Get Root Certificates

  • reference
    +
    Trusted CA (or 'root') certificates previously loaded into the Couchbase-Server cluster can be retrieved and inspected.

    HTTP Method and URI

    GET /pools/default/trustedCAs

    Description

    Returns a JSON array, each of whose members is an object whose key-value pairs provide information on a CA certificate that has been and remains loaded for the cluster. Note that this list is therefore complete and cluster-wide.

    Note that although support of multiple root certificates is only available in versions of Couchbase Server that are 7.1 and later, this API can be used on clusters that are running different versions of Couchbase Server, some of which are prior to 7.1.

    This method and endpoint can be used by unauthorized users: however, cluster-private details are redacted from the output. For all details to be returned, the user must have the Full Admin, the Local User Security Admin, or the External User Security Admin role. See the examples provided in Output Redaction, below.

    Curl Syntax

    The curl syntax is as follows:

    curl -X GET http://<ip-address-or-domain-name>:8091/pools/default/trustedCAs
     -u <username>:<password>

    Responses

    Success returns 200 OK and a JSON array, each of whose members is an object whose key-value pairs provide information on a trusted CA certificate that has been loaded on the cluster. If no trusted CA certificates have been loaded, the returned array is empty.

    Failure to authenticate returns HTTP/1.1 401 Unauthorized.

    A malformed URI returns HTTP/1.1 404 Object Not Found. An incorrect method returns HTTP/1.1 405 Method Not Allowed.

    Example

    The following example returns a list of all trusted CA certificates that are currently loaded on the cluster.

    curl -X GET http://10.144.220.101:8091/pools/default/trustedCAs -u Administrator:password

    Formatted, the output appears as follows:

    [
      {
        "warnings": [
          {
            "name": "self_signed",
            "message": "Out-of-the-box certificates are self-signed. To further secure your system, you must create new X.509 certificates signed by a trusted CA.",
            "severity": 2,
            "severityName": "minimal"
          }
        ],
        "id": 0,
        "subject": "CN=Couchbase Server 90c7ba5e",
        "notBefore": "2013-01-01T00:00:00.000Z",
        "notAfter": "2049-12-31T23:59:59.000Z",
        "type": "generated",
        "pem": "-----BEGIN CERTIFICATE-----\nMIIDAjCCAeqgAwIBAgIIFrnqyI5FX+8wDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE\nAxMZQ291Y2hiYXNlIFNlcnZlciA5MGM3YmE1ZTAeFw0xMzAxMDEwMDAwMDBaFw00\nOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgOTBjN2Jh\nNWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEQNODtMyrvyIHXAO\n9YqIEstqD3SQZ1mSdI+G7gyi8Perc5QWlJbuUll8yhbAKFj9NDBXSCi3alMq2Joq\n1TIu7fQJWk1Z4qWb0Q7NDHWc4ZiUtmN3dUApMtqmAvXp17piOmHtx6FAQnihbMpB\ngPekKTI2bnLBR3o3RK7f5NYkEQzHq3hU3pd+lU6+LONxaDbUHcRMitdh9WXf6ddX\nKaGwzP2ci9zuLo45dOJtEYVl8GSy7oyLDSqg8bBsTeARWZyYUbWSH67iLatFoJqW\nEWpCor81xZorNWJWZkjN2ruFoOzjzWbV/c3RnVS7fep9EzK5fpkpCjKU+WNQWnEa\nVkonAgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD\nATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBqIPz0UAtgW4Pk\nUARuDIeCONJYxtnDgKzX/S3e2H5iogffyU0uD2U7me8vzyDl1Q21AvDBbmHF+0Nu\nNhYBtuxlYpxpfdkbU92tF2zWl/adHZxn2t1BOv0jiY2P2sBbt+yWHcqvRvQnHO8T\n11nbj0RCKL+RVx5UVsB7OcAwpDXmC/U/L1i/IU0M1CuWYjTTFItGWzPxm6NtQkmN\nkT6KKs3AkDTYslIJhxN+ETv3aJwHkSODgbtT3bjSaX6sxKrS6FCsOLZL0BuMKxVF\nwjz5ulwntg9+Nu6e3T2Dkrz/U3H140cgGEjdiOUCL0AXpRJNAZAQjM0I6f+L2iH3\nZPLSLJZ2\n-----END CERTIFICATE-----\n\n",
        "nodes": [
          "10.144.220.101:8091",
          "10.144.220.102:8091"
        ]
      },
      {
        "warnings": [],
        "id": 2,
        "loadTimestamp": "2021-11-23T12:36:37.000Z",
        "subject": "CN=Couchbase Root CA",
        "notBefore": "2021-11-22T16:37:47.000Z",
        "notAfter": "2031-11-20T16:37:47.000Z",
        "type": "uploaded",
        "pem": "-----BEGIN CERTIFICATE-----\nMIIDGTCCAgGgAwIBAgIUZhSikh0Wl3wxgKtEqgmi2NDBZKswDQYJKoZIhvcNAQEL\nBQAwHDEaMBgGA1UEAwwRQ291Y2hiYXNlIFJvb3QgQ0EwHhcNMjExMTIyMTYzNzQ3\nWhcNMzExMTIwMTYzNzQ3WjAcMRowGAYDVQQDDBFDb3VjaGJhc2UgUm9vdCBDQTCC\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMso+6juWKMLD7HDuoiGDGeU\nldjh6bZEkXsYAmFEziZnreEONoGr3ZS1MtOro2F6dPM6QDKkSlhG7DogYGz96xPG\niLWWKuMUhhbqVkzjScYhg4FEsm356j8zVt6orn4D6BaT3RKaYP+SQP802t7/Jv6Y\nGjIl9+HUDMiwJ0qx5kci208mZacjrI/iw05f89IgB9mj4l81nb2DJXcuyfZFmYYV\nx8NcxbIWbfCFZDlftWNDkyyrjM1nM8MgSxXJLFCLLLRyYKfiS4h9ikzUM87hPXC+\ntj1Lpnbq5RQKAUHTaR7Sx9pWB/iB4tv3+Rk6lpDSLox5E36DxaTqJdgYnvonyVkC\nAwEAAaNTMFEwHQYDVR0OBBYEFIqaO4ZZnPAI9xfup7MeNB77+j9cMB8GA1UdIwQY\nMBaAFIqaO4ZZnPAI9xfup7MeNB77+j9cMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI\nhvcNAQELBQADggEBAMgN7PZlf88L3YV5pBQQb+t4p59Gagsw8Rt8z0XNTlVAPqd5\nkCU3KRJvf1AioQHGcvoKlAL9lIOzbeSmxUcWxg9UV5lPtDkIIISMFBajYDdwKGgy\nu0T9FVpwbXEM9hfLr0aDCQwWCw7u8j/hPTNMo0vqaH9ApS0Y/CR/bLR9PBhorR7G\naCOj4Nd5yrptbZjgvctvE1QxzulEOcndXMwUipV+LluO0AbtCym+07O0oScT5g5A\n9HC3NIyKRMvqQjzSjz/ddahdL3jBgImN+dSJDGQjCL/gl5jcuACHKtHcdoqmIGmZ\nRDy/b+3vQ/g1+iwfq+m6m0pZHIzilIoHM8jMzjI=\n-----END CERTIFICATE-----\n\n",
        "loadHost": "10.144.220.101",
        "loadFile": "/opt/couchbase/var/lib/couchbase/inbox/CA/ca.pem",
        "nodes": []
      },
      {
        "warnings": [],
        "id": 3,
        "loadTimestamp": "2021-11-23T12:42:27.000Z",
        "subject": "CN=Couchbase Root CA2",
        "notBefore": "2021-11-23T12:34:51.000Z",
        "notAfter": "2031-11-21T12:34:51.000Z",
        "type": "uploaded",
        "pem": "-----BEGIN CERTIFICATE-----\nMIIDGzCCAgOgAwIBAgIUJD6+ze/hW6BQaPm2Y99JWKqLHw8wDQYJKoZIhvcNAQEL\nBQAwHTEbMBkGA1UEAwwSQ291Y2hiYXNlIFJvb3QgQ0EyMB4XDTIxMTEyMzEyMzQ1\nMVoXDTMxMTEyMTEyMzQ1MVowHTEbMBkGA1UEAwwSQ291Y2hiYXNlIFJvb3QgQ0Ey\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3yljD6QRadQQuucUGnDi\nVXzEB4yp9dw1RPvUw2IYA+faYTXoMG2ScMPqK3RjiOa126sfqd4mKXO83AbMOYeS\ns3OPz966DtBqRD8z9nLKXOFreBGhG50sfaCla99rI4fxabsnZ/lIY9vIO1yn5TGB\nPjrIU8NdmkgybTPGxcsDDZRS8hbQAHTusyaaOS+wlo2l55+z63zpenG9HbfumkiY\n+3d9DppUXvjNXKRwivSamQ8SDoqQkraTSMvGinRHjQLg50sAk/6tw2RUdh6SJcZp\njOgSCSmWJUTT4xzA+su9n+uAztpgJtJvw+UPWILV99HqMRjsOcmJekm/0lDC5QH0\n+QIDAQABo1MwUTAdBgNVHQ4EFgQUO6oONcUBYJQfWUVMQEiMGdRDIvYwHwYDVR0j\nBBgwFoAUO6oONcUBYJQfWUVMQEiMGdRDIvYwDwYDVR0TAQH/BAUwAwEB/zANBgkq\nhkiG9w0BAQsFAAOCAQEAbWvD8htw4Yxc+98kUHdO1CI9DhGseYrHbZNwodFPxip/\nLMZTluh53ngM1biPnHHNiKG5QoqnGMzHnAbqYETWmLWh2hnVLR35gMfKBFGp236M\nnToiWHjZ56sTNYoinuza+G3qAWbHaziMOl+zY+loghI43y3UYtqT4NYnpRyfDlbJ\nfF5OHVouiQ4YJvZM7NYmRjwNqMvqEjuboSrnRb8X7VZkZbSqVyHLkl8pShR/lXbC\n9E0ITodIfNPQD31Z9ZDccxfB+naL+7rS34VKIQAAXGeIXZO7x/4LsewUIeNcJ3KM\nuwR6xdz/1EnMqLRfcXDMBsxSMp4vdiA+46NSj3U89g==\n-----END CERTIFICATE-----\n\n",
        "loadHost": "10.144.220.101",
        "loadFile": "/opt/couchbase/var/lib/couchbase/inbox/CA/ca2.pem",
        "nodes": []
      }
    ]

