Skip to main content

Certificate management API

Description

The Certificate management API makes it possible to create, upload and delete certificates and their private keys on your AXIS devices, such as HTTPS, SNMPv3, IEEE 802.1x network authentication and others used for identification and authentication. This is useful when you want to employ a cost-efficient and simple mechanism to manage certificates over multiple devices.

Create self-signed certificate

This self-signing certificate is generated by your Axis device without first being signed by a certificate authority and should only be used during the initial configuration of the device. It is recommended to exchange this for a signed protection certificate from a certification authority once the initial configuration has been completed.

http://ip-address/vapix/services

Request body syntax

<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:acertificates="http://www.axis.com/vapix/ws/certificates"
xmlns:acert="http://www.axis.com/vapix/ws/cert"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:acertificates="http://www.axis.com/vapix/ws/certificates"
xmlns:acert="http://www.axis.com/vapix/ws/cert"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<acertificates:CreateCertificate2 xmlns="http://www.axis.com/vapix/ws/certificates"><acertificates:Id>Certificate_ID</acertificates:Id><acertificates:Subject><acert:C>SE</acert:C><acert:ST></acert:ST><acert:L></acert:L><acert:O></acert:O><acert:OU></acert:OU><acert:CN>172.25.154.47</acert:CN></acertificates:Subject><acertificates:ValidNotBefore>2020-10-16T04:08:32</acertificates:ValidNotBefore><acertificates:ValidNotAfter>2040-10-16T04:08:32</acertificates:ValidNotAfter></acertificates:CreateCertificate2>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

GetClientCertificates

Using this method makes it possible to return a list containing the currently uploaded client certificates, which in turn are sent to the external server to validate the Axis device itself.

http://ip-address/vapix/services

Request body syntax

<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:onvif="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<tds:GetCertificates xmlns="http://www.onvif.org/ver10/device/wsdl">
</tds:GetCertificates>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

GetCACertificates

Using this method makes it possible to return a list containing the currently uploaded CA certificates, which are used by the Axis device to validate the external server.

http://ip-address/vapix/services
<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:onvif="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<tds:GetCACertificates xmlns="http://www.onvif.org/ver10/device/wsdl"></tds:GetCACertificates>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

DeleteCertificates

Using this method makes it possible to delete either a CA certificate or client certificate uploaded to the Axis device.

http://ip-address/vapix/services
<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:onvif="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<tds:DeleteCertificates xmlns="http://www.onvif.org/ver10/device/wsdl"><CertificateID>Certificate_ID</CertificateID></tds:DeleteCertificates>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Upload certificate + Private key

Using this method makes it possible to upload a client certificate whereas the certificate and corresponding private key are separated in two individual files.

http://ip-address/vapix/services
<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:onvif="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<tds:LoadCertificateWithPrivateKey xmlns="http://www.onvif.org/ver10/device/wsdl"><CertificateWithPrivateKey><tt:CertificateID>Certificate_ID</tt:CertificateID><tt:Certificate><tt:Data>Certificate Payload</tt:Data></tt:Certificate><tt:PrivateKey><tt:Data>Private Key Payload</tt:Data></tt:PrivateKey></CertificateWithPrivateKey></tds:LoadCertificateWithPrivateKey>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Upload CA certificate

Using this method makes it possible to upload a CA certificate to the Axis device.

http://ip-address/vapix/services
<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:onvif="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<tds:LoadCACertificates xmlns="http://www.onvif.org/ver10/device/wsdl"><CACertificate><tt:CertificateID>Certificate_ID</tt:CertificateID><tt:Certificate><tt:Data>....CA Certificate Payload....</tt:Data></tt:Certificate></CACertificate></tds:LoadCACertificates>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Upload PKCS#12 Certificate

Using this method makes it possible to upload a password-protected PKCS#12 container where one file contains both the client certificate and the corresponding private key.

http://ip-address/vapix/services
<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:acertificates="http://www.axis.com/vapix/ws/certificates"
xmlns:acert="http://www.axis.com/vapix/ws/cert"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:acertificates="http://www.axis.com/vapix/ws/certificates"
xmlns:acert="http://www.axis.com/vapix/ws/cert"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<acertificates:LoadPkcs12 xmlns="http://www.axis.com/vapix/ws/certificates"><Pkcs12><acert:Id>PFX-Sample Certificate</acert:Id><acert:Certificate>...Certificate Payload...</acert:Certificate><acert:Password>password</acert:Password></Pkcs12></acertificates:LoadPkcs12>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Set HTTPS certificate

Using this method makes it possible to set a specific, previously uploaded client certificate and select it to be used for HTTPS-connections.

http://ip-address/vapix/services

Please take note that the following field must be included in order to name the certificate that you want to set.

