API Clients

API clients enable programmatic interaction with MTG-CLM, allowing organizations to automate certificate processes and integrate certificate lifecycle management into existing workflows. By connecting through the API, organizations can extend MTG-CLM’s capabilities to other applications and services.

Purpose and Function

API clients perform certificate management actions programmatically, including:

  • Creating end entities

  • Issuing certificates

  • Revoking certificates

  • Managing certificate requests

They operate using client credentials rather than user credentials, facilitating system-to-system integration without human intervention.

API Client Creation Fields

When creating a new API client, you’ll need to provide:

API Client Name (required)

A descriptive identifier for the client that reflects its purpose or the system it represents.

Realm (required)

The security domain(s) in which this client will operate.

Default Policy (optional)

The certificate policy to apply when requests from this client don’t specify a policy.

These fields establish the client’s identity, operational boundaries, and default behavior for certificate operations.

Business Value

  • Reduce operational overhead by automating repetitive certificate tasks.

  • Minimize certificate-related outages through consistent, programmatic management.

  • Accelerate deployment processes by removing manual certificate handling steps.

  • Enforce compliance by ensuring all certificates follow organizational policies.

  • Improve security posture through consistent certificate management practices.

Common Implementation Scenarios

Infrastructure Automation

Integrate with configuration management and deployment tools to automatically provision certificates during server deployment or updates.

Application Integration

Enable applications to request, renew, and manage their own certificates without manual intervention, reducing dependencies on certificate administrators.

Certificate Monitoring

Connect monitoring systems to proactively identify and address certificate issues before they impact services.

Technical Foundation

API clients in MTG-CLM are built on Keycloak’s client architecture, providing:

  • OAuth 2.0 token-based authentication

  • Granular access control through realm assignment

  • Secure client credential management
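
The token-based authentication listed above, sketched as an added example (not code from MTG-CLM or its documentation): it builds an OAuth 2.0 client-credentials token request for Keycloak's standard token endpoint and validates the response before a bearer header is used. It assumes the client authenticates with HTTP Basic; the host, Keycloak realm name, client ID, secret and sample responses are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request

EXPIRY_SKEW = 30  # seconds; ask for a new token slightly before real expiry


def build_token_request(base_url, keycloak_realm, client_id, client_secret):
    """Build (without sending) a client-credentials token request."""
    if not base_url.startswith("https://"):
        raise ValueError("client secret must only travel over https")
    if ":" in client_id:
        raise ValueError("client_id must not contain ':' for HTTP Basic")
    url = "{}/realms/{}/protocol/openid-connect/token".format(
        base_url.rstrip("/"), urllib.parse.quote(keycloak_realm, safe=""))
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })


def parse_token_response(raw, now):
    """Validate the JSON token response; return token plus absolute expiry."""
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"]) - EXPIRY_SKEW}


def bearer_header(token, now):
    """Return the Authorization header, or None when a new token is needed."""
    if token is None or now >= token["expires_at"]:
        return None
    return {"Authorization": "Bearer " + token["access_token"]}


# Constructed sample values, not real endpoints, credentials or responses.
SAMPLE_REQ = build_token_request("https://keycloak.example.test", "example-realm",
                                 "ci-deployer", "constructed-secret")
SAMPLE_OK = b'{"access_token":"constructed.jwt.value","expires_in":300,"token_type":"Bearer"}'
SAMPLE_ERR = b'{"error":"unauthorized_client","error_description":"Invalid client credentials"}'
```

Sending the request is a single `urllib.request.urlopen(SAMPLE_REQ)` call against a real deployment; the secret itself belongs in a secrets manager or environment variable rather than in source.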

Realm Association

API clients require realm assignment to perform actions. This association:

  • Defines the scope of the client’s authority

  • Enforces separation between different business domains

  • Aligns with organizational security boundaries

Management Operations

API clients can be created and managed through MTG-CLM’s administration interface or directly in Keycloak. Essential management tasks include:

  • Creating clients with appropriate realm access

  • Managing client credentials

  • Assigning default certificate policies

  • Updating realm associations as business needs change