    The returned array thus provides information on three trusted CA certificates, which are loaded for the entire cluster. Note that each object in the array has a key-value pair whose key is id, and whose corresponding value is an integer that is the id for the specified certificate. This id can be referenced when certificate-deletion is required: see Delete Root Certificates.

    Output Redaction

    Cluster-private information is redacted from returned objects, when the user is unauthorized. For example, the following call is made without authorization:

    curl -X GET http://172.23.122.104:8091/pools/default/trustedCAs

    Formatted, the output appears as follows:

    [
      {
        "id": 0,
        "subject": "CN=Couchbase Server 47ec9560",
        "notBefore": "2013-01-01T00:00:00.000Z",
        "notAfter": "2049-12-31T23:59:59.000Z",
        "pem": "-----BEGIN CERTIFICATE-----\nMIIDAjCCAeqgAwIBAgIIFueCfyPtHawwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE\nAxMZQ291Y2hiYXNlIFNlcnZlciA0N2VjOTU2MDAeFw0xMzAxMDEwMDAwMDBaFw00\nOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgNDdlYzk1\nNjAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8TBiknmS0nfnheYok\n7NJBSfQ4ZkN8cagM3/7YWyABFcasDiIcqf+d6NRYBjZ+Q0Dxn5DYNI6UJXAx6Zob\nEw72VeCdUKvh0UN3+tYy/xVIrpmgqNvJsTKm7oAEzjKXADvrWUv7FhVnF0+1RV4k\nKKuPK/bvnZ83zUT+GSiLk+3P8mYc2rm4QU9Woagirb6+hWwHkNdsu8V7PACQH4px\njHQZbdO9glKBsWP7GhRFlBnR4ZV+3EpyqRfmxfrO4nd4WY3xjrq19Fe5F09QihMa\ntIe/UEF0WTXL+SlQKDOEGGEus79404QgJcQNX7NrVxAJMMPNBuf0/z0T8evFm5qK\nZuABAgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD\nATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCaF4Zs1OzI+emj\nQu/MyoB7X6qThP5hSqGMClLExWLrKlJ85OC6/qGKvog2CtJRWzsmRFWRLuTH2ZaV\nitiknYzaHEMuCDrvOeTocUfrxfXVVLJXI8lLpExJaIuKGYhF+ZhfLd0jzcTmcSuQ\nEApDZC3r4+r5VcWq7gRcuL9uuKTNFjHj0xEqHxrWI2jkFPFcv9LdF7hPlAyiyDsJ\n25TQTWCTXKMopOAwnVs1BnxyC9+XcsdQsuGmfJ/QiI6NtFUw6pQBV6MLpL4qhQ4u\nzN4Y69wm/aeA/xF9Cq5ntFfMOD4cJeBIIZz8CBQvztCBsoK2+duyu24KFpNhluVE\nC6YKL1Fh\n-----END CERTIFICATE-----\n\n"
      },
      {
        "id": 1,
        "subject": "C=US, ST=New Mexico, L=Albuquerque, O=A1A Car Wash, CN=docker-light-baseimage",
        "notBefore": "2021-01-16T11:42:00.000Z",
        "notAfter": "2026-01-15T11:42:00.000Z",
        "pem": "-----BEGIN CERTIFICATE-----\nMIICrjCCAjWgAwIBAgIUcun3KuyYiVryQCfOcWz7gNP0x/AwCgYIKoZIzj0EAwMw\ngZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgTWV4aWNvMRQwEgYDVQQHEwtB\nbGJ1cXVlcnF1ZTEVMBMGA1UEChMMQTFBIENhciBXYXNoMSQwIgYDVQQLExtJbmZv\ncm1hdGlvbiBUZWNobm9sb2d5IERlcC4xHzAdBgNVBAMTFmRvY2tlci1saWdodC1i\nYXNlaW1hZ2UwHhcNMjEwMTE2MTE0MjAwWhcNMjYwMTE1MTE0MjAwWjCBljELMAkG\nA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBNZXhpY28xFDASBgNVBAcTC0FsYnVxdWVy\ncXVlMRUwEwYDVQQKEwxBMUEgQ2FyIFdhc2gxJDAiBgNVBAsTG0luZm9ybWF0aW9u\nIFRlY2hub2xvZ3kgRGVwLjEfMB0GA1UEAxMWZG9ja2VyLWxpZ2h0LWJhc2VpbWFn\nZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABNa9OyYrVwTPLjvXW2/mhFFMmQAZSFiy\ngo9hXqnwz/NDy0ZuQKsUFzSed6UXNu1eQgMHTSuwWi2TdbgSX8paz+w2QGzm2QWh\nQFkcA96pzTUzjQanDvuqgVUhTWsmI04U2aNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G\nA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNcSeGQ+1u3nsr2BcYY2jVecyBQlMAoG\nCCqGSM49BAMDA2cAMGQCMBHppmoY8E2fv0PIg8lR3Xq4bKNTH7cG3WEbR10NHPeJ\nNHtBrXWsnjAouXKFGS+1vgIwAVP1gZCPOTvChfTF8uOHW7RZ3UnC3xcJlGaOrC7s\nuElSBnLT7DIT3uBSxmIegHNH\n-----END CERTIFICATE-----\n\n"
      }
    ]

    The above output contains only information that can be directly extracted from each certificate.

    By contrast, the call immediately below is made with full authorization:

    curl -X GET http://172.23.122.104:8091/pools/default/trustedCAs -u Administrator:password

    Formatted, the output appears as follows:

