
API Clients

API clients enable programmatic interaction with MTG CLM, allowing organizations to automate certificate processes and integrate certificate lifecycle management into existing workflows. By connecting through the API, organizations can extend MTG CLM’s capabilities to other applications and services.

Purpose and Function

API clients perform certificate management actions programmatically, including:

  • Creating end entities

  • Issuing certificates

  • Revoking certificates

  • Managing certificate requests

They operate using client credentials rather than user credentials, facilitating system-to-system integration without human intervention.

API Client Creation Fields

When creating a new API client, you’ll need to provide:

API Client Name

A descriptive identifier for the client that reflects its purpose or the system it represents.

This field is mandatory.

Realm

The security domain(s) in which this client will operate.

This field is mandatory.

Default Policy

The certificate policy to apply when requests from this client don’t specify a policy.

These fields establish the client’s identity, operational boundaries and default behavior for certificate operations.

Business Value

  • Reduce operational overhead by automating repetitive certificate tasks.

  • Minimize certificate-related outages through consistent, programmatic management.

  • Accelerate deployment processes by removing manual certificate handling steps.

  • Enforce compliance by ensuring all certificates follow organizational policies.

  • Improve security posture through consistent certificate management practices.

Multi-Realm Roles and Policy Assignment

API clients are created within a realm and receive the realm’s default role. However, additional roles from other realms can be assigned to an API client if needed.

When assigning roles:

  • An API client can only set a default policy from a realm that already has policies defined.

  • If a client has roles in multiple realms, it can choose a default policy from any realm where policies are available.

This mechanism ensures that API clients operate within clearly defined boundaries by default, but can be extended for cross-realm scenarios when required. Multi-realm access always requires explicit role assignment.

Common Implementation Scenarios

Infrastructure Automation

Integrate with configuration management and deployment tools to automatically provision certificates during server deployment or updates.

Application Integration

Enable applications to request, renew and manage their own certificates without manual intervention, reducing dependencies on certificate administrators.

Certificate Monitoring

Connect monitoring systems to proactively identify and address certificate issues before they impact services.

Technical Foundation

API clients in MTG CLM are built on Keycloak’s client architecture, providing:

  • OAuth 2.0 token-based authentication

  • Granular access control through realm assignment

  • Secure client credential management
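As an added example (not MTG's or Keycloak's own code), the sketch below builds the OAuth 2.0 client-credentials token request for Keycloak's standard token endpoint and audits an access token for roles beyond those explicitly assigned, the boundary described under Multi-Realm Roles and Policy Assignment. The host, realm name, client ID, role names, lifetime limit and sample token are constructed assumptions, as is the mapping of an MTG CLM realm to a Keycloak realm of the same name.

```python
import base64
import json
import time
from urllib.parse import urlencode

def token_request(base_url, realm, client_id, client_secret):
    """Return (url, headers, body) for a client-credentials grant.
    The secret travels in the Authorization header, never in the URL."""
    # Older Keycloak deployments prefix this path with /auth (include it in base_url).
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode({"grant_type": "client_credentials"})

def decode_claims(token):
    """Decode the JWT payload for inspection only; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(claims, client_id, allowed_roles, now=None, max_lifetime=900):
    """Return a list of findings; an empty list means the token matches expectations.
    max_lifetime (seconds) is an assumed local limit, not an MTG CLM setting."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("azp") != client_id:
        findings.append("azp does not match the expected client")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired or has no exp claim")
    elif claims["exp"] - claims.get("iat", now) > max_lifetime:
        findings.append("token lifetime exceeds the allowed maximum")
    granted = claims.get("realm_access", {}).get("roles", [])
    extra = set(granted) - set(allowed_roles)
    if extra:
        findings.append("unexpected roles: " + ", ".join(sorted(extra)))
    return findings

def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

# Constructed sample: a client that was given one role more than intended.
SAMPLE_CLAIMS = {"iss": "https://kc.example.test/realms/clm", "azp": "deploy-bot",
                 "iat": 1700000000, "exp": 1700000300,
                 "realm_access": {"roles": ["default-role", "other-realm-admin"]}}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(token_request("https://kc.example.test", "clm", "deploy-bot", "s3cret")[0])
    print(audit_token(decode_claims(SAMPLE_TOKEN), "deploy-bot", {"default-role"}, now=1700000100))
```

A service that accepts the token must still validate its signature against the realm's published keys; the decoding here only supports review of what a client has been granted.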

Management Operations

API clients can be created and managed through MTG CLM’s administration interface or directly in Keycloak. Essential management tasks include:

  • Creating clients with appropriate realm access

  • Managing client credentials

  • Assigning default certificate policies

  • Updating realm associations as business needs change
