9 Importing certificates
You can use the MyID Core API to import certificates that were issued by a different system; this allows MyID to manage the certificates as if they had been issued by MyID. This feature is available only through the API, not through the MyID Operator Client.
The API provides the following endpoints:
- POST /api/Certificates/import
  This endpoint allows you to import a certificate, and optionally create a person from the DN information contained in the certificate. If the person already exists, MyID associates the certificate with their account.
  Users with access to the Import Certificate option in the Certificates section of the Edit Roles workflow have access to this endpoint.
  If the person does not already exist in MyID, you can configure MyID to create the person in the MyID database using the information from the certificate. The logon name is generated as a sequential number that increments with each new person created. To allow MyID to create people, you must set the Allow Certificate User Creation option on the Certificates page of the Operation Settings workflow.
- POST /api/People/{id}/certificateImport
  This endpoint allows you to import a certificate for a specific person who already exists in the MyID database.
  Users with access to the Import Person Certificate option in the Certificates section of the Edit Roles workflow have access to this endpoint.
This feature is designed to allow organizations to bring additional management control to certificates that are issued through other solutions; for example, end-entity certificates issued by automatic enrollment, SSL certificates, or certificates from legacy certificate authorities that have no other management capability.
Once you have imported a certificate, MyID CMS:
- Assigns the certificate to a user account for ownership tracking. You can view details on the Certificates tab of the View Person screen in the MyID Operator Client.
- Includes the certificate information in reports generated by the MyID Operator Client or the MyID Core API.
  See the Viewing a certificate section in the MyID Operator Client guide.
- Displays the certificate details recorded at import.
  See the Viewing a certificate section in the MyID Operator Client guide.
- Generates certificate renewal notifications for the imported certificate, so that you are warned when the certificate is due to expire. Where appropriate, you can issue new certificates through MyID from a connected certificate authority.
- Provides secure storage and recovery of the certificate, when certificate private keys are imported.
  You can also integrate this with the MyID SecureVault key store; see the Integrating with MyID SecureVault section in the Administration Guide for details.
- Enables revocation control of the certificate, if a connection to the certificate authority exists in MyID.
  See the Revoking, suspending, and unsuspending certificates section in the MyID Operator Client guide.
You can import certificates in Base 64 format, either using X.509 (.cer files) or PKCS#12 (.pfx files). If you are using a .pfx file, you must also supply the password.
For full information on using these API endpoints, including details of the available parameters and permissions, see the Certificates section in the API documentation; for details of viewing the Swagger API documentation, see section 2.1, Accessing the API documentation.
cURL, Python, and PowerShell examples are provided in this guide; see section 9.1, Examples for importing a certificate, and section 9.2, Examples for importing a certificate for a person.
For errors that may occur when attempting to import a certificate, see section 9.3, Troubleshooting importing certificates.