Thales CipherTrust Manager
This Integration is part of the Thales CipherTrust Manager Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Manage secrets and protect sensitive data through Thales CipherTrust security platform. This integration was integrated and tested with version v1 of CipherTrust.
Configure Thales CipherTrust Manager on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Thales CipherTrust Manager.
Click Add instance to create and configure a new integration instance.
Parameter Required Server URL True Username True Password True Trust any certificate (not secure) False Use system proxy settings False Click Test to validate the URLs, token, and connection.
Main Use Cases for the Thales CipherTrust Manager Integration#
The Thales CipherTrust Manager integration supports several key use cases:
1. Groups Management#
Groups management is essential for organizing users and defining permissions within the Thales CipherTrust Manager.
Overview:
A group carries with it permissions for performing specific tasks. A group also consists of a set of users and/or clients that have been authorized to perform these tasks. The CipherTrust Manager defines Special System Users, System Defined Groups, and User Defined Groups. System Defined Groups exist on CipherTrust Manager at launch time. Each System Defined Group carries with it permissions to perform specific tasks. \ To read more about the Special System Users and System Defined Groups, refer to the CipherTrust Manager documentation.
User Defined Groups: User Defined Groups User Defined Groups are created by Application Administrators. Administrators may use groups solely for organizing users, or may create policies that use group membership to assign other permissions. Adding group permissions to keys grants users in a User Defined Group the privileges to perform operations with those keys. Groups are stored in CipherTrust Manager's internal database.
2. Users Management#
Users management is critical for ensuring secure access and proper account management within the Thales CipherTrust Manager.
Overview:
Users are unique individuals or systems using the CipherTrust API. Users are authenticated against authentication systems, called "connections". A "connection" can be an identity provider, such as an OpenID endpoint, or a directory, such as LDAP or AD. CipherTrust Manager has a built-in, internal user directory, whose connection name is "local_account".
The User's connection property refers to the authentication system in which the user's credentials and identity reside. When you create a User, you must specify the connection: this tells CipherTrust Manager which authentication system it should use to authenticate the User. Some connections may require additional, connection-specific properties to create the User.
CipherTrust Manager supports external authentication systems. Once a user is authenticated against an external authentication system, a user will be created with connection|unique ID. This unique ID will be taken from an attribute associated with that user on the external authentication system.
The user_id identifies Users and it is in the form of:
connection|unique ID in that connectionThe internal user database uses UUIDs, so a user in the local_account connection might have a user_id of:
local_account|9cd4196b-b4b3-42d7-837f-d4fdeff36538Users have two attributes,
user_metadataandapp_metadata, which can be used to store application-specific information. The system does not use this information; it just stores it for the convenience of applications using the API. These properties are unstructured JSON documents: the caller can put any JSON-structured information in them.user_metadatais typically used to store application-specific data which the end user is allowed to see and modify, such as user preferences.app_metadatais typically used to store application-specific data about the user which the end user is not allowed to view or modify, such as the user's security roles.certificate_subject_dnis used to store Distinguished Name. To enable certificate-based authentication, add"user_certificate"authentication method in allowed_auth_methods. Value of Distinguished Name in the certificate and the value in the user object must match for successful authentication.allowed_client_typesandallowed_auth_methodsdo not control login behavior for users in admin group.
3. Certificate Authority#
Managing digital certificates is crucial for maintaining secure communications and ensuring data integrity.
Overview:
A Certificate Authority (CA) issues and installs digital certificates and certificate signing requests (CSR).
A certificate generally acts as the identity of a server or client and this API can be used to issue server and client certificates in order to setup trusted communication channels to the system. A Certificate Authority acts as the initially trusted shared entity between peers and can issue signed certificates to make it possible for each party to trust the other.
The system distinguishes between local CAs and external CAs with the difference that a local CA can issue signed certificates as the private signing key is stored inside the system. An external CA does not store the private key and can instead be used as a trusted entity for various interfaces and services inside the system when certificates are issued externally. It is fine to have a mix of both.
During initial bootstrapping of a new server a new local CipherTrust Manager root CA is automatically generated. This CA is later used to issue a server certificate for the interfaces available in the system. An easy way to inspect the certificate chain is to view the certificates in your browser when you connect to the web interface. All interfaces and services will by default trust this CA which means that a client certificate issued from this initial CipherTrust Manager root CA will automatically be trusted by the system. If preferred it is possible to create new local CAs and/or external CAs and instead used them for the internal interfaces and services.
Creating a local CA is a two-step process:
- Invoke Create local CA which creates a local CA in pending state and returns a CSR for signing. A pending local CA can then be activated in two ways:
- Invoke Self-sign a local CA to let the CA sign itself. This is typically done for Root CAs.
- Invoke Install a local CA which requires a signed certificate based on the CSR from the pending CA. This certificate can be signed by any other entity such as an external CA or even an other local CA.
- Once a local CA exists a signed certificate can be issued by invoking Issue certificate and provide the CSR, the purpose and the duration. A new signed certificate will be returned.
CipherTrust Manager allows to revoke and resume certificates signed by local CA. User can specify a reason to revoke a certificate according to RFC 5280. Certificates revoked with certificateHold reason will only allow resuming.
Creating an external CA is a single step:
- Invoke Upload external CA and provide the signed external CA certificate.
- Invoke Create local CA which creates a local CA in pending state and returns a CSR for signing. A pending local CA can then be activated in two ways:
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
ciphertrust-csr-generate#
Creates a Certificate Signing Request (CSR) and its corresponding private key. This API does not store any state on the server as everything is returned in the result. This means that both the CSR and the private key must be stored securely on the client side. The private key can optionally be encrypted with a password. It is strongly recommended to encrypt the private key. If not specified, the private_key_file_password is mandatory and the file itself is protected with the password even if the private key is not encrypted.
Base Command#
ciphertrust-csr-generate
Input#
| Argument Name | Description | Required |
|---|---|---|
| cn | Common Name. | Required |
| algorithm | RSA or ECDSA (default) algorithms are supported. A signature algorithm (SHA512WithRSA, SHA384WithRSA, SHA256WithRSA, SHA1WithRSA, ECDSAWithSHA512, ECDSAWithSHA384, ECDSAWithSHA256) is selected based on the algorithm and size. Possible values are: RSA, ECDSA. | Optional |
| dns_names | A comma-separated list of Subject Alternative Names (SAN) values. | Optional |
| A comma-separated list of e-mail addresses. | Optional | |
| ip | A comma-separated list of IP addresses. | Optional |
| name | A unique name of the CSR. | Optional |
| encryption_algo | Private key encryption algorithm. Possible values are: AES256, AES192, AES128, TDES. | Optional |
| name_fields_raw_json | Name fields are "O=organization, OU=organizational unit, L=location, ST=state/province, C=country". Fields can be duplicated if present in different objects. This is a raw json string, for example: "[{"O": "Thales", "OU": "RnD", "C": "US", "ST": "MD", "L": "Belcamp"}, {"OU": "Thales Group Inc."}]". | Optional |
| name_fields_json_entry_id | Entry ID of the file that contains the JSON representation of the name_fields_raw_json. | Optional |
| key_size | Key size. RSA: 1024 - 4096 (default: 2048), ECDSA: 256 (default), 384, 521. Possible values are: 1024, 2048, 3072, 4096, 256, 384, 521. | Optional |
| encryption_password | Password to PEM-encrypt the private key. If not specified, the private key is not encrypted in return. It is strongly recommended to encrypt the private key. If not specified, the private_key_file_password is mandatory. | Optional |
| private_key_file_password | Password to encrypt the private key file. It is strongly recommended to encrypt the private key. If not specified, the private key is encrypted with the password which must be provided. | Optional |
| private_key_bytes | Private Key bytes of the key which is to be used while creating CSR. (The algorithm and size should be according to this key). If not given will generate key internally as per algorithm and size. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
Command example#
!ciphertrust-csr-generate cn="example_csr" private_key_file_password=123
Context Example#
Human Readable Output#
CSR and its corresponding private key have been generated successfully for example_csr.
ciphertrust-certificate-issue#
Issues a certificate by signing the provided CSR with the CA. This is typically used to issue server, client or intermediate CA certificates. Either duration or not_after date must be specified. If both not_after date and duration are given, then not_after takes precedence over duration. If duration is given without not_before date, ceritificate is issued starting from server's current time for the specified duration.
Base Command#
ciphertrust-certificate-issue
Input#
| Argument Name | Description | Required |
|---|---|---|
| ca_id | An identifier of the issuer CA resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| csr_entry_id | The entry ID of the file to upload that contains CSR in PEM format. | Required |
| purpose | Purpose of the certificate. Possible values are: server, client, ca. | Required |
| duration | Duration in days of certificate. Either duration or not_after date must be specified. Default is 365. | Optional |
| name | A unique name of the certificate. If not provided, will be set to cert-<id>. | Optional |
| not_after | End date of the certificate. Either not_after date or duration must be specified. not_after overrides duration if both are given. | Optional |
| not_before | Start date of the certificate. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.CACertificate.id | String | A unique identifier for the certificate authority (CA). |
| CipherTrust.CACertificate.uri | String | Uniform Resource Identifier associated with the CA. |
| CipherTrust.CACertificate.account | String | Account associated with the CA. |
| CipherTrust.CACertificate.application | String | Application associated with the CA. |
| CipherTrust.CACertificate.devAccount | String | Developer account associated with the CA. |
| CipherTrust.CACertificate.name | String | Name of the CA. |
| CipherTrust.CACertificate.state | String | Current state of the CA (e.g., active, pending). |
| CipherTrust.CACertificate.createdAt | Date | Timestamp of when the CA was created. |
| CipherTrust.CACertificate.updatedAt | Date | Timestamp of the last update of the CA. |
| CipherTrust.CACertificate.serialNumber | String | Serial number of the CA's certificate. |
| CipherTrust.CACertificate.subject | String | Subject of the CA's certificate. |
| CipherTrust.CACertificate.issuer | String | Issuer of the CA's certificate. |
| CipherTrust.CACertificate.ca | String | Certificate authority. |
| CipherTrust.CACertificate.revoked_at | String | Revocation timestamp. |
| CipherTrust.CACertificate.sha1Fingerprint | String | SHA1 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha256Fingerprint | String | SHA256 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha512Fingerprint | String | SHA512 fingerprint of the certificate. |
| CipherTrust.CACertificate.notBefore | Date | Timestamp of when the certificate is valid from. |
| CipherTrust.CACertificate.notAfter | Date | Timestamp of when the certificate is valid until. |
Command example#
!ciphertrust-certificate-issue ca_id="example_local_ca" csr_entry_id="2234@a48e3cfd-a079-4895-89a7-4fac11b8143d" purpose=server duration=365
Context Example#
Human Readable Output#
cert-d897c45c-30c7-4681-825d-4598e1234ddf has been issued successfully!
ciphertrust-certificate-list#
Returns a list of certificates issued by the specified CA. The results can be filtered, using the command arguments.
