TLS Certificate Management

API Reference
Postman Collection

About the API

The TLS Certificate Management API allows participants to self-manage their AEMO-signed TLS certificates. TLS certificates are required to securely connect to AEMO systems.

Mutual TLS (mTLS) authentication protects some AEMO APIs. To establish an mTLS connection with the API:

  • Your systems must trust the AEMO certificate authority (server, root and CA certificates), for example by adding the certificates to your trusted certificate authority stores and security policies. To download these certificates, see AEMO Hub Signing Certificates.

  • You must have a valid AEMO-signed TLS certificate to establish a TLS connection with the AEMO system.

You can use the TLS Certificate Management API to:

  • Retrieve a list of your AEMO-signed TLS certificates and orders.

  • Download a TLS certificate.

  • Generate a new TLS certificate.

  • Reissue a TLS certificate.

  • Renew an expiring TLS certificate.

  • Revoke a TLS certificate.

Separate TLS certificates are required for accessing the pre-production and production environments.

Related resources

For additional information, see:

Prerequisites

Before using the TLS Certificate Management API, you must:

  • Be a Registered Participant with a Participant ID.

  • Have an MSATS user ID with the required Participant User Rights Management (URM) entity granted to it.

During the formal onboarding process, you are first given access to pre-production and must complete your development and testing there before getting access to production.

User rights access

Participant administrators provide access to the TLS Certificate Management API using the TLS_CERTIFICATE_MANAGEMENT entity.

Users must be assigned rights that have access to the entity TLS_CERTIFICATE_MANAGEMENT. The API has 2 access right levels for the entity:

  • Delete right - all endpoints are available to users with the Delete right.

  • Read right - all GET endpoints are available to users under this right. Users with this right cannot create, revoke, reissue or renew TLS certificates. Rights created with Create and Update only have access to Read right features.

When calling this API, your username must be subscribed to a valid right under the TLS_CERTIFICATE_MANAGEMENT entity.

Authorization

API requests are authorized by Basic HTTP authentication (Basic Auth) using a Base64-encoded username and password. The credentials are assigned by your company’s participant administrator.

In an API request, include the Base64-encoded string in an HTTPS Authorization header. For more information, see Authorisation in the API Reference.

Base URLs

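| Environment    | Base URL                                                      | Data Type                          |
|----------------|---------------------------------------------------------------|------------------------------------|
| Pre-production | https://partner.api.preprod.aemo.com.au/v1/TlsCertificateMgmt | Test data (snapshot of production) |
| Production     | https://partner.api.aemo.com.au/v1/TlsCertificateMgmt         | Live data                          |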
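
The following Python is an added example, not AEMO's code: it prepares the URL, Basic Authorization header and mTLS context described in the sections above, without sending a request. The names `ClientProfile`, `basic_auth_header`, `build_tls_context` and `prepare_request` and the certificate file settings are hypothetical, and the `username:password` layout is the standard Basic scheme rather than something this page spells out.

```python
import base64
import ssl
from dataclasses import dataclass
from typing import Optional

# Base URLs copied from the table on this page.
BASE_URLS = {
    "preprod": "https://partner.api.preprod.aemo.com.au/v1/TlsCertificateMgmt",
    "prod": "https://partner.api.aemo.com.au/v1/TlsCertificateMgmt",
}

@dataclass(frozen=True)
class ClientProfile:
    """Hypothetical settings holder; keep one profile per environment."""
    environment: str                   # "preprod" or "prod"
    username: str
    password: str
    ca_bundle: Optional[str] = None    # PEM file with the AEMO root/CA certificates
    client_cert: Optional[str] = None  # PEM file with your AEMO-signed certificate
    client_key: Optional[str] = None   # PEM file with the matching private key

def basic_auth_header(username: str, password: str) -> dict:
    """Basic scheme: base64("username:password"). Encoding, not encryption."""
    if ":" in username:
        raise ValueError("a Basic auth username cannot contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii")}

def build_tls_context(profile: ClientProfile) -> ssl.SSLContext:
    """Verify the server against trusted CAs and present the client certificate."""
    # The default context keeps certificate and hostname verification enabled.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if profile.ca_bundle:
        ctx.load_verify_locations(cafile=profile.ca_bundle)
    if profile.client_cert:
        ctx.load_cert_chain(profile.client_cert, profile.client_key)
    return ctx

def prepare_request(profile: ClientProfile, path: str = ""):
    """Return (url, headers, tls_context) for the profile's environment."""
    if profile.environment not in BASE_URLS:
        raise ValueError(f"unknown environment: {profile.environment!r}")
    url = BASE_URLS[profile.environment] + path
    headers = basic_auth_header(profile.username, profile.password)
    return url, headers, build_tls_context(profile)
```

Because the Base64 string is only an encoding of the credentials, the header should be sent only over the verified TLS connection, and the pre-production and production profiles should each point at their own certificate and key.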

Endpoint details

For endpoint details, see the API Reference.