getUserKeyPair2 API

UEM uses this API to fetch an initial key-pair and to renew an existing certificate. This API replaces the deprecated getUserKeyPair API.

The HTTP request line is:

POST customerSpecifiedPrefix/pki?operation=getUserKeyPair2

UEM sends the following values:
Element | Type | Required | Details
mType | string | Yes | The value is initialCert if UEM is fetching the key-pair for the first time, and renewCert if UEM is renewing the certificate.
user | string | Yes | The user's email address or another unique identifier. The certificate subject is created by the issuer.
authToken | string | No | An authentication token value provided by the user if it is required by the user credential profile.
reqId | string | No | For initialCert only, a request ID value to assist the sender in matching the response.
deviceId | string | No | For initialCert only, the BlackBerry Dynamics device ID. This value can be used to track if two apps on the same device are requesting the certificate at the same time.
deviceName | string | No | For initialCert only, the device name.
cmsSigned | string | No | When a BlackBerry Dynamics app renews an existing certificate, it uses the current private key to authenticate the request to renew. It sends this information in the cmsSigned element, and UEM sends this to the PKI connector without making any changes. cmsSigned = base64 encoded (cms-signed-data(CertRequest)). CertRequest includes reqId, deviceId, deviceName, and pkcs10 (base64 encoded CSR).
The API call returns the following response values:

Element | Type | Required | Details
status | string | Yes | This can be a value of success or failure.
failureInfo | string | No | This element provides details about a failure.
payloadType | string | No | This is a value of pkcs12.
payload | Base64 encoded object | No | This is a value of BASE64 Encoded PKCS12.
regID | string | Yes | This is a request ID value.
password | string | No | If pkcs12 was password encrypted and authToken was not used as the password for encryption, a decryption password may be returned. For certificate renewal, a password is required.

Initial enrollment sample

In this sample, the administrator has specified the following URL for the PKI connector in the management console: https://ra.lifeonthedot.com
Request: The following payload is sent over an SSL connection to https://ra.lifeonthedot.com:
POST /pki?operation=getUserKeyPair2 HTTP/1.0
Host: ra.lifeonthedot.com
Content-Type: application/json
Content-Length: XYZ

{
  "mType": "initialCert",
  "user": "joe.foo@lifeonthedot.com",
  "authToken": "56ht12d0",
  "reqId": "12487",
  "deviceId": "6e8S8JCLN7Hc5v3cGqvfkfM/C/tAFDS1CFUPJ53ASL",
  "deviceName": "Joe's iPhone6"
}
If the server URL was set as https://ra.lifeonthedot.com/foo in the management console, the request will be:

POST /foo/pki?operation=getUserKeyPair2 HTTP/1.0
Host: ra.lifeonthedot.com
Content-Type: application/json
Content-Length: XYZ
Response:
HTTP/1.0 200 OK
Host: ra.lifeonthedot.com
Content-Type: application/json
Content-Length: XYZ

{
  "status": "success",
  "reqId": "12487",
  "payloadType": "pkcs12",
  "password": "clearTextPassword",
  "payload": "BASE64 Encoded PKCS12"
}

Renew sample

Request:
POST /pki?operation=getUserKeyPair2 HTTP/1.0
Host: ra.lifeonthedot.com
Content-Type: application/json
Content-Length: XYZ

{
  "mType": "renewCert",
  "user": "joe.foo@lifeonthedot.com",
  "cmsSigned": "base64-encoded-CMS-signed-data"
}
Response:
HTTP/1.0 200 OK
Host: ra.lifeonthedot.com
Content-Type: application/json
Content-Length: XYZ

{
  "status": "success",
  "reqId": "12487",
  "payloadType": "pkcs12",
  "password": "clearTextPassword",
  "payload": "BASE64 Encoded PKCS12"
}
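The following is an added example, not BlackBerry code, showing how a PKI connector can enforce the request and response rules in the two tables above before handing a request to its certificate authority. It validates the element types, the mType allowlist, the mandatory user element and the cmsSigned requirement for renewals, applies the password rule from the response table (an initialCert authToken may serve as the PKCS#12 password, in which case no password element is returned; a renewal always returns one), and returns failure responses that carry failureInfo. The issuer callable, its (reqId, PKCS#12 bytes) return value and the demo_issuer stand-in are assumptions for the example; CMS signature verification against the current certificate is left to that CA-specific issuer and is not implemented here. The sample bodies are constructed to mirror the two samples on this page.

```python
import base64
import binascii
import json
import secrets

# Request elements per the getUserKeyPair2 request table (all are strings).
ALLOWED_MTYPES = ("initialCert", "renewCert")


def validate_request(body):
    """Check a decoded request body against the element rules.

    Returns a failureInfo string describing the first violation, or None
    when the request is acceptable.
    """
    if not isinstance(body, dict):
        return "request body must be a JSON object"
    for name, value in body.items():
        if not isinstance(value, str):
            return f"element {name} must be a string"
    if body.get("mType") not in ALLOWED_MTYPES:
        return "mType must be initialCert or renewCert"
    if not body.get("user", "").strip():
        return "user is required"
    if body["mType"] == "renewCert":
        cms = body.get("cmsSigned")
        if not cms:
            return "cmsSigned is required for renewCert"
        try:
            # UEM forwards cmsSigned unchanged; it must at least be base64.
            base64.b64decode(cms, validate=True)
        except (binascii.Error, ValueError):
            return "cmsSigned is not valid base64"
    return None


def _request_id(body):
    """Return the top-level reqId when the body carries one as a string."""
    if isinstance(body, dict) and isinstance(body.get("reqId"), str):
        return body["reqId"]
    return None


def failure(info, req_id=None):
    """Build a failure response; reqId is echoed so the sender can match it."""
    resp = {"status": "failure", "failureInfo": info}
    if req_id:
        resp["reqId"] = req_id
    return resp


def handle_request(raw_body, issuer):
    """Process one POST body and return the JSON-serialisable response.

    `issuer` (hypothetical, CA-specific) takes (body, password) and returns
    (req_id, pkcs12_der); for renewals it is assumed to verify the CMS
    signature and read reqId from the signed CertRequest.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return failure("malformed JSON body")
    err = validate_request(body)
    if err is not None:
        return failure(err, _request_id(body))
    # Password rule from the response table: for initialCert the authToken
    # may be used to encrypt the PKCS#12, and then no password is returned;
    # otherwise, and always for renewCert, a fresh password is returned.
    token = body.get("authToken")
    if body["mType"] == "initialCert" and token:
        password, return_password = token, False
    else:
        password, return_password = secrets.token_urlsafe(16), True
    req_id, pkcs12_der = issuer(body, password)
    resp = {
        "status": "success",
        "reqId": req_id,
        "payloadType": "pkcs12",
        "payload": base64.b64encode(pkcs12_der).decode("ascii"),
    }
    if return_password:
        resp["password"] = password
    return resp


def decoded_payload(resp):
    """Return the raw PKCS#12 bytes carried in a success response."""
    return base64.b64decode(resp["payload"])


def demo_issuer(body, password):
    """Stand-in for the CA integration (constructed, not a real issuer).

    Returns a placeholder blob that ends with the password it was given so
    the caller can see which password protected the PKCS#12.
    """
    req_id = body.get("reqId", "renew-0001")  # hypothetical renewal reqId
    return req_id, b"PKCS12-placeholder:" + password.encode("ascii")


# Constructed sample bodies mirroring the page's two samples.
INITIAL_BODY = {
    "mType": "initialCert",
    "user": "joe.foo@lifeonthedot.com",
    "authToken": "56ht12d0",
    "reqId": "12487",
    "deviceId": "constructed-device-id",
    "deviceName": "Joe's iPhone6",
}
INITIAL_REQUEST = json.dumps(INITIAL_BODY)
RENEW_REQUEST = json.dumps({
    "mType": "renewCert",
    "user": "joe.foo@lifeonthedot.com",
    "cmsSigned": base64.b64encode(b"constructed CMS SignedData").decode("ascii"),
})

if __name__ == "__main__":
    print(json.dumps(handle_request(INITIAL_REQUEST, demo_issuer), indent=2))
    print(json.dumps(handle_request(RENEW_REQUEST, demo_issuer), indent=2))
    print(json.dumps(handle_request('{"mType": "renewCert", "user": "x"}', demo_issuer)))
```

Running the module prints the success response for the enrollment sample (no password element, because the authToken protected the PKCS#12), the renewal response with a generated password, and a failure response with failureInfo for a renewal that omits cmsSigned.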