Base Command#
ciphertrust-certificate-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| ca_id | An identifier of the issuer CA resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| subject | Filter by the subject. | Optional |
| issuer | Filter by the issuer. | Optional |
| cert | Filter by the cert. | Optional |
| id | Filter by ID or URI. | Optional |
| page | Page to return. | Optional |
| page_size | Number of entries per page. Defaults to 2000 (in case only page was provided). Maximum entries per page is 2000. | Optional |
| limit | The maximum number of entries to return. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.CACertificate.name | String | The name of the certificate. |
| CipherTrust.CACertificate.id | String | A unique identifier for the certificate. |
| CipherTrust.CACertificate.uri | String | Uniform Resource Identifier associated with the certificate. |
| CipherTrust.CACertificate.account | String | Account associated with the certificate. |
| CipherTrust.CACertificate.application | String | Application associated with the certificate. |
| CipherTrust.CACertificate.devAccount | String | Developer account associated with the certificate. |
| CipherTrust.CACertificate.createdAt | Date | Timestamp of when the certificate was created. |
| CipherTrust.CACertificate.updatedAt | Date | Timestamp of the last update of the certificate. |
| CipherTrust.CACertificate.ca | String | Certificate authority. |
| CipherTrust.CACertificate.revoked_at | String | Revocation timestamp. |
| CipherTrust.CACertificate.sha1Fingerprint | String | SHA1 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha256Fingerprint | String | SHA256 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha512Fingerprint | String | SHA512 fingerprint of the certificate. |
| CipherTrust.CACertificate.serialNumber | String | Serial number of the certificate. |
| CipherTrust.CACertificate.subject | String | Subject of the certificate. |
| CipherTrust.CACertificate.issuer | String | Issuer of the certificate. |
| CipherTrust.CACertificate.notBefore | Date | Timestamp of when the certificate is valid from. |
| CipherTrust.CACertificate.notAfter | Date | Timestamp of when the certificate is valid until. |
Command example#
!ciphertrust-certificate-list ca_id="localca-3dc1f629-23b6-4cce-876a-c7d07a4862cd"
Context Example#
Human Readable Output#
Certificates issued by localca-3dc1f629-23b6-4cce-876a-c7d07a4862cd#
Id Uri Createdat Updatedat Name Ca RevokedReason RevokedAt State Sha1Fingerprint Sha256Fingerprint Sha512Fingerprint Serialnumber Subject Issuer Notbefore Notafter 731d4f15-ea27-4cd5-bd11-7f8d488f51b7 kylo:kylo:naboo:certs:731d4f15-ea27-4cd5-bd11-7f8d488f51b7 2024-06-13T16:22:50.935704Z 2024-06-13T16:27:51.151693Z cert-731d4f15-ea27-4cd5-bd11-7f8d488f51b7 kylo:kylo:naboo:localca:3dc1f629-23b6-4cce-876a-c7d07a4862cd certificateHold 2024-06-13T16:27:51.151471Z revoked EEDE423751F0D393B775CAC3795B9CBB4D67ADF3 6E0BCC3C4294725AA9D8CA797A65066458A08DF243A5B1335A17BF1CE5E8EDD6 7C41E2235A73B61CB1456155DCBA2C05272DC9585521B84067BD579F9E73E0B598F1805C1593E81D767D702BE5466D367FC4D64555118F9832E1D0B3BC0CF1C3 278194539608420376178600649699280848294 /CN=ui_test /CN=demo_prep_example.com 2024-06-13T16:22:51Z 2025-06-02T13:58:56Z 0fb15f00-722c-412e-a1e8-6eb6130e87ba kylo:kylo:naboo:certs:0fb15f00-722c-412e-a1e8-6eb6130e87ba 2024-06-10T07:33:00.686183Z 2024-06-13T16:22:14.494428Z cert-0fb15f00-722c-412e-a1e8-6eb6130e87ba kylo:kylo:naboo:localca:3dc1f629-23b6-4cce-876a-c7d07a4862cd 0001-01-01T00:00:00Z active B8FE025144990B0662940F938E7C68E67877B76E 6F4E76E3B66E0E33F59EE24DBEF63E00FE8ACA8C14E504D20D184FD6CC0ACED3 7BF057227CC78B7E410023698B65D5D12018F4E102243A1D62445A7ACE1C92E53EBEDA25F3EAA9E3C0AA44CF217C2F426D1F05BAC1C4B522926E78EC83C1D7E1 94578324115075140466834527563222175449 /CN=test123 /CN=demo_prep_example.com 2024-06-10T07:33:19Z 2025-06-02T13:58:56Z e7ed2c9d-db2e-4625-a224-33007cee64ca kylo:kylo:naboo:certs:e7ed2c9d-db2e-4625-a224-33007cee64ca 2024-06-03T12:03:51.448698Z 2024-06-03T12:03:51.448698Z cert-e7ed2c9d-db2e-4625-a224-33007cee64ca kylo:kylo:naboo:localca:3dc1f629-23b6-4cce-876a-c7d07a4862cd 0001-01-01T00:00:00Z active D839A29F86EFFA3A4569FEF6B146F79C807433FC E18D1BB65DB40B1491534014E496CF62E106361DC1EDF6DB2B984DDF51A603C5 FCAFDFBE22083DF455A0392E9C427CF05E437F3C5027EB949838A5525BE09BE13A3DE6EC04DF9B4AC361C29F718D99C2736557BFD3CCB5AA1C1EF6B8B2554084 84999099666945695093203891019263091250 /CN=example /CN=demo_prep_example.com 2024-06-03T12:04:10Z 2025-06-02T13:58:56Z 1 to 3 of 3 Certificates issued by localca-3dc1f629-23b6-4cce-876a-c7d07a4862cd
ciphertrust-certificate-resume#
Certificate can be resumed only if it is revoked with reason certificateHold.
Base Command#
ciphertrust-certificate-resume
Input#
| Argument Name | Description | Required |
|---|---|---|
| ca_id | An identifier of the issuer CA resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| cert_id | An identifier of the certificate resource. This can be either the ID (a UUIDv4), the URI, or the slug (which is the last component of the URI). | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.CACertificate.name | String | The name of the certificate. |
| CipherTrust.CACertificate.id | String | A unique identifier for the certificate. |
| CipherTrust.CACertificate.uri | String | Uniform Resource Identifier associated with the certificate. |
| CipherTrust.CACertificate.account | String | Account associated with the certificate. |
| CipherTrust.CACertificate.application | String | Application associated with the certificate. |
| CipherTrust.CACertificate.devAccount | String | Developer account associated with the certificate. |
| CipherTrust.CACertificate.createdAt | Date | Timestamp of when the certificate was created. |
| CipherTrust.CACertificate.updatedAt | Date | Timestamp of the last update of the certificate. |
| CipherTrust.CACertificate.ca | String | Certificate authority. |
| CipherTrust.CACertificate.revoked_at | Date | Revocation timestamp. |
| CipherTrust.CACertificate.state | String | Current state of the certificate (e.g., active, revoked). |
| CipherTrust.CACertificate.sha1Fingerprint | String | SHA1 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha256Fingerprint | String | SHA256 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha512Fingerprint | String | SHA512 fingerprint of the certificate. |
| CipherTrust.CACertificate.serialNumber | String | Serial number of the certificate. |
| CipherTrust.CACertificate.subject | String | Subject of the certificate. |
| CipherTrust.CACertificate.issuer | String | Issuer of the certificate. |
| CipherTrust.CACertificate.notBefore | Date | Timestamp of when the certificate is valid from. |
| CipherTrust.CACertificate.notAfter | Date | Timestamp of when the certificate is valid until. |
Command example#
!ciphertrust-certificate-resume ca_id="localca-3dc1f629-23b6-4cce-876a-c7d07a4862cd" cert_id="0fb15f00-722c-412e-a1e8-6eb6130e87ba"
Context Example#
Human Readable Output#
0fb15f00-722c-412e-a1e8-6eb6130e87ba has been resumed
ciphertrust-certificate-revoke#
Revoke certificate with a given specific reason.
