Certificate

Defines a TLS certificate and its associated private key.

This object can be configured from the WebUI under Settings › TLS › Certificates

Fields

certificate

Type: PublicText · required

TLS certificate in PEM format

privateKey

Type: SecretText · required

Private key in PEM format

subjectAlternativeNames

Type: String[] · server-set

Subject Alternative Names (SAN) for the certificate

notValidAfter

Type: UTCDateTime · server-set

Expiration date of the certificate

notValidBefore

Type: UTCDateTime · server-set

Issuance date of the certificate

issuer

Type: String · server-set

Certificate issuer

JMAP API

The Certificate object is available via the urn:stalwart:jmap capability.

x:Certificate/get

This is a standard Foo/get method as defined in RFC 8620, Section 5.1.

This method requires the sysCertificateGet permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:Certificate/get",
          {
            "ids": [
              "id1"
            ]
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

x:Certificate/set

This is a standard Foo/set method as defined in RFC 8620, Section 5.3.

Supports create, update, and destroy operations in a single call.

Create

This operation requires the sysCertificateCreate permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:Certificate/set",
          {
            "create": {
              "new1": {
                "certificate": {
                  "@type": "Text",
                  "value": "Example"
                },
                "privateKey": {
                  "@type": "Text",
                  "secret": "Example"
                }
              }
            }
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

Update

This operation requires the sysCertificateUpdate permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:Certificate/set",
          {
            "update": {
              "id1": {
                "certificate": {
                  "@type": "Text",
                  "value": "Example"
                }
              }
            }
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

Destroy

This operation requires the sysCertificateDestroy permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:Certificate/set",
          {
            "destroy": [
              "id1"
            ]
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

x:Certificate/query

This is a standard Foo/query method as defined in RFC 8620, Section 5.5.

This method requires the sysCertificateQuery permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:Certificate/query",
          {
            "filter": {
              "text": "example"
            }
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

The x:Certificate/query filter argument accepts the following conditions (combinable with AnyOf / AllOf / Not per RFC 8620):

Condition	Kind
text	text

CLI

stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.

Fetch

stalwart-cli get certificate id1

Create

stalwart-cli create certificate \
  --field 'certificate={"@type":"Text","value":"Example"}' \
  --field 'privateKey={"@type":"Text","secret":"Example"}'

Query

stalwart-cli query certificate
stalwart-cli query certificate --where text=example

Update

stalwart-cli update certificate id1 --field description='Updated'

Delete

stalwart-cli delete certificate --ids id1

Nested types

PublicText

A text value provided directly, from an environment variable, or from a file.

• Text: Text value. Carries the fields of PublicTextValue.
• EnvironmentVariable: Text value read from environment variable. Carries the fields of SecretKeyEnvironmentVariable.
• File: Text value read from file. Carries the fields of SecretKeyFile.

PublicTextValue

A text value provided directly.

value

Type: Text · required

Text value

SecretKeyEnvironmentVariable

A secret value read from an environment variable.

variableName

Type: String · required

Environment variable name to read the secret from

SecretKeyFile

A secret value read from a file.

filePath

Type: String · required

File path to read the secret from

SecretText

A secret text value provided directly, from an environment variable, or from a file.

• Text: Secret value. Carries the fields of SecretTextValue.
• EnvironmentVariable: Secret read from environment variable. Carries the fields of SecretKeyEnvironmentVariable.
• File: Secret read from file. Carries the fields of SecretKeyFile.

SecretTextValue

A secret text value provided directly.

secret

Type: Text · required · secret

Password or secret value