Generate a New Certificate with Private Key for a Server

Submit a Certificate Signing Request (CSR)

Generate a Long Lived Access Token

Your Current Tokens

Authentication

All API requests require a valid Bearer Token. You must issue a long-lived access token before you can use these endpoints.

Authorization: Bearer YOUR_TOKEN_HERE
Header | Type | Description
Authorization | string | Value must be Bearer <token>.
X-Auth-Key | string | Fallback: You can use this if your request passes through a proxy that does not comply with RFC 9110 11.6.2 (e.g., proxies that strip or modify standard Authorization headers).

Example: Issue a web server certificate based on a list of domain names

Use this endpoint if you do not have a CSR. The server will generate the keys for you and include them in the response.

curl -X POST https://pki-self-service.it.aris.com/api/issue \
     -H "Authorization: Bearer YOUR_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{
       "DnsNames": ["server1.ad.aris.com", "server2.ad.aris.com"],
       "KeyAlgorithm": "RSA_2048",
       "PfxPassword": "optional-password",
       "EnhancedKeyUsage": ["ServerAuthentication"],
       "KeyUsage": ["DigitalSignature", "KeyEncipherment"]
     }'
Request Body Field | Type | Description
DnsNames | array | DNS Subject Alternative Names (SANs): ["server1.ad.aris.com", "server2.ad.aris.com"]
KeyAlgorithm | string | Possible values: RSA_2048, RSA_4096, ECDSA_P256, ECDSA_P384, ECDSA_P521
EnhancedKeyUsage | array | For Web Server: ["ServerAuthentication"]
PfxPassword | string | Optional: Password for the returned PFX file
KeyUsage | array | For RSA keys: ["KeyEncipherment", "DigitalSignature"]; for ECDSA keys: ["DigitalSignature"]

Example: Issue a certificate via CSR

Use this endpoint if you have already generated a Private Key and a Certificate Signing Request (CSR) on your own machine.

curl -X POST https://pki-self-service.it.aris.com/api/issue \
     -H "Authorization: Bearer YOUR_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{
       "Csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICvDCCAaQCAQAw...",
       "PfxPassword": "optional-password"
     }'
Request Body Field | Type | Description
Csr | string | The CSR content in PEM format
PfxPassword | string | Optional: Password for the returned PFX file

API Response Format

Upon a successful request (HTTP 200), the API returns a JSON object containing the issued certificate in multiple formats.

{
  "subjectName": "CN=server1.ad.aris.com",
  "caCertificatePem": "-----BEGIN CERTIFICATE-----\nMIIF9zCCA9  ...  FBSXkn+XOA==\n-----END CERTIFICATE-----",
  "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIFPDCCAySg  ...  Ku3+F7GBa24+\n-----END CERTIFICATE-----",
  "certificateChainPem": "-----BEGIN CERTIFICATE-----\nMIIFPDC  ...  FBSXkn+XOA==\n-----END CERTIFICATE-----",
  "privateKeyPem": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANB  ...  JZREr9nz6zE9\n-----END PRIVATE KEY-----",
  "pfxBase64Data": "MIIRowIBAzCCEV8GCSqGSIb3DQEHAaCCEVAEghFMMI  ...  zsEFD/bOwcOUpRZ+gUpyAezBaR5Lz9bAgIH0A=="
}
Field | Format | Handling / Usage
subjectName | string | The distinguished name (DN) of the issued certificate.
certificatePem | text/pem | The leaf certificate. Save directly as .crt or .pem.
caCertificatePem | text/pem | The issuing CA certificate. Used to establish trust.
certificateChainPem | text/pem | The full bundle (Leaf + CA). Best for web server configuration.
privateKeyPem | text/key | The private key. Keep secure. Only returned if the API generated the keys.
pfxBase64Data | base64 | Binary PFX (PKCS#12) container. Must be decoded from Base64 before saving as .pfx.
Developer Tip: All Pem fields are standard strings - you can write their content directly to disk. For pfxBase64Data, use a Base64 decoder (e.g., Convert.FromBase64String in C# or base64 --decode in Linux) to save it as a binary file.
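
Added example (not part of the original page or the service's own code): one way to write the response fields described above to disk so that the private key and PFX are created owner-only and the Base64 is decoded strictly. The file names, the SAMPLE response and the function names are assumptions made for this example, and the certificate and key bodies are constructed placeholders.

```python
import base64
import json
import os
from pathlib import Path

# Response fields documented above, mapped to file names chosen for this example.
PEM_FIELDS = {"certificatePem": "server.crt", "caCertificatePem": "ca.crt",
              "certificateChainPem": "chain.pem"}

# Constructed sample response (placeholder bodies, not real certificates or keys).
_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE = json.dumps({
    "subjectName": "CN=server1.example.test",
    "certificatePem": _CERT, "caCertificatePem": _CERT,
    "certificateChainPem": _CERT + _CERT,
    "privateKeyPem": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n",
    "pfxBase64Data": base64.b64encode(b"constructed-pfx-bytes").decode(),
})

def _write(path, data, mode):
    # O_EXCL refuses to overwrite an existing file or to follow a pre-placed symlink;
    # the mode is applied at creation, so the key is never briefly world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def save_issue_response(body, out_dir):
    """Write the fields of an /api/issue response into out_dir; return {field: path}."""
    resp = json.loads(body)
    out = Path(out_dir)
    out.mkdir(mode=0o700, parents=True, exist_ok=True)
    written = {}
    for field, name in PEM_FIELDS.items():
        pem = resp[field]
        if not pem.startswith("-----BEGIN CERTIFICATE-----"):
            raise ValueError(f"{field} is not a PEM certificate")
        _write(out / name, pem.encode("ascii"), 0o644)
        written[field] = out / name
    # privateKeyPem is only present when the server generated the key pair.
    if resp.get("privateKeyPem"):
        _write(out / "server.key", resp["privateKeyPem"].encode("ascii"), 0o600)
        written["privateKeyPem"] = out / "server.key"
    # validate=True rejects stray characters instead of silently discarding them.
    if resp.get("pfxBase64Data"):
        pfx = base64.b64decode(resp["pfxBase64Data"], validate=True)
        _write(out / "server.pfx", pfx, 0o600)
        written["pfxBase64Data"] = out / "server.pfx"
    return written
```

Call save_issue_response(response_text, "/path/to/dir") with the JSON body returned by the API; a second run into the same directory fails with FileExistsError rather than replacing an existing key.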

Users who can request certificates

Account | Request Filter (regex) | Enable
Regex Examples
Without Wildcards
With Wildcards