Base Command#
ciphertrust-certificate-revoke
Input#
| Argument Name | Description | Required |
|---|---|---|
| ca_id | An identifier of the issuer CA resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| cert_id | An identifier of the certificate resource. This can be either the ID (a UUIDv4), the URI, or the slug (which is the last component of the URI). | Required |
| reason | Specify one of the reasons to revoke a certificate according to RFC 5280. Possible values are: unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, removeFromCRL, privilegeWithdrawn, aACompromise. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.CACertificate.name | String | The name of the certificate. |
| CipherTrust.CACertificate.id | String | A unique identifier for the certificate. |
| CipherTrust.CACertificate.uri | String | Uniform Resource Identifier associated with the certificate. |
| CipherTrust.CACertificate.account | String | Account associated with the certificate. |
| CipherTrust.CACertificate.application | String | Application associated with the certificate. |
| CipherTrust.CACertificate.devAccount | String | Developer account associated with the certificate. |
| CipherTrust.CACertificate.createdAt | Date | Timestamp of when the certificate was created. |
| CipherTrust.CACertificate.updatedAt | Date | Timestamp of the last update of the certificate. |
| CipherTrust.CACertificate.ca | String | Certificate authority. |
| CipherTrust.CACertificate.revoked_at | Date | Revocation timestamp. |
| CipherTrust.CACertificate.revoked_reason | String | Reason for revocation. |
| CipherTrust.CACertificate.state | String | Current state of the certificate (e.g., active, revoked). |
| CipherTrust.CACertificate.sha1Fingerprint | String | SHA1 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha256Fingerprint | String | SHA256 fingerprint of the certificate. |
| CipherTrust.CACertificate.sha512Fingerprint | String | SHA512 fingerprint of the certificate. |
| CipherTrust.CACertificate.serialNumber | String | Serial number of the certificate. |
| CipherTrust.CACertificate.subject | String | Subject of the certificate. |
| CipherTrust.CACertificate.issuer | String | Issuer of the certificate. |
| CipherTrust.CACertificate.notBefore | Date | Timestamp of when the certificate is valid from. |
| CipherTrust.CACertificate.notAfter | Date | Timestamp of when the certificate is valid until. |
Command example#
!ciphertrust-certificate-revoke ca_id="localca-3dc1f629-23b6-4cce-876a-c7d07a4862cd" cert_id="0fb15f00-722c-412e-a1e8-6eb6130e87ba" reason="certificateHold"
Context Example#
Human Readable Output#
0fb15f00-722c-412e-a1e8-6eb6130e87ba has been revoked
ciphertrust-external-ca-delete#
Deletes an external CA certificate.
Base Command#
ciphertrust-external-ca-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| external_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the Name, the URI, or the slug (which is the last component of the URI). | Required |
Context Output#
There is no context output for this command.
Command example#
!ciphertrust-external-ca-delete external_ca_id="123e0a83-63d3-4632-925b-e78ddbfc7774"
Human Readable Output#
123e0a83-63d3-4632-925b-e78ddbfc7774 has been deleted successfully!
ciphertrust-external-ca-list#
Returns a list of external CA certificates. The results can be filtered, using the command arguments.
Base Command#
ciphertrust-external-ca-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| external_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Optional |
| subject | Filter by the subject. | Optional |
| issuer | Filter by the issuer. | Optional |
| serial_number | Filter by the serial number. | Optional |
| cert | Filter by the cert. | Optional |
| page | Page to return. | Optional |
| page_size | Number of entries per page. Defaults to 2000 (in case only page was provided). Maximum entries per page is 2000. | Optional |
| limit | The maximum number of entries to return. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g. ,"PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.ExternalCA.id | String | A unique identifier for the certificate authority (CA) certificate. |
| CipherTrust.ExternalCA.uri | String | Uniform Resource Identifier associated with the CA certificate. |
| CipherTrust.ExternalCA.account | String | Account associated with the CA certificate. |
| CipherTrust.ExternalCA.devAccount | String | Developer account associated with the CA certificate. |
| CipherTrust.ExternalCA.application | String | Application associated with the CA certificate. |
| CipherTrust.ExternalCA.createdAt | Date | Timestamp of when the CA certificate was created. |
| CipherTrust.ExternalCA.updatedAt | Date | Timestamp of the last update of the CA certificate. |
| CipherTrust.ExternalCA.name | String | Name of the CA certificate. |
| CipherTrust.ExternalCA.purpose.client_authentication | String | If set to enabled, the certificates signed by the specified CA can be used for client authentication. |
| CipherTrust.ExternalCA.purpose.user_authentication | String | If set to enabled, the certificates signed by the specified CA can be used for user authentication. |
| CipherTrust.ExternalCA.serialNumber | String | Serial number of the CA certificate. |
| CipherTrust.ExternalCA.subject | String | Subject of the CA certificate. |
| CipherTrust.ExternalCA.issuer | String | Issuer of the CA certificate. |
| CipherTrust.ExternalCA.notBefore | Date | Timestamp of when the CA certificate is valid from. |
| CipherTrust.ExternalCA.notAfter | Date | Timestamp of when the CA certificate is valid until. |
| CipherTrust.ExternalCA.sha1Fingerprint | String | SHA1 fingerprint of the CA certificate. |
| CipherTrust.ExternalCA.sha256Fingerprint | String | SHA256 fingerprint of the CA certificate. |
| CipherTrust.ExternalCA.sha512Fingerprint | String | SHA512 fingerprint of the CA certificate. |
Command example#
!ciphertrust-external-ca-list
Context Example#
Human Readable Output#
External Certificate Authorities#
Name Subject Serial # Activation Expiration Client Auth User Auth test_ui /CN=ui_test 22416116914186521030446027138329400040 13 Jun 2024, 16:20 13 Jun 2025, 16:20 Disabled Disabled test_external_cert /C=US/ST=TX/L=Austin/O=Gemalto/OU=RnD/CN=ca.kylo.gemalto.com 0 02 Aug 2017, 22:42 26 Jul 2047, 22:42 Disabled Disabled sample-ex-CA /C=US/ST=TX/L=Austin/O=Gemalto/OU=RnD/CN=ca.kylo.gemalto.com 0 02 Aug 2017, 22:42 26 Jul 2047, 22:42 Disabled Disabled externalca-5304de93-6939-4a26-bdb4-5e3d0b2fdb38 /C=US/ST=TX/L=Austin/O=Gemalto/OU=RnD/CN=ca.kylo.gemalto.com 0 02 Aug 2017, 22:42 26 Jul 2047, 22:42 Disabled Disabled externalca-208d8f42-1af3-4039-8b02-5e38fb4723f4 /C=US/ST=TX/L=Austin/O=Gemalto/OU=RnD/CN=ca.kylo.gemalto.com 0 02 Aug 2017, 22:42 26 Jul 2047, 22:42 Disabled Disabled sample-ex-CA1 /C=US/ST=TX/L=Austin/O=Gemalto/OU=RnD/CN=ca.kylo.gemalto.com 0 02 Aug 2017, 22:42 26 Jul 2047, 22:42 Disabled Disabled 1 to 6 of 6 External Certificate Authorities
ciphertrust-external-ca-update#
Update an external CA.
Base Command#
ciphertrust-external-ca-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| external_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| allow_client_authentication | If set to true, the certificates signed by the specified CA can be used for client authentication. Possible values are: true, false. | Optional |
| allow_user_authentication | If set to true, the certificates signed by the specified CA can be used for user authentication. Possible values are: true, false. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.ExternalCA.id | String | A unique identifier for the certificate authority (CA) certificate. |
| CipherTrust.ExternalCA.uri | String | Uniform Resource Identifier associated with the CA certificate. |
| CipherTrust.ExternalCA.account | String | Account associated with the CA certificate. |
| CipherTrust.ExternalCA.devAccount | String | Developer account associated with the CA certificate. |
| CipherTrust.ExternalCA.application | String | Application associated with the CA certificate. |
| CipherTrust.ExternalCA.createdAt | Date | Timestamp of when the CA certificate was created. |
| CipherTrust.ExternalCA.updatedAt | Date | Timestamp of the last update of the CA certificate. |
| CipherTrust.ExternalCA.name | String | Name of the CA certificate. |
| CipherTrust.ExternalCA.purpose.client_authentication | String | If set to enabled, the certificates signed by the specified CA can be used for client authentication. |
| CipherTrust.ExternalCA.purpose.user_authentication | String | If set to enabled, the certificates signed by the specified CA can be used for user authentication. |
| CipherTrust.ExternalCA.serialNumber | String | Serial number of the CA certificate. |
| CipherTrust.ExternalCA.subject | String | Subject of the CA certificate. |
| CipherTrust.ExternalCA.issuer | String | Issuer of the CA certificate. |
| CipherTrust.ExternalCA.notBefore | Date | Timestamp of when the CA certificate is valid from. |
| CipherTrust.ExternalCA.notAfter | Date | Timestamp of when the CA certificate is valid until. |
| CipherTrust.ExternalCA.sha1Fingerprint | String | SHA1 fingerprint of the CA certificate. |
| CipherTrust.ExternalCA.sha256Fingerprint | String | SHA256 fingerprint of the CA certificate. |
| CipherTrust.ExternalCA.sha512Fingerprint | String | SHA512 fingerprint of the CA certificate. |
Command example#
!ciphertrust-external-ca-update external_ca_id="123e0a83-63d3-4632-925b-e78ddbfc7774" allow_client_authentication=true allow_user_authentication=true
Context Example#
Human Readable Output#
123e0a83-63d3-4632-925b-e78ddbfc7774 has been updated successfully!
ciphertrust-external-ca-upload#
Uploads an external CA certificate. These certificates can later be trusted by services inside the system for verification of client certificates. The uploaded certificate must have "CA:TRUE" as part of the "X509v3 Basic Constraints" to be accepted.
