificate. CPS automatically restarts these steps to renew the certificate before the certificate expires unless you schedule enrollment removal using Remove an Enrollment.

The enrollment should proceed to the next steps in the workflow (for example, to post-verification warnings, if there are any, or to change management, and so on).

Change input content type mapping

A Change may allow or require updates under certain conditions. The type of updates allowed is internal to the system, and is determined by the state of the change as well as the specific enrollment type. Clients must inspect the Change.allowedInput[].type returned by Get Change Status to determine which actions and headers are supported, then use the Accept and Content-Type headers listed below for that allowedInput value to inspect or update the Change. The following table gives an overview of the different types and corresponding headers, and helps you identify which headers you can use when performing Get Change Information and Update a Change operations.

| Category | Change.allowedInput[].type | API type | Description | Content-Type header | Accept header |
|---|---|---|---|---|---|
| Change-Management | change-management-info | info / GET | Change Management information provides acknowledgement status, and may include warnings about potential conflicts that may occur if you proceed with acknowledgement. | N/A | application/vnd.akamai.cps.change-management-info.v4+json |
| Change-Management | change-management-info | info / GET | The Deployment currently deployed to the staging network. Acknowledging change-management continues deploying this configuration to the production network. | N/A | application/vnd.akamai.cps.deployment.v1+json |
| Change-Management | change-management-info | update / POST | Acknowledge Change Management is required to proceed deploying the certificate to the production network. | application/vnd.akamai.cps.acknowledgement-with-hash.v1+json | application/vnd.akamai.cps.change-id.v1+json |
| Let’s Encrypt | lets-encrypt-challenges | info / GET | Get Let’s Encrypt DvChallenges for a given change. | N/A | application/vnd.akamai.cps.dv-challenges.v2+json |
| Let’s Encrypt | lets-encrypt-challenges | update / POST | Submit an Acknowledgement after you place the HTTP or DNS tokens to inform CPS that Let’s Encrypt challenges have been made available and are ready for validation. You can also wait for CPS to check for the tokens, which it does on a regular schedule. | application/vnd.akamai.cps.acknowledgement.v1+json | application/vnd.akamai.cps.change-id.v1+json |
| Post-Verification | post-verification-warnings | info / GET | Post-verification Warnings generated for a given change. Produced after CPS retrieves a certificate from a CA or when a client uploads a certificate. You must acknowledge post-verification warnings for the change to continue processing. | N/A | application/vnd.akamai.cps.warnings.v1+json |
| Post-Verification | post-verification-warnings | update / POST | You must acknowledge post-verification warnings by submitting an Acknowledgement. | application/vnd.akamai.cps.acknowledgement.v1+json | application/vnd.akamai.cps.change-id.v1+json |
| Pre-Verification | pre-verification-warnings | info / GET | Pre-verification Warnings can generate for a given change. CPS produces these after it retrieves a certificate from a CA or after a client uploads the certificate. Post-verification Warnings must be acknowledged for the change to continue processing. | N/A | application/vnd.akamai.cps.warnings.v1+json |
| Pre-Verification | pre-verification-warnings | update / POST | You must acknowledge pre-Verification warnings by submitting an Acknowledgement. | application/vnd.akamai.cps.acknowledgement.v1+json | application/vnd.akamai.cps.change-id.v1+json |
| Third-Party | third-party-csr | info / GET | Get Certificate Signing Request (CSR) for a Third-Party certificate. | N/A | application/vnd.akamai.cps.csr.v1+json |
| Third-Party | third-party-csr | update / POST | Upload Third Party Certificate and Trust Chain. | application/vnd.akamai.cps.certificate-and-trust-chain.v1+json | application/vnd.akamai.cps.change-id.v1+json |
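
The header mapping above as a request builder, an added example that is not Akamai's code: it selects the Content-Type/Accept pair for an allowedInput type, checks every header against the versioning format from "Internal versioning", and fills in the Get a change and Update a change paths. It assumes the {allowedInputTypeParam} path segment is the allowedInput type string; the function names and the sample change status are constructed for illustration.

```python
import re

PREFIX = "application/vnd.akamai.cps."
ACK = PREFIX + "acknowledgement.v1+json"
CHANGE_ID = PREFIX + "change-id.v1+json"
WARNINGS = PREFIX + "warnings.v1+json"

# (allowedInput type, action) -> (Content-Type or None, accepted Accept values),
# transcribed from the table above. "info" is sent as GET, "update" as POST.
HEADER_MAP = {
    ("change-management-info", "info"): (None, [
        PREFIX + "change-management-info.v4+json",
        PREFIX + "deployment.v1+json"]),
    ("change-management-info", "update"): (
        PREFIX + "acknowledgement-with-hash.v1+json", [CHANGE_ID]),
    ("lets-encrypt-challenges", "info"): (None, [PREFIX + "dv-challenges.v2+json"]),
    ("lets-encrypt-challenges", "update"): (ACK, [CHANGE_ID]),
    ("post-verification-warnings", "info"): (None, [WARNINGS]),
    ("post-verification-warnings", "update"): (ACK, [CHANGE_ID]),
    ("pre-verification-warnings", "info"): (None, [WARNINGS]),
    ("pre-verification-warnings", "update"): (ACK, [CHANGE_ID]),
    ("third-party-csr", "info"): (None, [PREFIX + "csr.v1+json"]),
    ("third-party-csr", "update"): (
        PREFIX + "certificate-and-trust-chain.v1+json", [CHANGE_ID]),
}

# application/vnd.akamai.cps.${ENTITY_NAME}.${VERSION}+${MEDIA_TYPE}
VERSIONED_TYPE = re.compile(
    r"application/vnd\.akamai\.cps\.([a-z0-9-]+)\.(v\d+)\+([a-z]+)")

# Constructed sample: only the allowedInput[].type field named on this page.
SAMPLE_CHANGE_STATUS = {
    "allowedInput": [
        {"type": "post-verification-warnings"},
        {"type": "some-future-type"},
    ]
}


def parse_versioned_type(value):
    """Split a CPS versioning header into (entity, version, media type)."""
    match = VERSIONED_TYPE.fullmatch(value)
    if match is None:
        raise ValueError("not a CPS versioned media type: %r" % value)
    return match.groups()


def build_change_request(enrollment_id, change_id, input_type, action, accept=None):
    """Return method, path and headers for one Get/Update a change call."""
    if (input_type, action) not in HEADER_MAP:
        raise ValueError("no header mapping for %r / %r" % (input_type, action))
    content_type, accepts = HEADER_MAP[(input_type, action)]
    if accept is None:
        accept = accepts[0]
    elif accept not in accepts:
        # A header that does not match exactly will not map to a resource.
        raise ValueError("%r is not served for %r" % (accept, input_type))
    headers = {"Accept": accept}
    if content_type is not None:
        headers["Content-Type"] = content_type
    for value in headers.values():
        parse_versioned_type(value)
    # int() rejects anything but numeric IDs, so no stray path segments get in.
    path = "/cps/v2/enrollments/%d/changes/%d/input/%s/%s" % (
        int(enrollment_id), int(change_id), action, input_type)
    return {"method": "GET" if action == "info" else "POST",
            "path": path, "headers": headers}


def plan_info_requests(enrollment_id, change_id, change_status):
    """Build one info request per known allowedInput type; collect the rest."""
    planned, unknown = [], []
    for item in change_status.get("allowedInput", []):
        input_type = item.get("type")
        if (input_type, "info") in HEADER_MAP:
            planned.append(
                build_change_request(enrollment_id, change_id, input_type, "info"))
        else:
            unknown.append(input_type)
    return planned, unknown


if __name__ == "__main__":
    for request in plan_info_requests(10002, 10002, SAMPLE_CHANGE_STATUS)[0]:
        print(request["method"], request["path"], request["headers"])
```

Types that are not in the table are returned separately rather than guessed at, so a new allowedInput type shows up as a visible gap instead of a failed call.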

Resources

The Certificate Provisioning System (CPS) provides full life cycle management of SSL certificates for your Akamai Secure Delivery Network applications. This includes allowing you to request new certificates, modify existing certificates, automatically renew certificates, and delete certificates. CPS also manages key Transport Layer Security (TLS) configuration including cipher selection.

API summary

Download the RAML descriptors for this API.

| Operation | Method | Endpoint |
|---|---|---|
| List enrollments | GET | /cps/v2/enrollments{?contractId} |
| Create an enrollment | POST | /cps/v2/enrollments{?contractId,deploy-not-after,deploy-not-before} |
| Get an enrollment | GET | /cps/v2/enrollments/{enrollmentId} |
| Update an enrollment | PUT | /cps/v2/enrollments/{enrollmentId}{?allow-cancel-pending-changes,allow-staging-bypass,deploy-not-after,deploy-not-before,force-renewal,renewal-date-check-override} |
| Remove an enrollment | DELETE | /cps/v2/enrollments/{enrollmentId}{?allow-cancel-pending-changes,deploy-not-after,deploy-not-before} |
| Get change status | GET | /cps/v2/enrollments/{enrollmentId}/changes/{changeId} |
| Cancel a change | DELETE | /cps/v2/enrollments/{enrollmentId}/changes/{changeId} |
| Get a change | GET | /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/input/info/{allowedInputTypeParam} |
| Update a change | POST | /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/input/update/{allowedInputTypeParam} |
| Get a deployment schedule | GET | /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/deployment-schedule |
| Update a deployment schedule | PUT | /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/deployment-schedule |
| Get change history | GET | /cps/v2/enrollments/{enrollmentId}/history/changes |
| Get certificate history | GET | /cps/v2/enrollments/{enrollmentId}/history/certificates |
| Get DV history | GET | /cps/v2/enrollments/{enrollmentId}/dv-history |
| List deployments | GET | /cps/v2/enrollments/{enrollmentId}/deployments |
| Get staging deployment | GET | /cps/v2/enrollments/{enrollmentId}/deployments/staging |
| Get production deployment | GET | /cps/v2/enrollments/{enrollmentId}/deployments/production |

List enrollments

A list of the names of each enrollment.

GET /cps/v2/enrollments{?contractId}

Sample: /cps/v2/enrollments?contractId=1-1TJZH5

Headers:

Accept: application/vnd.akamai.cps.enrollments.v7+json

| Parameter | Type | Sample | Description |
|---|---|---|---|
| Optional query parameters | | | |
| contractId | String | 1-1TJZH5 | Specify the contract on which to operate or view. |

Status 200 application/vnd.akamai.cps.enrollments.v7+json

Headers:

Content-Type: application/vnd.akamai.cps.enrollments.v7+json

Response Body:

{
    "enrollments": [
        {
            "location": "/cps-api/enrollments/10002",
            "ra": "third-party",
            "validationType": "third-party",
            "certificateType": "third-party",
            "certificateChainType": "default",
            "networkConfiguration": {
                "geography": "core",
                "secureNetwork": "enhanced-tls",
                "mustHaveCiphers": "ak-akamai-default-2016q1",
                "preferredCiphers": "ak-akamai-default-2016q3",
                "disallowedTlsVersions": [],
                "sniOnly": true,
                "quicEnabled": false,
                "dnsNameSettings": {
                    "cloneDnsNames": true,
                    "dnsNames": [
                        "san2.example.com",
                        "san1.example.com"
                    ]
                },
                "ocspStapling": "not-set"
            },
            "signatureAlgorithm": null,
            "changeManagement": false,
            "csr": {
                "cn": "www.example.com",
                "c": "US",
                "st": "MA",
                "l": "Cambridge",
                "o": "Akamai",
                "ou": "WebEx",
                "sans": [
                    "san1.example.com",
                    "san2.example.com",
                    "san3.example.com"
                ]
            },
            "org": {
                "name": "Akamai Technologies",
                "addressLineOne": "150 Broadway",
                "addressLineTwo": null,
                "city": "Cambridge",
                "region": "MA",
                "postalCode": "02142",
                "country": "US",
                "phone": "617-555-0111"
            },
            "adminContact": {
                "firstName": "R1",
                "lastName": "D1",
                "phone": "617-555-0111",
                "email": "r1d1@akamai.com",
                "addressLineOne": "150 Broadway",
                "addressLineTwo": null,
                "city": "Cambridge",
                "country": "US",
                "organizationName": "Akamai",
                "postalCode": "02142",
                "region": "MA",
                "title": "Adminstrator"
            },
            "techContact": {
                "firstName": "R2",
                "lastName": "D2",
                "phone": "617-555-0111",
                "email": "r2d2@akamai.com",
                "addressLineOne": "150 Broadway",
                "addressLineTwo": null,
                "city": "Cambridge",
                "country": "US",
                "organizationName": "Akamai",
                "postalCode": "02142",
                "region": "MA",
                "title": "Technical Engineer"
            },
            "thirdParty": {
                "excludeSans": false
            },
            "enableMultiStackedCertificates": false,
            "pendingChanges": [
                "/cps/v2/enrollments/10000/changes/10000"
            ],
            "maxAllowedSanNames": 100,
            "maxAllowedWildcardSanNames": 100
        },
        {
            "location": "/cps-api/enrollments/10000",
            "ra": "lets-encrypt",
            "validationType": "dv",
            "certificateType": "san",
            "certificateChainType": "default",
            "networkConfiguration": {
                "geography": "core",
                "secureNetwork": "enhanced-tls",
                "mustHaveCiphers": "ak-akamai-default-2016q3",
                "preferredCiphers": "ak-akamai-default-2016q3",
                "disallowedTlsVersions": [
                    "TLSv1_1"
                ],
                "sniOnly": true,
                "quicEnabled": false,
                "dnsNameSettings": {
                    "cloneDnsNames": true,
                    "dnsNames": [
                        "san1.example.com",
                        "san2.example.com"
                    ]
                },
                "ocspStapling": "not-set"
            },
            "signatureAlgorithm": "SHA-256",
            "changeManagement": true,
            "csr": {
                "cn": "se-0717-dv-sni.com",
                "c": "US",
                "st": "MA",
                "l": "Cambridge",
                "o": "se test",
                "ou": "se",
                "sans": [
                    "san1.example.com",
                    "san2.example.com"
                ]
            },
            "org": {
                "name": "Akamai Technologies",
                "addressLineOne": "150 Broadway",
                "addressLineTwo": null,
                "city": "Cambridge",
                "region": "MA",
                "postalCode": "02142",
                "country": "US",
                "phone": "617-555-0111"
            },
            "adminContact": {
                "firstName": "R1",
                "lastName": "D1",
                "phone": "617-555-0111",
                "email": "r1d1@akamai.com",
                "addressLineOne": "150 Broadway",
                "addressLineTwo": null,
                "city": "Cambridge",
                "country": "US",
                "organizationName": "Akamai",
                "postalCode": "02142",
                "region": "MA",
                "title": "Adminstrator"
            },
            "techContact": {
                "firstName": "R2",
                "lastName": "D2",
                "phone": "617-555-0111",
                "email": "r2d2@akamai.com",
                "addressLineOne": "150 Broadway",
                "addressLineTwo": null,
                "city": "Cambridge",
                "country": "US",
                "organizationName": "Akamai",
                "postalCode": "02142",
                "region": "MA",
                "title": "Technical Engineer"
            },
            "thirdParty": null,
            "enableMultiStackedCertificates": false,
            "pendingChanges": [
                "/cps/v2/enrollments/10000/changes/10002"
            ],
            "maxAllowedSanNames": 100,
            "maxAllowedWildcardSanNames": 25
        }
    ]
}

  1. Using the List contracts operation, look up the contractId under which you want to provision the enrollment.

  2. Specify an Accept header versioned up to application/vnd.akamai.cps.enrollments.v7+json.

  3. Make a GET request to /cps/v2/enrollments{?contractId}.

  4. Enrollment objects are available within the response’s enrollments array.
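
The steps above followed by a configuration audit of the returned enrollments array, as an added example that is not Akamai's code. The sample body is constructed and trimmed to the fields the audit reads (it mirrors the response shown above); the POLICY values and function names are assumptions of this example, not CPS requirements.

```python
import json
from urllib.parse import urlencode

ACCEPT = "application/vnd.akamai.cps.enrollments.v7+json"

# Constructed sample, trimmed from the List enrollments response on this page.
SAMPLE_BODY = """
{"enrollments": [
  {"location": "/cps-api/enrollments/10002", "ra": "third-party",
   "networkConfiguration": {"mustHaveCiphers": "ak-akamai-default-2016q1",
                            "preferredCiphers": "ak-akamai-default-2016q3",
                            "disallowedTlsVersions": []},
   "changeManagement": false,
   "pendingChanges": ["/cps/v2/enrollments/10000/changes/10000"]},
  {"location": "/cps-api/enrollments/10000", "ra": "lets-encrypt",
   "networkConfiguration": {"mustHaveCiphers": "ak-akamai-default-2016q3",
                            "preferredCiphers": "ak-akamai-default-2016q3",
                            "disallowedTlsVersions": ["TLSv1_1"]},
   "changeManagement": true,
   "pendingChanges": ["/cps/v2/enrollments/10000/changes/10002"]}
]}
"""

# Local policy: an assumption of this example, set per organization.
POLICY = {
    "must_disallow_tls": {"TLSv1_1"},
    "approved_cipher_profiles": {"ak-akamai-default-2016q3"},
}


def list_enrollments_request(contract_id=None):
    """Steps 2 and 3: the GET request with its versioned Accept header."""
    path = "/cps/v2/enrollments"
    if contract_id:
        path += "?" + urlencode({"contractId": contract_id})
    return {"method": "GET", "path": path, "headers": {"Accept": ACCEPT}}


def audit_enrollment(enrollment, policy=POLICY):
    """Return (severity, message) findings for one enrollment object."""
    findings = []
    net = enrollment.get("networkConfiguration") or {}
    if not enrollment.get("changeManagement"):
        findings.append(("high", "changeManagement is off: the certificate "
                         "deploys to the network without a staging review"))
    disallowed = set(net.get("disallowedTlsVersions") or [])
    missing = policy["must_disallow_tls"] - disallowed
    if missing:
        findings.append(("high", "TLS versions still allowed: "
                         + ", ".join(sorted(missing))))
    for key in ("mustHaveCiphers", "preferredCiphers"):
        if net.get(key) not in policy["approved_cipher_profiles"]:
            findings.append(("medium", "%s uses unapproved cipher profile %r"
                             % (key, net.get(key))))
    if enrollment.get("ra") == "third-party":
        findings.append(("info", "third-party certificate: renewal is the "
                         "customer's responsibility, track its expiry"))
    if enrollment.get("pendingChanges"):
        findings.append(("info", "pending change(s): "
                         + ", ".join(enrollment["pendingChanges"])))
    return findings


def audit_response(body, policy=POLICY):
    """Step 4: walk the enrollments array and audit each entry."""
    return {e.get("location", "<no location>"): audit_enrollment(e, policy)
            for e in body.get("enrollments", [])}


if __name__ == "__main__":
    print(list_enrollments_request("1-1TJZH5"))
    for location, findings in audit_response(json.loads(SAMPLE_BODY)).items():
        for severity, message in findings:
            print(location, severity.upper(), message)
```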

Create an enrollment

Creates an enrollment that contains all the information about the process that your certificate goes through from the time you request it, through renewal, and as you obtain subsequent versions.

POST /cps/v2/enrollments{?contractId,deploy-not-after,deploy-not-before}

Sample: /cps/v2/enrollments?contractId=1-1TJZH5&deploy-not-after=2017-01-31&deploy-not-before=2017-01-31

Headers:

Content-Type: application/vnd.akamai.cps.enrollment.v7+json
Accept: application/vnd.akamai.cps.enrollment-status.v1+json

Content-Type: application/vnd.akamai.cps.enrollment.v7+json

Request Body:

{
    "ra": "third-party",
    "validationType": "third-party",
    "certificateType": "third-party",
    "networkConfiguration": {
        "geography": "core",
        "secureNetwork": "enhanced-tls",
        "mustHaveCiphers": "ak-akamai-default2016q3",
        "preferredCiphers": "ak-akamai-default",
        "disallowedTlsVersions": [],
        "sni": {
            "cloneDnsNames": false,
            "dnsNames": [
                "san1.example.com",
                "san2.example.com"
            ]
        }
    },
    "signatureAlgorithm": "SHA-256",
    "changeManagement": true,
    "csr": {
        "cn": "www.example.com",
        "c": "US",
        "st": "MA",
        "l": "Cambridge",
        "o": "Akamai",
        "ou": "WebEx",
        "sans": [
            "san1.example.com",
            "san2.example.com",
            "san3.example.com",
            "san4.example.com"
        ]
    },
    "org": {
        "name": "Akamai Technologies",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "region": "MA",
        "postalCode": "02142",
        "country": "US",
        "phone": "617-555-0111"
    },
    "adminContact": {
        "firstName": "Darth",
        "lastName": "Vader",
        "phone": "617-555-0123",
        "email": "vader@example.com",
        "addressLineOne": "666 Evil Way",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Dark Side",
        "postalCode": "02142",
        "region": "MA",
        "title": "Lord"
    },
    "techContact": {
        "firstName": "R2",
        "lastName": "D2",
        "phone": "617-555-0111",
        "email": "r2d2@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Astromech Droid"
    },
    "thirdParty": {
        "excludeSans": false
    },
    "enableMultiStackedCertificates": false
}

| Parameter | Type | Sample | Description |
|---|---|---|---|
| Required query parameters | | | |
| contractId | String | 1-1TJZH5 | Specify the contract on which to operate or view. |
| Optional query parameters | | | |
| deploy-not-after | String | 2017-01-31 | Don’t deploy after this date (UTC). |
| deploy-not-before | String | 2017-01-31 | Don’t deploy before this date (UTC). |

Status 202 application/vnd.akamai.cps.enrollment-status.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.enrollment-status.v1+json

Response Body:

{
    "enrollment": "/cps/v2/enrollments/10002",
    "changes": [
        "/cps/v2/enrollments/10002/changes/10002"
    ]
}

  1. Using the List contracts operation, look up the contractId under which you want to provision the enrollment.

  2. If you want to control when the enrollment deploys, set the deploy-not-before or deploy-not-after query parameters.

  3. Create an Enrollment object.

  4. Specify a Content-Type header versioned up to application/vnd.akamai.cps.enrollment.v7+json.

  5. Specify an Accept header of application/vnd.akamai.cps.enrollment-status.v1+json.

  6. POST the object to /cps/v2/enrollments{?contractId,deploy-not-after,deploy-not-before}.
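
The create steps above with the checks a client can run before and after the call, as an added example that is not Akamai's code: it validates the deployment window, builds the POST with both versioned headers, and extracts the enrollment and change IDs from the 202 body shown above. Function names are constructed for this example, and request signing is left to your EdgeGrid client.

```python
import json
import re
from datetime import date
from urllib.parse import urlencode

CONTENT_TYPE = "application/vnd.akamai.cps.enrollment.v7+json"
ACCEPT = "application/vnd.akamai.cps.enrollment-status.v1+json"

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
ENROLLMENT_RE = re.compile(r"/cps/v2/enrollments/(\d+)")
CHANGE_RE = re.compile(r"/cps/v2/enrollments/(\d+)/changes/(\d+)")


def parse_deploy_date(name, value):
    """Accept only YYYY-MM-DD, the format used in the samples on this page."""
    if not DATE_RE.fullmatch(value):
        raise ValueError("%s must look like 2017-01-31, got %r" % (name, value))
    return date.fromisoformat(value)  # also rejects dates such as 2017-02-30


def build_create_request(enrollment, contract_id,
                         deploy_not_before=None, deploy_not_after=None):
    """Steps 1 to 6: query parameters, headers and body for the POST."""
    if not contract_id:
        raise ValueError("contractId is a required query parameter")
    query = {"contractId": contract_id}
    window = {}
    for name, value in (("deploy-not-before", deploy_not_before),
                        ("deploy-not-after", deploy_not_after)):
        if value is not None:
            window[name] = parse_deploy_date(name, value)
            query[name] = value
    if len(window) == 2 and window["deploy-not-before"] > window["deploy-not-after"]:
        raise ValueError("deploy-not-before is later than deploy-not-after")
    return {
        "method": "POST",
        "path": "/cps/v2/enrollments?" + urlencode(query),
        "headers": {"Content-Type": CONTENT_TYPE, "Accept": ACCEPT},
        "body": json.dumps(enrollment),
    }


def parse_enrollment_status(body):
    """Pull (enrollment_id, [change_id, ...]) out of the 202 response body."""
    match = ENROLLMENT_RE.fullmatch(body.get("enrollment", ""))
    if match is None:
        raise ValueError("unexpected enrollment path: %r" % body.get("enrollment"))
    enrollment_id = int(match.group(1))
    change_ids = []
    for path in body.get("changes", []):
        change = CHANGE_RE.fullmatch(path)
        # Refuse to follow a change link that points at another enrollment.
        if change is None or int(change.group(1)) != enrollment_id:
            raise ValueError("change path does not belong to enrollment %d: %r"
                             % (enrollment_id, path))
        change_ids.append(int(change.group(2)))
    return enrollment_id, change_ids


if __name__ == "__main__":
    request = build_create_request({"ra": "third-party"}, "1-1TJZH5",
                                   "2017-01-31", "2017-01-31")
    print(request["method"], request["path"])
    # Response body copied from the 202 sample above.
    print(parse_enrollment_status({
        "enrollment": "/cps/v2/enrollments/10002",
        "changes": ["/cps/v2/enrollments/10002/changes/10002"],
    }))
```

The returned change ID is what Get change status takes next, which is where any pre-verification warnings for the new enrollment appear.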

Get an enrollment

Gets an enrollment.

GET /cps/v2/enrollments/{enrollmentId}

Sample: /cps/v2/enrollments/10000

Headers:

Accept: application/vnd.akamai.cps.enrollment.v7+json

| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | | | |
| enrollmentId | Integer | 10000 | Enrollment on which to perform the desired operation. |

Status 200 application/vnd.akamai.cps.enrollment.v7+json

Headers:

Content-Type: application/vnd.akamai.cps.enrollment.v7+json

Response Body:

{
    "location": "/cps/v2/enrollments/10002",
    "ra": "third-party",
    "validationType": "third-party",
    "certificateType": "third-party",
    "certificateChainType": "default",
    "networkConfiguration": {
        "geography": "core",
        "secureNetwork": "enhanced-tls",
        "mustHaveCiphers": "ak-akamai-default",
        "preferredCiphers": "ak-akamai-default-interim",
        "disallowedTlsVersions": [],
        "sniOnly": true,
        "quicEnabled": false,
        "dnsNameSettings": {
            "cloneDnsNames": false,
            "dnsNames": [
                "san2.example.com",
                "san1.example.com"
            ]
        },
        "ocspStapling": "not-set"
    },
    "signatureAlgorithm": null,
    "changeManagement": true,
    "csr": {
        "cn": "www.example.com",
        "c": "US",
        "st": "MA",
        "l": "Cambridge",
        "o": "Akamai",
        "ou": "WebEx",
        "sans": [
            "san1.example.com",
            "san2.example.com",
            "san3.example.com"
        ]
    },
    "org": {
        "name": "Akamai Technologies",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "region": "MA",
        "postalCode": "02142",
        "country": "US",
        "phone": "617-555-0111"
    },
    "adminContact": {
        "firstName": "R1",
        "lastName": "D1",
        "phone": "617-555-0111",
        "email": "r1d1@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Adminstrator"
    },
    "techContact": {
        "firstName": "R2",
        "lastName": "D2",
        "phone": "617-555-0111",
        "email": "r2d2@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Technical Engineer"
    },
    "thirdParty": {
        "excludeSans": false
    },
    "enableMultiStackedCertificates": false,
    "pendingChanges": [
        "/cps/v2/enrollments/10002/changes/10002"
    ],
    "maxAllowedSanNames": 100,
    "maxAllowedWildcardSanNames": 100
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. Strip all text up to the final segment of the object’s location and store it as the enrollmentId.

  3. Specify an Accept header versioned up to application/vnd.akamai.cps.enrollment.v7+json.

  4. Make a GET request to /cps/v2/enrollments/{enrollmentId}.

  5. The response provides an Enrollment object.

Update an enrollment

Updates an enrollment with changes. The response type varies depending on the type and impact of the change. For example, changing the SANs list may return HTTP 202 Accepted, since the operation requires a new certificate and network deployment operations and thus cannot be completed without a change. By contrast, a Technical Contact name change may return HTTP 200 OK, assuming there are no active changes and the operation does not require a new certificate.

PUT /cps/v2/enrollments/{enrollmentId}{?allow-cancel-pending-changes,allow-staging-bypass,deploy-not-after,deploy-not-before,force-renewal,renewal-date-check-override}

Sample: /cps/v2/enrollments/10000?allow-cancel-pending-changes=true&allow-staging-bypass=true&deploy-not-after=2017-01-31&deploy-not-before=2017-01-31&force-renewal=true&renewal-date-check-override=true

Headers:

Content-Type: application/vnd.akamai.cps.enrollment.v7+json
Accept: application/vnd.akamai.cps.enrollment-status.v1+json

Request Body:

{
    "location": "/cps/v2/enrollments/10002",
    "ra": "third-party",
    "validationType": "third-party",
    "certificateType": "third-party",
    "certificateChainType": "default",
    "networkConfiguration": {
        "geography": "core",
        "secureNetwork": "enhanced-tls",
        "mustHaveCiphers": "ak-akamai-default",
        "preferredCiphers": "ak-akamai-default-interim",
        "disallowedTlsVersions": [],
        "sniOnly": true,
        "quicEnabled": false,
        "dnsNameSettings": {
            "cloneDnsNames": false,
            "dnsNames": [
                "san2.example.com",
                "san1.example.com"
            ]
        },
        "ocspStapling": "not-set"
    },
    "signatureAlgorithm": null,
    "changeManagement": true,
    "csr": {
        "cn": "www.example.com",
        "c": "US",
        "st": "MA",
        "l": "Cambridge",
        "o": "Akamai",
        "ou": "WebEx",
        "sans": [
            "san1.example.com",
            "san2.example.com",
            "san3.example.com"
        ]
    },
    "org": {
        "name": "Akamai Technologies",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "region": "MA",
        "postalCode": "02142",
        "country": "US",
        "phone": "617-555-0111"
    },
    "adminContact": {
        "firstName": "R1",
        "lastName": "D1",
        "phone": "617-555-0111",
        "email": "r1d1@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Adminstrator"
    },
    "techContact": {
        "firstName": "R2",
        "lastName": "D2",
        "phone": "617-555-0111",
        "email": "r2d2@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Technical Engineer"
    },
    "thirdParty": {
        "excludeSans": false
    },
    "enableMultiStackedCertificates": false,
    "pendingChanges": [
        "/cps/v2/enrollments/10002/changes/10002"
    ],
    "maxAllowedSanNames": 100,
    "maxAllowedWildcardSanNames": 100
}
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
Optional query parameters
allow-cancel-pending-changes Boolean true Cancel all pending changes when updating an enrollment.
allow-staging-bypass Boolean true Bypass staging and push meta-data updates directly to production network. Current change will also be updated with the same changes.
deploy-not-after String 2017-01-31 Don’t deploy after this date (UTC).
deploy-not-before String 2017-01-31 Don’t deploy before this date (UTC).
force-renewal Boolean true Force certificate renewal for Enrollment.
renewal-date-check-override Boolean true CPS automatically starts a Change to renew a certificate before it expires. This automatic Change starts when the certificate’s expiration falls within a renewal window, and the system blocks other changes from starting during that window. Setting renewal-date-check-override=true allows you to create a Change during the renewal window, at the risk of ending up with an expired certificate on the network.

Status 200 application/vnd.akamai.cps.enrollment-status.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.enrollment-status.v1+json

Response Body:

{
    "enrollment": "/cps/v2/enrollments/10002",
    "changes": [
        "/cps/v2/enrollments/10002/changes/10002"
    ]
}

Status 202 application/vnd.akamai.cps.enrollment-status.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.enrollment-status.v1+json

Response Body:

{
    "enrollment": "/cps/v2/enrollments/10002",
    "changes": [
        "/cps/v2/enrollments/10002/changes/10002"
    ]
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. If you want to update an enrollment while changes are still pending, set the allow-cancel-pending-changes query parameter.

  3. If you want to control when the enrollment deploys, set the deploy-not-before or deploy-not-after query parameters.

  4. Run the Get an Enrollment operation.

  5. Modify the Enrollment object.

  6. Specify a Content-Type header versioned up to application/vnd.akamai.cps.enrollment.v7+json.

  7. Specify an Accept header of application/vnd.akamai.cps.enrollment-status.v1+json.

  8. PUT the object using the Enrollment’s location hypermedia URL: location{?allow-cancel-pending-changes,deploy-not-after,deploy-not-before}.
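The query parameters above include three that switch off a safeguard, so an automation wrapper can refuse them unless the caller names each one explicitly. This is an added example, not Akamai's code: the function name, the acknowledgement rule and the date-order check are assumptions of this sketch, while the parameter names come from the table above.

```python
from datetime import date
from urllib.parse import urlencode

# Query parameters the page lists for PUT /cps/v2/enrollments/{enrollmentId}.
BOOLEAN_FLAGS = (
    "allow-cancel-pending-changes",
    "allow-staging-bypass",
    "force-renewal",
    "renewal-date-check-override",
)
DATE_PARAMS = ("deploy-not-after", "deploy-not-before")

# Flags that skip a safeguard described on the page. Requiring a per-flag
# acknowledgement is a local policy assumed by this example.
RISKY_FLAGS = {
    "allow-cancel-pending-changes": "cancels every pending change",
    "allow-staging-bypass": "pushes metadata updates straight to production",
    "renewal-date-check-override": "allows a change inside the renewal window",
}


class PolicyError(ValueError):
    """Raised when a request would violate the local change policy."""


def build_update_query(params, acknowledged=()):
    """Return the query string for an enrollment update, or raise PolicyError."""
    unknown = set(params) - set(BOOLEAN_FLAGS) - set(DATE_PARAMS)
    if unknown:
        raise PolicyError(f"unknown query parameters: {sorted(unknown)}")

    out = {}
    for name in BOOLEAN_FLAGS:
        if name not in params:
            continue
        value = params[name]
        if not isinstance(value, bool):
            raise PolicyError(f"{name} must be a boolean")
        if value and name in RISKY_FLAGS and name not in acknowledged:
            raise PolicyError(
                f"{name} {RISKY_FLAGS[name]}; acknowledge it explicitly")
        out[name] = "true" if value else "false"

    dates = {}
    for name in DATE_PARAMS:
        if name not in params:
            continue
        try:
            dates[name] = date.fromisoformat(params[name])
        except (TypeError, ValueError) as exc:
            raise PolicyError(f"{name} must be a YYYY-MM-DD date") from exc
        out[name] = dates[name].isoformat()

    # Sanity check assumed by this example: the deployment window is not empty.
    if len(dates) == 2 and dates["deploy-not-before"] > dates["deploy-not-after"]:
        raise PolicyError("deploy-not-before is later than deploy-not-after")

    return urlencode(sorted(out.items()))


if __name__ == "__main__":
    print(build_update_query(
        {"deploy-not-before": "2017-01-31", "force-renewal": True}))
```

Append the returned string to the Enrollment's location URL after a `?`; a PolicyError means the request should go through manual review instead.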

Remove an enrollment

Removes an enrollment from CPS. The response type varies depending on the state of the enrollment. Deleting an enrollment in the future or deleting an enrollment that has a certificate deployed to the network may return HTTP 202 Accepted. Deleting an enrollment that has not yet deployed a certificate to the network completes immediately and returns HTTP 200 OK.

DELETE /cps/v2/enrollments/{enrollmentId}{?allow-cancel-pending-changes,deploy-not-after,deploy-not-before}

Sample: /cps/v2/enrollments/10000?allow-cancel-pending-changes=true&deploy-not-after=2017-01-01&deploy-not-before=2017-01-01

Headers:

Accept: application/vnd.akamai.cps.enrollment-status.v1+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
Optional query parameters
allow-cancel-pending-changes Boolean true Cancel all pending changes when updating an enrollment.
deploy-not-after String 2017-01-01 Don’t deploy after this date (UTC).
deploy-not-before String 2017-01-01 Don’t deploy before this date (UTC).

Status 200 application/vnd.akamai.cps.enrollment-status.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.enrollment-status.v1+json

Response Body:

{
    "enrollment": "/cps/v2/enrollments/10002",
    "changes": [
        "/cps/v2/enrollments/10002/changes/10002"
    ]
}

Status 202 application/vnd.akamai.cps.enrollment-status.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.enrollment-status.v1+json

Response Body:

{
    "enrollment": "/cps/v2/enrollments/10002",
    "changes": [
        "/cps/v2/enrollments/10002/changes/10002"
    ]
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. If you want to update an enrollment while changes are pending, set the allow-cancel-pending-changes query parameter.

  3. If you want to control when CPS removes the enrollment, set the deploy-not-before or deploy-not-after query parameters.

  4. Specify an Accept header of application/vnd.akamai.cps.enrollment-status.v1+json.

  5. Make a DELETE request to the Enrollment’s location hypermedia URL.

Get change status

Gets the status of a pending change.

GET /cps/v2/enrollments/{enrollmentId}/changes/{changeId}

Sample: /cps/v2/enrollments/10000/changes/10000

Headers:

Accept: application/vnd.akamai.cps.change.v2+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
changeId Integer 10000 The change for this enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.change.v2+json

Headers:

Content-Type: application/vnd.akamai.cps.change.v2+json

Response Body:

{
    "statusInfo": {
        "status": "wait-upload-third-party",
        "state": "awaiting-input",
        "description": "Waiting for you to upload and submit your third party certificate and trust chain.",
        "deploymentSchedule": {
            "notBefore": null,
            "notAfter": null
        },
        "error": null
    },
    "allowedInput": [
        {
            "type": "third-party-certificate",
            "requiredToProceed": true,
            "info": "/cps/v2/enrollments/10002/changes/10002/input/info/third-party-csr",
            "update": "/cps/v2/enrollments/10002/changes/10002/input/update/third-party-cert-and-trust-chain"
        }
    ]
}

An enrollment may have a change associated with it while CPS prepares the certificate for deployment. You can only complete these operations for an enrollment which has a pending change.

  1. If you do not have an enrollment, run the List Enrollments operation and select an Enrollment.

  2. Specify an Accept header of application/vnd.akamai.cps.change.v1+json.

  3. For an Enrollment which has pendingChanges present, make a GET request to the Enrollment’s last pendingChanges.location hypermedia URL. Otherwise you cannot run this operation.

  4. The response provides a Change object.

Cancel a change

Cancels a pending change.

DELETE /cps/v2/enrollments/{enrollmentId}/changes/{changeId}

Sample: /cps/v2/enrollments/10000/changes/10000

Headers:

Accept: application/vnd.akamai.cps.change-id.v1+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
changeId Integer 10000 The change for this enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.change-id.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.change-id.v1+json

Response Body:

{
    "change": "/cps/v2/enrollments/10002/changes/10002"
}

An enrollment may have a change associated with it while CPS prepares a certificate or metadata for deployment. You can only complete these operations for an enrollment that has a pending change.

  1. If you do not have an enrollment, run the List Enrollments operation and select an Enrollment.

  2. Specify an Accept header of application/vnd.akamai.cps.change.v2+json.

  3. For an Enrollment which has pendingChanges present, make a DELETE request to the Enrollment’s last pendingChanges.location hypermedia URL. Otherwise you cannot run this operation.

  4. The response provides a Change object.

Get a change

Gets detailed information about a pending change. Below is a sample where Change.allowedInput[].type has the value third-party-csr. The acceptable Accept header depends on the value of the allowedInput.type for the Change instance. See Change Input Content Type Mapping for details.

GET /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/input/info/{allowedInputTypeParam}

Sample: /cps/v2/enrollments/10000/changes/10000/input/info/third-party-csr

Headers:

Accept: application/vnd.akamai.cps.csr.v1+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
changeId Integer 10000 The change for this enrollment on which to perform the desired operation.
allowedInputTypeParam Enumeration third-party-csr Found as last part of Change.allowedInput[].info hypermedia URL. See Change Input Content Type Mapping for details. Current supported types include change-management-info, lets-encrypt-challenges, post-verification-warnings, pre-verification-warnings and third-party-csr.

Status 200

Headers:

Content-Type: application/vnd.akamai.cps.csr.v1+json

These are sample steps for a change where Change.allowedInput[].type equals third-party-csr.

  1. If you do not have an enrollment, run the List Enrollments operation and select an Enrollment.

  2. Specify an Accept header of application/vnd.akamai.cps.change.v1+json.

  3. For a Third-Party Enrollment which has pendingChanges present, make a GET request to the Enrollment’s last pendingChanges.location hypermedia URL. Otherwise you cannot run this operation.

  4. The response provides a Change object.

  5. Specify an Accept header of application/vnd.akamai.cps.csr.v1+json.

  6. For a Change object where the Change.allowedInput[].type is third-party-csr, make a GET request to the Change’s last Change.allowedInput[].info hypermedia URL. Otherwise you cannot run this operation.

  7. The response provides a CSR object.
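The steps above follow hypermedia URLs taken from a Change object, so a client should confirm that each URL belongs to the change it asked about before using it. The following added example (not Akamai's code) does that for the sample Change response shown under Get change status; the function names are hypothetical, and the media-type table holds only the two types shown on this page, not the full Change Input Content Type Mapping.

```python
import json
import re

LOCATION_RE = re.compile(r"/cps/v2/enrollments/(\d+)(?:/changes/(\d+))?")

# allowedInputTypeParam values the page lists for the info and update URLs.
INFO_PARAMS = {
    "change-management-info", "lets-encrypt-challenges",
    "post-verification-warnings", "pre-verification-warnings",
    "third-party-csr",
}
UPDATE_PARAMS = {
    "change-management-ack", "lets-encrypt-challenges-completed",
    "post-verification-warnings-ack", "pre-verification-warnings-ack",
    "third-party-cert-and-trust-chain",
}
# Only the media types that appear on this page; other types map to None.
MEDIA_TYPES = {
    "third-party-csr": "application/vnd.akamai.cps.csr.v1+json",
    "third-party-cert-and-trust-chain":
        "application/vnd.akamai.cps.certificate-and-trust-chain.v1+json",
}

# Change object copied from the page's "Get change status" sample response.
SAMPLE_CHANGE = json.loads("""
{
  "statusInfo": {
    "status": "wait-upload-third-party",
    "state": "awaiting-input",
    "description": "Waiting for you to upload and submit your third party certificate and trust chain.",
    "deploymentSchedule": {"notBefore": null, "notAfter": null},
    "error": null
  },
  "allowedInput": [
    {
      "type": "third-party-certificate",
      "requiredToProceed": true,
      "info": "/cps/v2/enrollments/10002/changes/10002/input/info/third-party-csr",
      "update": "/cps/v2/enrollments/10002/changes/10002/input/update/third-party-cert-and-trust-chain"
    }
  ]
}
""")


def ids_from_location(location):
    """Split a hypermedia location into (enrollmentId, changeId or None)."""
    match = LOCATION_RE.fullmatch(location)
    if match is None:
        raise ValueError(f"not a CPS enrollment or change location: {location!r}")
    enrollment_id, change_id = match.groups()
    return int(enrollment_id), int(change_id) if change_id else None


def input_param(url, change_location, kind, allowed):
    """Return the URL's final segment after checking it belongs to this change."""
    if url is None:
        return None
    prefix = f"{change_location}/input/{kind}/"
    if not url.startswith(prefix) or url[len(prefix):] not in allowed:
        raise ValueError(f"unexpected {kind} URL for this change: {url!r}")
    return url[len(prefix):]


def pending_inputs(change, change_location):
    """List each allowedInput entry with its validated info/update parameters."""
    if ids_from_location(change_location)[1] is None:
        raise ValueError("change_location must point at a change")
    steps = []
    for entry in change.get("allowedInput", []):
        info = input_param(entry.get("info"), change_location, "info", INFO_PARAMS)
        update = input_param(entry.get("update"), change_location, "update", UPDATE_PARAMS)
        steps.append({
            "type": entry["type"],
            "required": bool(entry.get("requiredToProceed")),
            "info": info,
            "info_accept": MEDIA_TYPES.get(info),
            "update": update,
            "update_content_type": MEDIA_TYPES.get(update),
        })
    return steps


if __name__ == "__main__":
    for step in pending_inputs(SAMPLE_CHANGE, "/cps/v2/enrollments/10002/changes/10002"):
        print(step)
```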

Update a change

Updates a pending change. Below is a sample where Change.allowedInput[].type has the value third-party-csr. The acceptable Content-Type and Accept headers depend on the value of the allowedInput.type for the Change instance. See Change Input Content Type Mapping for details.

POST /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/input/update/{allowedInputTypeParam}

Sample: /cps/v2/enrollments/10000/changes/10000/input/update/third-party-cert-and-trust-chain

Headers:

Content-Type: application/vnd.akamai.cps.certificate-and-trust-chain.v1+json
Accept: application/vnd.akamai.cps.change-id.v1+json

Request Body:

{
    "certificate": "-----BEGIN CERTIFICATE-----\nMIID2DCCAsCgAwIBAgIQ661To2+zTDiFLyyARAaFXTANBgkqhkiG9w0BAQsFADBn\nMSowKAYDVQQDDCFBS0FNQUkgVEVTVCBJTlRFUk1FRElBVEUgQ0VSVCBbMV0xDjAM\nBgNVBAsMBVdlYkV4MQ8wDQYDVQQKDAZBa2FtYWkxCzAJBgNVBAgMAk1BMQswCQYD\nVQQGEwJVUzAeFw0xNzA1MTgyMTEwMTFaFw0xODA1MTkyMTEwMTFaMG0xHDAaBgNV\nBAMME3d3dy5jcHMtZXhhbXBsZS5jb20xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJN\nQTESMBAGA1UEBwwJQ2FtYnJpZGdlMQ8wDQYDVQQKDAZBa2FtYWkxDjAMBgNVBAsM\nBVdlYkV4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQeIJ2yfOC8P\nYQp6NjiCYSCkuS0z9a61v+k+KTDYQKIa8jDkwP0OITzvTnjMHuUd8JbSz5jNb22Z\nWxH/1F2p71rlSdBReBkZGLMLcQZPt5ju7ea7ZPz+MOWrwuc6YUafRMQk3qMeo3Sz\nIZQbmLKXkZeYriqy9s9yHJSUnWX1jOa51w6YM/Xar/2pZp2pyguaCNVGp7AAo38R\nAepaGcFwyjJse6dc+7dHOvDnjQ+Cg2lO8DSc12sFLllOhdOULldZRWbtfTLs9uet\niR8ZVpHJ1TtzEz3X9RqBBCvnqykQvMmiQKOkfYEd6LN4Tk6/HJw2/MZhIgAEXtUU\ndQMnD6OMcwIDAQABo3oweDB2BgNVHREEbzBtghRzYW4xLmNwcy1leGFtcGxlLmNv\nbYIUc2FuMi5jcHMtZXhhbXBsZS5jb22CFHNhbjMuY3BzLWV4YW1wbGUuY29tghRz\nYW40LmNwcy1leGFtcGxlLmNvbYITd3d3LmNwcy1leGFtcGxlLmNvbTANBgkqhkiG\n9w0BAQsFAAOCAQEAm9krrTxqDwUaO8J7P7CcrHfwXeWiDG3d9uHqCvHRGrcs46pI\ny8umThgOEba0QHi6CwM6O0+chcHsn6qf+uVKg2u1SKlE6qMIJ1Ppc8MJky1xo0M5\ncrtRpSXjaoF9S2zZZK1lwOJoK93BtC/lNfRc682TxlQ58jtBI6qnmLXUhF8Yo67v\n0UfHiBIv1pZFPIdk90/48vjWM54haNxm/PhxNb6AdzawR4zImUhMKsISP7uOTURQ\nfFfeNgMvHyI8Id1VPLN+e2y4FtnTVdW2e+PTBvOJ1M+YoFU7M04/2SmKJHqnHljh\nVQBpto9JgDmt0yqsdFdLrZlpsIQwpLqdgKZlSw==\n-----END CERTIFICATE-----",
    "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDTDCCAjQCEB1FmMGD0kjutSE218ho23wwDQYJKoZIhvcNAQELBQAwYjElMCMG\nA1UEAwwcd3d3LkNQUy1Ba2FtYWktVGVzdC1Sb290LmNvbTEOMAwGA1UECwwFV2Vi\nRXgxDzANBgNVBAoMBkFrYW1haTELMAkGA1UECAwCTUExCzAJBgNVBAYTAlVTMB4X\nDTE3MDUxODIxMTAxMVoXDTE4MDUxOTIxMTAxMVowZzELMAkGA1UEBhMCVVMxCzAJ\nBgNVBAgMAk1BMQ8wDQYDVQQKDAZBa2FtYWkxDjAMBgNVBAsMBVdlYkV4MSowKAYD\nVQQDDCFBS0FNQUkgVEVTVCBJTlRFUk1FRElBVEUgQ0VSVCBbMV0wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyxuHi0zL03f+3ZTKLV1lMHvS2LkUwCKEd\nApJw/v+yPPBTuamvikHQ8L5QM1p7BevavdeBMUAoGGXXQkrRtotCkL4S6N9cgH47\n+cUeXCT0D2BaOkR15N7qDVtkYeAtC7eKUI7+j99iZXAFr8Nel9wqNn/9804HyF+F\nZ/YS5oPBuJVGcTQhd8bmUx5wBgr3n6EhqvOHEEAa5whb5PoP/hFi0xO0SFG/LA/+\nK2NMvaE/9Y9j48/ONAFavf80s/y55SudZyBsjowtnZLIeJ4bM6nCN5DMAljH5U3O\nPFjSFKlbPxQgIcP9wLbQTV6b47tNK8c9jPg+U4jK2xtncJ2ijxSXAgMBAAEwDQYJ\nKoZIhvcNAQELBQADggEBACVVWGcirfBhkDwIuNELh1rzKPmhxwhx9hAsYz2B2FDn\n7q82c85hXLfFSZ/9I3bzotVDh4YucCV+vxUXQcYt5tEDbg96uHNzRzXQUTdJSNIe\nbQ5Yn86ELLrzaXAD3+t6ztj8Z9dIVfG7LrAOg3UX5GjfEUrjNfZaiiUcBqLKibJ5\nOqOJcPlbjKZ1kOqrCqlOugcQrZPgpzHkwssUR7v0VtHBHWnzjDTGaMXmvy1LsULA\n3N35SDGFI/Zpw56R4z95UwpmDYg3IKwAGY8XL/oMqTORWyYDUpy1dpcAln5HcZK3\nthju6KdIwCwmthk1iIUAri6avIrh7Mg2SHFho/4p5mA=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDQzCCAi0CEO7lWBUwDEEclty6iX7gCMcwCwYJKoZIhvcNAQELMGIxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UECgwGQWthbWFpMQ4wDAYDVQQLDAVX\nZWJFeDElMCMGA1UEAwwcd3d3LkNQUy1Ba2FtYWktVGVzdC1Sb290LmNvbTAeFw0x\nNzA1MTgyMTEwMTFaFw0yMjA1MTgyMTEwMTFaMGIxCzAJBgNVBAYTAlVTMQswCQYD\nVQQIDAJNQTEPMA0GA1UECgwGQWthbWFpMQ4wDAYDVQQLDAVXZWJFeDElMCMGA1UE\nAwwcd3d3LkNQUy1Ba2FtYWktVGVzdC1Sb290LmNvbTCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAJCbd5QpPJr0I48G4VE0JF5N719Wsspc8lEEgf2oM4BL\n6pAyxU6hm8YzSfCx/NBpU2MYMa96FDoYWUVfj4iilpV4IpLdsDtXjMJ2fnVXP4iI\n9n5EhF3oKGx2bAgBKpXIWXwPo3fqg/MGsdwIgrYyab3xJuwHP3V/2MSxzcHpxQrU\nE8jaemBXv6v0oTx50Ph0zJP+wYwvaDf+KVFzM3E42Ww9VLuP3lt5RAtasNctqlRr\nSlpH3RrZ0Gkpmz6xGr2LvLw12nkTylws/bafCSFAs7+x2ip6pP3yEaYxKdMpeOIE\nWaVU1RsJiWVYgq+b6gc9wrRpfZLyJYdAa50DuEv8jm0CAwEAATALBgkqhkiG9w0B\nAQsDggEBAFbv9+6pQBXDiFOxoYmu1/xiI1/mSGqooJtzNZjoni6HsruGxSqRbbKa\n3GdaPVInZwWY7p8T1RM8+YDTrRrjbfRuRPqdgUBv8iDbcldJNXsqD1CylxLi0lul\ndnHgQD9TmcrTs3ELeT277PE2f8AX3YjhYK8IIGBmDomc1KRTka3nZtexIwfiEQJr\nRzsFL+1vwPoSJFKb1NzeOGikkPNmipQvYKGY9A/q2XeqrEWKGHizPwvcIu7EC8wL\nRooQ3ztqAV3Wul5dI5+AEE8WQzUyzCq7BEgOgNaX403g8An5QueSjhogbYdRd3BM\n+OWJc8qePy3KgqY44s3kbrPR6sJuAIQ=\n-----END CERTIFICATE-----"
}
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
changeId Integer 10000 The change for this enrollment on which to perform the desired operation.
allowedInputTypeParam Enumeration third-party-cert-and-trust-chain Found as the last part of Change.allowedInput[].update hypermedia URL. See Change Input Content Type Mapping for details. Currently supported values include change-management-ack, lets-encrypt-challenges-completed, post-verification-warnings-ack, pre-verification-warnings-ack, third-party-cert-and-trust-chain.

Status 200 application/vnd.akamai.cps.change-id.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.change-id.v1+json

Response Body:

{
    "change": "/cps/v2/enrollments/10002/changes/10002"
}

These are sample steps for a change where Change.allowedInput[].type equals third-party-csr.

  1. If you do not have an enrollment, run the List Enrollments operation and select an Enrollment.

  2. Specify an Accept header of application/vnd.akamai.cps.change.v1+json.

  3. For an Enrollment which has pendingChanges present, make a GET request to the Enrollment’s last pendingChanges.location hypermedia URL. Otherwise you cannot run this operation. The response provides a Change object.

  4. Create a Certificate object.

  5. Specify a Content-Type header of application/vnd.akamai.cps.certificate-and-trust-chain.v1+json.

  6. Specify an Accept header of application/vnd.akamai.cps.change-id.v1+json.

  7. For a Change object where the Change.allowedInput[].type is third-party-csr, make a POST request to the Change’s last Change.allowedInput[].update hypermedia URL. Otherwise you cannot run this operation.
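Before POSTing the Certificate object, a structural pre-flight check catches damaged PEM armor, stray text and accidentally included key material. This is an added example, not Akamai's code: the function names, the one-leaf and non-empty-chain rules, and the constructed DER stand-ins are assumptions, and the check covers PEM armor and DER framing only, not signatures, names or validity dates.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)


class PemError(ValueError):
    """Raised when a field is not safe to submit."""


def der_is_single_sequence(der):
    """True if der is exactly one DER SEQUENCE whose length field fits."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        length, header = der[1], 2
    else:                                   # long-form length
        count = der[1] & 0x7F
        if count == 0 or count > 4 or len(der) < 2 + count:
            return False
        length, header = int.from_bytes(der[2:2 + count], "big"), 2 + count
    return header + length == len(der)


def split_pem(text, field):
    """Return the DER bytes of every CERTIFICATE block in text."""
    ders = []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            raise PemError(f"{field}: contains a {label} block; never send key material")
        if label != "CERTIFICATE":
            raise PemError(f"{field}: unexpected {label} block")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise PemError(f"{field}: invalid base64") from exc
        if not der_is_single_sequence(der):
            raise PemError(f"{field}: block is not one complete DER SEQUENCE")
        ders.append(der)
    # Anything left over is text outside a well-formed BEGIN/END pair,
    # for example an armor line split by a stray line break.
    if PEM_BLOCK.sub("", text).strip():
        raise PemError(f"{field}: text outside PEM armor")
    return ders


def build_upload_body(certificate_pem, trust_chain_pem):
    """Build the certificate-and-trust-chain request body after checks."""
    leaf = split_pem(certificate_pem, "certificate")
    if len(leaf) != 1:
        raise PemError("certificate: expected exactly one CERTIFICATE block")
    chain = split_pem(trust_chain_pem, "trustChain")
    if not chain:
        raise PemError("trustChain: expected at least one CERTIFICATE block")
    if leaf[0] in chain:
        raise PemError("trustChain: repeats the end-entity certificate")
    return {"certificate": certificate_pem.strip(),
            "trustChain": trust_chain_pem.strip()}


def constructed_pem(der, label="CERTIFICATE"):
    """Wrap bytes in PEM armor (used only to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----"


# Constructed stand-ins: tiny DER SEQUENCEs, not real certificates.
LEAF_PEM = constructed_pem(bytes.fromhex("3003020101"))
CHAIN_PEM = "\n".join(constructed_pem(bytes.fromhex(h))
                      for h in ("3003020102", "3003020103"))

if __name__ == "__main__":
    print(sorted(build_upload_body(LEAF_PEM, CHAIN_PEM)))
```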

Get a deployment schedule

Gets the current deployment schedule settings describing when a change deploys to the network.

GET /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/deployment-schedule

Sample: /cps/v2/enrollments/10000/changes/10000/deployment-schedule

Headers:

Accept: application/vnd.akamai.cps.deployment-schedule.v1+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
changeId Integer 10000 The change for this enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.deployment-schedule.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.deployment-schedule.v1+json

Response Body:

{
    "notBefore": "2017-05-19T16:00:00Z",
    "notAfter": null
}

An enrollment may have a change associated with it while CPS prepares the certificate or metadata for deployment. You can only complete these operations for an enrollment that has a pending change.

  1. If you do not have an enrollment, run the List Enrollments operation and select an Enrollment.

  2. Specify an Accept header of application/vnd.akamai.cps.deployment-schedule.v1+json.

  3. For an Enrollment which has pendingChanges present, using the Enrollment’s last pendingChanges.location hypermedia URL, make a GET request to a URL composed of pendingChanges.location/deployment-schedule. Otherwise you cannot run this operation.

  4. The response provides a DeploymentSchedule object.

Update a deployment schedule

Updates the current deployment schedule.

PUT /cps/v2/enrollments/{enrollmentId}/changes/{changeId}/deployment-schedule

Sample: /cps/v2/enrollments/10000/changes/10000/deployment-schedule

Headers:

Content-Type: application/vnd.akamai.cps.deployment-schedule.v1+json
Accept: application/vnd.akamai.cps.change-id.v1+json

Request Body:

{
    "notBefore": "2017-05-19T16:00:00Z",
    "notAfter": null
}
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.
changeId Integer 10000 The change for this enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.change-id.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.change-id.v1+json

Response Body:

{
    "change": "/cps/v2/enrollments/10002/changes/10002"
}

An enrollment may have a change associated with it while CPS prepares a certificate or metadata for deployment. You can only complete these operations for an enrollment which has a pending change.

  1. If you do not have an enrollment, run the List Enrollments operation and select an Enrollment.

  2. Run the Get a Deployment Schedule operation and store the response object.

  3. Modify the DeploymentSchedule object.

  4. Specify a Content-Type header of application/vnd.akamai.cps.deployment-schedule.v1+json.

  5. Specify an Accept header of application/vnd.akamai.cps.change-id.v1+json.

  6. Form a new request URL by appending deployment-schedule to the Enrollment’s last pendingChanges.location hypermedia URL.

  7. PUT the object to the revised URL.

Get change history

Gets the change history of an enrollment.

GET /cps/v2/enrollments/{enrollmentId}/history/changes

Sample: /cps/v2/enrollments/10000/history/changes

Headers:

Accept: application/vnd.akamai.cps.change-history.v3+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.change-history.v3+json

Headers:

Content-Type: application/vnd.akamai.cps.change-history.v3+json

Response Body:

{
    "changes": [
        {
            "action": "renew",
            "actionDescription": "Renew Certificate",
            "status": "completed",
            "lastUpdated": "2018-06-12T12:56:55Z",
            "createdBy": "<auto-renewal>",
            "createdOn": "2018-05-09T19:26:59Z",
            "ra": "symantec",
            "primaryCertificate": {
                "certificate": "-----BEGIN CERTIFICATE-----\nMIIFH ... <sample - removed for readability> .... b+kIw==\n-----END CERTIFICATE-----\n",
                "trustChain": "-----BEGIN CERTIFICATE-----\nMIIEdj ... <sample - removed for readability> .... oqzb5Ct\n-----END CERTIFICATE-----",
                "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC2 ... <sample - removed for readability> .... mdnsaw=\n-----END CERTIFICATE REQUEST-----\n"
            },
            "multiStackedCertificates": [
                {
                    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDu ... <sample - removed for readability> .... 3JpAg==\n-----END CERTIFICATE-----\n",
                    "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDzD ... <sample - removed for readability> .... F3+fA==\n-----END CERTIFICATE-----",
                    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC2 ... <sample - removed for readability> .... mdnsaw=\n-----END CERTIFICATE REQUEST-----\n"
                }
            ],
            "primaryCertificateOrderDetails": {
                "partnerOrderId": "abcdefM6Gw3WvN2p12345",
                "geotrustOrderId": 1234567,
                "originalPartnerOrderId": "abcdefM6Gw3WvN2p12345"
            },
            "businessCaseId": "5005B00000XYZA1234"
        },
        {
            "action": "renew",
            "actionDescription": "Renew Certificate",
            "status": "cancelled",
            "lastUpdated": "2018-02-05T19:57:14Z",
            "createdBy": "scheng",
            "createdOn": "2018-02-02T18:21:17Z",
            "ra": "symantec",
            "primaryCertificate": {
                "certificate": "-----BEGIN CERTIFICATE-----\nMIIFH ... <sample - removed for readability> .... b+kIw==\n-----END CERTIFICATE-----\n",
                "trustChain": "-----BEGIN CERTIFICATE-----\nMIIEdj ... <sample - removed for readability> .... oqzb5Ct\n-----END CERTIFICATE-----",
                "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC2 ... <sample - removed for readability> .... mdnsaw=\n-----END CERTIFICATE REQUEST-----\n"
            },
            "multiStackedCertificates": [
                {
                    "certificate": null,
                    "trustChain": null,
                    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC2 ... <sample - removed for readability> .... mdnsaw=\n-----END CERTIFICATE REQUEST-----\n"
                }
            ],
            "primaryCertificateOrderDetails": {
                "partnerOrderId": "abcdeHvg8F7caXW312345",
                "geotrustOrderId": 2345678,
                "originalPartnerOrderId": "abcdeHvg8F7caXW312345"
            },
            "businessCaseId": "5005B00000DEFG1234"
        },
        {
            "action": "renew",
            "actionDescription": "Renew Certificate",
            "status": "cancelled",
            "lastUpdated": null,
            "createdBy": "<auto-renewal>",
            "createdOn": "2018-02-01T17:16:35Z",
            "ra": "symantec",
            "primaryCertificate": null,
            "multiStackedCertificates": [],
            "primaryCertificateOrderDetails": null,
            "businessCaseId": null
        },
        {
            "action": "new-certificate",
            "actionDescription": "Create New Certificate",
            "status": "completed",
            "lastUpdated": "2018-02-01T17:16:37Z",
            "createdBy": "testuser",
            "createdOn": "2018-02-01T16:30:58Z",
            "ra": "symantec",
            "primaryCertificate": {
                "certificate": "-----BEGIN CERTIFICATE-----\nMIIFH ... <sample - removed for readability> .... b+kIw==\n-----END CERTIFICATE-----\n",
                "trustChain": "-----BEGIN CERTIFICATE-----\nMIIEdj ... <sample - removed for readability> .... oqzb5Ct\n-----END CERTIFICATE-----",
                "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC2 ... <sample - removed for readability> .... mdnsaw=\n-----END CERTIFICATE REQUEST-----\n"
            },
            "multiStackedCertificates": [
                {
                    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDu ... <sample - removed for readability> .... 3JpAg==\n-----END CERTIFICATE-----\n",
                    "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDzD ... <sample - removed for readability> .... F3+fA==\n-----END CERTIFICATE-----",
                    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC2 ... <sample - removed for readability> .... mdnsaw=\n-----END CERTIFICATE REQUEST-----\n"
                }
            ],
            "primaryCertificateOrderDetails": {
                "partnerOrderId": "abcdex7zh8wspr4m12345",
                "geotrustOrderId": 3456789,
                "originalPartnerOrderId": "abcdex7zh8wspr4m12345"
            },
            "businessCaseId": "5005B00000ABCD1234"
        }
    ]
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. Specify an Accept header versioned up to application/vnd.akamai.cps.change-history.v3+json.

  3. Make a GET request to /cps/v2/enrollments/{enrollmentId}/history/changes.

  4. The response provides a Changes object.

Get certificate history

View the certificate history.

GET /cps/v2/enrollments/{enrollmentId}/history/certificates

Sample: /cps/v2/enrollments/10000/history/certificates

Headers:

Accept: application/vnd.akamai.cps.certificate-history.v1+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.certificate-history.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.certificate-history.v1+json

Response Body:

[
    {
        "certificateType": "wildcard",
        "status": "active",
        "slot": "10348",
        "network": "core",
        "expirationDate": {
            "nano": 0,
            "epochSecond": 1490831999
        },
        "certificateAuthority": "symantec-symantec",
        "certificate": {
            "cn": "*.ov-wildcard-test-regression-3-22-pulsar.com",
            "sanDomains": [
                "*.ov-wildcard-test-regression-3-22-pulsar.com",
                "ov-wildcard-test-regression-3-22-pulsar.com"
            ],
            "notBefore": "2017-03-22 00:00:00",
            "notAfter": "2017-03-29 23:59:59",
            "issuer": "CN=Symantec Class 3 Secure Server TEST CA - G4,OU=Symantec Trust Network,OU=FOR TEST PURPOSES ONLY,O=Symantec Corporation,C=US",
            "subject": "CN=*.ov-wildcard-test-regression-3-22-pulsar.com,OU=Vasudha Test Dept,O=Vasudha Tech Inc,L=Cambridge,ST=Massachusetts,C=US",
            "certificateType": "wildcard-san",
            "fullCertificate": "-----BEGIN CERTIFICATE-----\nMIIGkDCCBXigAwIBAgIQUsVY2uIS61las3QYeCpR0TANBgkqhkiG9w0BAQsFADCB\npDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8w\nHQYDVQQLExZGT1IgVEVTVCBQVVJQT1NFUyBPTkxZMR8wHQYDVQQLExZTeW1hbnRl\nYyBUcnVzdCBOZXR3b3JrMTQwMgYDVQQDEytTeW1hbnRlYyBDbGFzcyAzIFNlY3Vy\nZSBTZXJ2ZXIgVEVTVCBDQSAtIEc0MB4XDTE3MDMyMjAwMDAwMFoXDTE3MDMyOTIz\nNTk1OVowgagxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIw\nEAYDVQQHDAlDYW1icmlkZ2UxGTAXBgNVBAoMEFZhc3VkaGEgVGVjaCBJbmMxGjAY\nBgNVBAsMEVZhc3VkaGEgVGVzdCBEZXB0MTYwNAYDVQQDDC0qLm92LXdpbGRjYXJk\nLXRlc3QtcmVncmVzc2lvbi0zLTIyLXB1bHNhci5jb20wggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQCkM7D2jSQOMwa1yPIf6MSvVS0odLHx74VVZ0Sqxpa4\nhQl0bTXZ3liwMm0jK+Y/7zYWGlu+O+mTftxe2x11TmlBxUeUAjy9Pt/HGguMX8LY\nmP2gdgL0rQqO6F1/NIWXu4Y5mDrkPlEvbLvLitP59BjagK7J88lC2vsB2DQUpQtI\nAZ7bd3DauRUSq/jlTfvrEcJDvwYYQ+oIYW2xCxjK7NsyP75yNDRooRuKgCRBJdhz\ngtKQsNGOTo+rwQEWUxTINoa4HVWmPqvQW2DuvPa5ioYehuRTWsCmTBumYQqI4SGW\niIJFG+6fYG1GheceAhoU3fPhnzKJuqS4iTZcc3CIhjqpAgMBAAGjggK2MIICsjBl\nBgNVHREEXjBcgi0qLm92LXdpbGRjYXJkLXRlc3QtcmVncmVzc2lvbi0zLTIyLXB1\nbHNhci5jb22CK292LXdpbGRjYXJkLXRlc3QtcmVncmVzc2lvbi0zLTIyLXB1bHNh\nci5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwYQYDVR0gBFowWDBWBgZn\ngQwBAgIwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYI\nKwYBBQUHAgIwGQwXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwKwYDVR0fBCQwIjAg\noB6gHIYaaHR0cDovL3NzLnN5bWNiLmNvbS9zcy5jcmwwHQYDVR0lBBYwFAYIKwYB\nBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFDSPVLU/Ch9SupyyZe26iwhnGeAE\nMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL3NzLnN5bWNkLmNv\nbTAmBggrBgEFBQcwAoYaaHR0cDovL3NzLnN5bWNiLmNvbS9zcy5jcnQwggEDBgor\nBgEEAdZ5AgQCBIH0BIHxAO8AdQAR0wud4RKWE7VpXG+auxQlNw9ew3QWYeKO2GKv\n4jEwuQAAAVr2uojnAAAEAwBGMEQCIBUBMeIxpR5eXsK8ZOyxbYEJ9poUx42eO9iA\nhN6jdDtMAiAKLVJq2SI4ghNvZavyWbD7aEeJmHmqO+Sx36YLP0AQkQB2AJEuf45d\nNfLvez9WW5i5gLlXJpVTFOIWRgvX7FOqXuzBAAABWva6iOcAAAQDAEcwRQIhAKQF\nhrk/pQ0TfKqqiWa6f96ViewKycGzxE2Wb+2wnImSAiA/2MrJ0qTIv5ZgvrJdGatk\nexCVYXK9JcuGeHuEs2OcLjANB
gkqhkiG9w0BAQsFAAOCAQEAqp7JgIZv4UFy/RKu\nA4wcrdNyNv87mlTX7eBp9OcRAQmI6mvEqHPLNxDk9kufhFYGg+TRYfHMZ3tpVAAE\nItFa9s/ROHlODUj3EmgIbl8YWcWa77JZatlZI+KeY7EVljUKqe+xYXCniHonMEFX\nnVJgdqQqMbR+5Gx9Xl20UjROi0qMF9pORDtu7r/yuL5Kg5lw9xHmGFRdF3rZa/0L\nQrW600sndBVkkVwfnO9sexCHF/pfXFc5zP3CbNMDBAheC6qvGFkCuq1C49H/kG62\nbDLb+/8a165AeBnNCsapdbRvD72PTl/tP68jYt0TiR8y+WQMFm4mgo4JFO2yVdTY\nStaqjg==\n-----END CERTIFICATE-----\n",
            "serialNumber": "52:c5:58:da:e2:12:eb:59:5a:b3:74:18:78:2a:51:d1",
            "keyLength": 2048,
            "signatureAlgorithm": "SHA256withRSA"
        },
        "trustChain": [
            {
                "cn": "Symantec Class 3 Secure Server TEST CA - G4",
                "sanDomains": null,
                "notBefore": "2013-11-01 00:00:00",
                "notAfter": "2023-10-31 23:59:59",
                "issuer": "OU=For Test Purposes Only,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/cps/testca/ (c)06,OU=Class 3 TEST Public Primary Certification Authority - G5,O=VeriSign\\, Inc.,C=US",
                "subject": "CN=Symantec Class 3 Secure Server TEST CA - G4,OU=Symantec Trust Network,OU=FOR TEST PURPOSES ONLY,O=Symantec Corporation,C=US",
                "certificateType": "single",
                "fullCertificate": "-----BEGIN CERTIFICATE-----\nMIIFRjCCBC6gAwIBAgIQQZHe5Tx+vHOpblUNqE91fDANBgkqhkiG9w0BAQsFADCB\n8DELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMUEwPwYDVQQL\nEzhDbGFzcyAzIFRFU1QgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRo\nb3JpdHkgLSBHNTFDMEEGA1UECxM6VGVybXMgb2YgdXNlIGF0IGh0dHBzOi8vd3d3\nLnZlcmlzaWduLmNvbS9jcHMvdGVzdGNhLyAoYykwNjEfMB0GA1UECxMWVmVyaVNp\nZ24gVHJ1c3QgTmV0d29yazEfMB0GA1UECxMWRm9yIFRlc3QgUHVycG9zZXMgT25s\neTAeFw0xMzExMDEwMDAwMDBaFw0yMzEwMzEyMzU5NTlaMIGkMQswCQYDVQQGEwJV\nUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFkZPUiBU\nRVNUIFBVUlBPU0VTIE9OTFkxHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdv\ncmsxNDAyBgNVBAMTK1N5bWFudGVjIENsYXNzIDMgU2VjdXJlIFNlcnZlciBURVNU\nIENBIC0gRzQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8IEQCiCFh\nXEGq7fPCS02MFmc5JOe3Zka/dk6on8lxQHh/zNC1B3iCviaJ1yCnKHoRNxHQ3ijV\nyMAumPKFGy58WllbybiSfutr8oKcxWRRqpWpwd6HiiA2a4FFLn6JLOzq5EsDl/Ig\nafQUyv03MT8Y+3dexH0Drl9EaR/tMHWY0yza85YFI/cOKh/54wL4w3xFsKs4JSb3\nqejfiEF6mo5MHb9FODckQbQCxFFaCWkdp4jUTdO2HBDlqt9PBE6TOBH51GAnnAY1\n4bgVdI7RkVh7Vdq60FgQJx5Vzbdu70ZjaEB295quBoRMQEgM7EsOSoekq8+SVW19\noSC05HQ3f11bAgMBAAGjggEkMIIBIDASBgNVHRMBAf8ECDAGAQH/AgEAME0GA1Ud\nHwRGMEQwQqBAoD6GPGh0dHA6Ly9waWxvdG9uc2l0ZWNybC52ZXJpc2lnbi5jb20v\nT2ZmbGluZUNBL3Rlc3RwY2EzLWc1LmNybDAOBgNVHQ8BAf8EBAMCAQYwawYDVR0g\nBGQwYjBgBgpghkgBhvhFAQcVMFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3lt\nYXV0aC5jb20vY3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5j\nb20vcnBhMB0GA1UdDgQWBBQ0j1S1PwofUrqcsmXtuosIZxngBDAfBgNVHSMEGDAW\ngBQGm7coPdjsn2sBD5MF+YV+nxLmQjANBgkqhkiG9w0BAQsFAAOCAQEADl/Oz8+h\nywxK/p+Sf3Cs6KL3IQQI6UE8ApbIXZHZXuh8ifu5gQWcDgrgJIfVC4APCkfborNj\nPdSaWOZ9n+1HuY+1kydbn36cG4ezisEk6Zc7M2ZLXVYrvslB/djAelUsxs1zO7Df\nwaApmn9zzNCpanFlOjckPl4QWUA56erZJxwBcFrhIt26hYz8sHxRF1tbjbK5hiI9\nGVrL2Uw0uy6xXODJkks+LU1gXH6oBaXFF3sU4LSEVcOc/H0AqAb9NMJmoWsvny0j\nImt4Ue3NKups+Xe/gySepWO0R3i4VafDHKB8zNvBcbCzBO58oZ9gYnsC0wvpl2ic\n+tnzpSkAVzpC5w==\n-----END CERTIFICATE-----",
                "serialNumber": "41:91:de:e5:3c:7e:bc:73:a9:6e:55:0d:a8:4f:75:7c",
                "keyLength": 2048,
                "signatureAlgorithm": "SHA256withRSA"
            },
            null
        ],
        "certificateParseFailed": null,
        "uid": -1123178494
    }
]
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. Specify an Accept header versioned up to application/vnd.akamai.cps.certificate-history.v1+json.

  3. Make a GET request to /cps/v2/enrollments/{enrollmentId}/history/certificates.
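One way to audit a certificate-history response once you have it, as an added example that is not part of the CPS documentation. The sample data is constructed, the thresholds are assumed policy values, notBefore and notAfter are assumed to be UTC, and comparing issuer and subject strings is a heuristic rather than chain verification.

```python
from datetime import datetime, timezone

MIN_KEY_BITS = 2048                        # assumed policy; treats keyLength as an RSA modulus size
WEAK_SIGNATURE_PREFIXES = ("MD5", "SHA1")  # assumed policy

# Constructed sample modelled on the response above; fullCertificate text is left out.
SAMPLE_HISTORY = [{
    "status": "active",
    "slot": "10348",
    "expirationDate": {"nano": 0, "epochSecond": 1490831999},
    "certificate": {
        "cn": "*.example.com",
        "notBefore": "2017-03-22 00:00:00",
        "notAfter": "2017-03-29 23:59:59",
        "issuer": "CN=Example TEST CA,O=Example Corp,C=US",
        "subject": "CN=*.example.com,O=Example Org,C=US",
        "keyLength": 2048,
        "signatureAlgorithm": "SHA256withRSA",
    },
    "trustChain": [
        {
            "cn": "Example TEST CA",
            "notBefore": "2013-11-01 00:00:00",
            "notAfter": "2023-10-31 23:59:59",
            "issuer": "CN=Example TEST Root,O=Example Corp,C=US",
            "subject": "CN=Example TEST CA,O=Example Corp,C=US",
            "keyLength": 2048,
            "signatureAlgorithm": "SHA256withRSA",
        },
        None,  # the sample response ends its trustChain array with null
    ],
}]


def parse_ts(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS' form used by notBefore/notAfter (assumed UTC)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def audit_entry(entry, now):
    """Return a list of findings for one element of the history array."""
    findings = []
    leaf = entry.get("certificate") or {}
    # Drop null placeholders before walking the chain.
    chain = [c for c in (entry.get("trustChain") or []) if c is not None]

    # The top-level expirationDate should agree with the leaf's notAfter.
    exp = entry.get("expirationDate") or {}
    if exp.get("epochSecond") is not None and leaf.get("notAfter"):
        top = datetime.fromtimestamp(exp["epochSecond"], tz=timezone.utc)
        if top != parse_ts(leaf["notAfter"]):
            findings.append("expirationDate disagrees with certificate.notAfter")

    certs = [("leaf", leaf)] + [(f"chain[{i}]", c) for i, c in enumerate(chain)]
    for role, cert in certs:
        # History keeps old certificates, so validity matters only for active entries.
        if entry.get("status") == "active":
            if cert.get("notAfter") and parse_ts(cert["notAfter"]) < now:
                findings.append(f"{role} expired at {cert['notAfter']}")
            if cert.get("notBefore") and parse_ts(cert["notBefore"]) > now:
                findings.append(f"{role} not valid before {cert['notBefore']}")
        bits = cert.get("keyLength")
        if isinstance(bits, int) and bits < MIN_KEY_BITS:
            findings.append(f"{role} key length {bits} is below {MIN_KEY_BITS}")
        alg = (cert.get("signatureAlgorithm") or "").upper().replace("-", "")
        if alg.startswith(WEAK_SIGNATURE_PREFIXES):
            findings.append(f"{role} signed with {cert['signatureAlgorithm']}")

    # Each certificate's issuer should be the subject of the next one in the chain.
    for (role, cert), (next_role, issuer_cert) in zip(certs, certs[1:]):
        if cert.get("issuer") != issuer_cert.get("subject"):
            findings.append(f"{role} issuer does not match {next_role} subject")
    return findings


def audit_history(history, now):
    """Flatten findings for the whole response into (slot, cn, finding) tuples."""
    report = []
    for entry in history:
        cn = (entry.get("certificate") or {}).get("cn")
        for finding in audit_entry(entry, now):
            report.append((entry.get("slot"), cn, finding))
    return report


if __name__ == "__main__":
    for row in audit_history(SAMPLE_HISTORY, datetime.now(timezone.utc)):
        print(row)
```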

Get DV history

View the domain validation (DV) history for the enrollment.

GET /cps/v2/enrollments/{enrollmentId}/dv-history

Sample: /cps/v2/enrollments/10000/dv-history

Headers:

Accept: application/vnd.akamai.cps.dv-history.v1+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.dv-history.v1+json

Headers:

Content-Type: application/vnd.akamai.cps.dv-history.v1+json

Response Body:

{
    "data": [
        {
            "domain": "www.cps-example-dv.com",
            "domainHistory": [
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T18:15:07z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": "http://dcv.akamai.com/.well-known/acme-challenge/abcdefghijklmno-KuzBi3q5Dr6TU8ViHSDSf-c9Iyg",
                    "validationRecords": [],
                    "challenges": []
                },
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T18:24:16z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": null,
                    "validationRecords": [],
                    "challenges": []
                },
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T18:33:26z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": "http://dcv.akamai.com/.well-known/acme-challenge/abcdefghijklmno-KuzBi3q5Dr6TU8ViHSDSf-c9Iyg",
                    "validationRecords": [],
                    "challenges": []
                },
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T18:42:39z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": "http://dcv.akamai.com/.well-known/acme-challenge/abcdefghijklmno-KuzBi3q5Dr6TU8ViHSDSf-c9Iyg",
                    "validationRecords": [],
                    "challenges": []
                },
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T18:51:46z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": null,
                    "validationRecords": [],
                    "challenges": []
                },
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T19:00:54z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": null,
                    "validationRecords": [],
                    "challenges": []
                },
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T19:10:23z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": null,
                    "validationRecords": [],
                    "challenges": []
                },
                {
                    "domain": "www.cps-example-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-11T19:19:32z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": null,
                    "validationRecords": [],
                    "challenges": []
                }
            ]
        },
        {
            "domain": "www.cps-example-2-dv.com",
            "domainHistory": [
                {
                    "domain": "www.cps-example-2-dv.com",
                    "responseBody": null,
                    "fullPath": null,
                    "token": null,
                    "status": "Preparing",
                    "error": "Error getting challenges. Error Message: Lets Encrypt Exception message: Unable to load Lets Encrypt support tools.",
                    "validationStatus": null,
                    "requestTimestamp": "2018-04-12T19:19:32z",
                    "validatedTimestamp": null,
                    "expires": null,
                    "redirectFullPath": null,
                    "validationRecords": [],
                    "challenges": []
                }
            ]
        }
    ]
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. Specify an Accept header versioned up to application/vnd.akamai.cps.dv-history.v1+json.

  3. Make a GET request to /cps/v2/enrollments/{enrollmentId}/dv-history.
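The sample response above shows the same validation error repeating every few minutes. As an added example (not part of the CPS documentation), this sketch summarizes a dv-history response per domain and reports domains whose validation appears stuck; the sample data is constructed, and the streak thresholds are assumed values.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

ERR = ("Error getting challenges. Error Message: Lets Encrypt Exception message: "
       "Unable to load Lets Encrypt support tools.")
REDIRECT = "http://dcv.akamai.com/.well-known/acme-challenge/constructed-token"


def _attempt(domain, ts, redirect=None):
    """Build one constructed domainHistory element with the field names shown above."""
    return {"domain": domain, "status": "Preparing", "error": ERR,
            "requestTimestamp": ts, "validatedTimestamp": None,
            "redirectFullPath": redirect, "validationRecords": [], "challenges": []}


# Constructed sample: fewer attempts than the response above, same shape.
SAMPLE_DV_HISTORY = {"data": [
    {"domain": "www.cps-example-dv.com", "domainHistory": [
        _attempt("www.cps-example-dv.com", "2018-04-11T18:15:07z", REDIRECT),
        _attempt("www.cps-example-dv.com", "2018-04-11T18:24:16z"),
        _attempt("www.cps-example-dv.com", "2018-04-11T18:33:26z", REDIRECT),
        _attempt("www.cps-example-dv.com", "2018-04-11T18:42:39z", REDIRECT),
    ]},
    {"domain": "www.cps-example-2-dv.com", "domainHistory": [
        _attempt("www.cps-example-2-dv.com", "2018-04-12T19:19:32z"),
    ]},
]}


def parse_dv_ts(text):
    """Timestamps in the sample end in a lowercase 'z'; normalise before parsing."""
    return datetime.strptime(text.upper(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_domain(record):
    """Summarise one element of the top-level data array."""
    attempts = sorted(record.get("domainHistory") or [],
                      key=lambda a: parse_dv_ts(a["requestTimestamp"]))
    # Walk back from the newest attempt while it fails with the same error.
    streak = []
    for attempt in reversed(attempts):
        if attempt.get("validatedTimestamp") or not attempt.get("error"):
            break
        if streak and attempt["error"] != streak[0]["error"]:
            break
        streak.append(attempt)
    span = 0
    if streak:
        newest = parse_dv_ts(streak[0]["requestTimestamp"])
        oldest = parse_dv_ts(streak[-1]["requestTimestamp"])
        span = int((newest - oldest).total_seconds())
    return {
        "domain": record.get("domain"),
        "attempts": len(attempts),
        "validated": any(a.get("validatedTimestamp") for a in attempts),
        "streak": len(streak),
        "streak_seconds": span,
        "last_error": streak[0]["error"] if streak else None,
        # Hosts the challenge is redirected to, so they can be checked against expectations.
        "redirect_hosts": sorted({urlparse(a["redirectFullPath"]).hostname
                                  for a in attempts if a.get("redirectFullPath")}),
        # History rows filed under a different domain than their parent record.
        "mismatched_domains": sorted({str(a.get("domain")) for a in attempts
                                      if a.get("domain") != record.get("domain")}),
    }


def stuck_domains(dv_history, min_attempts=3, min_span_seconds=1200):
    """Domains whose newest attempts all fail with one error (thresholds are assumed)."""
    stuck = []
    for record in dv_history.get("data") or []:
        summary = summarize_domain(record)
        if summary["streak"] >= min_attempts and summary["streak_seconds"] >= min_span_seconds:
            stuck.append(summary["domain"])
    return stuck


if __name__ == "__main__":
    for record in SAMPLE_DV_HISTORY["data"]:
        print(summarize_domain(record))
    print("stuck:", stuck_domains(SAMPLE_DV_HISTORY))
```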

List deployments

Lists the deployments for an enrollment.

GET /cps/v2/enrollments/{enrollmentId}/deployments

Sample: /cps/v2/enrollments/10000/deployments

Headers:

Accept: application/vnd.akamai.cps.deployments.v6+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.deployments.v6+json

Headers:

Content-Type: application/vnd.akamai.cps.deployments.v6+json

Response Body:

{
    "production": {
        "networkConfiguration": {
            "geography": "core",
            "secureNetwork": "standard-tls",
            "mustHaveCiphers": "ak-akamai-default-2017q3",
            "preferredCiphers": "ak-akamai-default-2017q3",
            "disallowedTlsVersions": [],
            "ocspStapling": "not-set",
            "sniOnly": true,
            "quicEnabled": false,
            "dnsNames": [
                "san2.example.com",
                "san1.example.com"
            ]
        },
        "primaryCertificate": {
            "signatureAlgorithm": "SHA-256",
            "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
            "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
            "expiry": "2019-06-10T12:00:00Z"
        },
        "multiStackedCertificates": [
            {
                "signatureAlgorithm": "SHA-256",
                "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
                "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
                "expiry": "2019-06-10T12:00:00Z"
            }
        ],
        "ocspUris": [
            "http://ocsp.example.com"
        ],
        "ocspStapled": true
    },
    "staging": {
        "networkConfiguration": {
            "geography": "core",
            "secureNetwork": "standard-tls",
            "mustHaveCiphers": "ak-akamai-default-2017q3",
            "preferredCiphers": "ak-akamai-default-2017q3",
            "disallowedTlsVersions": [],
            "ocspStapling": "not-set",
            "sniOnly": true,
            "quicEnabled": false,
            "dnsNames": [
                "san2.example.com",
                "san1.example.com"
            ]
        },
        "primaryCertificate": {
            "signatureAlgorithm": "SHA-256",
            "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
            "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
            "expiry": "2019-06-10T12:00:00Z"
        },
        "multiStackedCertificates": [
            {
                "signatureAlgorithm": "SHA-256",
                "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
                "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
                "expiry": "2019-06-10T12:00:00Z"
            }
        ],
        "ocspUris": [
            "http://ocsp.example.com"
        ],
        "ocspStapled": true
    }
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. Specify an Accept header versioned up to application/vnd.akamai.cps.deployments.v6+json.

  3. Using the Enrollment location hypermedia URL, make a GET request to location/deployments.

  4. The response provides an object with each Deployment available within top-level staging and production members.
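Because the response carries staging and production side by side, it can be used to detect drift between the two networks before a change is promoted. The following is an added example, not part of the CPS documentation: the sample data and placeholder certificate text are constructed, and the 30-day expiry window and the flag for an empty disallowedTlsVersions list are assumed policy choices.

```python
from datetime import datetime, timezone


def _deployment(dns_names, expiry, pem):
    """Build one constructed Deployment with the member names shown above."""
    return {
        "networkConfiguration": {
            "geography": "core",
            "secureNetwork": "standard-tls",
            "disallowedTlsVersions": [],
            "ocspStapling": "not-set",
            "sniOnly": True,
            "quicEnabled": False,
            "dnsNames": dns_names,
        },
        "primaryCertificate": {"signatureAlgorithm": "SHA-256",
                               "certificate": pem, "expiry": expiry},
        "multiStackedCertificates": [],
    }


# Constructed sample: staging already carries a renewed certificate with one more SAN.
SAMPLE_DEPLOYMENTS = {
    "production": _deployment(["san2.example.com", "san1.example.com"],
                              "2019-06-10T12:00:00Z", "<constructed PEM A>"),
    "staging": _deployment(["san1.example.com", "san2.example.com", "san3.example.com"],
                           "2020-06-10T12:00:00Z", "<constructed PEM B>"),
}


def _norm(value):
    """Lists such as dnsNames carry no meaningful order; compare them sorted."""
    return sorted(value) if isinstance(value, list) else value


def diff_network_config(staging, production):
    """Return the networkConfiguration members that differ between the two networks."""
    s_cfg = staging.get("networkConfiguration") or {}
    p_cfg = production.get("networkConfiguration") or {}
    drift = {}
    for key in sorted(set(s_cfg) | set(p_cfg)):
        if _norm(s_cfg.get(key)) != _norm(p_cfg.get(key)):
            drift[key] = {"staging": s_cfg.get(key), "production": p_cfg.get(key)}
    return drift


def certificates(deployment):
    """Primary certificate followed by any multi-stacked certificates."""
    certs = [deployment.get("primaryCertificate")]
    certs += list(deployment.get("multiStackedCertificates") or [])
    return [c for c in certs if c]


def posture_findings(deployment, now, min_days_left=30):
    """Findings for one network; both checks are assumed policy, not CPS rules."""
    findings = []
    cfg = deployment.get("networkConfiguration") or {}
    if not cfg.get("disallowedTlsVersions"):
        findings.append("no TLS versions are disallowed")
    for i, cert in enumerate(certificates(deployment)):
        expiry = datetime.strptime(cert["expiry"], "%Y-%m-%dT%H:%M:%SZ")
        days = (expiry.replace(tzinfo=timezone.utc) - now).days
        if days < min_days_left:
            findings.append(f"certificate[{i}] expires in {days} days ({cert['expiry']})")
    return findings


def compare_deployments(deployments, now):
    """Drift and posture report for a List deployments response."""
    staging = deployments.get("staging") or {}
    production = deployments.get("production") or {}
    s_pem = (staging.get("primaryCertificate") or {}).get("certificate")
    p_pem = (production.get("primaryCertificate") or {}).get("certificate")
    return {
        "config_drift": diff_network_config(staging, production),
        "same_primary_certificate": s_pem == p_pem,
        "staging": posture_findings(staging, now),
        "production": posture_findings(production, now),
    }


if __name__ == "__main__":
    print(compare_deployments(SAMPLE_DEPLOYMENTS, datetime.now(timezone.utc)))
```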

Get staging deployment

Gets the enrollments deployed on the staging network.

GET /cps/v2/enrollments/{enrollmentId}/deployments/staging

Sample: /cps/v2/enrollments/10000/deployments/staging

Headers:

Accept: application/vnd.akamai.cps.deployment.v6+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.deployment.v6+json

Headers:

Content-Type: application/vnd.akamai.cps.deployment.v6+json

Response Body:

{
    "networkConfiguration": {
        "geography": "core",
        "secureNetwork": "standard-tls",
        "mustHaveCiphers": "ak-akamai-default-2017q3",
        "preferredCiphers": "ak-akamai-default-2017q3",
        "disallowedTlsVersions": [],
        "ocspStapling": "not-set",
        "sniOnly": true,
        "quicEnabled": false,
        "dnsNames": [
            "san2.example.com",
            "san1.example.com"
        ]
    },
    "primaryCertificate": {
        "signatureAlgorithm": "SHA-256",
        "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
        "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
        "expiry": "2019-06-10T12:00:00Z"
    },
    "multiStackedCertificates": [
        {
            "signatureAlgorithm": "SHA-256",
            "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
            "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
            "expiry": "2019-06-10T12:00:00Z"
        }
    ],
    "ocspUris": [
        "http://ocsp.example.com"
    ],
    "ocspStapled": true
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. Specify an Accept header versioned up to application/vnd.akamai.cps.deployments.v6+json.

  3. Using the Enrollment location hypermedia URL, make a GET request to location/deployments/staging.

  4. The response provides a Deployment object.

Get production deployment

Gets the enrollments deployed on the production network.

GET /cps/v2/enrollments/{enrollmentId}/deployments/production

Sample: /cps/v2/enrollments/10000/deployments/production

Headers:

Accept: application/vnd.akamai.cps.deployment.v6+json
Parameter Type Sample Description
URL parameters
enrollmentId Integer 10000 Enrollment on which to perform the desired operation.

Status 200 application/vnd.akamai.cps.deployment.v6+json

Headers:

Content-Type: application/vnd.akamai.cps.deployment.v6+json

Response Body:

{
    "networkConfiguration": {
        "geography": "core",
        "secureNetwork": "standard-tls",
        "mustHaveCiphers": "ak-akamai-default-2017q3",
        "preferredCiphers": "ak-akamai-default-2017q3",
        "disallowedTlsVersions": [],
        "ocspStapling": "not-set",
        "sniOnly": true,
        "quicEnabled": false,
        "dnsNames": [
            "san2.example.com",
            "san1.example.com"
        ]
    },
    "primaryCertificate": {
        "signatureAlgorithm": "SHA-256",
        "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
        "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
        "expiry": "2019-06-10T12:00:00Z"
    },
    "multiStackedCertificates": [
        {
            "signatureAlgorithm": "SHA-256",
            "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
            "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----",
            "expiry": "2019-06-10T12:00:00Z"
        }
    ],
    "ocspUris": [
        "http://ocsp.example.com"
    ],
    "ocspStapled": true
}
  1. Run the List Enrollments operation and select the appropriate Enrollment object from the enrollments array.

  2. Specify an Accept header versioned up to application/vnd.akamai.cps.deployments.v3+json.

  3. Using the Enrollment location hypermedia URL, make a GET request to location/deployments/production.

  4. The response provides a Deployment object.

Data

This section details the most recent version of the CPS API’s various data objects.

Download the JSON schemas for this API.

The data schema tables below list membership requirements as follows:

Member is required in requests, or always present in responses, even if its value is empty or null.
Member is optional, and may be omitted in some cases.
Member is out of scope, and irrelevant to the specified interaction context. If you include the member in that context, it either triggers an error, or is ignored.

Acknowledgement

Encapsulates information needed to acknowledge an enrollment change.

Download schema: acknowledgement.v1.json

Sample v1 object:

{
    "acknowledgement": "acknowledge"
}

Acknowledgement members

Member Type Required Description
acknowledgement Enumeration The state for which this Acknowledgement is submitted, either acknowledge or deny.

AcknowledgementWithHash

Encapsulates information needed to acknowledge an enrollment change.

Download schema: acknowledgement-with-hash.v1.json

Sample v1 object:

{
    "acknowledgement": "acknowledge",
    "hash": "24fb6fb91d290370c13a39e76afc1b26"
}

AcknowledgementWithHash members

Member Type Required Description
acknowledgement Enumeration The state for which this Acknowledgement is submitted, either acknowledge or deny.
hash String A hash that identifies the state that this request acknowledges. Use it when you want to be explicit about which state you are acknowledging, in order to prevent race conditions, such as when the state changes while the acknowledgement POST operation is in progress.

Certificate

A digital certificate is an electronic document that includes a company’s identification information (such as the name of the company and address), a public key, and the digital signature of a certification authority (CA) based on that certification authority’s private key. Digital certificates are verified using a chain of trust, which is a certificate hierarchy that allows individuals to verify the validity of a certificate’s issuer.

Download schema: certificate-and-trust-chain.v1.json

Sample v1 object:

{
    "certificate": "-----BEGIN CERTIFICATE-----\nMIID2DCCAsCgAwIBAgIQ661To2+zTDiFLyyARAaFXTANBgkqhkiG9w0BAQsFADBn\nMSowKAYDVQQDDCFBS0FNQUkgVEVTVCBJTlRFUk1FRElBVEUgQ0VSVCBbMV0xDjAM\nBgNVBAsMBVdlYkV4MQ8wDQYDVQQKDAZBa2FtYWkxCzAJBgNVBAgMAk1BMQswCQYD\nVQQGEwJVUzAeFw0xNzA1MTgyMTEwMTFaFw0xODA1MTkyMTEwMTFaMG0xHDAaBgNV\nBAMME3d3dy5jcHMtZXhhbXBsZS5jb20xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJN\nQTESMBAGA1UEBwwJQ2FtYnJpZGdlMQ8wDQYDVQQKDAZBa2FtYWkxDjAMBgNVBAsM\nBVdlYkV4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQeIJ2yfOC8P\nYQp6NjiCYSCkuS0z9a61v+k+KTDYQKIa8jDkwP0OITzvTnjMHuUd8JbSz5jNb22Z\nWxH/1F2p71rlSdBReBkZGLMLcQZPt5ju7ea7ZPz+MOWrwuc6YUafRMQk3qMeo3Sz\nIZQbmLKXkZeYriqy9s9yHJSUnWX1jOa51w6YM/Xar/2pZp2pyguaCNVGp7AAo38R\nAepaGcFwyjJse6dc+7dHOvDnjQ+Cg2lO8DSc12sFLllOhdOULldZRWbtfTLs9uet\niR8ZVpHJ1TtzEz3X9RqBBCvnqykQvMmiQKOkfYEd6LN4Tk6/HJw2/MZhIgAEXtUU\ndQMnD6OMcwIDAQABo3oweDB2BgNVHREEbzBtghRzYW4xLmNwcy1leGFtcGxlLmNv\nbYIUc2FuMi5jcHMtZXhhbXBsZS5jb22CFHNhbjMuY3BzLWV4YW1wbGUuY29tghRz\nYW40LmNwcy1leGFtcGxlLmNvbYITd3d3LmNwcy1leGFtcGxlLmNvbTANBgkqhkiG\n9w0BAQsFAAOCAQEAm9krrTxqDwUaO8J7P7CcrHfwXeWiDG3d9uHqCvHRGrcs46pI\ny8umThgOEba0QHi6CwM6O0+chcHsn6qf+uVKg2u1SKlE6qMIJ1Ppc8MJky1xo0M5\ncrtRpSXjaoF9S2zZZK1lwOJoK93BtC/lNfRc682TxlQ58jtBI6qnmLXUhF8Yo67v\n0UfHiBIv1pZFPIdk90/48vjWM54haNxm/PhxNb6AdzawR4zImUhMKsISP7uOTURQ\nfFfeNgMvHyI8Id1VPLN+e2y4FtnTVdW2e+PTBvOJ1M+YoFU7M04/2SmKJHqnHljh\nVQBpto9JgDmt0yqsdFdLrZlpsIQwpLqdgKZlSw==\n-----END CERTIFICATE-----",
    "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDTDCCAjQCEB1FmMGD0kjutSE218ho23wwDQYJKoZIhvcNAQELBQAwYjElMCMG\nA1UEAwwcd3d3LkNQUy1Ba2FtYWktVGVzdC1Sb290LmNvbTEOMAwGA1UECwwFV2Vi\nRXgxDzANBgNVBAoMBkFrYW1haTELMAkGA1UECAwCTUExCzAJBgNVBAYTAlVTMB4X\nDTE3MDUxODIxMTAxMVoXDTE4MDUxOTIxMTAxMVowZzELMAkGA1UEBhMCVVMxCzAJ\nBgNVBAgMAk1BMQ8wDQYDVQQKDAZBa2FtYWkxDjAMBgNVBAsMBVdlYkV4MSowKAYD\nVQQDDCFBS0FNQUkgVEVTVCBJTlRFUk1FRElBVEUgQ0VSVCBbMV0wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyxuHi0zL03f+3ZTKLV1lMHvS2LkUwCKEd\nApJw/v+yPPBTuamvikHQ8L5QM1p7BevavdeBMUAoGGXXQkrRtotCkL4S6N9cgH47\n+cUeXCT0D2BaOkR15N7qDVtkYeAtC7eKUI7+j99iZXAFr8Nel9wqNn/9804HyF+F\nZ/YS5oPBuJVGcTQhd8bmUx5wBgr3n6EhqvOHEEAa5whb5PoP/hFi0xO0SFG/LA/+\nK2NMvaE/9Y9j48/ONAFavf80s/y55SudZyBsjowtnZLIeJ4bM6nCN5DMAljH5U3O\nPFjSFKlbPxQgIcP9wLbQTV6b47tNK8c9jPg+U4jK2xtncJ2ijxSXAgMBAAEwDQYJ\nKoZIhvcNAQELBQADggEBACVVWGcirfBhkDwIuNELh1rzKPmhxwhx9hAsYz2B2FDn\n7q82c85hXLfFSZ/9I3bzotVDh4YucCV+vxUXQcYt5tEDbg96uHNzRzXQUTdJSNIe\nbQ5Yn86ELLrzaXAD3+t6ztj8Z9dIVfG7LrAOg3UX5GjfEUrjNfZaiiUcBqLKibJ5\nOqOJcPlbjKZ1kOqrCqlOugcQrZPgpzHkwssUR7v0VtHBHWnzjDTGaMXmvy1LsULA\n3N35SDGFI/Zpw56R4z95UwpmDYg3IKwAGY8XL/oMqTORWyYDUpy1dpcAln5HcZK3\nthju6KdIwCwmthk1iIUAri6avIrh7Mg2SHFho/4p5mA=\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDQzCCAi0CEO7lWBUwDEEclty6iX7gCMcwCwYJKoZIhvcNAQELMGIxCzAJBgNV\nBAYTAlVTMQswCQYDVQQIDAJNQTEPMA0GA1UECgwGQWthbWFpMQ4wDAYDVQQLDAVX\nZWJFeDElMCMGA1UEAwwcd3d3LkNQUy1Ba2FtYWktVGVzdC1Sb290LmNvbTAeFw0x\nNzA1MTgyMTEwMTFaFw0yMjA1MTgyMTEwMTFaMGIxCzAJBgNVBAYTAlVTMQswCQYD\nVQQIDAJNQTEPMA0GA1UECgwGQWthbWFpMQ4wDAYDVQQLDAVXZWJFeDElMCMGA1UE\nAwwcd3d3LkNQUy1Ba2FtYWktVGVzdC1Sb290LmNvbTCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAJCbd5QpPJr0I48G4VE0JF5N719Wsspc8lEEgf2oM4BL\n6pAyxU6hm8YzSfCx/NBpU2MYMa96FDoYWUVfj4iilpV4IpLdsDtXjMJ2fnVXP4iI\n9n5EhF3oKGx2bAgBKpXIWXwPo3fqg/MGsdwIgrYyab3xJuwHP3V/2MSxzcHpxQrU\nE8jaemBXv6v0oTx50Ph0zJP+wYwvaDf+KVFzM3E42Ww9VLuP3lt5RAtasNctqlRr\nSlpH3RrZ0Gkpmz6xGr2LvLw12nkTylws/bafCSFAs7+x2ip6pP3yEaYxKdMpeOIE\nWaVU1RsJiWVYgq+b6gc9wrRpfZLyJYdAa50DuEv8jm0CAwEAATALBgkqhkiG9w0B\nAQsDggEBAFbv9+6pQBXDiFOxoYmu1/xiI1/mSGqooJtzNZjoni6HsruGxSqRbbKa\n3GdaPVInZwWY7p8T1RM8+YDTrRrjbfRuRPqdgUBv8iDbcldJNXsqD1CylxLi0lul\ndnHgQD9TmcrTs3ELeT277PE2f8AX3YjhYK8IIGBmDomc1KRTka3nZtexIwfiEQJr\nRzsFL+1vwPoSJFKb1NzeOGikkPNmipQvYKGY9A/q2XeqrEWKGHizPwvcIu7EC8wL\nRooQ3ztqAV3Wul5dI5+AEE8WQzUyzCq7BEgOgNaX403g8An5QueSjhogbYdRd3BM\n+OWJc8qePy3KgqY44s3kbrPR6sJuAIQ=\n-----END CERTIFICATE-----"
}

Certificate members

Member Type Required Description
certificate String The certificate text.
trustChain String, Null The trust chain text. You may have no trust chains or multiple trust chains.

Change

Any change that you want to make to the network deployment of an enrollment.

Download schema: change.v1.json

Sample v1 object:

{
    "statusInfo": {
        "status": "wait-upload-third-party",
        "state": "awaiting-input",
        "description": "Waiting for you to upload and submit your third party certificate and trust chain.",
        "deploymentSchedule": {
            "notBefore": null,
            "notAfter": null
        },
        "error": null
    },
    "allowedInput": [
        {
            "type": "third-party-certificate",
            "requiredToProceed": true,
            "info": "/cps/v2/enrollments/10002/changes/10002/input/info/third-party-csr",
            "update": "/cps/v2/enrollments/10002/changes/10002/input/update/third-party-cert-and-trust-chain"
        }
    ]
}

Change members

Member Type Required Description
allowedInput Change.allowedInput[] The resource locations (path) of data inputs allowed by this change. These could be required or optional for this change to proceed.
statusInfo Change.statusInfo The status for this Change at this time.
Change.allowedInput[]: The resource locations (path) of data inputs allowed by this change. These could be required or optional for this change to proceed.
info String The resource location for the description of the allowed input.
requiredToProceed Boolean If true, this input is required for the Change to proceed.
type String The type of input. For more information, see the Overview.
update String The resource location that you can use to make a call for this input.
Change.statusInfo: The status for this Change at this time.
deploymentSchedule Change.statusInfo.deploymentSchedule The schedule for when you want this change to deploy.
description String A description of the current status of the change.
error Change.statusInfo.error, Null Error information for this change.
state String The current sub-state of the change. It gives detailed information about the status of the change, such as whether the change is in progress, in an error state, awaiting user input, and so on.
status String The general status of the change. This is a high-level description of the status of the change.
Change.statusInfo.deploymentSchedule: The schedule for when you want this change to deploy.
notAfter String, Null Do not deploy the certificate after this date.
notBefore String, Null Do not deploy the certificate before this date.
Change.statusInfo.error: Error information for this change.
code String The unique identifier code for this error.
description String The detailed description for this error.
timestamp String The timestamp of the occurrence for this error.

ChangeManagement

After you create an enrollment, you can have CPS halt deployment when the certificate becomes available, so that you can test and view the certificate on a staging server prior to deployment in the production network. If you do not want CPS to automatically deploy the certificate to the production network after it receives the signed certificate from the CA, you can turn change management on for the enrollment. This stops CPS from deploying the certificate to the network until you acknowledge that you are ready to deploy the certificate.

Download schema: change-management-info.v1.json, change-management-info.v2.json, change-management-info.v4.json

Sample v2 object:

{
    "acknowledgementDeadline": null,
    "pendingState": {
        "pendingCertificate": {
            "certificateType": "third-party",
            "signatureAlgorithm": "SHA-256",
            "fullCertificate": "-----BEGIN CERTIFICATE-----\nMIID2DCCAsCgAwIBAgIQ661To2+zTDiFLyyARAaFXTANBgkqhkiG9w0BAQsFADBn\nMSowKAYDVQQDDCFBS0FNQUkgVEVTVCBJTlRFUk1FRElBVEUgQ0VSVCBbMV0xDjAM\nBgNVBAsMBVdlYkV4MQ8wDQYDVQQKDAZBa2FtYWkxCzAJBgNVBAgMAk1BMQswCQYD\nVQQGEwJVUzAeFw0xNzA1MTgyMTEwMTFaFw0xODA1MTkyMTEwMTFaMG0xHDAaBgNV\nBAMME3d3dy5jcHMtZXhhbXBsZS5jb20xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJN\nQTESMBAGA1UEBwwJQ2FtYnJpZGdlMQ8wDQYDVQQKDAZBa2FtYWkxDjAMBgNVBAsM\nBVdlYkV4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQeIJ2yfOC8P\nYQp6NjiCYSCkuS0z9a61v+k+KTDYQKIa8jDkwP0OITzvTnjMHuUd8JbSz5jNb22Z\nWxH/1F2p71rlSdBReBkZGLMLcQZPt5ju7ea7ZPz+MOWrwuc6YUafRMQk3qMeo3Sz\nIZQbmLKXkZeYriqy9s9yHJSUnWX1jOa51w6YM/Xar/2pZp2pyguaCNVGp7AAo38R\nAepaGcFwyjJse6dc+7dHOvDnjQ+Cg2lO8DSc12sFLllOhdOULldZRWbtfTLs9uet\niR8ZVpHJ1TtzEz3X9RqBBCvnqykQvMmiQKOkfYEd6LN4Tk6/HJw2/MZhIgAEXtUU\ndQMnD6OMcwIDAQABo3oweDB2BgNVHREEbzBtghRzYW4xLmNwcy1leGFtcGxlLmNv\nbYIUc2FuMi5jcHMtZXhhbXBsZS5jb22CFHNhbjMuY3BzLWV4YW1wbGUuY29tghRz\nYW40LmNwcy1leGFtcGxlLmNvbYITd3d3LmNwcy1leGFtcGxlLmNvbTANBgkqhkiG\n9w0BAQsFAAOCAQEAm9krrTxqDwUaO8J7P7CcrHfwXeWiDG3d9uHqCvHRGrcs46pI\ny8umThgOEba0QHi6CwM6O0+chcHsn6qf+uVKg2u1SKlE6qMIJ1Ppc8MJky1xo0M5\ncrtRpSXjaoF9S2zZZK1lwOJoK93BtC/lNfRc682TxlQ58jtBI6qnmLXUhF8Yo67v\n0UfHiBIv1pZFPIdk90/48vjWM54haNxm/PhxNb6AdzawR4zImUhMKsISP7uOTURQ\nfFfeNgMvHyI8Id1VPLN+e2y4FtnTVdW2e+PTBvOJ1M+YoFU7M04/2SmKJHqnHljh\nVQBpto9JgDmt0yqsdFdLrZlpsIQwpLqdgKZlSw==\n-----END CERTIFICATE-----"
        },
        "pendingNetworkConfiguration": {
            "networkType": null,
            "mustHaveCiphers": "ak-akamai-default2016q3",
            "preferredCiphers": "ak-akamai-default",
            "disallowedTlsVersions": [
                "TLSv1_2"
            ],
            "sni": null
        }
    },
    "validationResult": {
        "warnings": [
            {
                "messageCode": "no-code",
                "message": "[SAN name [san9.example.com] removed from certificate is still live on the network., SAN name [san8.example.com] removed from certificate is still live on the network.]"
            }
        ],
        "errors": null
    },
    "validationResultHash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
}

Sample v4 object:

{
    "acknowledgementDeadline": null,
    "pendingState": {
        "pendingCertificate": {
            "certificateType": "third-party",
            "signatureAlgorithm": "SHA-256",
            "fullCertificate": "-----BEGIN CERTIFICATE-----\nMIID2DCCAsCgAwIBAgIQ661To2+zTDiFLyyARAaFXTANBgkqhkiG9w0BAQsFADBn\nMSowKAYDVQQDDCFBS0FNQUkgVEVTVCBJTlRFUk1FRElBVEUgQ0VSVCBbMV0xDjAM\nBgNVBAsMBVdlYkV4MQ8wDQYDVQQKDAZBa2FtYWkxCzAJBgNVBAgMAk1BMQswCQYD\nVQQGEwJVUzAeFw0xNzA1MTgyMTEwMTFaFw0xODA1MTkyMTEwMTFaMG0xHDAaBgNV\nBAMME3d3dy5jcHMtZXhhbXBsZS5jb20xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJN\nQTESMBAGA1UEBwwJQ2FtYnJpZGdlMQ8wDQYDVQQKDAZBa2FtYWkxDjAMBgNVBAsM\nBVdlYkV4MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvQeIJ2yfOC8P\nYQp6NjiCYSCkuS0z9a61v+k+KTDYQKIa8jDkwP0OITzvTnjMHuUd8JbSz5jNb22Z\nWxH/1F2p71rlSdBReBkZGLMLcQZPt5ju7ea7ZPz+MOWrwuc6YUafRMQk3qMeo3Sz\nIZQbmLKXkZeYriqy9s9yHJSUnWX1jOa51w6YM/Xar/2pZp2pyguaCNVGp7AAo38R\nAepaGcFwyjJse6dc+7dHOvDnjQ+Cg2lO8DSc12sFLllOhdOULldZRWbtfTLs9uet\niR8ZVpHJ1TtzEz3X9RqBBCvnqykQvMmiQKOkfYEd6LN4Tk6/HJw2/MZhIgAEXtUU\ndQMnD6OMcwIDAQABo3oweDB2BgNVHREEbzBtghRzYW4xLmNwcy1leGFtcGxlLmNv\nbYIUc2FuMi5jcHMtZXhhbXBsZS5jb22CFHNhbjMuY3BzLWV4YW1wbGUuY29tghRz\nYW40LmNwcy1leGFtcGxlLmNvbYITd3d3LmNwcy1leGFtcGxlLmNvbTANBgkqhkiG\n9w0BAQsFAAOCAQEAm9krrTxqDwUaO8J7P7CcrHfwXeWiDG3d9uHqCvHRGrcs46pI\ny8umThgOEba0QHi6CwM6O0+chcHsn6qf+uVKg2u1SKlE6qMIJ1Ppc8MJky1xo0M5\ncrtRpSXjaoF9S2zZZK1lwOJoK93BtC/lNfRc682TxlQ58jtBI6qnmLXUhF8Yo67v\n0UfHiBIv1pZFPIdk90/48vjWM54haNxm/PhxNb6AdzawR4zImUhMKsISP7uOTURQ\nfFfeNgMvHyI8Id1VPLN+e2y4FtnTVdW2e+PTBvOJ1M+YoFU7M04/2SmKJHqnHljh\nVQBpto9JgDmt0yqsdFdLrZlpsIQwpLqdgKZlSw==\n-----END CERTIFICATE-----",
            "ocspUris": null,
            "ocspStapled": "false"
        },
        "pendingNetworkConfiguration": {
            "networkType": null,
            "mustHaveCiphers": "ak-akamai-default2016q3",
            "preferredCiphers": "ak-akamai-default",
            "disallowedTlsVersions": [
                "TLSv1_2"
            ],
            "ocspStapling": "not-set",
            "sniOnly": "false",
            "quicEnabled": "false",
            "dnsNameSettings": null
        }
    },
    "validationResult": {
        "warnings": [
            {
                "messageCode": "no-code",
                "message": "[SAN name [san9.example.com] removed from certificate is still live on the network., SAN name [san8.example.com] removed from certificate is still live on the network.]"
            }
        ],
        "errors": null
    },
    "validationResultHash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
}

ChangeManagement members

Member Type v1 v2 v4 Description
acknowledgementDeadline String, Null The timestamp of the deadline for the user to acknowledge the change management validation result, before CPS automatically proceeds with attempting to deploy the pending state to the live network. The format of the timestamp is ISO-8601. This field is only populated when there’s an existing certificate on the network for the current enrollment; otherwise it’s null.
pendingState ChangeManagement.pendingState The snapshot of the pending state for the enrollment when this change takes effect.
validationResult ChangeManagement.validationResult, Null The hash of validationResult. It always has a value, even when validationResult is null. The hash result of the validation result as of the time of the most recent validation check. It is used in the change-management-ack API call to further specify the state of the change that is being acknowledged. We recommend you use the change-management-info API call, review the validationResult with its hash, and then acknowledge change-management using the same hash retrieved when running the Change Management Acknowledgement operation.
validationResultHash String The hash of validationResult.
ChangeManagement.pendingState: The snapshot of the pending state for the enrollment when this change takes effect.
pendingCertificate ChangeManagement.pendingState.pendingCertificate, Null The snapshot of the pending certificate for the enrollment when this change takes effect.
pendingNetworkConfiguration ChangeManagement.pendingState.pendingNetworkConfiguration The snapshot of the pending network configuration for the enrollment when this change takes effect.
ChangeManagement.pendingState.pendingCertificate: The snapshot of the pending certificate for the enrollment when this change takes effect.
certificateType String Either san, single, wildcard, wildcard-san, or third-party.
fullCertificate String Displays the contents of the certificate.
ocspStapled Boolean, Null OCSP Stapling improves performance by including a valid OCSP response in every TLS handshake. We recommend all customers enable this feature.
ocspUris Array, Null URI used for OCSP stapling validation.
signatureAlgorithm String Displays the signature algorithm.
ChangeManagement.pendingState.pendingNetworkConfiguration: The snapshot of the pending network configuration for the enrollment when this change takes effect.
disallowedTlsVersions Array, Null Disallowed TLS protocols.
dnsNameSettings ChangeManagement.pendingState.pendingNetworkConfiguration.dnsNameSettings, Null DNS name settings.
mustHaveCiphers String Ciphers that you want to include for your enrollment while deploying it on the network. Defaults to ak-akamai-default when it is not set.
networkType String, Null Enrollment network type.
ocspStapling String, Null OCSP stapling setting for the deployment.
preferredCiphers String Ciphers that you preferably want to include for your enrollment while deploying it on the network. Defaults to ak-akamai-default when it is not set.
quicEnabled Boolean QUIC transport layer network protocol.
sni ChangeManagement.pendingState.pendingNetworkConfiguration.sni, Null Server Name Indication (SNI) setting for this Enrollment.
sniOnly Boolean Server Name Indication (SNI) setting for this Enrollment.
ChangeManagement.pendingState.pendingNetworkConfiguration.dnsNameSettings: DNS name settings.
cloneDnsNames Boolean All certificate SANs are included in dnsNames when cloneDnsNames is true.
dnsNames Array, Null Names served by SNI-only enabled enrollments.
ChangeManagement.pendingState.pendingNetworkConfiguration.sni: Server Name Indication (SNI) setting for this Enrollment.
cloneDnsNames Boolean All certificate SANs are included in dnsNames when cloneDnsNames is true.
dnsNames Array, Null Names served by SNI-only enabled enrollments.
ChangeManagement.validationResult: The hash of validationResult. It always has a value, even when validationResult is null. The hash result of the validation result as of the time of the most recent validation check. It is used in the change-management-ack API call to further specify the state of the change that is being acknowledged. We recommend you use the change-management-info API call, review the validationResult with its hash, and then acknowledge change-management using the same hash retrieved when running the Change Management Acknowledgement operation.
errors ChangeManagement.validationResult.errors[] Validation errors of the current job state. Errors prevent a change from proceeding until you resolve them. They are optional and only appear if there are any errors.
warnings ChangeManagement.validationResult.warnings[] Validation warnings of the current job state. Warnings suspend the execution of a change. You can acknowledge or deny warnings. If you acknowledge them, the change proceeds with its operation. They are optional and only appear if there are any warnings.
ChangeManagement.validationResult.errors[]: Validation errors of the current job state. Errors prevent a change from proceeding until you resolve them. They are optional and only appear if there are any errors.
message String The description of the message.
messageCode String The unique code of the message.
ChangeManagement.validationResult.warnings[]: Validation warnings of the current job state. Warnings suspend the execution of a change. You can acknowledge or deny warnings. If you acknowledge them, the change proceeds with its operation. They are optional and only appear if there are any warnings.
message String The description of the message.
messageCode String The unique code of the message.
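
The review step recommended above (fetch the change-management info, inspect validationResult and the pending state, then acknowledge with the hash from that same response) can be automated as a gate. The following is an added example, not Akamai's code: the policy sets, the function name and the deadline value in the sample are assumptions, and the sample object is constructed in the shape of the v4 sample.

```python
import json
from datetime import datetime, timezone

# Constructed change-management-info response in the shape of the v4 sample.
# The deadline value and the PEM placeholder are made up for this example.
SAMPLE_INFO = json.loads("""
{
  "acknowledgementDeadline": "2017-05-26T16:00:00Z",
  "pendingState": {
    "pendingCertificate": {
      "certificateType": "third-party",
      "signatureAlgorithm": "SHA-256",
      "fullCertificate": "<PEM placeholder>"
    },
    "pendingNetworkConfiguration": {
      "mustHaveCiphers": "ak-akamai-default2016q3",
      "preferredCiphers": "ak-akamai-default",
      "disallowedTlsVersions": ["TLSv1_2"]
    }
  },
  "validationResult": {
    "warnings": [
      {"messageCode": "no-code",
       "message": "[SAN name [san9.example.com] removed from certificate is still live on the network.]"}
    ],
    "errors": null
  },
  "validationResultHash": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
}
""")

# Local policy for this example (assumptions, not CPS rules).
WEAK_SIGNATURES = {"SHA-1"}        # never deploy a certificate signed with these
MUST_STAY_ENABLED = {"TLSv1_2"}    # protocol versions that must not be disallowed


def parse_ts(value):
    """Parse an ISO-8601 timestamp ending in Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_change(info, now):
    """Review one change-management-info object before acknowledging it.

    Returns the findings, the seconds left before CPS proceeds on its own
    (None when no deadline is set), and the hash to acknowledge with. The hash
    is only filled in when nothing needs a human decision, and it is always the
    hash from the response that was reviewed.
    """
    findings = []
    result = info.get("validationResult") or {}
    for kind in ("errors", "warnings"):
        for item in result.get(kind) or []:
            findings.append((kind[:-1], item.get("messageCode"), item.get("message")))

    pending = info.get("pendingState") or {}
    cert = pending.get("pendingCertificate") or {}
    if cert.get("signatureAlgorithm") in WEAK_SIGNATURES:
        findings.append(("policy", "weak-signature", cert["signatureAlgorithm"]))

    net = pending.get("pendingNetworkConfiguration") or {}
    disallowed = set(net.get("disallowedTlsVersions") or [])
    for version in sorted(disallowed & MUST_STAY_ENABLED):
        findings.append(("policy", "required-tls-disallowed", version))

    deadline = info.get("acknowledgementDeadline")
    seconds_left = None
    if deadline:
        seconds_left = int((parse_ts(deadline) - now).total_seconds())

    return {
        "findings": findings,
        "seconds_left": seconds_left,
        "ack_hash": None if findings else info["validationResultHash"],
    }


if __name__ == "__main__":
    report = review_change(SAMPLE_INFO, datetime.now(timezone.utc))
    for finding in report["findings"]:
        print(finding)
    print("acknowledge with:", report["ack_hash"])
```

A None ack_hash means the change stays unacknowledged until someone has looked at the findings.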

CSR

Certificate Signing Request (CSR).

Download schema: csr.v1.json

Sample v1 object:

{
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDPT ... <sample - removed for readability> .... hA9jc=\n-----END CERTIFICATE REQUEST-----"
}

CSR members

Member Type Required Description
csr String, Null String with PEM formatted CSR.

DeploymentSchedule

If you want CPS to automatically deploy your certificate, but you do not want the deployment to occur before a certain date and time, you can set a deploy after date. You can only set a deploy after date and time for the renewal of a certificate or for a certificate that is active on the network. CPS may not deploy the certificate at the exact time and date you specify, but it will not deploy it before that time and date.

Download schema: deployment-schedule.v1.json

Sample v1 object:

{
    "notBefore": "2017-05-19T16:00:00Z",
    "notAfter": null
}

DeploymentSchedule members

Member Type Required Description
notAfter String, Null The time after which the change will no longer be in effect. This value is an ISO-8601 timestamp.
notBefore String, Null The time that you want the change to take effect. If you do not set this, the change occurs immediately, although most changes take some time to take effect even when they are immediately effective. This value is an ISO-8601 timestamp.

Deployment

Deploys your certificate to a network.

Download schema: deployment.v1.json, deployment.v2.json, deployment.v3.json, deployment.v6.json

Sample v3 object:

{
    "networkConfiguration": {
        "geography": "standard-worldwide",
        "secureNetwork": "enhanced-tls",
        "mustHaveCiphers": "ak-akamai-default2016q3",
        "preferredCiphers": "ak-akamai-default",
        "disallowedTlsVersions": [],
        "sni": {
            "cloneDnsNames": true,
            "dnsNames": [
                "san2.example.com",
                "san1.example.com"
            ]
        }
    },
    "signatureAlgorithm": "SHA-256",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIID2 ... <sample - removed for readability> .... ZlSw==\n-----END CERTIFICATE-----",
    "trustChain": "-----BEGIN CERTIFICATE-----\nMIIDT ... <sample - removed for readability> .... JuAIQ=\n-----END CERTIFICATE-----"
}

Deployment members

Member Type v1 v2 v3 v6 Description
certificate String The certificate text.
multiStackedCertificates Deployment.multiStackedCertificates[] Deployment may include multiple dual-stacked certificates.
networkConfiguration Deployment.networkConfiguration Information about how you want to deploy your certificate.
ocspStapled Boolean, Null OCSP Stapling improves performance by including a valid OCSP response in every TLS handshake. We recommend all customers enable this feature.
ocspUris Array, Null URI used for OCSP stapling validation.
primaryCertificate Deployment.primaryCertificate Primary certificate of the enrollment.
signatureAlgorithm String, Null The SHA (Secure Hash Algorithm) function. Current values include SHA-1 & SHA-256.
trustChain String The trust chain text. You may have any number of trust chains.
Deployment.multiStackedCertificates[]: Deployment may include multiple dual-stacked certificates.
certificate String The certificate text.
expiry String, Null The expiration date for the certificate.
signatureAlgorithm Enumeration, Null The SHA (Secure Hash Algorithm) function. Current values include SHA-1 & SHA-256.
trustChain String The trust chain for the certificate.
Deployment.networkConfiguration: Network configuration properties.
disallowedTlsVersions Array, Null Disallowed TLS protocols.
dnsNames Array, Null Names served by SNI-only enabled enrollments.
geography Enumeration, Enum Type of the network that you want to deploy your certificate. core is worldwide (includes China and Russia). china+core is worldwide and China. russia+core is worldwide and Russia.
mustHaveCiphers String, Null Ciphers that you definitely want to include for your enrollment while deploying it on the network. Defaults to ak-akamai-default when it is not set.
networkType String, Null Type of the network that you want to deploy your certificate in, either standard-worldwide, worldwide-russia, or worldwide.
ocspStapling String, Null OCSP stapling setting for the deployment.
preferredCiphers String, Null Ciphers that you preferably want to include for your enrollment while deploying it on the network. Defaults to ak-akamai-default when it is not set.
quicEnabled Boolean QUIC transport layer network protocol.
secureNetwork String, Enum The type of deployment network you want to use. Specify Standard TLS as the enum standard-tls to deploy your certificate to Akamai’s standard secure network. It is not PCI compliant. Specify Enhanced TLS as the enum enhanced-tls to deploy your certificate to Akamai’s more secure network with PCI compliance capability.
sni Deployment.networkConfiguration.sni, Null SNI settings for your enrollment. When set to null, the enrollment becomes non-SNI. When it is non-null, enrollment is SNI-only. This setting cannot be changed once an enrollment is created.
sniOnly Boolean Server Name Indication (SNI) is an extension of the Transport Layer Security (TLS) networking protocol. It allows a server to present multiple certificates on the same IP address. All modern web browsers support the SNI extension. If you have the same SAN on two or more certificates with the SNI-only option set, Akamai may serve traffic using any certificate which matches the requested SNI hostname. You should avoid multiple certificates with overlapping SAN names when using SNI-only.
Deployment.networkConfiguration.sni: SNI settings for your enrollment. When set to null, the enrollment becomes non-SNI. When it is non-null, enrollment is SNI-only. This setting cannot be changed once an enrollment is created.
cloneDnsNames Boolean Enable if you want CPS to direct traffic using all the SANs listed in the SANs parameter when you created your enrollment.
dnsNames Array, Null Names served by SNI-only enabled enrollments.
Deployment.primaryCertificate: Primary certificate of the enrollment.
certificate String The certificate text.
expiry String, Null The expiration date for the certificate.
signatureAlgorithm Enumeration, Null The SHA (Secure Hash Algorithm) function. Current values include SHA-1 & SHA-256.
trustChain String The trust chain for the certificate.
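
The sniOnly description above warns that when the same name sits on two or more SNI-only certificates, traffic may be served with any of them. The following added example (not Akamai's code) finds such overlaps across a set of Deployment objects. It reads only the v3 shape shown in the sample (networkConfiguration.sni.dnsNames), the enrollment IDs and objects are constructed, and it goes beyond exact duplicates by also treating a wildcard name as overlapping any single-label match.

```python
from itertools import combinations

# Constructed Deployment objects (v3 shape), keyed by hypothetical enrollment IDs.
DEPLOYMENTS = {
    "10002": {"networkConfiguration": {"sni": {
        "cloneDnsNames": True,
        "dnsNames": ["san2.example.com", "san1.example.com"]}}},
    "10003": {"networkConfiguration": {"sni": {
        "cloneDnsNames": False,
        "dnsNames": ["*.example.com", "shop.example.net"]}}},
    # sni set to null: a non-SNI enrollment, outside the scope of this check.
    "10004": {"networkConfiguration": {"sni": None}},
}


def sni_only_names(deployment):
    """Return the normalized dnsNames of an SNI-only deployment, or None if non-SNI."""
    sni = (deployment.get("networkConfiguration") or {}).get("sni")
    if sni is None:
        return None
    return {name.lower().rstrip(".") for name in sni.get("dnsNames") or []}


def names_overlap(a, b):
    """True when both names can match the same requested SNI hostname."""
    if a == b:
        return True
    for wild, other in ((a, b), (b, a)):
        if wild.startswith("*.") and not other.startswith("*."):
            label, _, parent = other.partition(".")
            # A wildcard covers exactly one extra label on the left.
            if label and parent == wild[2:]:
                return True
    return False


def find_overlaps(deployments):
    """List (id_a, name_a, id_b, name_b) for every overlapping pair of names."""
    named = {}
    for enrollment_id, deployment in deployments.items():
        names = sni_only_names(deployment)
        if names:
            named[enrollment_id] = names
    hits = []
    for id_a, id_b in combinations(sorted(named), 2):
        for a in sorted(named[id_a]):
            for b in sorted(named[id_b]):
                if names_overlap(a, b):
                    hits.append((id_a, a, id_b, b))
    return hits


if __name__ == "__main__":
    for hit in find_overlaps(DEPLOYMENTS):
        print("overlap: %s %s <-> %s %s" % hit)
```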

DvChallenges

When using certificates with domain validation, you prove that you have control over each of the domains listed in the certificate. When you create a new DV enrollment that generates a certificate signing request (CSR), CPS automatically sends it to Let’s Encrypt for signing. Let’s Encrypt sends back a challenge for each domain listed on your certificate. You prove that you have control over the domains listed in the CSR by redirecting your traffic to Akamai, or placing a token in the domain’s DNS zone. This allows Akamai to complete the challenge process for you by detecting the redirect or DNS token, and answering Let’s Encrypt’s challenge. You must complete one of the challenges for each domain to validate the certificate. To validate a domain, only one challenge for each domain must be complete. Let’s Encrypt automatically verifies the domain after it receives an answer to the challenge, and marks the domain as validated.

Download schema: dv-challenges.v1.json, dv-challenges.v2.json

Sample v1 object:

{
    "challenges": [
        {
            "domain": "www.cps-example-dv.com",
            "responseBody": "12345-...-abcdef",
            "fullPath": "http://www.cps-example-dv.com/.well-known/acme-challenge/abcdefghijklmno-KuzBi3q5Dr6TU8ViHSDSf-c9Iyg",
            "token": "abcdefghijklmno-123453q5Dr6TU8ViHSDSf-c9Iyg",
            "status": "Awaiting user",
            "error": "The domain is not ready for validation.",
            "requestTimestamp": "2017-05-19T17:20:00Z",
            "validatedTimestamp": "2017-05-19T17:35:22Z",
            "expires": "2017-05-19T18:00:00Z",
            "redirectFullPath": "http://dcv.akamai.com/.well-known/acme-challenge/abcdefghijklmno-KuzBi3q5Dr6TU8ViHSDSf-c9Iyg"
        }
    ]
}

Sample v2 object:

{
    "dv": [
        {
            "domain": "www.cps-example-dv.com",
            "status": "Awaiting user",
            "error": "The domain is not ready for validation.",
            "validationStatus": "RESPONSE_ERROR",
            "requestTimestamp": "2018-09-05T15:55:49Z",
            "validatedTimestamp": "2018-09-05T17:53:22Z",
            "expires": "2018-09-06T17:55:17Z",
            "challenges": [
                {
                    "type": "http-01",
                    "status": "pending",
                    "error": null,
                    "token": "abcdefghijklmno-123453q5Dr6TU8ViHSDSf-c9Iyg",
                    "responseBody": "AAA-dvq11111CmSWBzwIFpc4G2OCh5YXoHK56VccGmU.-BBBBBD3eQiu1uf5vf4xp-ZJv71AiycGGMuLtf06BnA",
                    "fullPath": "http://www.cps-example-dv.com/.well-known/acme-challenge/abcdefghijklmno-123453q5Dr6TU8ViHSDSf-c9Iyg",
                    "redirectFullPath": "http://dcv.akamai.com/.well-known/acme-challenge/abcdefghijklmno-123453q5Dr6TU8ViHSDSf-c9Iyg",
                    "validationRecords": []
                },
                {
                    "type": "dns-01",
                    "status": "pending",
                    "error": null,
                    "token": "cGBnw-3YO7rUhq61EuuHqcGrYkaQWALAgi8szTqRoHA",
                    "responseBody": "0yVISDJjpXR7BXzR5QgfA51tt-I6aKremGnPwK_lvH4",
                    "fullPath": "_acme-challenge.www.cps-example-dv.com.",
                    "redirectFullPath": "",
                    "validationRecords": []
                }
            ]
        }
    ]
}

DvChallenges members

Member Type v1 v2 Description
challenges DvChallenges.challenges[] Domains that need to be validated for this Enrollment. V1 only supports and displays the http-01 challenge.
dv DvChallenges.dv[] Domain Validation entity.
DvChallenges.challenges[]: Domains that need to be validated for this Enrollment. V1 only supports and displays the http-01 challenge.
domain String, Null Domain which is being validated.
error String, Null Current validation status for domains not yet validated.
expires String, Null Timestamp when this token or validation will expire. Sample 2014-08-12T18:57:07z.
fullPath String, Null URL where Let’s Encrypt will request and expect to find ‘token’ as content.
redirectFullPath String, Null The URL where Akamai publishes responseBody for Let’s Encrypt to validate. The client can configure a redirect at fullPath to redirect requests to this redirectFullPath URL, keeping in mind that the token may change over time.
requestTimestamp String, Null Timestamp Akamai received validation token from Let’s Encrypt. Sample 2014-08-12T18:57:07z.
responseBody String, Null The data Let’s Encrypt expects to find served at fullPath URL.
status String, Null The domain validation status.
token String, Null The validation token issued by Let’s Encrypt.
validatedTimestamp String, Null Timestamp when domain was successfully validated. Sample 2014-08-12T18:57:07z.
DvChallenges.dv[]: Domain Validation entity.
challenges DvChallenges.dv[].challenges[] Domains that need to be validated for this Enrollment. V1 only supports and displays the http-01 challenge. V2 allows HTTP and DNS challenge types. Each domain in the enrollment can have multiple challenges and can use different challenge types. To validate a domain, only one challenge for each domain must be complete.
domain String, Null Domain which is being validated.
error String, Null Current validation status for domains not yet validated.
expires String, Null Timestamp when this token or validation will expire. Sample 2017-12-05T18:57:07z.
requestTimestamp String, Null Timestamp Akamai received validation token from Let’s Encrypt. Sample 2017-12-12T18:57:07z.
status String, Null Let’s Encrypt validation status. Required Valid for certificate generation.
validatedTimestamp String, Null Timestamp when domain was successfully validated. Sample 2017-12-12T18:57:07z.
validationStatus String, Null Status of the domain validation process.
DvChallenges.dv[].challenges[]: Domains that need to be validated for this Enrollment. V1 only supports and displays the http-01 challenge. V2 allows HTTP and DNS challenge types. Each domain in the enrollment can have multiple challenges and can use different challenge types. To validate a domain, only one challenge for each domain must be complete.
error String, Null Error message describing failure to validate domain control.
fullPath String, Null URL where Let’s Encrypt will request and expect to find ‘token’ as content.
redirectFullPath String, Null The URL where Akamai publishes responseBody for Let’s Encrypt to validate. The client can configure a redirect at fullPath to redirect requests to this redirectFullPath URL, keeping in mind that the token may change over time.
responseBody String, Null The data Let’s Encrypt expects to find served at fullPath URL.
status Enumeration, Null The domain validation status. Current values include Preparing, Pending, Awaiting user, Valid, Invalid, Error & Ready for Validation.
token String, Null The validation token issued by Let’s Encrypt.
type Enumeration, Null Validation type. Currently supported types include dns-01 & http-01.
validationRecords DvChallenges.dv[].challenges[].validationRecords[] Validation attempt.
DvChallenges.dv[].challenges[].validationRecords[]: Validation attempt.
authorities Array, Null Validation authorities.
hostname String, Null Domain name being validated.
port String, Null Port used for validation.
resolvedIp Array, Null IPs resolved for name being validated.
triedIp String, Null IP from resolvedIp tried for this validation.
url String, Null The URL at which validation was attempted.
usedIp String, Null IP from resolvedIp used for this validation.
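
Turning a v2 DvChallenges object into the records you actually publish is where mistakes happen, so the following added example (not Akamai's code) builds a per-domain plan from it. It skips domains that are already validated or whose token has expired, and refuses any challenge whose fullPath does not sit under the domain being validated. The function names and the plan layout are assumptions, publishing the dns-01 responseBody as a TXT record follows the ACME dns-01 convention, and the input is the page's v2 sample trimmed to the fields the code reads.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# The page's v2 sample, trimmed to the fields this example reads.
SAMPLE_DV = json.loads("""
{"dv": [{
  "domain": "www.cps-example-dv.com",
  "status": "Awaiting user",
  "expires": "2018-09-06T17:55:17Z",
  "challenges": [
    {"type": "http-01", "status": "pending",
     "responseBody": "AAA-dvq11111CmSWBzwIFpc4G2OCh5YXoHK56VccGmU.-BBBBBD3eQiu1uf5vf4xp-ZJv71AiycGGMuLtf06BnA",
     "fullPath": "http://www.cps-example-dv.com/.well-known/acme-challenge/abcdefghijklmno-123453q5Dr6TU8ViHSDSf-c9Iyg",
     "redirectFullPath": "http://dcv.akamai.com/.well-known/acme-challenge/abcdefghijklmno-123453q5Dr6TU8ViHSDSf-c9Iyg"},
    {"type": "dns-01", "status": "pending",
     "responseBody": "0yVISDJjpXR7BXzR5QgfA51tt-I6aKremGnPwK_lvH4",
     "fullPath": "_acme-challenge.www.cps-example-dv.com.",
     "redirectFullPath": ""}
  ]
}]}
""")

ACME_HTTP_PREFIX = "/.well-known/acme-challenge/"


def parse_ts(value):
    """Parse an ISO-8601 timestamp ending in Z or z into an aware datetime."""
    if value[-1] in "Zz":
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def in_scope(domain, challenge):
    """Check that the challenge only asks for content under the domain being validated."""
    kind = challenge.get("type")
    where = challenge.get("fullPath") or ""
    if kind == "http-01":
        url = urlsplit(where)
        return url.hostname == domain.lower() and url.path.startswith(ACME_HTTP_PREFIX)
    if kind == "dns-01":
        return where.rstrip(".").lower() == "_acme-challenge." + domain.lower()
    return False


def plan_validation(dv_challenges, now):
    """Map each domain to its state and the records that would satisfy a challenge.

    Only one of the listed actions has to be carried out per domain.
    """
    plan = {}
    for entry in dv_challenges.get("dv") or []:
        domain = entry["domain"]
        challenges = entry.get("challenges") or []
        item = {"state": "awaiting", "actions": [], "rejected": []}
        plan[domain] = item
        if any((c.get("status") or "").lower() == "valid" for c in challenges):
            item["state"] = "validated"
            continue
        if entry.get("expires") and parse_ts(entry["expires"]) <= now:
            item["state"] = "expired"  # fetch fresh challenges before publishing
            continue
        for c in challenges:
            if not in_scope(domain, c):
                item["rejected"].append(c.get("fullPath"))
            elif c["type"] == "http-01":
                item["actions"].append({
                    "type": "http-01",
                    "serve_at": c["fullPath"],
                    "body": c["responseBody"],
                    "redirect_to": c.get("redirectFullPath") or None,
                })
            else:
                item["actions"].append({
                    "type": "dns-01",
                    "record": "TXT",
                    "name": c["fullPath"],
                    "value": c["responseBody"],
                })
    return plan


if __name__ == "__main__":
    print(json.dumps(plan_validation(SAMPLE_DV, datetime.now(timezone.utc)), indent=2))
```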

Enrollment

An enrollment displays all the information about the process that your certificate goes through from the time you request it, through renewal, and as you obtain subsequent versions. CPS is a certificate life cycle management tool. Once you obtain a certificate, you use it until it expires, in most cases a year from the date the CA issued the certificate. CPS automatically starts the renewal process 90 days before the old certificate expires. It then automatically deploys the renewed certificate when it receives it from the CA.

Download schema: enrollment.v1.json, enrollment.v2.json, enrollment.v3.json, enrollment.v4.json, enrollment.v7.json

Sample v4 object:

{
    "location": "/cps/v2/enrollments/10002",
    "ra": "third-party",
    "validationType": "third-party",
    "certificateType": "third-party",
    "certificateChainType": "default",
    "networkConfiguration": {
        "geography": "core",
        "secureNetwork": "enhanced-tls",
        "mustHaveCiphers": "ak-akamai-default-2016q3",
        "preferredCiphers": "ak-akamai-default",
        "disallowedTlsVersions": [],
        "sni": {
            "cloneDnsNames": false,
            "dnsNames": [
                "san2.example.com",
                "san1.example.com"
            ]
        }
    },
    "signatureAlgorithm": null,
    "changeManagement": true,
    "csr": {
        "cn": "www.example.com",
        "c": "US",
        "st": "MA",
        "l": "Cambridge",
        "o": "Akamai",
        "ou": "WebEx",
        "sans": [
            "san1.example.com",
            "san2.example.com",
            "san3.example.com",
            "san4.example.com",
            "www.example.com"
        ]
    },
    "org": {
        "name": "Akamai Technologies",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "region": "MA",
        "postalCode": "02142",
        "country": "US",
        "phone": "617-555-0111"
    },
    "adminContact": {
        "firstName": "R1",
        "lastName": "D1",
        "phone": "617-555-0111",
        "email": "r1d1@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Administrator"
    },
    "techContact": {
        "firstName": "R2",
        "lastName": "D2",
        "phone": "617-555-0111",
        "email": "r2d2@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Astromech Droid"
    },
    "thirdParty": {
        "excludeSans": false
    },
    "enableMultiStackedCertificates": false,
    "pendingChanges": []
}

Sample v7 object:

{
    "location": "/cps/v2/enrollments/10002",
    "ra": "third-party",
    "validationType": "third-party",
    "certificateType": "third-party",
    "certificateChainType": "default",
    "networkConfiguration": {
        "geography": "core",
        "secureNetwork": "enhanced-tls",
        "mustHaveCiphers": "ak-akamai-default",
        "preferredCiphers": "ak-akamai-default-interim",
        "disallowedTlsVersions": [],
        "sniOnly": true,
        "quicEnabled": false,
        "dnsNameSettings": {
            "cloneDnsNames": false,
            "dnsNames": [
                "san2.example.com",
                "san1.example.com"
            ]
        },
        "ocspStapling": "not-set"
    },
    "signatureAlgorithm": null,
    "changeManagement": true,
    "csr": {
        "cn": "www.example.com",
        "c": "US",
        "st": "MA",
        "l": "Cambridge",
        "o": "Akamai",
        "ou": "WebEx",
        "sans": [
            "san1.example.com",
            "san2.example.com",
            "san3.example.com"
        ]
    },
    "org": {
        "name": "Akamai Technologies",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "region": "MA",
        "postalCode": "02142",
        "country": "US",
        "phone": "617-555-0111"
    },
    "adminContact": {
        "firstName": "R1",
        "lastName": "D1",
        "phone": "617-555-0111",
        "email": "r1d1@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Administrator"
    },
    "techContact": {
        "firstName": "R2",
        "lastName": "D2",
        "phone": "617-555-0111",
        "email": "r2d2@akamai.com",
        "addressLineOne": "150 Broadway",
        "addressLineTwo": null,
        "city": "Cambridge",
        "country": "US",
        "organizationName": "Akamai",
        "postalCode": "02142",
        "region": "MA",
        "title": "Technical Engineer"
    },
    "thirdParty": {
        "excludeSans": false
    },
    "enableMultiStackedCertificates": false,
    "pendingChanges": [
        "/cps/v2/enrollments/10002/changes/10002"
    ],
    "maxAllowedSanNames": 100,
    "maxAllowedWildcardSanNames": 100
}

Enrollment members

Member Type v1 v2 v3 v4 v7 Description
adminContact Enrollment.adminContact Contact information for the certificate administrator that you want to use as a contact at your company.
certificateChainType String, Null Certificate trust chain type.
certificateType String Either san, single, wildcard, wildcard-san, or third-party. See Enrollment.validationType Values for details.
changeManagement Boolean If you turn change management on for an enrollment, it stops CPS from deploying the certificate to the network until you acknowledge that you are ready to deploy the certificate. You can test the certificate outside of CPS, on the Edge Staging Network (ESN), to make sure it works in your environment and then deploy the certificate. The ESN is a small network of Akamai edge servers built to simulate Akamai’s production network to test most of your site or application functionality with current production version configuration options and functions. For more information on the ESN, see the Edge Staging Network User Guide. You can also contact your account representative with questions or issues with your service on the ESN.
csr Enrollment.csr When you create an enrollment, you also generate a certificate signing request (CSR) using CPS. CPS signs the CSR with the private key. The CSR contains all the information the CA needs to issue your certificate.
enableMultiStackedCertificates Boolean Enable Dual-Stacked certificate deployment for this enrollment.
location String, Null The URI path to the enrollment. The last segment of the URI path serves as a unique identifier for the enrollment.
maxAllowedSanNames Number, Null Maximum number of SAN names supported for this enrollment type.
maxAllowedWildcardSanNames Number, Null Maximum number of Wildcard SAN names supported for this enrollment type.
networkConfiguration Enrollment.networkConfiguration Settings that specify any network information and TLS Metadata you want CPS to use to push the completed certificate to the network.
org Enrollment.org Your organization information.
pendingChanges Array, Null Returns the Changes currently pending in CPS. The last item in the array is the most recent change.
ra String The registration authority or certificate authority (CA) you want to use to obtain a certificate. A CA is a trusted entity that signs certificates and can vouch for the identity of a website. Either symantec, lets-encrypt, or third-party.
signatureAlgorithm String, Null The SHA (Secure Hash Algorithm) function. NSA designed this function to produce a hash of certificate contents, which is used in a digital signature. Specify either SHA-1 or SHA-256. We recommend you use SHA-256.
techContact Enrollment.techContact Contact information for an administrator at Akamai.
thirdParty Enrollment.thirdParty, Null Specifies that you want to use a third party certificate. This is any certificate that is not issued through CPS.
validationType String There are three types of validation. Domain Validation (DV), which is the lowest level of validation. The CA validates that you have control of the domain. CPS supports DV certificates issued by Let’s Encrypt, a free, automated, and open CA, run for public benefit. Organization Validation (OV), which is the next level of validation. The CA validates that you have control of the domain. Extended Validation (EV), which is the highest level of validation in which you must have signed letters and notaries sent to the CA before signing. You can also specify third party as a type of validation, if you want to use a signed certificate obtained by you from a CA not supported by CPS. Either dv, ev, ov, or third-party.
Enrollment.adminContact: Contact information for the certificate administrator that you want to use as a contact at your company.
addressLineOne String, Null The address of your organization.
addressLineTwo String, Null The address of your organization.
city String, Null The city where your organization resides.
country String, Null The country where your organization resides.
email String, Null The email address of the administrator who you want to use as a contact at your company.
firstName String, Null The first name of the administrator who you want to use as a contact at your company.
lastName String, Null The last name of the administrator who you want to use as a contact at your company.
organizationName String, Null The name of your organization.
phone String, Null The phone number of your organization.
postalCode String, Null The postal code of your organization.
region String, Null The region of your organization, typically a state or province.
title String, Null The title of the administrator who you want to use as a contact at your company.
Enrollment.csr: When you create an enrollment, you also generate a certificate signing request (CSR) using CPS. CPS signs the CSR with the private key. The CSR contains all the information the CA needs to issue your certificate.
c String, Null The country code for the country where your organization is located.
cn String The common name (CN) you want to use for the certificate in the Common Name field. The company you enter in the Organization field in this tab must own the domain name you specify here or have legal rights to use it. The company that owns the domain name must be a legally incorporated entity and be active and in good standing.
l String, Null Your locality (city).
o String, Null The name of your company or organization. Enter the name as it appears in all legal documents and as it appears in the legal entity filing.
ou String, Null Your organizational unit.
sans Array, Null Additional common names (CN) to create a Subject Alternative Names (SAN) list. String values.
st String, Null Your state or province.
Enrollment.networkConfiguration: Settings that specify any network information and TLS Metadata you want CPS to use to push the completed certificate to the network.
disallowedTlsVersions Array, Null Specify the TLS protocol version to disallow. CPS uses the TLS protocols that Akamai currently supports as a best practice.
dnsNameSettings Enrollment.networkConfiguration.dnsNameSettings, Null DNS name settings.
geography String Set to the enum core to specify worldwide (includes China and Russia). Set to the enum china+core to specify worldwide and China. Set to the enum russia+core to specify worldwide and Russia. You can only use this setting to include China and Russia if your Akamai contract specifies your ability to do so and you have approval from the Chinese and Russian government.
mustHaveCiphers String, Null Ciphers that you definitely want to include for your enrollment while deploying it on the network. Defaults to ak-akamai-default when it is not set. For more information on cipher profiles, see Akamai community.
networkType String Type of the network that you want to deploy your certificate in, either standard-worldwide, worldwide-russia, or worldwide.
ocspStapling Enumeration, Null Enable OCSP stapling for the enrollment. OCSP Stapling improves performance by including a valid OCSP response in every TLS handshake. Specify OCSP Stapling if you want to improve performance by allowing the visitors to your site to query the Online Certificate Status Protocol (OCSP) server at regular intervals to obtain a signed time-stamped OCSP response. This response must be signed by the CA, not the server, therefore ensuring security. Disable OCSP Stapling if you want visitors to your site to contact the CA directly for an OCSP response. OCSP allows you to obtain the revocation status of a certificate. We recommend all customers enable this feature. Use on, off or not-set.
preferredCiphers String, Null Ciphers that you preferably want to include for your enrollment while deploying it on the network. Defaults to ak-akamai-default when it is not set. For more information on cipher profiles, see Akamai community.
quicEnabled Boolean Set to true to enable QUIC protocol.
secureNetwork String Set the type of deployment network you want to use. Set Standard TLS to deploy your certificate to Akamai’s standard secure network. It is not PCI compliant. Set Enhanced TLS to deploy your certificate to Akamai’s more secure network with PCI compliance capability.
sni Enrollment.networkConfiguration.sni, Null SNI settings for your enrollment. When set to null, the enrollment becomes non-SNI. When it is non-null, enrollment is SNI-ONLY. This setting cannot be changed once an enrollment is created.
sniOnly Boolean SNI settings for your enrollment. Set to true to enable SNI-only for the enrollment. This setting cannot be changed once an enrollment is created.
Enrollment.networkConfiguration.dnsNameSettings: DNS name settings.
cloneDnsNames Boolean Enable if you want CPS to direct traffic using all the SANs listed in the SANs parameter when you created your enrollment.
dnsNames Array, Null Names served by SNI-only enabled enrollments.
Enrollment.networkConfiguration.sni: SNI settings for your enrollment. When set to null, the enrollment becomes non-SNI. When it is non-null, enrollment is SNI-ONLY. This setting cannot be changed once an enrollment is created.
cloneDnsNames Boolean Enable if you want CPS to direct traffic using all the SANs listed in the SANs parameter when you created your enrollment.
dnsNames Array, Null Names served by SNI-only enabled enrollments.
Enrollment.org: Your organization information.
addressLineOne String, Null The address of your organization.
addressLineTwo String, Null The address of your organization.
city String, Null The city where your organization resides.
country String, Null The country where your organization resides.
name String, Null The name of your organization.
phone String, Null The phone number of the administrator who you want to use as a contact at your company.
postalCode String, Null The postal code of your organization.
region String, Null The region where your organization resides.
Enrollment.techContact: Contact information for an administrator at Akamai.
addressLineOne String, Null The address for an administrator at Akamai.
addressLineTwo String, Null The address for an administrator at Akamai.
city String, Null The city for an administrator at Akamai.
country String, Null The country for an administrator at Akamai.
email String, Null The email address of the administrator who you want to use as a contact at your company.
firstName String, Null The first name of the technical contact who you want to use within Akamai. This is the person you work closest with at Akamai who can verify the certificate request. This is the person the CA calls if there are any issues with the certificate and they cannot reach the administrator.
lastName String, Null The last name of the technical contact who you want to use within Akamai.
organizationName String, Null The name of your organization in Akamai where your technical contact works.
phone String, Null The phone number of the technical contact who you want to use within Akamai.
postalCode String, Null The postal code for an administrator at Akamai.
region String, Null The region for an administrator at Akamai.
title String, Null The title for an administrator at Akamai.
Enrollment.thirdParty: Specifies that you want to use a third party certificate. This is any certificate that is not issued through CPS.
excludeSans Boolean If this is true, then the SANs in the enrollment do not appear in the CSR that CPS submits to the CA.

Enrollment.certificateType Values

The following details the range of enumeration values for the Enrollment’s certificateType member:

Value Description
san Specify this if you want to use Subject Alternative Names (SAN) in your certificate. The Subject Alternative Names allow you to secure up to 100 property hostnames with one certificate. These certificates are for users of many platforms who need to secure multiple names across different domains. You can update a SAN certificate at any time to add more names.
single Specify this if you want to use a single certificate. This associates a property hostname with a single name.
third-party Specify this if you want to use a third party certificate that is signed by a custom Certificate Authority (CA) of your choice, instead of using a CPS auto-managed CA.
wildcard-san Specify this if you want to use a wildcard SAN certificate. The Subject Alternative Names allow you to secure up to 100 property hostnames with one certificate. However, for a wildcard-san certificate in CPS, only twenty-five of them are allowed to be wildcards.
wildcard Specify this if you want to use a wildcard certificate. It secures an entire property hostname. A certificate for *.example.com secures www.example.com, mail.example.com, and any subdomain of example.com. If you do not know what property hostnames you want to attach your certificate to, you should obtain a wildcard certificate.

Enrollment.validationType Values

The following details the range of enumeration values for the Enrollment’s validationType member:

Value Description
dv Domain Validation, which is the lowest level of validation. In this validation type, the CA only validates that you have control of the domain. A typical CPS DV certificate expires in 90 days. CPS supports DV certificates issued by Let’s Encrypt, a free, automated, and open CA, run for public benefit.
ov Organization Validation, which is a medium level of validation. The CA validates that you have control of the domain, as well as company information using public resources. An OV certificate expires in one year. CPS supports DV certificates issued by Let’s Encrypt, a free, automated, and open CA, run for public benefit.
ev Extended Validation, which is the highest level of validation in which, on top of existing OV validation techniques, you must have signed letters and notaries sent to the CA before signing. Wildcard certificates cannot be EV certificates because an EV certificate requires you to be explicit about all the subject alternative names (SANs). CPS only supports EV certificates through CPS (auto) managed certificates.
third-party Third Party certificates allow you to obtain a certificate from a CA of your choice. Currently, certificates obtained through CPS must be issued either by DigiCert or Let’s Encrypt. If you want to use a different CA, you need to create a third party certificate. In this case, you use CPS to generate a certificate signing request (CSR), then you submit the CSR to your CA yourself and manually receive the signed certificate as well as trust chain back from the CA. After you obtain this information, you upload the signed certificate and trust chain to CPS.

Enrollment.ra Values

The following details the range of enumeration values for the Enrollment’s ra (Registration Authority) member:

Value Description
symantec Specifies that you want to use Symantec (issued by DigiCert).
lets-encrypt Specifies that you want to use Let’s Encrypt.
third-party Specifies that you want to use third party certificates.
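The recommendations and limits stated in the Enrollment tables above can be checked mechanically before an enrollment is submitted. The following is an added example, not Akamai's code: the sample object is constructed, and the secureNetwork strings standard-tls and enhanced-tls are assumed values for the Standard TLS and Enhanced TLS settings.

```python
import json

# Constructed sample Enrollment, trimmed to the members the checks read.
SAMPLE_ENROLLMENT = json.loads("""
{
  "certificateType": "wildcard-san",
  "validationType": "ev",
  "signatureAlgorithm": "SHA-1",
  "csr": {"cn": "www.example.com",
          "sans": ["www.example.com", "*.img.example.com", "api.example.com"]},
  "networkConfiguration": {"ocspStapling": "off",
                           "secureNetwork": "standard-tls",
                           "disallowedTlsVersions": null},
  "maxAllowedSanNames": 100,
  "maxAllowedWildcardSanNames": 25
}
""")


def audit_enrollment(enrollment, require_pci=False):
    """Return (member, finding) tuples for settings that contradict the
    recommendations and limits in the Enrollment reference tables."""
    findings = []
    csr = enrollment.get("csr") or {}
    net = enrollment.get("networkConfiguration") or {}
    sans = sorted({s.lower() for s in (csr.get("sans") or [])})
    wildcard_sans = [s for s in sans if s.startswith("*.")]
    cn = (csr.get("cn") or "").lower()

    # The reference recommends SHA-256 over SHA-1.
    alg = enrollment.get("signatureAlgorithm")
    if alg is not None and alg.upper() != "SHA-256":
        findings.append(("signatureAlgorithm",
                         f"{alg} in use; SHA-256 is recommended"))

    # The reference recommends OCSP stapling for all customers.
    stapling = net.get("ocspStapling")
    if stapling != "on":
        findings.append(("networkConfiguration.ocspStapling",
                         f"{stapling!r}; recommended value is 'on'"))

    # Wildcard certificates cannot be EV certificates.
    if enrollment.get("validationType") == "ev" and (
            cn.startswith("*.") or wildcard_sans):
        findings.append(("validationType",
                         "ev requested but the name list contains wildcards"))

    # SAN counts must stay within the limits the enrollment reports.
    for member, names in (("maxAllowedSanNames", sans),
                          ("maxAllowedWildcardSanNames", wildcard_sans)):
        limit = enrollment.get(member)
        if limit is not None and len(names) > limit:
            findings.append(("csr.sans",
                             f"{len(names)} names exceed {member}={limit}"))

    # Standard TLS is described as not PCI compliant.
    # Assumption: the member carries 'standard-tls' or 'enhanced-tls'.
    if require_pci and net.get("secureNetwork") != "enhanced-tls":
        findings.append(("networkConfiguration.secureNetwork",
                         "PCI scope requires the Enhanced TLS network"))
    return findings


if __name__ == "__main__":
    for member, finding in audit_enrollment(SAMPLE_ENROLLMENT, require_pci=True):
        print(f"{member}: {finding}")
```
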

Warnings

Warnings generated by CPS.

Download schema: warnings.v1.json

Sample v1 object:

{
    "warnings": "Some of the domains being provisioned (%s) exist on another certificate. Akamai recommends against overlapping names on Enhanced TLS and Standard TLS certificates except during digital property migrations. Enhanced TLS traffic could be misdirected in the event of DNS misconfiguration and treated as Standard TLS until the overlap is eliminated."
}

Warnings members

Member Type Required Description
warnings String, Null String with comma separated list of warnings.

CertificateHistory

The type of certificate. This could be a single certificate, which associates a property hostname with a single name. It could be a wildcard certificate, which secures an entire property hostname. It could be a SAN certificate, which uses Subject Alternative Names and allows you to secure up to 100 property hostnames with one certificate. It could also be a wildcard SAN certificate, which is a SAN certificate that can have up to 100 SANs with 25 wildcard entries in the SAN list. Lastly, you can have a third-party certificate, which is a signed certificate obtained by you from an external certificate authority.

Download schema: certificate-history.v1.json

CertificateHistory members

Member Type Required Description
deploymentStatus String The current status of the certificate on the network. This is either active or inactive.
geography String, Null Lists where you can deploy the certificate. If it is standard-worldwide, you can deploy everywhere except China. If it is worldwide, you can deploy everywhere including China. If it is worldwide-russia, you can deploy everywhere including Russia. Geography is dependent on your network type. If your network type is standard-tls, then you can deploy in Russia and worldwide-russia is the same as standard-worldwide.
multiStackedCertificates CertificateHistory.multiStackedCertificates[] Enables an ECDSA certificate in addition to an RSA certificate. CPS automatically performs all certificate operations on both certificates, and will use the best certificate for each client connection to your secure properties. Customers who are pinning certificates will need to pin both the RSA and the ECDSA certificate. We recommend all customers enable this feature.
primaryCertificate CertificateHistory.primaryCertificate Primary certificate for Enrollment.
ra String, Null The certificate registration authority of the primary certificate.
slots Array The slot number of the primary certificate.
stagingStatus String The staging status of the primary certificate.
type Enumeration Either san, single, wildcard, wildcard-san, or third-party.
CertificateHistory.multiStackedCertificates[]: Enables an ECDSA certificate in addition to an RSA certificate. CPS automatically performs all certificate operations on both certificates, and will use the best certificate for each client connection to your secure properties. Customers who are pinning certificates will need to pin both the RSA and the ECDSA certificate. We recommend all customers enable this feature.
certificate String, Null The certificate type of the multi-stacked certificate.
expiry String, Null The expiration date for the multi-stacked certificate.
trustChain String, Null The trust chain for the multi-stacked certificate.
CertificateHistory.primaryCertificate: Primary certificate for Enrollment.
certificate String, Null The primary certificate in the multi-stacked certificate.
expiry String, Null The expiration date for the primary certificate.
trustChain String, Null The trust chain for the primary certificate.

ChangeHistory

Change history item.

Download schema: change-history.v3.json

ChangeHistory members

Member Type Required Description
action Enumeration Show every change on the certificate. The possible changes are import-certificate, renew, new-certificate, modify-san, update-network-configuration.
actionDescription String A description of each change.
businessCaseId String, Null SalesForce ID associated with this change.
createdBy String The username of the user who initiated the change.
createdOn String A date and timestamp when the change started.
lastUpdated String, Null A date and timestamp when the change was last updated.
multiStackedCertificates ChangeHistory.multiStackedCertificates[] Dual-stacked certificate.
primaryCertificate ChangeHistory.primaryCertificate, Null Primary Certificate.
primaryCertificateOrderDetails ChangeHistory.primaryCertificateOrderDetails, Null CA order details for this Change.
ra String The certificate authority that issued the certificate.
status Enumeration The status of the change. The possible statuses are incomplete, cancelled, completed.
ChangeHistory.multiStackedCertificates[]: Dual-stacked certificate.
certificate String, Null Certificate text.
csr String, Null Certificate CSR.
trustChain String, Null Certificate trust chain.
ChangeHistory.primaryCertificate: Primary Certificate.
certificate String, Null Certificate text.
csr String, Null Certificate CSR.
trustChain String, Null Certificate trust chain.
ChangeHistory.primaryCertificateOrderDetails: CA order details for this Change.
geotrustOrderId Number, Null Geotrust order ID.
originalPartnerOrderId String, Null Original partner order ID.
partnerOrderId String, Null Partner order ID.

DvHistory

Domain Validation (DV) challenges are used by Let’s Encrypt to verify domain control.

Download schema: dv-history.v1.json

DvHistory members

Member Type Required Description
domain String The domain being validated.
domainHistory DvHistory.domainHistory[] A history record for a single domain.
DvHistory.domainHistory[]: A history record for a single domain.
challenges DvHistory.domainHistory[].challenges[] Challenges used for validation.
domain String, Null Domain which is being validated.
error String, Null Current validation status for domains not yet validated.
expires String, Null Timestamp when this token or validation will expire. Sample 2017-12-05T18:57:07z.
fullPath String, Null The URL that Let’s Encrypt returns for the token.
redirectFullPath String, Null The URL that Let’s Encrypt returns. This is the path to the server to which you want to redirect and find the token.
requestTimestamp String, Null The timestamp when the domain was successfully requested. Sample 2014-08-12T18:57:07z.
responseBody String, Null The data Let’s Encrypt expects to find served at fullPath URL.
status String, Null The domain validation status.
token String, Null The validation token issued by Let’s Encrypt.
validatedTimestamp String, Null The timestamp when the domain was successfully validated. Sample 2014-08-12T18:57:07z.
validationRecords DvHistory.domainHistory[].validationRecords[] Validation attempt.
validationStatus String, Null Status of the domain validation process.
DvHistory.domainHistory[].challenges[]: Challenges used for validation.
error String, Null Validation status for this challenge.
fullPath String, Null The path at which Let’s Encrypt expects to find the token as content.
redirectFullPath String, Null The URL where Akamai publishes responseBody for Let’s Encrypt to validate http-01 challenges. The client can configure a redirect at fullPath to redirect requests to this redirectFullPath URL, keeping in mind that the token may change over time.
responseBody String, Null The data Let’s Encrypt expects to find served at fullPath URL.
status String, Null The domain validation status. Status include valid and pending.
token String, Null The validation token issued by Let’s Encrypt.
type String, Null Challenge type. Current types include http-01 and dns-01.
validationRecords DvHistory.domainHistory[].challenges[].validationRecords[] The records that you send to Let’s Encrypt to validate your domain.
DvHistory.domainHistory[].challenges[].validationRecords[]: The records that you send to Let’s Encrypt to validate your domain.
authorities Array, Null Validation authorities.
hostname String, Null The name being validated.
port String, Null Port used for validation.
resolvedIp Array, Null IPs resolved for name being validated.
triedIp String, Null IP from resolvedIp tried for this validation.
url String, Null The URL for which validation was attempted.
usedIp String, Null IP from resolvedIp used for this validation.
DvHistory.domainHistory[].validationRecords[]: Validation attempt.
hostname String, Null The records that Let’s Encrypt returns to you to validate your domain.
port String, Null Port used for validation.
resolvedIp Array, Null IP address
url String, Null The URL for which validation was attempted.
usedIp String, Null IP from resolvedIp used for this validation.
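To show how the DvHistory members fit together operationally, the following added example (not part of the CPS documentation or Akamai's code) classifies each pending http-01 challenge by comparing what is served at fullPath with responseBody and by checking expires. The sample object, its token, its URLs and the `served` mapping of fetched content are all constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed DvHistory object with one pending http-01 challenge.
SAMPLE_DV_HISTORY = {
    "domain": "www.example.com",
    "domainHistory": [{
        "domain": "www.example.com",
        "expires": "2017-12-05T18:57:07z",
        "validationStatus": "pending",
        "challenges": [
            {"type": "http-01", "status": "pending",
             "token": "constructed-token",
             "fullPath": "http://www.example.com/.well-known/acme-challenge/constructed-token",
             "redirectFullPath": "http://dcv.example.net/.well-known/acme-challenge/constructed-token",
             "responseBody": "constructed-token.constructed-thumbprint",
             "error": None},
            {"type": "dns-01", "status": "pending",
             "token": "constructed-dns-token", "fullPath": None,
             "redirectFullPath": None, "responseBody": None, "error": None},
        ],
    }],
}


def parse_ts(value):
    """Parse the timestamp form shown in the reference, as UTC."""
    parsed = datetime.strptime(value.upper(), "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def review_http01(dv_history, served, now):
    """Classify every pending http-01 challenge as (domain, state).

    served maps a fullPath URL to the body the operator fetched from it.
    """
    results = []
    for record in dv_history.get("domainHistory") or []:
        domain = record.get("domain") or dv_history.get("domain")
        expires = record.get("expires")
        expired = bool(expires) and parse_ts(expires) <= now
        for ch in record.get("challenges") or []:
            if ch.get("type") != "http-01" or ch.get("status") != "pending":
                continue
            url = urlsplit(ch.get("fullPath") or "")
            token = ch.get("token") or ""
            body = (served.get(ch.get("fullPath")) or "").strip()
            if expired:
                state = "expired"            # token must be re-read from CPS
            elif url.hostname != domain or not url.path.endswith("/" + token):
                state = "unexpected-path"    # URL is not for this domain/token
            elif body != ch.get("responseBody"):
                state = "content-mismatch"   # origin or redirect not serving it
            else:
                state = "ready"
            results.append((domain, state))
    return results


if __name__ == "__main__":
    ch = SAMPLE_DV_HISTORY["domainHistory"][0]["challenges"][0]
    fetched = {ch["fullPath"]: ch["responseBody"] + "\n"}
    now = datetime(2017, 12, 1, tzinfo=timezone.utc)
    print(review_http01(SAMPLE_DV_HISTORY, fetched, now))
```
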

Errors

If you encounter errors, the CPS API responds with appropriate HTTP status codes and a response object that explains them, detailed below.

Error responses

CPS API error responses conform to the HTTP Problem Details standard.

HTTP status codes

CPS API HTTP response codes are as follows:

Code Description
200 The operation was successful.
202 Resource successfully accepted.
400 Bad Request.
403 Forbidden.
404 Resource not found.
406 Not acceptable.
409 Conflict with current state of resource.
410 Requested resource is no longer available.
500 Internal server error.
502 Platform timeout error.

Last modified: 10/18/2018