<acert:Id>CertificateName</acert:Id>

Request body syntax

<SOAP-ENV:Envelope
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:aweb="http://www.axis.com/vapix/ws/webserver"
xmlns:acert="http://www.axis.com/vapix/ws/cert"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:aweb="http://www.axis.com/vapix/ws/webserver"
xmlns:acert="http://www.axis.com/vapix/ws/cert"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">

<SOAP-ENV:Body>
<aweb:SetWebServerTlsConfiguration xmlns="http://www.axis.com/vapix/ws/webserver">
<Configuration>
<Tls>true</Tls>
<aweb:ConnectionPolicies>
<aweb:Admin>Https</aweb:Admin>
<aweb:Operator>Https</aweb:Operator>
<aweb:Viewer>Https</aweb:Viewer>
</aweb:ConnectionPolicies>
<aweb:Ciphers>
<acert:Cipher>ECDHE-ECDSA-AES128-GCM-SHA256</acert:Cipher>
<acert:Cipher>ECDHE-RSA-AES128-GCM-SHA256</acert:Cipher>
<acert:Cipher>ECDHE-ECDSA-AES256-GCM-SHA384</acert:Cipher>
<acert:Cipher>ECDHE-RSA-AES256-GCM-SHA384</acert:Cipher>
<acert:Cipher>ECDHE-ECDSA-CHACHA20-POLY1305</acert:Cipher>
<acert:Cipher>ECDHE-RSA-CHACHA20-POLY1305</acert:Cipher>
<acert:Cipher>DHE-RSA-AES128-GCM-SHA256</acert:Cipher>
<acert:Cipher>DHE-RSA-AES256-GCM-SHA384</acert:Cipher>
</aweb:Ciphers>
<aweb:CertificateSet>
<acert:Certificates>
<acert:Id>CertificateName</acert:Id>
</acert:Certificates>
<acert:CACertificates></acert:CACertificates>
<acert:TrustedCertificates></acert:TrustedCertificates>
</aweb:CertificateSet>
</Configuration>
</aweb:SetWebServerTlsConfiguration>
</SOAP_ENV:Body>
</SOAP-ENV:Envelope>

Please be aware that this example is meant for devices with firmware version 6.50. If your device has firmware version 7.10 and over you need to remove the following section:

<aweb:Operator>Https</aweb:Operator>
<aweb:Viewer>Https</aweb:Viewer>

Also, the ciphers listed in this example are subject to change with firmware updates.

Assign a certificate to the IEEE 802.1x configuration

Using this method makes it possible to assign an earlier uploaded certificate to the wired IEEE 802.1x configuration, which can then be configured by using setWired8021XConfiguration.

http://ip-address/vapix/services

Request body syntax

<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:onvif="http://www.onvif.org/ver10/schema"
xmlns:tt="http://www.onvif.org/ver10/schema"
xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
<SOAP-ENV:Body>
<tds:SetDot1XConfiguration xmlns="http://www.onvif.org/ver10/device/wsdl">
<Dot1XConfiguration><tt:Dot1XConfigurationToken>EAPTLS_WIRED</tt:Dot1XConfigurationToken><tt:Identity>identity</tt:Identity><tt:EAPMethod>13</tt:EAPMethod><tt:EAPMethodConfiguration><tt:TLSConfiguration><tt:CertificateID>Default(self-signed)</tt:CertificateID></tt:TLSConfiguration></tt:EAPMethodConfiguration>
</Dot1XConfiguration>
</tds:SetDot1XConfiguration>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Please note that the CertificateID needs to be the certificate common name.