Base Command#
ciphertrust-external-ca-upload
Input#
| Argument Name | Description | Required |
|---|---|---|
| cert_entry_id | The entry ID of the file to upload that contains the external CA certificate in PEM format. | Required |
| name | A unique name of the CA. If not provided, will be set to externalca-<id>. | Optional |
| parent | URI reference to a parent external CA certificate. This information can be used to build a certificate hierarchy. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.ExternalCA.id | String | A unique identifier for the certificate authority (CA) certificate. |
| CipherTrust.ExternalCA.uri | String | Uniform Resource Identifier associated with the CA certificate. |
| CipherTrust.ExternalCA.account | String | Account associated with the CA certificate. |
| CipherTrust.ExternalCA.devAccount | String | Developer account associated with the CA certificate. |
| CipherTrust.ExternalCA.application | String | Application associated with the CA certificate. |
| CipherTrust.ExternalCA.createdAt | Date | Timestamp of when the CA certificate was created. |
| CipherTrust.ExternalCA.updatedAt | Date | Timestamp of the last update of the CA certificate. |
| CipherTrust.ExternalCA.name | String | Name of the CA certificate. |
| CipherTrust.ExternalCA.purpose.client_authentication | String | If set to enabled, the certificates signed by the specified CA can be used for client authentication. |
| CipherTrust.ExternalCA.purpose.user_authentication | String | If set to enabled, the certificates signed by the specified CA can be used for user authentication. |
| CipherTrust.ExternalCA.serialNumber | String | Serial number of the CA certificate. |
| CipherTrust.ExternalCA.subject | String | Subject of the CA certificate. |
| CipherTrust.ExternalCA.issuer | String | Issuer of the CA certificate. |
| CipherTrust.ExternalCA.notBefore | Date | Timestamp of when the CA certificate is valid from. |
| CipherTrust.ExternalCA.notAfter | Date | Timestamp of when the CA certificate is valid until. |
| CipherTrust.ExternalCA.sha1Fingerprint | String | SHA-1 fingerprint of the CA certificate. |
| CipherTrust.ExternalCA.sha256Fingerprint | String | SHA-256 fingerprint of the CA certificate. |
| CipherTrust.ExternalCA.sha512Fingerprint | String | SHA-512 fingerprint of the CA certificate. |
Command example#
"!ciphertrust-external-ca-upload cert_entry_id=2327@a48e3cfd-a079-4895-89a7-4fac11b8143d#### Context Example"
Context Example#
Human Readable Output#
externalca-34c27997-4d5d-4bd3-9ee6-c93ee9abbc7f has been uploaded successfully!
ciphertrust-group-create#
Create a new group. The group name is required.
Base Command#
ciphertrust-group-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| name | Name of the group. | Required |
| description | Description of the group. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.Group.name | String | The name of the group. |
| CipherTrust.Group.created_at | Date | The time the group was created. |
| CipherTrust.Group.updated_at | Date | The time the group was last updated. |
| CipherTrust.Group.user_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. user_metadata is typically used by applications to store information about the resource which the end-users are allowed to modify, such as user preferences. |
| CipherTrust.Group.app_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. app_metadata is typically used by applications to store information which the end-users are not themselves allowed to change, like group membership or security roles. |
| CipherTrust.Group.client_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. client_metadata is typically used by applications to store information about the resource, such as client preferences. |
| CipherTrust.Group.description | String | The description of the group. |
| CipherTrust.Group.users_count | Number | The total user count associated with the group. |
Command example#
!ciphertrust-group-create name="example_group" description="this is an example group"
Context Example#
Human Readable Output#
example_group has been created successfully!
ciphertrust-group-delete#
Deletes a group given the group name.
Base Command#
ciphertrust-group-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| group_name | Name of the group. | Required |
| force | When set to true, groupmaps within this group will be deleted. Possible values are: true, false. | Optional |
Context Output#
There is no context output for this command.
Command example#
!ciphertrust-group-delete group_name="example_group" force=true
Human Readable Output#
example_group has been deleted successfully!
ciphertrust-group-list#
Returns a list of group Command arguments can be used to filter the results. Groups can be filtered for user or client membership. Connection filter applies only to user group membership and NOT to clients.
Base Command#
ciphertrust-group-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| group_name | Filter by group name. | Optional |
| user_id | Filter by user membership. Using the username 'nil' will return groups with no members. Accepts only a user ID. Using '-' at the beginning of user_id will return groups that the user is not part of. | Optional |
| connection | Filter by connection name or ID. | Optional |
| client_id | Filter by client membership. Using the client name 'nil' will return groups with no members. Using '-' at the beginning of client_id will return groups that the client is not part of. | Optional |
| page | Page to return. | Optional |
| page_size | Number of entries per page. Defaults to 2000 (in case only page was provided). Maximum entries per page is 2000. | Optional |
| limit | The maximum number of entries to return. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.Group.name | String | Name of the group. |
| CipherTrust.Group.created_at | Date | The time the group was created. |
| CipherTrust.Group.updated_at | Date | The time the group was last updated. |
| CipherTrust.Group.user_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. user_metadata is typically used by applications to store information about the resource which the end-users are allowed to modify, such as user preferences. |
| CipherTrust.Group.app_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. app_metadata is typically used by applications to store information which the end-users are not themselves allowed to change, like group membership or security roles. |
| CipherTrust.Group.client_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. client_metadata is typically used by applications to store information about the resource, such as client preferences. |
| CipherTrust.Group.description | String | Description of the group. |
| CipherTrust.Group.users_count | Number | The total user count associated with the group. |
Command example#
!ciphertrust-group-list page=1 page_size=10
Context Example#
Human Readable Output#
Groups#
Name Defined By No. Of Members Description admin System 1 All Clients System Application Data Protection Admins System Application Data Protection Clients System Audit Admins System Backup Admins System CA Admins System CCKM Admins System CCKM Users System Client Admins System 1 to 10 of 59 Groups
ciphertrust-group-update#
Update the properties of a group given the group name.
Base Command#
ciphertrust-group-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| group_name | Name of the group to update. | Required |
| new_group_name | New name of the group. | Optional |
| description | New description of the group. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.Group.name | String | The name of the group. |
| CipherTrust.Group.created_at | Date | The time the group was created. |
| CipherTrust.Group.updated_at | Date | The time the group was last updated. |
| CipherTrust.Group.user_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. user_metadata is typically used by applications to store information about the resource which the end-users are allowed to modify, such as user preferences. |
| CipherTrust.Group.app_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. app_metadata is typically used by applications to store information which the end-users are not themselves allowed to change, like group membership or security roles. |
| CipherTrust.Group.client_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. client_metadata is typically used by applications to store information about the resource, such as client preferences. |
| CipherTrust.Group.description | String | The description of the group. |
| CipherTrust.Group.users_count | Number | The total user count associated with the group. |
Command example#
!ciphertrust-group-update group_name="example_group" description="this is a modified description"
Context Example#
Human Readable Output#
example_group has been updated successfully!
ciphertrust-local-ca-create#
Creates a pending local CA. This operation returns a CSR that either can be self-signed by calling the ciphertrust-local-ca-self-sign command or signed by another CA and installed by calling the ciphertrust-local-ca-install command. A local CA keeps the corresponding private key inside the system and can issue certificates for clients, servers or intermediate CAs. The local CA can also be trusted by services inside the system for verification of client certificates.
Base Command#
ciphertrust-local-ca-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| cn | Common name. | Required |
| algorithm | RSA or ECDSA (default) algorithms are supported. Signature algorithm (SHA512WithRSA, SHA384WithRSA, SHA256WithRSA, SHA1WithRSA, ECDSAWithSHA512, ECDSAWithSHA384, ECDSAWithSHA256) is selected based on the algorithm and size. Possible values are: RSA, ECDSA. | Optional |
| copy_from_ca | ID of any local CA. If given, the CSR properties are copied from the given CA. | Optional |
| dns_names | A comma-separated list of Subject Alternative Names (SAN) values. | Optional |
| A comma-separated list of e-mail addresses. | Optional | |
| ip | A comma-separated list of IP addresses. | Optional |
| name | A unique name of the CA. If not provided, will be set to localca-<id>. | Optional |
| name_fields_raw_json | Name fields are "O=organization, OU=organizational unit, L=location, ST=state/province, C=country". Fields can be duplicated if present in different objects. This is a raw json string, for example: "[{"O": "Thales", "OU": "RnD", "C": "US", "ST": "MD", "L": "Belcamp"}, {"OU": "Thales Group Inc."}]". | Optional |
| name_fields_json_entry_id | Entry ID of the file that contains JSON representation of the name_fields_raw_json. | Optional |
| size | Key size. RSA: 1024 - 4096 (default: 2048), ECDSA: 256 (default), 384, 521. Possible values are: 256, 384, 521, 1024, 2048, 3072, 4096. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.LocalCA.id | String | Unique identifier for the CA. |
| CipherTrust.LocalCA.uri | String | Uniform Resource Identifier for the CA. |
| CipherTrust.LocalCA.account | String | Account associated with the CA. |
| CipherTrust.LocalCA.application | String | Application associated with the CA. |
| CipherTrust.LocalCA.devAccount | String | Developer account associated with the CA. |
| CipherTrust.LocalCA.createdAt | Date | Timestamp when the CA was created. |
| CipherTrust.LocalCA.updatedAt | Date | Timestamp when the CA was last updated. |
| CipherTrust.LocalCA.name | String | Name of the CA. |
| CipherTrust.LocalCA.state | String | State of the CA. |
| CipherTrust.LocalCA.subject | String | Distinguished Name (DN) of the CA subject. |
| CipherTrust.LocalCA.notBefore | Date | Timestamp before which the certificate is not valid. |
| CipherTrust.LocalCA.notAfter | Date | Timestamp after which the certificate is not valid. |
| CipherTrust.LocalCA.sha1Fingerprint | String | SHA1 fingerprint of the CA certificate. |
| CipherTrust.LocalCA.sha256Fingerprint | String | SHA256 fingerprint of the CA certificate. |
| CipherTrust.LocalCA.sha512Fingerprint | String | SHA512 fingerprint of the CA certificate. |
Command example#
!ciphertrust-local-ca-create cn="test.com" name="example_local_ca" algorithm="RSA" name_fields_raw_json="[ {\"O\" : \"FakeCompany\", \"OU\": \"RnD\", \"C\": \"US\", \"ST\": \"CA\", \"L\": \"FakeCity\"}, {\"OU\": \"Fake Group Inc.\"}]" email="fakeemail@fakecompany.com,fakeemail1@fakecompany.com" ip="10.10.10.10,20.20.20.20" dns_names="*.fakecompany.com,*.fakecompany.net"
Context Example#
Human Readable Output#
Pending Local CA test.com has been created successfully!
ciphertrust-local-ca-delete#
Deletes a local CA certificate.
Base Command#
ciphertrust-local-ca-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| local_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
Context Output#
There is no context output for this command.
