Person API Certificates

Managing certificates in the Person API.

The Certificates endpoints in the Person API provide a way to manage certificates for a Developer Team.

Separate Access

To create and manage Person API certificates, a separate app must be created in the Developer Portal owned by the same Team that owns the app with regular Person API access. This requirement also applies to apps registered for the mock APIs. In order to test the certificates endpoint using the mock Person API, create a separate app and enable access to Mock Person API Certificates in the app registration page in the Developer Portal.

Requirements for Self-Signed Certificate

Endpoint: POST /people/certificates

Requirements

  1. PEM-encoded certificate
    The certificate must be in PEM format. This format is a Base64-encoded way of representing certificates, which is widely supported and ensures secure certificate exchange.

  2. 2048-bit or higher RSA key
    A minimum key size of 2048 bits is required. This helps maintain strong encryption, safeguarding against brute-force attacks and ensuring compliance with modern security standards.

  3. Validity period: 90 days or less
    The certificate should not be valid for more than 90 days. This short lifespan ensures regular renewal cycles, reducing the chance of long-term exposure to vulnerabilities.

  4. Maximum of 30 certificates per client
    To avoid overuse of server resources, each client can only store up to 30 certificates at a time. This ensures efficient resource management and keeps the system responsive.

Request Body Example

{
    "data": {
        "type": "certificates",
        "attributes": {
            "certificate": "-----BEGIN CERTIFICATE-----\nMIIDWDCCAkCgAwIBAgIUaiq6K195EzsvindYi6Iu2AK39SQwDQYJKoZIhvcNAQEL\nBQAwWTELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVdpc2NvbnNpbjEQMA4GA1UEBwwH\nTWFkaXNvbjEQMA4GA1UECgwHVGVzdGluZzESMBAGA1UEAwwJbG9jYWxob3N0MB4X\nDTI0MDkyNTE3MDg1NVoXDTI0MTIyNDE3MDg1NVowWTELMAkGA1UEBhMCVVMxEjAQ\nBgNVBAgMCVdpc2NvbnNpbjEQMA4GA1UEBwwHTWFkaXNvbjEQMA4GA1UECgwHVGVz\ndGluZzESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\nMIIBCgKCAQEAyXcXQqCOvAE7V25B08c6FYTA3ruqtPXiv0lipuOLCQ1fRhteoeVL\n9qp/BM8fEEhnuYDq0zxlPLu0hYi4Fuc8KHdY7Qwe16q+d8J28GCxxW2gfxS9Yn+O\nQn6yF3Q4LtmxLqgBtFaI8sKS7O4qrBWSIxONEZP8FpMMgaAJv4b6lwjfyLsAA5kE\n64jd5MXrCGbu7BawrQ/PLVl/7WqADp1CeDskQM1/9i75ZIErcXrOte1pCftCnVGZ\nKiHS2JmBFhzUOb3efwgTKSggoFf/NPJ2Ja50qutS/ovXakYgHVKpEeKbirE0TYCf\nFb79EAinP8Q+1W/z/bgJ2SoVm4akf/BzSwIDAQABoxgwFjAUBgNVHREEDTALggls\nb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAJkx7OvrTdXYu4OXF8kzKk9WSmw4\nPLmyUdSgBChBGu2MABSRK4imQ//6NmKWqtMLlJ0JpkTSJMjmU7xCg15Q/eaH/YSc\no+ji6ShoSFlZcm2LuGCvwMOmfnsMKtNSyUPq5n3MvJZUCEh7Ojc/N3yxzROvUQwA\n3EctLRWtYZzFYc5sFYHGNVOqaTabV3zbCtO5oaEmZplRtQ4ZzPoDu+Bzk9aFrQD3\naIPpuoaK27+y0u0/1IgziR2pYrUV8MH63jxG6LEsg3I0+VSXjlZfUBPAItId3p65\n97wQcJErutieNl8blnVm+lAU+R273CxnJGwjoBayYJxqpB5UN10DiSNo/Lc=\n-----END CERTIFICATE-----"
        }
    }
}

Creating a Self-Signed Certificate Using OpenSSL (An Example)

To create a self-signed certificate using OpenSSL, follow these steps:

Step 1: Generate a Private Key

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

Step 2: Create a Certificate Signing Request (CSR)

openssl req -new -key private_key.pem -out csr.pem -subj "/C=US/ST=State/L=City/O=Organization/OU=Unit/CN=example.com"

Step 3: Generate a Self-Signed Certificate

openssl x509 -req -days 90 -in csr.pem -signkey private_key.pem -out certificate.pem

Example of the Generated Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

This certificate can then be used in the API request to create a new certificate.

NOTE: The certificate generated above will need to be formatted correctly before sending it in a request body.
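
The formatting step mentioned in the note, as an added example that is not part of the original page: it checks a certificate file against the RSA key-size and validity requirements listed above, then prints the request body with the PEM line breaks written as \n. It assumes openssl, awk and GNU date are installed; the function names are illustrative.

```bash
# Added example, not from the original page. Assumes openssl, awk and GNU date.
MAX_DAYS=90      # validity limit from the requirements list
MIN_BITS=2048    # minimum RSA key size from the requirements list

# Print the public key size in bits (for example 2048).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print notAfter minus notBefore in seconds.
cert_validity_seconds() {
    local start end
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( $(date -u -d "$end" +%s) - $(date -u -d "$start" +%s) ))
}

# Check the file against the requirements, then print the request body.
# Returns non-zero and prints nothing on stdout when a check fails.
build_cert_body() {
    local pem=$1 bits secs
    openssl x509 -in "$pem" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $pem" >&2; return 1; }
    openssl x509 -in "$pem" -noout -text |
        grep -q 'Public Key Algorithm: rsaEncryption' ||
        { echo "certificate does not carry an RSA key" >&2; return 1; }
    bits=$(cert_key_bits "$pem")
    [ "$bits" -ge "$MIN_BITS" ] ||
        { echo "key is $bits bits, need $MIN_BITS or more" >&2; return 1; }
    secs=$(cert_validity_seconds "$pem")
    [ "$secs" -le $(( MAX_DAYS * 86400 )) ] ||
        { echo "validity period exceeds $MAX_DAYS days" >&2; return 1; }
    # Re-emit only the certificate block and join its lines with a literal \n,
    # the way the request body example on this page encodes the line breaks.
    openssl x509 -in "$pem" -outform PEM |
        awk 'BEGIN { printf "{\"data\":{\"type\":\"certificates\",\"attributes\":{\"certificate\":\"" }
             { printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }
             END { print "\"}}}" }'
}
```

Run it as build_cert_body certificate.pem > body.json; only certificate.pem is read, and private_key.pem never needs to leave the machine that generated it.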



Keywords: person-api
Doc ID: 158407
Owned by: Jared K. in DoIT Enterprise Integration - API Team
Created: 2026-02-09
Updated: 2026-02-10
Sites: DoIT Enterprise Integration - API Team