Get Certificate Authority
const url = 'https://example.com/vault/v1/workspaces/example/engines/qibdo/certificateAuthorities/example';const options = {method: 'GET'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url https://example.com/vault/v1/workspaces/example/engines/qibdo/certificateAuthorities/exampleReturns the metadata of a single CA.
Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”The workspace the CA belongs to.
The unique identifier of the CA to retrieve.
Responses
Section titled “ Responses ”OK
QibdoCertificateAuthority — workspace-scoped certificate authority backed by
the vault’s PKI engine. CAs form a hierarchical trust chain: a ROOT CA is
self-signed, and one or more INTERMEDIATE CAs may chain off it. The CA’s
private key is held by the vault; only metadata is persisted in the relational database.
object
The unique identifier of the certificate authority (UUID).
The workspace this CA belongs to (UUID, weak reference to taxonomy).
Human-readable name unique within the workspace.
Topology of the CA — ROOT or INTERMEDIATE.
Parent CA id when this is an INTERMEDIATE; empty for ROOT.
Signing algorithm — must match vault.crypto_algorithms.
X.509 subject Distinguished Name.
Notbefore timestamp (CA validity start).
Notafter timestamp (CA validity end).
Optional CRL distribution point URL published by this CA.
Optional OCSP responder URL published by this CA.
Tag entries used for organisation and policy matching.
Vault Tag
A key-value pair used to label and categorize vault resources such as secrets, crypto keys, leases, certificate authorities, certificates, and access policies.
object
Tag Key
Tag key (1–63 chars, lowercase letters/digits/dashes/underscores).
Tag Value
Tag value (free-form, up to 255 chars).
Tag Type
Whether the tag is system-managed or user-defined.
Tag Description
Optional description.
Whether the CA itself has been revoked. Once true, the CA can issue no further certificates and existing certs SHOULD be rotated.
Vault PKI mount path where this CA is materialised (e.g., “workspaces/{workspace}/pki/{name}/”).
Timestamp when the CA was created (server-managed).
Timestamp when the CA metadata was last modified (server-managed).
Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.
Example
{ "type": "CERTIFICATE_AUTHORITY_TYPE_UNSPECIFIED", "tags": [ { "type": "VAULT_TAG_TYPE_UNSPECIFIED" } ]}default
Section titled “default ”Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
object
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
object
The type of the serialized message.
Example generated
{ "code": 1, "message": "example", "details": [ { "@type": "example" } ]}