Command example#
!ciphertrust-local-ca-delete local_ca_id="example_local_ca"
Human Readable Output#
example_local_ca has been deleted successfully!
ciphertrust-local-ca-install#
Installs a certificate signed by other CA to act as a local CA. Issuer can be both local or external CA. Typically used for intermediate CAs. The CA certificate must match the earlier created CA CSR, have "CA:TRUE" as part of the "X509v3 Basic Constraints", and have "Certificate Signing" as part of "X509v3 Key Usage" in order to be accepted.
Base Command#
ciphertrust-local-ca-install
Input#
| Argument Name | Description | Required |
|---|---|---|
| local_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| cert_entry_id | The entry ID of the file to upload that contains the signed certificate in PEM format to install as a local CA. | Required |
| parent_id | An identifier of the parent resource. The resource can be either a local or an external CA. The identifier can be either the ID (a UUIDv4) or the URI. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.CAInstall.id | String | A unique identifier for the certificate authority (CA). |
| CipherTrust.CAInstall.uri | String | Uniform Resource Identifier associated with the CA. |
| CipherTrust.CAInstall.account | String | Account associated with the CA. |
| CipherTrust.CAInstall.application | String | Application associated with the CA. |
| CipherTrust.CAInstall.devAccount | String | Developer account associated with the CA. |
| CipherTrust.CAInstall.name | String | Name of the CA. |
| CipherTrust.CAInstall.state | String | Current state of the CA (e.g., active, pending). |
| CipherTrust.CAInstall.createdAt | Date | Timestamp of when the CA was created. |
| CipherTrust.CAInstall.updatedAt | Date | Timestamp of the last update of the CA. |
| CipherTrust.CAInstall.serialNumber | String | Serial number of the CA's certificate. |
| CipherTrust.CAInstall.subject | String | Subject of the CA's certificate. |
| CipherTrust.CAInstall.issuer | String | Issuer of the CA's certificate. |
| CipherTrust.CAInstall.notBefore | Date | Start date of the CA's certificate validity. |
| CipherTrust.CAInstall.notAfter | Date | End date of the CA's certificate validity. |
| CipherTrust.CAInstall.sha1Fingerprint | String | SHA1 fingerprint of the CA's certificate. |
| CipherTrust.CAInstall.sha256Fingerprint | String | SHA256 fingerprint of the CA's certificate. |
| CipherTrust.CAInstall.sha512Fingerprint | String | SHA512 fingerprint of the CA's certificate. |
| CipherTrust.CAInstall.purpose.client_authentication | String | Indicates if client authentication is enabled for the CA. |
| CipherTrust.CAInstall.purpose.user_authentication | String | Indicates if user authentication is enabled for the CA. |
Command example#
!ciphertrust-local-ca-install cert_entry_id=2412@a48e3cfd-a079-4895-89a7-4fac11b8143d local_ca_id=7951163f-a91d-4b29-91f7-b8175d732fc2 parent_id=b8f345ba-cd21-41ad-8184-56e6442bc52b"
Context Example#
Human Readable Output#
7951163f-a91d-4b29-91f7-b8175d732fc2 has been installed successfully!
ciphertrust-local-ca-list#
Returns a list of local CA certificates. The results can be filtered, using the command arguments. If local_ca_id is provided, a single local CA certificate is returned and the rest of the filters are ignored. A chained parameter is used to return the full CA chain with the certificate and can be used only if local_ca_id is provided.
Base Command#
ciphertrust-local-ca-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| subject | Filter by subject. | Optional |
| local_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Optional |
| chained | When set to ‘true’ the full CA chain is returned with the certificate. Must be used with the local CA ID. Possible values are: true, false. | Optional |
| issuer | Filter by issuer. | Optional |
| state | Filter by state. Possible values are: pending, active. | Optional |
| cert | Filter by cert. | Optional |
| page | Page to return. | Optional |
| page_size | Number of entries per page. Defaults to 2000 (in case only page was provided). Maximum entries per page is 2000. | Optional |
| limit | The maximum number of entries to return. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report. |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file |
| InfoFile.Extension | string | File extension. |
| CipherTrust.LocalCA.id | String | A unique identifier for the certificate authority (CA). |
| CipherTrust.LocalCA.uri | String | Uniform Resource Identifier associated with the CA. |
| CipherTrust.LocalCA.account | String | Account associated with the CA. |
| CipherTrust.LocalCA.name | String | Name of the CA. |
| CipherTrust.LocalCA.state | String | Current state of the CA (e.g., pending, active). |
| CipherTrust.LocalCA.createdAt | Date | Timestamp of when the CA was created. |
| CipherTrust.LocalCA.updatedAt | Date | Timestamp of last update of the CA. |
| CipherTrust.LocalCA.serialNumber | String | Serial number of the CA's certificate. |
| CipherTrust.LocalCA.subject | String | Subject of the CA's certificate. |
| CipherTrust.LocalCA.issuer | String | Issuer of the CA's certificate. |
| CipherTrust.LocalCA.notBefore | Date | Start date of the CA's certificate validity. |
| CipherTrust.LocalCA.notAfter | Date | End date of the CA's certificate validity. |
| CipherTrust.LocalCA.sha1Fingerprint | String | SHA1 fingerprint of the CA's certificate. |
| CipherTrust.LocalCA.sha256Fingerprint | String | SHA256 fingerprint of the CA's certificate. |
| CipherTrust.LocalCA.sha512Fingerprint | String | SHA512 fingerprint of the CA's certificate. |
| CipherTrust.LocalCA.purpose.client_authentication | String | Indicates if client authentication is enabled for the CA. |
| CipherTrust.LocalCA.purpose.user_authentication | String | Indicates if user authentication is enabled for the CA. |
Command example#
!ciphertrust-local-ca-list
Context Example#
Human Readable Output#
Local Certificate Authorities#
Active CAs#
Name Subject Serial # Activation Expiration Client Auth User Auth example_local_ca /C=US/ST=CA/L=FakeCity/O=FakeCompany/OU=RnD/OU=Fake Group Inc./CN=test.com 158212075602881140442360379812918138547 29 May 2024, 00:00 18 Jun 2027, 09:16 Enabled Enabled localca-3dc1f629-23b6-4cce-876a-c7d07a4862cd /CN=demo_prep_example.com 129102809746806914708740056180976394480 01 Jun 2024, 13:58 02 Jun 2025, 13:58 Enabled Enabled test_local_ca /C=US/ST=CA/L=FakeCity/O=FakeCompany/OU=RnD/OU=Fake Group Inc./CN=test.com 226220228835411560013591369440322067707 03 Jun 2024, 14:10 04 Jun 2025, 14:10 Enabled Enabled test /CN=test-for-list 72278925304596589280809592640662340361 03 Jun 2024, 14:09 04 Jun 2025, 14:09 Enabled Enabled localca-f443d295-875a-4697-baf6-d02c17f23d78 /CN=test-create-local-ca 180344290974933345373617443253119448463 04 Jun 2024, 14:18 05 Jun 2025, 14:18 Enabled Enabled local_ca_to_self_sign /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 337185028007684692646558478315771697994 29 May 2024, 00:00 30 May 2027, 10:01 Enabled Enabled localca-0fb05898-6817-4d29-a47f-59820e437a22 /CN=test_file_csr 118269231003356260767200023246958364211 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled local-ca-install-id /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 28062530453531757191324395315743257082 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled maya-CA-2 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 128976853845189850850256632563440174889 20 May 2024, 13:20 02 Oct 2026, 14:18 Enabled Enabled localca-f1d8f086-ae3a-4c95-a879-20d8095dc951 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=test.com 329109383730933252345740275059611042991 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-30ac1fb0-1c3d-4d73-9a23-83e48c8860d7 /CN=test.com 65114707427365325108519135462150843996 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-ceacaf33-6572-4bfa-84f2-60ff94d5e007 /CN=test.com 32761860285466905109737610122636607959 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-8e4a12e3-b7f7-4a96-adc5-6fecbfdf9df5 /CN=test.com 133607681255884779182134929191905670600 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled isempty1? /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo2.com 163510084562999310649486415171752198390 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled isempty? /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo2.com 135850894135202628853705544520531120469 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled test1 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 178903473729619830181379965311891574804 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-<id> /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 225686445354134570260952387642633959405 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-b765018b-0a64-419f-b537-c30863aa4002 /C=US/ST=TX/L=Austin/O=Thales/CN=CipherTrust Root CA 24463087808077808513660017390325960995 13 Feb 2024, 10:08 11 Feb 2034, 10:08 Enabled Enabled sarah-2-CA /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/CN=kylo.com 297957266980521970680269241879076856098 01 May 2024, 10:05 01 May 2025, 10:05 Enabled Enabled maya-CA /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 139248642490513216788901886347651629296 20 May 2024, 12:54 16 May 2025, 12:54 Enabled Enabled sarah-CA /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/CN=kylo.com 236129256119494718420321950585891385888 30 Apr 2024, 09:29 02 Oct 2025, 14:18 Enabled Enabled localca-ded8d992-c884-4f98-ad4f-68264b263e09 /CN=test.com 192835835797178633282551614520727069145 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-2f0c4e7f-b388-427b-a9b3-532e3f330561 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=test.com 190170845302674761124094601994094514926 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-2630504e-ab3f-4b85-b176-319c18a8b014 /CN=test_file_csr2 39968239672548719518544113345523146127 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-5628ca09-01e7-4a4e-bc72-7259a5e7c70e /CN=test_playbook 4568441388696325044749525549789309664 15 Jun 2024, 12:27 16 Jun 2025, 12:27 Enabled Enabled maya-CA-4 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 103684251574198102057496728651123185286 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-eff61372-2db0-44cd-bbbd-2563393c55d8 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=test.com 225201555731716426434835627487751507394 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled isempty2? /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo2.com 213214243161581230018528102469896633667 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled test2 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 43170575982063033673607674252675234514 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled local-ca-install-parent-id /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 85223021320069691669631123788141870709 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-f96e3d3b-6962-4abe-938b-3920134a4a3d /CN=EXAMPLE2.COM 199509253732682618926504109082709033771 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled maya-CA-3 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=kylo.com 105363437016056150033773930926775683497 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-33a9019f-f74c-46e8-a10e-f059f88ad075 /C=US/ST=MD/L=Belcamp/O=Thales/OU=RnD/OU=Thales Group Inc./CN=test.com 163370278336848373402205300555971853006 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-e7d753e6-fb93-472a-a8c4-9ecf6ebf552b /CN=test_playbook 203497812975623845742505533309745775331 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-2ab5aea7-5f69-4152-b871-6996bc427702 /CN=ui_test 22416116914186521030446027138329400040 13 Jun 2024, 16:20 13 Jun 2025, 16:20 Enabled Enabled localca-3bfed997-da49-48b6-855f-b63a50398731 /CN=test_file_csr 61805608119136879200923975865797022045 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-ac1407ea-5929-481f-804a-50031efc4e48 /CN=test_ui_2 214676143757307299652298316136105097078 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled localca-36c36025-2eb8-428b-bbcb-de5eb91b363f /CN=demo_prep_example.com 297192342979904258733709782583904105532 15 Jun 2024, 12:25 16 Jun 2025, 12:25 Enabled Enabled Pending CAs#
