All Keylime APIs use REST (Representational State Transfer).
Most API interactions are secured using mTLS connections. By default there are two CAs involved, but the components can be configured to accommodate more complex setups.
(The revocation process also uses a CA, but it is a different CA from those two.)
The server components CA is created by the verifier on startup. It contains the server certificates and keys used by the verifier and registrar for their respective HTTPS interfaces, and the client certificates and keys the tenant uses to connect to the registrar, verifier and agent. The verifier also uses that client certificate to authenticate itself to the agent.
The agent runs an HTTPS server and provides its certificate to the registrar (mtls_cert).
The server components CA certificate is also required on the agent to authenticate connections from the tenant and verifier. By default /var/lib/keylime/cv_ca/cacert.crt is used.
The Keylime API is versioned. More information can be found in the API versioning enhancement: https://github.com/keylime/enhancements/blob/master/45_api_versioning.md
Warning: API version 1.0 will no longer be officially supported starting with Keylime 6.4.0.
Changes between the different API versions:
API version 2.1 was first implemented in Keylime 6.4.0.
- Added ak_tpm field to POST /v2.1/agents/{agent_id:UUID} in cloud verifier.
- Added mtls_cert field to POST /v2.1/agents/{agent_id:UUID} in cloud verifier.
- Removed vmask parameter from
This removed the requirement for the verifier to connect to the registrar.
API version 2.0 was first implemented in Keylime 6.3.0.
- Added mTLS authentication to agent endpoints.
- Added supported_version field to POST /v2.0/agents/{agent_id:UUID} in cloud verifier.
- Added mtls_cert field to POST/GET /v2.0/agents/{agent_id:UUID} in registrar.
- Added /version endpoint to agent. Note that this endpoint is not implemented by all agents.
- Dropped zlib encryption for quote field data in GET /v2.0/quotes/integrity and GET /v2.0/quotes/identity.
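The two things a tenant-side client has to get right, based on the mTLS section and the version changelog above, are (1) building a TLS context that both verifies the peer against the server components CA and presents the tenant's client certificate, and (2) choosing an API version the agent actually speaks, including the cases where the agent has no /version endpoint or only offers the dropped 1.0. The following is an added example written for this page, not Keylime's own code. The CA path is the page's default; the client certificate and key file names, the fallback to 2.0 for agents without /version, and the response shape `{"results": {"supported_versions": [...]}}` are assumptions and are marked as such in the code.

```python
"""Tenant-side helpers for Keylime mTLS connections and API version selection.
Added example for the documentation page; not part of Keylime itself."""
import json
import ssl
import urllib.error
import urllib.request
import uuid

# CA bundle path is the page's documented default. The client certificate and
# key file names below are ASSUMED names inside the cv_ca directory.
DEFAULT_CACERT = "/var/lib/keylime/cv_ca/cacert.crt"
DEFAULT_CLIENT_CERT = "/var/lib/keylime/cv_ca/client-cert.crt"    # assumed
DEFAULT_CLIENT_KEY = "/var/lib/keylime/cv_ca/client-private.pem"  # assumed

# API versions this client implements, oldest first.
TENANT_SUPPORTED = ("2.0", "2.1")
# 1.0 is no longer supported starting with Keylime 6.4.0.
DROPPED_VERSIONS = frozenset({"1.0"})
# ASSUMPTION: an agent that does not implement /version is treated as 2.0,
# the version in which the endpoint was introduced but not yet universal.
FALLBACK_VERSION = "2.0"


def parse_version(v: str) -> tuple:
    """'2.1' -> (2, 1). Compare numerically: '2.10' must sort after '2.9'."""
    major, minor = v.split(".")
    return (int(major), int(minor))


def pick_api_version(agent_versions, tenant_versions=TENANT_SUPPORTED) -> str:
    """Return the newest version both sides support.

    agent_versions: list from the agent's /version endpoint, or None when the
    agent does not implement that endpoint. Dropped versions are never chosen
    even if both sides list them, so a mismatch fails loudly instead of
    silently downgrading to 1.0."""
    candidates = {FALLBACK_VERSION} if agent_versions is None else set(agent_versions)
    common = [v for v in tenant_versions
              if v in candidates and v not in DROPPED_VERSIONS]
    if not common:
        raise ValueError(
            f"no mutually supported API version (agent={agent_versions}, "
            f"tenant={list(tenant_versions)})")
    return max(common, key=parse_version)


def agent_path(version: str, agent_id: str) -> str:
    """Build the versioned /agents/{agent_id} path; the id must parse as a UUID
    (the documented route is /v2.1/agents/{agent_id:UUID})."""
    parsed = uuid.UUID(agent_id)  # ValueError on anything that is not a UUID
    return f"/v{version}/agents/{parsed}"


def build_mtls_context(cacert=DEFAULT_CACERT, client_cert=DEFAULT_CLIENT_CERT,
                       client_key=DEFAULT_CLIENT_KEY) -> ssl.SSLContext:
    """Client context for talking to the verifier, registrar or agent:
    the peer must present a certificate chaining to the server components CA,
    and we present the tenant client certificate so the peer can authenticate us."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cacert)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def fetch_agent_versions(host: str, port: int, ctx: ssl.SSLContext):
    """GET /version from an agent over mTLS. Returns the supported_versions
    list, or None when the agent answers 404 (endpoint not implemented).
    ASSUMPTION: the body looks like {"results": {"supported_versions": [...]}}."""
    url = f"https://{host}:{port}/version"
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
    return body["results"]["supported_versions"]


if __name__ == "__main__":
    # Offline demonstration of the negotiation logic only (no network access).
    print(pick_api_version(["2.0", "2.1"]))   # agent with /version -> 2.1
    print(pick_api_version(None))             # no /version endpoint -> 2.0
    print(agent_path("2.1", str(uuid.uuid4())))
```

In use, `build_mtls_context()` is passed to `fetch_agent_versions()`, and the result of `pick_api_version()` decides which `/vX.Y/...` prefix every later request gets; a tenant that keeps a hard-coded `/v1.0/` prefix will simply stop working against 6.4.0 components, which is why the dropped set is checked explicitly rather than left to the server to reject.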