Issue Certificate
const url = 'https://example.com/vault/v1/workspaces/example/engines/qibdo/certificateAuthorities/example/certificates';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"workspace":"example","certificate_authority":"example","role":"example","common_name":"example","subject_alternative_names":["example"],"ttl":"example","tags":[{"key":"example","value":"example","type":"VAULT_TAG_TYPE_UNSPECIFIED","description":"example"}],"requested_key_type":"example","requested_extended_key_usages":["EXTENDED_KEY_USAGE_UNSPECIFIED"]}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/vault/v1/workspaces/example/engines/qibdo/certificateAuthorities/example/certificates \ --header 'Content-Type: application/json' \ --data '{ "workspace": "example", "certificate_authority": "example", "role": "example", "common_name": "example", "subject_alternative_names": [ "example" ], "ttl": "example", "tags": [ { "key": "example", "value": "example", "type": "VAULT_TAG_TYPE_UNSPECIFIED", "description": "example" } ], "requested_key_type": "example", "requested_extended_key_usages": [ "EXTENDED_KEY_USAGE_UNSPECIFIED" ] }'Issues a new leaf certificate under the given CA / role. The CA must be active (not revoked). Returns a long-running operation whose payload references the resulting QibdoCertificate.
Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”The workspace the CA belongs to.
The CA that will issue the certificate.
Request Body required
Section titled “Request Body required ”Request payload for Issue Qibdo Certificate
Carries the input fields required to issue qibdo certificate.
object
The workspace the CA belongs to.
The CA that will issue the certificate.
The QibdoPkiRole used to constrain certificate parameters (allowed domains, key types, max TTL, allowed extended key usages). Carried as a UUID identifying the role aggregate; the handler loads the role and enforces all four dimensions before delegating to the engine.
Common Name for the issued certificate (typically a DNS name or service identity). Subject DN is composed from this.
Optional Subject Alternative Names — DNS names, IP addresses, or URIs.
Requested validity duration. The role’s max_ttl caps the granted TTL — the vault backend silently truncates if exceeded.
Optional tag entries used for organisation and policy matching.
Vault Tag
A key-value pair used to label and categorize vault resources such as secrets, crypto keys, leases, certificate authorities, certificates, and access policies.
object
Tag Key
Tag key (1–63 chars, lowercase letters/digits/dashes/underscores).
Tag Value
Tag value (free-form, up to 255 chars).
Tag Type
Whether the tag is system-managed or user-defined.
Tag Description
Optional description.
Optional requested key algorithm. When omitted the role’s first allowed
key type is implied. Names must match the CryptoAlgorithm enum
(RSA_2048, EC_P256, ED25519, etc.). When provided, must appear in
the role’s allowed_key_types; otherwise INVALID_ARGUMENT.
Optional requested Extended Key Usages. When non-empty, every entry must
appear in the role’s allowed_extended_key_usages; otherwise
INVALID_ARGUMENT.
Responses
Section titled “ Responses ”OK
Vault Operation
Tracks the result of a vault command (secret, crypto key, lease, certificate authority, certificate, access policy, or vault-level lifecycle action).
object
Operation ID
Unique identifier of the operation.
Workspace ID
The workspace in whose namespace the operation was executed.
Resource ID
ID of the affected resource (nullable for vault-level lifecycle ops such as snapshot).
Resource Type
URN of the affected resource type (e.g., “com.qibdo.cloud.vault:secret”).
Operation Type
The action performed (CREATE, ROTATE, REVOKE, ENCRYPT, …).
Status
The operation status (PENDING, RUNNING, DONE, FAILED).
Insert Time
When the operation was created.
Start Time
When execution started (nullable).
End Time
When execution completed (nullable).
Progress
Progress percentage (0–100).
Warnings
Non-fatal notices emitted during the operation.
Vault Warning
A non-fatal notice emitted by a vault operation. The operation still completed; the warning surfaces unsupported features or capability gaps in the underlying engine.
Warning codes follow the S_SSS_EEE convention:
- Millions digit: service (9 = vault)
- Thousands: group
- Units: specific warning
object
Warning Code
Numeric identifier of the warning type.
Description
Human-readable explanation of what was ignored or degraded.
Example generated
{}default
Section titled “default ”Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
object
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
object
The type of the serialized message.
Example generated
{ "code": 1, "message": "example", "details": [ { "@type": "example" } ]}