Name Subject Created Fingerprint localca-f39a4d50-7024-49e1-8e43-d56827a0394f /CN=test_playbook 16 Jun 2024, 12:56 811DD053B0953D8F3CB271BDFB9242B1BE85740A localca-0d17f8f8-124d-46ed-acb9-2484269f8715 /CN=test_playbook 16 Jun 2024, 12:42 E42A69710FDC0103576A21A1DC4A25047C845297 localca-af7c04ad-4cfc-4195-bf6a-83deb52456e7 /CN=test_playbook 16 Jun 2024, 12:41 5BB41C4639A33BE12190D106658C6A8BF8676112 localca-2789da9f-0049-407b-83f5-0632801f27b3 /CN=test_playbook 16 Jun 2024, 12:40 CF6DDE0BF02170E24074079C3EAFEF306B301514 localca-14f64185-4520-457d-9549-2a0fe2dba1f9 /CN=test_playbook 16 Jun 2024, 12:39 ECD32C72CD1DCDB00CB0A4C5A0C724839E25921F localca-9a728681-f77c-43b6-8bd7-dcf99d923d91 /CN=test_playbook 16 Jun 2024, 12:31 C9F4DE824A0A36F8697B40A1788B59458ACA047C localca-13c0a0d7-f1ca-4e35-892f-2d0d73154796 /CN=test_playbook 16 Jun 2024, 12:28 92B69050ED571F21438AA7960F9805FCB717BBD0 localca-f68f05cd-71e9-4c72-b00c-663cb095a56c /CN=test_playbook 16 Jun 2024, 12:30 23AFC84598A390986DB9F57AE41268C56D18A38A localca-89efc91b-56c2-4575-8d4a-a7497f552889 /CN=test_playbook 16 Jun 2024, 12:30 2AD5DC3F6E1FE4878D37A546EA1826B28C433EAC Expired CAs#
Name Subject Created Fingerprint localca-3f953b5c-f432-4e6f-8b9e-bba0e4f2ec95 /CN=test_ui_2 13 Jun 2024, 14:07 0A63239115356D9F28CBC20EE21D44B088FBB0D5 1 to 48 of 48 Local CAs
ciphertrust-local-ca-self-sign#
Self-sign a local CA certificate. This is used to create a root CA. Either duration or notAfter date must be specified. If both notAfter and duration are given, then notAfter date takes precedence over duration. If duration is given without notBefore date, certificate is issued starting from server's current time for the specified duration.
Base Command#
ciphertrust-local-ca-self-sign
Input#
| Argument Name | Description | Required |
|---|---|---|
| local_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| duration | The duration of the certificate in days. Either not_after date or duration must be specified. not_after overrides duration if both are given. Default is 365. | Optional |
| not_after | End date of the certificate. Either not_after date or duration must be specified. not_after overrides duration if both are given. | Optional |
| not_before | Start date of the certificate. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.CASelfSign.id | String | A unique identifier for the certificate authority (CA). |
| CipherTrust.CASelfSign.uri | String | Uniform Resource Identifier associated with the CA. |
| CipherTrust.CASelfSign.account | String | Account associated with the CA. |
| CipherTrust.CASelfSign.application | String | Application associated with the CA. |
| CipherTrust.CASelfSign.devAccount | String | Developer account associated with the CA. |
| CipherTrust.CASelfSign.name | String | Name of the CA. |
| CipherTrust.CASelfSign.state | String | Current state of the CA (e.g., pending, active). |
| CipherTrust.CASelfSign.createdAt | Date | Timestamp of when the CA was created. |
| CipherTrust.CASelfSign.updatedAt | Date | Timestamp of the last update of the CA. |
| CipherTrust.CASelfSign.serialNumber | String | Serial number of the CA's certificate. |
| CipherTrust.CASelfSign.subject | String | Subject of the CA's certificate. |
| CipherTrust.CASelfSign.issuer | String | Issuer of the CA's certificate. |
| CipherTrust.CASelfSign.notBefore | Date | Start date of the CA's certificate validity. |
| CipherTrust.CASelfSign.notAfter | Date | End date of the CA's certificate validity. |
| CipherTrust.CASelfSign.sha1Fingerprint | String | SHA1 fingerprint of the CA's certificate. |
| CipherTrust.CASelfSign.sha256Fingerprint | String | SHA256 fingerprint of the CA's certificate. |
| CipherTrust.CASelfSign.sha512Fingerprint | String | SHA512 fingerprint of the CA's certificate. |
| CipherTrust.CASelfSign.purpose.client_authentication | String | Indicates if client authentication is enabled for the CA. |
| CipherTrust.CASelfSign.purpose.user_authentication | String | Indicates if user authentication is enabled for the CA. |
Command example#
!ciphertrust-local-ca-self-sign local_ca_id="example_local_ca" not_after="in three years" not_before="29.5.24"
Context Example#
Human Readable Output#
example_local_ca has been self-signed successfully!
ciphertrust-local-ca-update#
Update a local CA.
Base Command#
ciphertrust-local-ca-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| local_ca_id | An identifier of the resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| allow_client_authentication | If set to true, the certificates signed by the specified CA can be used for client authentication. Possible values are: true, false. | Optional |
| allow_user_authentication | If set to true, the certificates signed by the specified CA can be used for user authentication. Possible values are: true, false. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| InfoFile.Name | string | File name. |
| InfoFile.EntryID | string | The entry ID of the report |
| InfoFile.Size | number | File size. |
| InfoFile.Type | string | File type, e.g., "PE". |
| InfoFile.Info | string | Basic information of the file. |
| InfoFile.Extension | string | File extension. |
| CipherTrust.LocalCA.id | String | A unique identifier for the certificate authority (CA). |
| CipherTrust.LocalCA.uri | String | Uniform Resource Identifier associated with the CA. |
| CipherTrust.LocalCA.account | String | Account associated with the CA. |
| CipherTrust.LocalCA.name | String | Name of the CA. |
| CipherTrust.LocalCA.state | String | Current state of the CA (e.g., pending, active). |
| CipherTrust.LocalCA.createdAt | Date | Timestamp of when the CA was created. |
| CipherTrust.LocalCA.updatedAt | Date | Timestamp of the last update of the CA. |
| CipherTrust.LocalCA.serialNumber | String | Serial number of the CA's certificate. |
| CipherTrust.LocalCA.subject | String | Subject of the CA's certificate. |
| CipherTrust.LocalCA.issuer | String | Issuer of the CA's certificate. |
| CipherTrust.LocalCA.notBefore | Date | Start date of the CA's certificate validity. |
| CipherTrust.LocalCA.notAfter | Date | End date of the CA's certificate validity. |
| CipherTrust.LocalCA.sha1Fingerprint | String | SHA1 fingerprint of the CA's certificate. |
| CipherTrust.LocalCA.sha256Fingerprint | String | SHA256 fingerprint of the CA's certificate. |
| CipherTrust.LocalCA.sha512Fingerprint | String | SHA512 fingerprint of the CA's certificate. |
| CipherTrust.LocalCA.purpose.client_authentication | String | Indicates if client authentication is enabled for the CA. |
| CipherTrust.LocalCA.purpose.user_authentication | String | Indicates if user authentication is enabled for the CA. |
Command example#
!ciphertrust-local-ca-update local_ca_id="example_local_ca" allow_client_authentication=true allow_user_authentication=true
Context Example#
Human Readable Output#
example_local_ca has been updated successfully!
ciphertrust-local-certificate-delete#
Deletes a local certificate.
Base Command#
ciphertrust-local-certificate-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| ca_id | An identifier of the issuer CA resource. This can be either the ID (a UUIDv4), the name, the URI, or the slug (which is the last component of the URI). | Required |
| local_ca_id | An identifier of the certificate resource.This can be either the ID (a UUIDv4), the URI, or the slug (which is the last component of the URI). | Required |
Context Output#
There is no context output for this command.
Command example#
!ciphertrust-local-certificate-delete ca_id="localca-3dc1f629-23b6-4cce-876a-c7d07a4862cd" local_ca_id="0fb15f00-722c-412e-a1e8-6eb6130e87ba"
Human Readable Output#
0fb15f00-722c-412e-a1e8-6eb6130e87ba has been deleted successfully!
ciphertrust-user-create#
Create a new user in a domain (including root), or add an existing domain user to a sub-domain. Users are always created in the local, internal user database, but might have references to external identity providers. The connection property is optional. If this property is specified when creating new users, it can be the name of a connection or local_account for a local user. The connection property is only used in the body of the create-user request. It is not present in either request or response bodies of the other user endpoints. To create a user - username is mandatory. And password is required in most cases except when certificate authentication is used and certificate subject dn is provided. To enable certificate based authentication for a user, it is required to set certificate_subject_dn and add "user_certificate" authentication method in allowed_auth_methods. This functionality is available only for local users. To assign a root domain user to a sub-domain - the users are added to the domain of the user who is logging in, and the connection property should be left empty. The user_id or username fields are the only ones that are used while adding existing users to sub-domains; all other fields are ignored. To enable the two-factor authentication based on username-password and user certificate for a user, it is required to set "certificate_subject_dn" and add "password_with_user_certificate" authentication method in "allowed_auth_methods". For authentication, the user will require both username-password and user certificate. This functionality applies only to local users.
