Download a certificate

For operators who need to export a cert manually — emergency deployments, debugging, audit snapshots. Downloads go through single-use tokens with short expiry, so a copied URL can't be reused. Every download emits a cert.downloaded event with the actor and the selected format.

01 Supported formats

Format          Contents                                 Typical use
cert.pem        Leaf certificate (PEM)                   nginx ssl_certificate when the chain is served separately.
chain.pem       Intermediate(s) only                     Servers that want cert + chain in separate files.
fullchain.pem   Leaf + intermediates                     Most nginx / Apache configs (ssl_certificate).
key.pem         Private key (PKCS#8 PEM)                 Web server config.
bundle.pkcs12   Leaf + key + chain, passphrase-wrapped   Java keystores, Windows certificate import.
bundle.zip      All of the above                         One-click snapshot for manual handoff.

02 Steps

  1. Open the certificate detail page.
  2. Click Download (top-right actions). A modal opens.
  3. Pick the format. For PKCS#12, provide a passphrase — the bundle will be encrypted with it.
  4. Click Generate download link. The backend issues a single-use token valid for 5 minutes.
  5. Click the link (or copy it). The download streams directly from the API.

Download tokens are single-use

Once the token is consumed, it is invalidated. A re-download needs a fresh token. The token is also TTL-bounded (5 min by default) so a leaked URL stops working quickly.

03 Permissions

  • Operator role or higher is required to download.
  • Downloading the private key (key.pem, bundle.pkcs12, bundle.zip) is controlled by a separate policy toggle — Settings → Certificate Policy → Allow key export. When off, only the public parts (cert / chain / fullchain) are available.
  • If the certificate policy requires approval for downloads, a download_key approval request is created — see Approval workflow.

04 Audit trail

Every download writes:

  • An audit_logs entry: actor (user or API key), format, IP address, timestamp.
  • A cert.downloaded event on the certificate timeline.
  • A token-consumption record in the download_tokens collection (retained 30 days for forensics).
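The rules in the Steps, Permissions and Audit trail sections above, written out as a small reference model (added illustration, not the product's backend code): tokens are single-use and expire after 5 minutes, private-key formats are refused when key export is off, the Operator role is required, and every consumed token leaves a download_tokens record and a cert.downloaded audit entry. Class and field names, the role ranking and the injectable clock are assumptions.

```python
"""Reference model of the download-token rules on this page. Hypothetical
code: class, field and role names are assumptions, not the product's API."""
import secrets
import time

PUBLIC_FORMATS = {"cert", "chain", "fullchain"}
KEY_FORMATS = {"key", "pkcs12", "zip"}          # these carry the private key
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}   # assumed role ladder
TOKEN_TTL = 5 * 60                              # seconds; page default is 5 min
RETENTION = 30 * 24 * 3600                      # consumption records kept 30 days


class DownloadService:
    def __init__(self, allow_key_export: bool, now=time.time):
        self.allow_key_export = allow_key_export   # the "Allow key export" toggle
        self.now = now                             # injectable clock for testing
        self.tokens = {}        # live tokens: token -> issue record
        self.consumed = {}      # download_tokens: token -> consumption record
        self.audit_logs = []    # audit_logs entries

    def mint(self, actor, role, cert_id, fmt):
        """Issue a single-use token or refuse with the reason the UI would show."""
        if ROLE_RANK.get(role, -1) < ROLE_RANK["operator"]:
            raise PermissionError("403 operator role required")
        if fmt not in PUBLIC_FORMATS | KEY_FORMATS:
            raise ValueError("unknown format")
        if fmt in KEY_FORMATS and not self.allow_key_export:
            raise PermissionError("403 key export disabled")
        token = secrets.token_urlsafe(32)          # unguessable, CSPRNG-backed
        self.tokens[token] = {"actor": actor, "cert_id": cert_id, "format": fmt,
                              "expires_at": self.now() + TOKEN_TTL}
        return token

    def fetch(self, token, ip):
        """Consume a token exactly once; a replayed or expired URL is rejected."""
        entry = self.tokens.pop(token, None)       # pop: a second call never sees it
        if entry is None:
            raise PermissionError("token invalid or already used")
        ts = self.now()
        if ts > entry["expires_at"]:
            raise PermissionError("token expired")
        self.consumed[token] = {**entry, "consumed_at": ts,
                                "purge_after": ts + RETENTION}
        self.audit_logs.append({"event": "cert.downloaded", "actor": entry["actor"],
                                "format": entry["format"], "ip": ip, "ts": ts})
        return entry["cert_id"], entry["format"]
```

A replayed token fails at the `pop`, so the audit trail only ever shows one download per token; the rejected attempt is a good candidate for a separate alert.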

05 API access

The same flow is available via API:

# 1. Mint a token (the body is JSON, so send the matching Content-Type)
curl -X POST -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  https://cap.example.com/api/v1/projects/$PID/certificates/$CID/downloads \
  -d '{"format":"fullchain","passphrase":""}'
# → {"token":"...", "expires_at":"..."}

# 2. Fetch (single use; the token is invalidated after this request)
curl https://cap.example.com/api/v1/downloads/$TOKEN -o fullchain.pem

See API reference for full schema.

06 Troubleshooting

"403 key export disabled"

The project's certificate policy forbids private-key export. An admin can flip the policy toggle, or the operator can request approval if the workflow is configured.

"token expired"

Tokens live 5 minutes. Generate a fresh one.

PKCS#12 bundle won't import on Windows

Older Windows versions only accept 3DES-encrypted PKCS#12 bundles and reject the default AES-256 encryption. Use Advanced options → Legacy encryption on the download modal.