Client Usage
Clients fetch their certificates and keys from LeGo via API GET calls. This page outlines the various nodes, their functions, and parameters. The 'Legacy API' option allows specifying the apiKey in the URL itself. This is generally discouraged and disabled by default as it can lead to accidental leaking of the API key. You should only use this feature if the client fetching the data does not support specifying the API key in the header.
I've written various scripts for my home lab to fetch keys and certificates available here. Since these are from a lab environment, they don't have complex (if any) error checking and handling. You should customize them to suit your needs.
Additionally, the LeGo GUI is itself a client of the API, so if you wanted to, you could write your own GUI. This page only documents the nodes relevant to key and cert fetching. For a list of all nodes, refer to the backend source /pkg/domain/app/routes.go.
Get Private Key
GET /legocerthub/api/v1/download/privatekeys/:name/*apiKey
The node to retrieve the PEM content of a private key. :name is the name of the private key as specified in the 'name' field. *apiKey should be blank unless the Legacy API is required and enabled for the specific key.
The key's API key should be specified in a header named 'X-API-Key' or 'apikey'.
Example
GET lego.example.com/legocerthub/api/v1/download/privatekeys/SomeKeyINeed
(Header) X-API-Key: 1234567890abcdefghijk
Legacy Example
GET lego.example.com/legocerthub/api/v1/download/privatekeys/SomeKeyINeed/1234567890abcdefghijk
Get Certificate
GET /legocerthub/api/v1/download/certificates/:name/*apiKey
The node to retrieve the PEM content of a certificate. :name is the name of the certificate as specified in the 'name' field. *apiKey should be blank unless the Legacy API is required and enabled for the specific certificate.
The specific PEM content served is based on the most recent valid order for the specified certificate name. LeGo determines this automatically, so the path stays static while the content served from it is updated as orders are refreshed.
The certificate's API key should be specified in a header named 'X-API-Key' or 'apikey'.
Example
GET lego.example.com/legocerthub/api/v1/download/certificates/SomeCertificateINeed
(Header) X-API-Key: 1234567890abcdefghijk
Legacy Example
GET lego.example.com/legocerthub/api/v1/download/certificates/SomeCertificateINeed/1234567890abcdefghijk
The final two nodes are far less likely to be needed, but certain clients prefer files this way, so I created them.
Get Combined Key & Certificate
GET /legocerthub/api/v1/download/privatecerts/:name/*apiKey
The node to retrieve a single file with the combined PEM content of a key and certificate. :name is the name of the certificate as specified in the 'name' field. The name of the key is determined from the key that was used to finalize the certificate's order. *apiKey should be blank unless the Legacy API is required and enabled for the specific certificate.
The specific PEM content served is based on the most recent valid order for the specified certificate name. LeGo determines this automatically, so the path stays static while the content served from it is updated as orders are refreshed.
The API key for this node is the certificate's API key followed by the key's API key, separated by a period. The API key should be specified in a header named 'X-API-Key' or 'apikey'.
Example
GET lego.example.com/legocerthub/api/v1/download/privatecerts/SomeCertificateINeed
(Header) X-API-Key: certAPIkey123abc.keyAPIkey567def
Legacy Example
GET lego.example.com/legocerthub/api/v1/download/privatecerts/SomeCertificateINeed/certAPIkey123abc.keyAPIkey567def
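A client for this node, as an added example (not LeGo's own code and not one of the author's scripts): it sends the concatenated API key in the X-API-Key header rather than in the URL, splits the combined PEM by block label instead of by position, and writes the result owner-readable only. The https scheme, the function names, the expectation of exactly one private key in the response, and the constructed SAMPLE are assumptions made for illustration.

```python
import os
import re
import tempfile
import urllib.request

# Host and path come from the page's examples; the https scheme is an assumption.
BASE = "https://lego.example.com/legocerthub/api/v1/download"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
SAMPLE = (  # constructed sample response; placeholder bodies, not real key material
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN EC PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END EC PRIVATE KEY-----\n"
)

def build_request(node, name, api_key):
    """Build the GET with the API key in the X-API-Key header, never in the URL."""
    if "/" in name:
        raise ValueError("name must be a single path segment")
    req = urllib.request.Request(f"{BASE}/{node}/{name}", method="GET")
    req.add_header("X-API-Key", api_key)  # urllib stores the name as 'X-api-key'
    return req

def split_pem(text):
    """Return (private_keys, certificates), classifying blocks by label, not order."""
    keys, certs = [], []
    for m in PEM_BLOCK.finditer(text):
        if m.group(1).endswith("PRIVATE KEY"):
            keys.append(m.group(0) + "\n")
        elif m.group(1) == "CERTIFICATE":
            certs.append(m.group(0) + "\n")
    if len(keys) != 1 or not certs:
        raise ValueError("expected exactly one private key and at least one certificate")
    return keys, certs

def write_secret(path, data):
    """Write atomically; mkstemp creates the temp file with owner-only permissions."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.replace(tmp, path)  # readers never see a half-written key
    except BaseException:
        os.unlink(tmp)
        raise

def fetch_combined(name, cert_api_key, key_api_key, timeout=10):
    """Network call: the combined key is '<cert API key>.<key API key>' per the page."""
    req = build_request("privatecerts", name, f"{cert_api_key}.{key_api_key}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return split_pem(resp.read().decode("ascii"))
```

`build_request` also works for the privatekeys, certificates and certrootchains nodes with that object's single API key; `split_pem(SAMPLE)` exercises the parser without a server.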
Get Certificate Root Chain
GET /legocerthub/api/v1/download/certrootchains/:name/*apiKey
The node to retrieve the PEM content of a certificate's root chain. This node strips and does not return the certificate itself. :name is the name of the certificate as specified in the 'name' field. *apiKey should be blank unless the Legacy API is required and enabled for the specific certificate.
The specific PEM content served is based on the most recent valid order for the specified certificate name. LeGo determines this automatically, so the path stays static while the content served from it is updated as orders are refreshed.
The certificate's API key should be specified in a header named 'X-API-Key' or 'apikey'.
Example
GET lego.example.com/legocerthub/api/v1/download/certrootchains/SomeCertificateINeed
(Header) X-API-Key: 1234567890abcdefghijk
Legacy Example
GET lego.example.com/legocerthub/api/v1/download/certrootchains/SomeCertificateINeed/1234567890abcdefghijk