Base Command#
ciphertrust-user-create
Input#
| Argument Name | Description | Required |
|---|---|---|
| name | Full name of the user. | Optional |
| user_id | The ID of an existing root domain user. This field is used only when adding an existing root domain user to a different domain. | Optional |
| username | The login name of the user. This attribute is required to create a user, but is omitted when getting or listing a user. It cannot be updated. This attribute may also be used (instead of the user_id) when adding an existing root domain user to a different domain. | Optional |
| password | The password used to secure the users account. Allowed passwords are defined by the password policy. Password is optional when "certificate_subject_dn" is set and "user_certificate" is in allowed_auth_methods. In all other cases, password is required. It is not included in user resource responses. Default global password complexity requirement: minimum characters = 8, maximum characters = 30, lower-case letters = 1, upper-case letters = 1, decimal digits = 1, special characters = 1. | Optional |
| E-mail of the user. | Optional | |
| allowed_auth_methods | A comma-separated list of login authentication methods allowed to the user. Default value - "password". Password Authentication is allowed by default. Setting it to none, i.e., "none", means no authentication method is allowed to the user. If both enable_cert_auth and allowed_auth_methods are provided in the request, enable_cert_auth is ignored. Setting it to "password_with_user_certificate", means two-factor authentication is enabled for the user. The user will require both username-password and user_certificate for authentication. This property does not control login behavior for users in admin group. Possible values are: password, user_certificate, password_with_user_certificate, none. | Optional |
| allowed_client_types | A comma-separated list of client types that can authenticate using the user's credentials. Default value - "unregistered,public,confidential" i.e., all clients can authenticate the user using user's credentials. Setting it to none, "none", authenticate the user using user's credentials. Setting it to none, "none", means no client can authenticate this user, which effectively means no one can login into this user This property does not control login behavior for users in admin group. Possible values are: unregistered, public, confidential. | Optional |
| certificate_subject_dn | The Distinguished Name of the user in certificate. | Optional |
| connection | The name of a connection or "local_account" for a local user. Default is local_account. | Optional |
| expires_at | The expires_at field is applicable only for local user account. Only members of the 'admin' and 'User Admins' groups can add an expiration date to an existing local user account or modify the expiration date. Once the expires_at date is reached, the user account gets disabled and the user is not able to perform any actions. Setting the expires_at field to "never", removes the expiration date of the user account. | Optional |
| is_domain_user | This flag can be used to create the user in a non-root domain where user management is allowed. Possible values are: true, false. | Optional |
| prevent_ui_login | If true, user is not allowed to login from the web UI. Possible values are: true, false. Default is false. | Optional |
| password_change_required | If set to true, the user will be required to change their password on the next successful login. Possible values are: true, false. | Optional |
| password_policy | The password policy applies only to local user accounts and overrides the global password policy. By default, the global password policy is applied to the users. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.Users.user_id | String | A unique identifier for API call usage. |
| CipherTrust.Users.username | String | The login name of the user. This attribute is required to create a user, but is omitted when getting or listing user. It cannot be updated. |
| CipherTrust.Users.connection | String | This attribute is required to create a user, but is not included in user resource responses. Can be the name of a connection or 'local_account' for a local user. Defaults to 'local_account'. |
| CipherTrust.Users.email | String | E-mail of the user. |
| CipherTrust.Users.name | String | Full name of the user. |
| CipherTrust.Users.certificate_subject_dn | String | The Distinguished Name of the user in certificate. |
| CipherTrust.Users.enable_cert_auth | Boolean | Deprecated: Use allowed_auth_methods instead. Enable certificate based authentication flag. If set to true, the user will be able to login using a certificate. |
| CipherTrust.Users.user_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. user_metadata is typically used by applications to store information about the resource which the end-users are allowed to modify, such as user preferences. |
| CipherTrust.Users.app_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. app_metadata is typically used by applications to store information which the end-users are not themselves allowed to change, like group membership or security roles. |
| CipherTrust.Users.logins_count | Number | The number of logins. |
| CipherTrust.Users.last_login | Date | Timestamp of the last login. |
| CipherTrust.Users.created_at | Date | Timestamp of when user was created. |
| CipherTrust.Users.updated_at | Date | Timestamp of last update of the user. |
| CipherTrust.Users.allowed_auth_methods | Unknown | List of login authentication methods allowed to the user. |
| CipherTrust.Users.expires_at | Date | The expires_at is applicable only for local user accounts. The admin or a user who is part of the admin group can add an expiration date to an existing local user account or modify the expiration date. Once the expires_at date is reached, the user account gets disabled and the user is not able to perform any actions. |
| CipherTrust.Users.password_policy | String | The password policy applies only to local user accounts and overrides the global password policy. By default, the global password policy is applied to the users. |
| CipherTrust.Users.allowed_client_types | Unknown | List of client types allowed to the user. |
| CipherTrust.Users.nickname | String | Nickname of the user. |
| CipherTrust.Users.failed_logins_count | Number | Number of failed login attempts. |
| CipherTrust.Users.account_lockout_at | Date | Timestamp when the account was locked out. |
| CipherTrust.Users.failed_logins_initial_attempt_at | Date | Timestamp of the initial failed login attempt. |
| CipherTrust.Users.last_failed_login_at | Date | Timestamp of the last failed login attempt. |
| CipherTrust.Users.password_changed_at | Date | Timestamp of when the password was last changed. |
| CipherTrust.Users.password_change_required | Boolean | Indicates if a password change is required. |
| CipherTrust.Users.auth_domain | String | Authentication domain of the user. |
| CipherTrust.Users.login_flags | Unknown | Flags related to login permissions. |
Command example#
!ciphertrust-user-create username="example_user" password="123ABC!123abc" allowed_auth_methods="password,user_certificate" allowed_client_types="none" certificate_subject_dn="OU=organization unit,O=organization,L=location,ST=state,C=country"
Context Example#
Human Readable Output#
example_user has been created successfully!
ciphertrust-user-delete#
Deletes a user given the user's user ID. If the current user is logged into a sub-domain, the user is deleted from that sub-domain. If the current user is logged into the root domain, the user is deleted from all domains it belongs to.
Base Command#
ciphertrust-user-delete
Input#
| Argument Name | Description | Required |
|---|---|---|
| user_id | The user ID of the user. | Required |
Context Output#
There is no context output for this command.
Command example#
!ciphertrust-user-delete user_id="local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c"
Human Readable Output#
local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c has been deleted successfully!
ciphertrust-user-password-change#
Change the current user's password. Can only be used to change the password of the currently authenticated user. The user will not be able to change their password to the same password.
Base Command#
ciphertrust-user-password-change
Input#
| Argument Name | Description | Required |
|---|---|---|
| new_password | The new password. | Required |
| password | The user's current password. | Required |
| username | The login name of the current user. | Required |
| auth_domain | The domain where the user needs to be authenticated. This is the domain where the user is created. Defaults to the root domain. | Optional |
Context Output#
There is no context output for this command.
Command example#
!ciphertrust-user-password-change username="example_user" password="123ABC!123abc" new_password="new_123ABC!123abc"
Human Readable Output#
Password has been changed successfully for example_user!
ciphertrust-user-to-group-add#
Add a user to a group. This command is idempotent: calls to add a user to a group in which they already belong will return an identical, OK response.
Base Command#
ciphertrust-user-to-group-add
Input#
| Argument Name | Description | Required |
|---|---|---|
| group_name | Name of the group. By default it will be added to the Key Users Group. Default is Key Users. | Required |
| user_id | The user ID of the user. Can be retrieved by using the command ciphertrust-users-list. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.Group.name | String | The name of the group. |
| CipherTrust.Group.created_at | Date | The time the group was created. |
| CipherTrust.Group.updated_at | Date | The time the group was last updated. |
| CipherTrust.Group.user_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. user_metadata is typically used by applications to store information about the resource which the end-users are allowed to modify, such as user preferences. |
| CipherTrust.Group.app_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. app_metadata is typically used by applications to store information which the end-users are not themselves allowed to change, like group membership or security roles. |
| CipherTrust.Group.client_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. client_metadata is typically used by applications to store information about the resource, such as client preferences. |
| CipherTrust.Group.description | String | The description of the group. |
| CipherTrust.Group.users_count | Number | The total user count associated with the group. |
Command example#
!ciphertrust-user-to-group-add group_name="example_group" user_id="local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c"
Context Example#
Human Readable Output#
local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c has been added successfully to example_group
ciphertrust-user-to-group-remove#
Removes a user from a group.
Base Command#
ciphertrust-user-to-group-remove
Input#
| Argument Name | Description | Required |
|---|---|---|
| group_name | Name of the group. | Required |
| user_id | The user ID of the user. Can be retrieved by using the command ciphertrust-users-list. | Required |
Context Output#
There is no context output for this command.
Command example#
!ciphertrust-user-to-group-remove group_name="example_group" user_id="local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c"
Human Readable Output#
local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c has been deleted successfully from example_group
ciphertrust-user-update#
Change the properties of a user, for instance, the name, the password, or metadata. Permissions would normally restrict this to users with admin privileges. Non admin users wishing to change their own passwords should use the ciphertrust-user-password-change command.
