TLS Certificate Management

API Reference
Postman Collection

Getting Started

About the API

The TLS Certificate Management API allows authorised participants to self-manage their AEMO-signed TLS certificates. Some AEMO systems require TLS certificates to secure the communication between participants’ and AEMO systems. AEMO has implemented Mutual TLS (MTLS) which requires the participant to use a valid TLS certificate to connect to AEMO’s network for communicating with MTLS-authenticated systems.

MTLS-authentication is used to protect some AEMO APIs. For a successful MTLS connection to be established with the API, you will need:

  • The AEMO certificate authority (server, root and CA certificates) must be trusted by your systems (e.g. added to your trusted certificate authority stores and/or security policies) to trust communication from AEMO. See AEMO Hub and signing certificate downloads to download these certificates.

  • A valid AEMO-signed TLS certificate to establish a TLS connection with the AEMO system, which this API allows you to manage these TLS certificates.

This API provides the following features:

  • Retrieve a list of your AEMO-signed TLS certificates and orders

  • Download a specific TLS certificate

  • Generate a new TLS certificate

  • Reissue a TLS certificate

  • Renew a soon-to-expire TLS certificate

  • Revoke a TLS certificate

Getting Access

To use the TLS Certificate Management API you must:

  • Be a Registered Participant with a Participant ID.

  • Have a valid AEMO-signed TLS certificate.

  • Have an MSATS user ID with the required Participant User Rights Management (URM) entity granted to it.

TLS Certificates

This API is protected by MTLS authentication. A valid AEMO-signed TLS certificate is required to access this API. See the Guide to TLS Certificate Management on how to get an AEMO-signed TLS certificate for the first time.

User rights access

Participant administrators provide access to the TLS Certificate Management API using the TLS_CERTIFICATE_MANAGEMENT entity. See the User Rights Management guide (URM) for details on managing URM functions.

Users must be assigned rights that have access to the entity TLS_CERTIFICATE_MANAGEMENT. The API allows two privileges (access levels) of access rights for that entity:

  • Delete right - all endpoints are available to users with the Delete right.

  • Read right - all GET endpoints are available to users under this right. Users with this right cannot create, revoke, reissue or renew TLS certificates. Rights created with Create and Update only have access to Read right features.

When calling this API, your username must be subscribed to a valid right under the TLS_CERTIFICATE_MANAGEMENT entity. You authorize your identity using Base64 encoding of your username and password, separated by a colon, in the Basic Auth header. For example:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

During formal onboarding, you will first be given access to Pre-Production and must complete your development/testing there prior to getting access to Production.

External Docs

Below are a list of external links for additional context to the API or Program:

API Details

Authentication Methods

This API is using the following Security Policies:

Note: The TLS certificates used to access Pre-Production are different from those used to access Production.

Base URLs

Below are the base URLs used for this API:


Base URL

Data Type


Test-Data (snapshot of production)


Live Data


Paths, Headers, Request Body and Responses can be found in the API Reference (OpenAPI Spec).