CipherTrust

Manage secrets and protect sensitive data through Thales CipherTrust security platform.

Authentication & Identity Management · Thales CipherTrust Manager

Configuration parameters

  • server_url — Server URL (required)
  • credentials — Username (required)
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings

Commands (27)

  • ciphertrust-certificate-issue

    Issues a certificate by signing the provided CSR with the CA. This is typically used to issue server, client or intermediate CA certificates. Either duration or not_after date must be specified. If both not_after date and duration are given, then not_after takes precedence over duration. If duration is given without not_before date, ceritificate is issued starting from server's current time for the specified duration.

  • ciphertrust-certificate-list

    Returns a list of certificates issued by the specified CA. The results can be filtered, using the command arguments.

  • ciphertrust-certificate-resume

    Certificate can be resumed only if it is revoked with reason certificateHold.

  • ciphertrust-certificate-revoke

    Revoke certificate with a given specific reason.

  • ciphertrust-csr-generate

    Creates a Certificate Signing Request (CSR) and its corresponding private key. This API does not store any state on the server as everything is returned in the result. This means that both the CSR and the private key must be stored securely on the client side. The private key can optionally be encrypted with a password. It is strongly recommended to encrypt the private key. If not specified, the private_key_file_password is mandatory and the file itself is protected with the password even if the private key is not encrypted.

  • ciphertrust-external-ca-delete

    Deletes an external CA certificate.

  • ciphertrust-external-ca-list

    Returns a list of external CA certificates. The results can be filtered, using the command arguments.

  • ciphertrust-external-ca-update

    Update an external CA.

  • ciphertrust-external-ca-upload

    Uploads an external CA certificate. These certificates can later be trusted by services inside the system for verification of client certificates. The uploaded certificate must have "CA:TRUE" as part of the "X509v3 Basic Constraints" to be accepted.

  • ciphertrust-group-create

    Create a new group. The group name is required.

  • ciphertrust-group-delete

    Deletes a group given the group name.

  • ciphertrust-group-list

    Returns a list of group Command arguments can be used to filter the results. Groups can be filtered for user or client membership. Connection filter applies only to user group membership and NOT to clients.

  • ciphertrust-group-update

    Update the properties of a group given the group name.

  • ciphertrust-local-ca-create

    Creates a pending local CA. This operation returns a CSR that either can be self-signed by calling the ciphertrust-local-ca-self-sign command or signed by another CA and installed by calling the ciphertrust-local-ca-install command. A local CA keeps the corresponding private key inside the system and can issue certificates for clients, servers or intermediate CAs. The local CA can also be trusted by services inside the system for verification of client certificates.

  • ciphertrust-local-ca-delete

    Deletes a local CA certificate.

  • ciphertrust-local-ca-install

    Installs a certificate signed by other CA to act as a local CA. Issuer can be both local or external CA. Typically used for intermediate CAs. The CA certificate must match the earlier created CA CSR, have "CA:TRUE" as part of the "X509v3 Basic Constraints", and have "Certificate Signing" as part of "X509v3 Key Usage" in order to be accepted.

  • ciphertrust-local-ca-list

    Returns a list of local CA certificates. The results can be filtered, using the command arguments. If local_ca_id is provided, a single local CA certificate is returned and the rest of the filters are ignored. A chained parameter is used to return the full CA chain with the certificate and can be used only if local_ca_id is provided.

  • ciphertrust-local-ca-self-sign

    Self-sign a local CA certificate. This is used to create a root CA. Either duration or notAfter date must be specified. If both notAfter and duration are given, then notAfter date takes precedence over duration. If duration is given without notBefore date, certificate is issued starting from server's current time for the specified duration.

  • ciphertrust-local-ca-update

    Update a local CA.

  • ciphertrust-local-certificate-delete

    Deletes a local certificate.

  • ciphertrust-user-create

    Create a new user in a domain (including root), or add an existing domain user to a sub-domain. Users are always created in the local, internal user database, but might have references to external identity providers. The connection property is optional. If this property is specified when creating new users, it can be the name of a connection or local_account for a local user. The connection property is only used in the body of the create-user request. It is not present in either request or response bodies of the other user endpoints. To create a user - username is mandatory. And password is required in most cases except when certificate authentication is used and certificate subject dn is provided. To enable certificate based authentication for a user, it is required to set certificate_subject_dn and add "user_certificate" authentication method in allowed_auth_methods. This functionality is available only for local users. To assign a root domain user to a sub-domain - the users are added to the domain of the user who is logging in, and the connection property should be left empty. The user_id or username fields are the only ones that are used while adding existing users to sub-domains; all other fields are ignored. To enable the two-factor authentication based on username-password and user certificate for a user, it is required to set "certificate_subject_dn" and add "password_with_user_certificate" authentication method in "allowed_auth_methods". For authentication, the user will require both username-password and user certificate. This functionality applies only to local users.

  • ciphertrust-user-delete

    Deletes a user given the user's user ID. If the current user is logged into a sub-domain, the user is deleted from that sub-domain. If the current user is logged into the root domain, the user is deleted from all domains it belongs to.

  • ciphertrust-user-password-change

    Change the current user's password. Can only be used to change the password of the currently authenticated user. The user will not be able to change their password to the same password.

  • ciphertrust-user-to-group-add

    Add a user to a group. This command is idempotent: calls to add a user to a group in which they already belong will return an identical, OK response.

  • ciphertrust-user-to-group-remove

    Removes a user from a group.

  • ciphertrust-user-update

    Change the properties of a user, for instance, the name, the password, or metadata. Permissions would normally restrict this to users with admin privileges. Non admin users wishing to change their own passwords should use the ciphertrust-user-password-change command.

  • ciphertrust-users-list

    Returns a list of users.