Base Command#
ciphertrust-user-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| name | The user's full name. | Optional |
| user_id | The user ID of the user. | Required |
| username | The login name of the user. | Optional |
| password | The password used to secure the user's account. | Optional |
| The email of the user. | Optional | |
| password_change_required | If set to true, user will be required to change their password on next successful login. Possible values are: true, false. | Optional |
| allowed_auth_methods | List of login authentication methods allowed to the user. Setting it to none, i.e., "none", means no authentication method is allowed to the user. If both enable_cert_auth and allowed_auth_methods are provided in the request, enable_cert_auth is ignored. Setting it to "password_with_user_certificate", means two-factor authentication is enabled for the user. The user will require both username-password and user_certificate for authentication. User cannot have "password" or "user_certificate" with "password_with_user_certificate" in allowed_auth_methods. This property does not control login behavior for users in admin group. Possible values are: password, user_certificate, password_with_user_certificate, none. | Optional |
| allowed_client_types | A comma-separated list of client types that can authenticate using the user's credentials. Setting it to none, i.e., "none", means no client can authenticate this user, which effectively means no one can login into this user. This property does not control login behavior for users in admin group. Possible values are: unregistered, public, confidential. | Optional |
| certificate_subject_dn | The Distinguished Name of the user in certificate. For example, OU=organization unit,O=organization,L=location,ST=state,C=country. | Optional |
| expires_at | The "expires_at" field is applicable only for local user account. Only members of the 'admin' and 'User Admins' groups can add an expiration date to an existing local user account or modify the expiration date. Once the "expires_at" date is reached, the user account gets disabled and the user is not able to perform any actions. Setting the "expires_at" argument to "never", removes the expiration date of the user account. | Optional |
| failed_logins_count | Set it to 0 to unlock a locked user account. | Optional |
| prevent_ui_login | If true, user is not allowed to login from the web UI. Possible values are: true, false. Default is false. | Optional |
| password_policy | The password policy applies only to local user accounts and overrides the global password policy. By default, the global password policy is applied to the users. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.Users.user_id | String | A unique identifier for API call usage. |
| CipherTrust.Users.username | String | The login name of the user. This attribute is required to create a user, but is omitted when getting or listing a user. It cannot be updated. |
| CipherTrust.Users.connection | String | This attribute is required to create a user, but is not included in user resource responses. Can be the name of a connection or 'local_account' for a local user, defaults to 'local_account'. |
| CipherTrust.Users.email | String | E-mail of the user. |
| CipherTrust.Users.name | String | Full name of the user. |
| CipherTrust.Users.nickname | String | Nickname of the user. |
| CipherTrust.Users.certificate_subject_dn | String | The Distinguished Name of the user in certificate. |
| CipherTrust.Users.enable_cert_auth | Boolean | Deprecated: Use allowed_auth_methods instead. Enable certificate based authentication flag. If set to true, the user will be able to login using a certificate. |
| CipherTrust.Users.user_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. user_metadata is typically used by applications to store information about the resource which the end-users are allowed to modify, such as user preferences. |
| CipherTrust.Users.app_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. app_metadata is typically used by applications to store information which the end-users are not themselves allowed to change, like group membership or security roles. |
| CipherTrust.Users.logins_count | Number | Number of logins. |
| CipherTrust.Users.last_login | Date | Timestamp of the last login. |
| CipherTrust.Users.created_at | Date | Timestamp of when the user was created. |
| CipherTrust.Users.updated_at | Date | Timestamp of the last update of the user. |
| CipherTrust.Users.allowed_auth_methods | Unknown | List of login authentication methods allowed to the user. |
| CipherTrust.Users.expires_at | Date | The expires_at is applicable only for local user accounts. The admin or a user who is part of the admin group can add an expiration date to an existing local user account or modify the expiration date. Once the expires_at date is reached, the user account gets disabled and the user is not able to perform any actions. |
| CipherTrust.Users.password_policy | String | The password policy applies only to local user accounts and overrides the global password policy. By default, the global password policy is applied to the users. |
| CipherTrust.Users.allowed_client_types | Unknown | List of client types allowed to the user. |
| CipherTrust.Users.failed_logins_count | Number | Number of failed login attempts. |
| CipherTrust.Users.failed_logins_initial_attempt_at | Date | Timestamp of the initial failed login attempt. |
| CipherTrust.Users.account_lockout_at | Date | Timestamp of when the account was locked. |
| CipherTrust.Users.last_failed_login_at | Date | Timestamp of the last failed login attempt. |
| CipherTrust.Users.password_changed_at | Date | Timestamp of when the password was last changed. |
| CipherTrust.Users.password_change_required | Boolean | Indicates if a password change is required at next login. |
| CipherTrust.Users.login_flags | Unknown | Flags related to login, such as prevent_ui_login. |
Command example#
!ciphertrust-user-update user_id="local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c" failed_logins_count=0 expires_at="never"
Context Example#
Human Readable Output#
local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c has been updated successfully!
ciphertrust-users-list#
Returns a list of users.
Base Command#
ciphertrust-users-list
Input#
| Argument Name | Description | Required |
|---|---|---|
| name | Filter by the user's name. | Optional |
| user_id | If provided, gets the user with the specified user ID. If the user ID 'self' is provided, it will return the current user's information. | Optional |
| username | The user’s username. | Optional |
| The user’s email. | Optional | |
| groups | A comma-separated list of group names. Using 'nil' as the group name will return users that are not part of any group. | Optional |
| exclude_groups | A comma-separated list of groups to exclude. | Optional |
| auth_domain_name | The user’s auth domain. | Optional |
| account_expired | Whether to filter the list of users whose expiration time has passed. Possible values are: true, false. | Optional |
| allowed_auth_methods | A comma-separated list of login authentication methods allowed to the users. A special value empty can be specified to get users to whom no authentication method is allowed. Possible values are: password, user_certificate, password_with_user_certificate, empty. | Optional |
| allowed_client_types | A comma-separated list of client types that can authenticate the user. Possible values are: unregistered, public, confidential. | Optional |
| password_policy | The assigned password policy. | Optional |
| return_groups | If set to 'true', it returns the group's name in which user is associated along with all users information. Possible values are: true, false. | Optional |
| page | Page to return. | Optional |
| page_size | Number of entries per page. Defaults to 2000 (in case only page was provided). Maximum entries per page is 2000. | Optional |
| limit | The maximum number of entries to return. Default is 50. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CipherTrust.Users.username | String | The login name of the user. This attribute is required to create a user, but is omitted when getting or listing a user. It cannot be updated. |
| CipherTrust.Users.connection | String | This attribute is required to create a user, but is not included in user resource responses. Can be the name of a connection or 'local_account' for a local user, defaults to 'local_account'. |
| CipherTrust.Users.email | String | E-mail of the user. |
| CipherTrust.Users.name | String | Full name of the user. |
| CipherTrust.Users.certificate_subject_dn | String | The Distinguished Name of the user in certificate. |
| CipherTrust.Users.enable_cert_auth | Boolean | Deprecated: Use allowed_auth_methods instead. Enable certificate based authentication flag. If set to true, the user will be able to login using a certificate. |
| CipherTrust.Users.user_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. user_metadata is typically used by applications to store information about the resource which the end-users are allowed to modify, such as user preferences. |
| CipherTrust.Users.app_metadata | Unknown | A schema-less object, which can be used by applications to store information about the resource. app_metadata is typically used by applications to store information which the end-users are not themselves allowed to change, like group membership or security roles. |
| CipherTrust.Users.logins_count | Number | Number of logins. |
| CipherTrust.Users.last_login | Date | Timestamp of the last login. |
| CipherTrust.Users.created_at | Date | Timestamp of when the user was created. |
| CipherTrust.Users.updated_at | Date | Timestamp of the last update of the user. |
| CipherTrust.Users.allowed_auth_methods | Unknown | List of login authentication methods allowed to the user. |
| CipherTrust.Users.expires_at | Date | The expires_at is applicable only for local user accounts. The admin or a user who is part of the admin group can add an expiration date to an existing local user account or modify the expiration date. Once the expires_at date is reached, the user account gets disabled and the user is not able to perform any actions. |
| CipherTrust.Users.password_policy | String | The password policy applies only to local user accounts and overrides the global password policy. By default, the global password policy is applied to the users. |
| CipherTrust.Users.allowed_client_types | Unknown | List of client types allowed to the user. |
| CipherTrust.Users.last_failed_login_at | Date | Timestamp of the last failed login. |
| CipherTrust.Users.failed_logins_count | Number | Number of failed logins. |
| CipherTrust.Users.failed_logins_initial_attempt_at | Date | Timestamp of the first failed login. |
| CipherTrust.Users.account_lockout_at | Date | Timestamp of the account lockout. |
| CipherTrust.Users.nickname | String | Nickname of the user. |
| CipherTrust.Users.user_id | String | The user's unique identifier. |
| CipherTrust.Users.password_changed_at | Date | Timestamp of when the password was last changed. |
| CipherTrust.Users.password_change_required | Boolean | Flag indicating if password change is required. |
| CipherTrust.Users.groups | Unknown | List of groups the user belongs to. |
| CipherTrust.Users.auth_domain | String | Authentication domain ID. |
| CipherTrust.Users.login_flags | Unknown | Flags related to user login. |
| CipherTrust.Users.auth_domain_name | String | Name of the authentication domain. |
Command example#
!ciphertrust-users-list limit=10
Context Example#
Human Readable Output#
Users#
Username Full Name Created Updated Expires Id Last Login Logins Last Failed Login Password Changed Password Change Required admin admin admin@local 14 Feb 2024, 10:08 18 Jun 2024, 09:16 Never local|1e83aa21-0141-458a-8d77-e7d21192a82f 18 Jun 2024, 09:16 1518 13 Jun 2024, 07:53 14 Feb 2024, 11:36 false test_user new_test_user test_user@local 13 Jun 2024, 07:45 17 Jun 2024, 10:08 13 Jun 2025, 12:06 local|9a1769b4-86e0-4e24-8316-ea4e7b76c23c Never Logged In 0 17 Jun 2024, 10:08 13 Jun 2024, 07:45 false test_ui_create test_ui_create test_ui_create@local 13 Jun 2024, 12:30 13 Jun 2024, 12:30 Never local|ba75d58e-c8de-40fa-bb93-008a7263d59e Never Logged In 0 Never Failed A Login 13 Jun 2024, 12:30 false 1 to 3 of 3 Users