    [
      {
        "id": 0,
        "subject": "CN=Couchbase Server 47ec9560",
        "notBefore": "2013-01-01T00:00:00.000Z",
        "notAfter": "2049-12-31T23:59:59.000Z",
        "type": "generated",
        "pem": "-----BEGIN CERTIFICATE-----\nMIIDAjCCAeqgAwIBAgIIFueCfyPtHawwDQYJKoZIhvcNAQELBQAwJDEiMCAGA1UE\nAxMZQ291Y2hiYXNlIFNlcnZlciA0N2VjOTU2MDAeFw0xMzAxMDEwMDAwMDBaFw00\nOTEyMzEyMzU5NTlaMCQxIjAgBgNVBAMTGUNvdWNoYmFzZSBTZXJ2ZXIgNDdlYzk1\nNjAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8TBiknmS0nfnheYok\n7NJBSfQ4ZkN8cagM3/7YWyABFcasDiIcqf+d6NRYBjZ+Q0Dxn5DYNI6UJXAx6Zob\nEw72VeCdUKvh0UN3+tYy/xVIrpmgqNvJsTKm7oAEzjKXADvrWUv7FhVnF0+1RV4k\nKKuPK/bvnZ83zUT+GSiLk+3P8mYc2rm4QU9Woagirb6+hWwHkNdsu8V7PACQH4px\njHQZbdO9glKBsWP7GhRFlBnR4ZV+3EpyqRfmxfrO4nd4WY3xjrq19Fe5F09QihMa\ntIe/UEF0WTXL+SlQKDOEGGEus79404QgJcQNX7NrVxAJMMPNBuf0/z0T8evFm5qK\nZuABAgMBAAGjODA2MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcD\nATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCaF4Zs1OzI+emj\nQu/MyoB7X6qThP5hSqGMClLExWLrKlJ85OC6/qGKvog2CtJRWzsmRFWRLuTH2ZaV\nitiknYzaHEMuCDrvOeTocUfrxfXVVLJXI8lLpExJaIuKGYhF+ZhfLd0jzcTmcSuQ\nEApDZC3r4+r5VcWq7gRcuL9uuKTNFjHj0xEqHxrWI2jkFPFcv9LdF7hPlAyiyDsJ\n25TQTWCTXKMopOAwnVs1BnxyC9+XcsdQsuGmfJ/QiI6NtFUw6pQBV6MLpL4qhQ4u\nzN4Y69wm/aeA/xF9Cq5ntFfMOD4cJeBIIZz8CBQvztCBsoK2+duyu24KFpNhluVE\nC6YKL1Fh\n-----END CERTIFICATE-----\n\n",
        "warnings": [
          {
            "name": "self_signed",
            "message": "Out-of-the-box certificates are self-signed. To further secure your system, you must create new X.509 certificates signed by a trusted CA.",
            "severity": 2,
            "severityName": "minimal"
          }
        ],
        "nodes": [
          "172.23.122.103:8091",
          "172.23.122.104:8091"
        ]
      },
      {
        "id": 1,
        "loadTimestamp": "2022-04-20T05:31:24.000Z",
        "subject": "C=US, ST=New Mexico, L=Albuquerque, O=A1A Car Wash, CN=docker-light-baseimage",
        "notBefore": "2021-01-16T11:42:00.000Z",
        "notAfter": "2026-01-15T11:42:00.000Z",
        "type": "uploaded",
        "pem": "-----BEGIN CERTIFICATE-----\nMIICrjCCAjWgAwIBAgIUcun3KuyYiVryQCfOcWz7gNP0x/AwCgYIKoZIzj0EAwMw\ngZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgTWV4aWNvMRQwEgYDVQQHEwtB\nbGJ1cXVlcnF1ZTEVMBMGA1UEChMMQTFBIENhciBXYXNoMSQwIgYDVQQLExtJbmZv\ncm1hdGlvbiBUZWNobm9sb2d5IERlcC4xHzAdBgNVBAMTFmRvY2tlci1saWdodC1i\nYXNlaW1hZ2UwHhcNMjEwMTE2MTE0MjAwWhcNMjYwMTE1MTE0MjAwWjCBljELMAkG\nA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBNZXhpY28xFDASBgNVBAcTC0FsYnVxdWVy\ncXVlMRUwEwYDVQQKEwxBMUEgQ2FyIFdhc2gxJDAiBgNVBAsTG0luZm9ybWF0aW9u\nIFRlY2hub2xvZ3kgRGVwLjEfMB0GA1UEAxMWZG9ja2VyLWxpZ2h0LWJhc2VpbWFn\nZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABNa9OyYrVwTPLjvXW2/mhFFMmQAZSFiy\ngo9hXqnwz/NDy0ZuQKsUFzSed6UXNu1eQgMHTSuwWi2TdbgSX8paz+w2QGzm2QWh\nQFkcA96pzTUzjQanDvuqgVUhTWsmI04U2aNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G\nA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNcSeGQ+1u3nsr2BcYY2jVecyBQlMAoG\nCCqGSM49BAMDA2cAMGQCMBHppmoY8E2fv0PIg8lR3Xq4bKNTH7cG3WEbR10NHPeJ\nNHtBrXWsnjAouXKFGS+1vgIwAVP1gZCPOTvChfTF8uOHW7RZ3UnC3xcJlGaOrC7s\nuElSBnLT7DIT3uBSxmIegHNH\n-----END CERTIFICATE-----\n\n",
        "loadHost": "172.23.122.104",
        "loadFile": "/opt/couchbase/var/lib/couchbase/inbox/CA/ldap_ca.pem",
        "warnings": [],
        "nodes": []
      }
    ]

    Thus, since the call was fully authorized, its output contains additional, cluster-private information; including loadTimestamp, type, warnings, nodes, loadHost, and loadFile.

    See Also

    An overview of certificate management is provided in Certificates. Steps for certificate creation are provided in Configure Server Certificates and Configure Client Certificates.