apnf-man-platform-openapi-gco.yaml

openapi: 3.0.3
info:
  title: APNF MAN Platform - GCO API Reference
  version: 1.7.0
  license:
    name: CC-BY-SA-4.0
    url: https://creativecommons.org/licenses/by-sa/4.0/legalcode
  description: |
    # Introduction

    Welcome to the APNF MAN platform GCO (*Gestionnaire des Certificats Opérateurs*) API reference.
    The APIs listed in this reference provide functionalities for service providers to create and
    manage the STI certificates to be used for signing their SIP telephone calls per the STIR SHAKEN
    protocol, along with functionalities to manage access to the MAN platform.

    Each provider registered with the APNF may request an access to the MAN platform and therefore these APIs.

    Note that these APIs are a subset of APIs published by the platform. You can refer to the *References*
    at the end of this section to get a list of all API references published for the MAN platform.

    ## Authentication

    All APIs listed in this document require the API client to be authenticated.
    The authentication process relies on OAuth 2.0 protocol, where an access token needs
    to be passed to the API request as a JSON Web TOKEN using the Bearer `Authorization` header.

    ```
    Authorization: Bearer <JWT>
    ```

    Refer to the *MAN Platform Authorization API Reference* on how to generate access tokens. Note that in order to
    request an access token, you will first need to create an **API credential** as described in this reference.

    ## Requests & Headers

    - A Bearer `Authorization` header is required, where the Bearer token shall be set with the access token generated by the MAN platform authorization API.
    - A `X-Request-Id` header can be provided with an uuid. If provided, this header will be returned in the
    `X-Response-Id` response header.

    ## Responses & Headers

    Unless explicitly specified, all responses will use JSON for the response body format.
    The `Content-Type` header will be included in all responses to make the type explicit.

    Following headers are also included in responses:
    - `Content-Type`: format of the response, if a body is included in the response.
    - `Content-Length`: size in bytes of the response body, if a body is included in the response.
    - `X-Response-Id`: uniquely identifies the response sent to the client. It corresponds to the `X-Request-Id`
      request header if provided. Otherwise, a new value is generated,
    - `X-Correlation-Id`: ID generated by the API gateway to track the request between the different services. This
      value can be different from the `X-Response-Id` header.

    ## Dates

    Unless specified, all dates exposed in this API comply with the ISO-8601 date format using UTC as the timezone.

    ## Common Error Codes

    The following error codes can be returned:

    | Error code | Description                                                             |
    |:----------:|-------------------------------------------------------------------------|
    | **400**    | The request is malformed.                                               |
    | **401**    | The authentication failed.                                              |
    | **403**    | User is not allowed to access to the resource.                          |
    | **404**    | The resource does not exist.                                            |
    | **405**    | The method is not allowed for the resource.                             |
    | **406**    | The format in the `Accept` header is not supported.                     |
    | **409**    | There is a conflict between the object status and the action requested  |
    | **415**    | The format in the `Content-Type` header is not supported.               |
    | **429**    | Too many requests have been sent by the client (see Rate Limiting).      |
    | **500**    | An unexpected error occurred while processing the request.              |
    | **503**    | The service is unavailable.                                             |

    ## Rate Limiting

    To ensure availability to all clients, concurrent accesses to this API are restricted per
    below rate limiting logic:

    - Each IP address is allowed to perform up to 600 calls during a period of 1 minute.
    - The `GET /bpco/certificates` API method has an additional restriction, limiting calls to 1 per minute.
    - Any additional call will be rejected by the API using a 429 "TOO_MANY_REQUESTS" error code


    # References

    Additional API references are also available, covering other functionalities:
    - **MAN Platform API Reference**, covering all APIs published by the platform, including the GCO API methods presented in this reference.
    - **MAN Platform Authentication API Reference**, providing the APIs to create access tokens require to authenticate against the APIs listed in this document.
    - **MAN Platform BPCO API Reference**, listing APIs published as part of the BPCO (Base Publique des Certificats Opérateurs), the MAN platform public access service used to access STI certificates.

    # History

    **1.7.0** - 2024/09/09
    - (Certificates) Add `INVALIDATION` status to be used during CA compromission
    - (Certificates) New API method - GET /certificates/export
    - (Providers) GET /providers/{provider_id}/bypass_token - Rename response from `records` to `bypass_tokens`
    - (Providers) Cleanup provider unused examples and schemas
    - (Providers) Remove users and history API methods as available as part of the **MAN Platform API Reference** document.

    **1.6.0** - 2023/12/13
    - (Certificates) PATCH /certificates/{certificate_id} - Add constraints for expired certificates
    - (Certificates) POST /certificates/{certificate_id} - Add 409 HTTP status case
    - (Certificates) GET /certificates/export - New endpoint to export certificates as CSV
    - (Providers) GET /providers/{provider_id} - New `legal_administrator` property to provide provider current legal administrator user.
    - (Providers) GET /providers - Removed `verified`, `verified_at` and `verified_status` filters as never implemented
    - (Providers) GET /providers/{provider_id}/bypass_token - Add 415 HTTP status case
    - (Providers) PATCH /providers/{provider_id} - New `legal_administrator` property to change provider legal administrator user
    - (Providers) PATCH /providers/{provider_id} - Allow `opts_contracts` property to be edited by MANAGER users
    - (Providers) Add `BypassTokenId` schema
    - (Providers) Update `BypassToken` schema to add `BypassTokenId` reference and specify required properties
    - (Providers) Update `bypass_token` property in `Provider` schema
    - (Providers) Remove `domains_allowed` mentions from `ProviderCreationRequest` schema and examples as property has been removed since 1.3.0 release
    - (Providers) Updated `ProviderDetails` schema to add `deposit_notification_list` property and remove `last_verification` property
    - (Users) GET /users - Add `created_at`, `updated_at` and `last_connected_at` properties to `UserSummaryView` schema
    - (Users) GET /users - Grant API method access to the MANAGER role.
    - (Users) GET /users/{user_id} - Grant API method access to the MANAGER role.
    - (Users) GET /users/{user_id} - New `legal_administrator ` to see if user is legal administrator.
    - (Users) POST /users – Allow APNF administrators to create provider administrator users
    - (Users) PATCH /users - Allow APNF administrators to update the role of any provider user.
    - (Users) POST /users/reset-credential - Rename original reset-password to enhance functionality by adding reset of OTP and resend new link of account activation.
    - (BPCO) GET /bpco/certificates - Add missing `Content-Length` response header
    - (Description) Fix spelling error in 'Rate limiting'

    **1.5.0** - 2023/09/27
    - Include in `Description` section rate limiting logic
    - Add CC-BY-SA-4.0 license

    **1.4.0** - 2023/06/27
    - (Providers) POST /providers/{provider_id}/bypass_token - Add new API to generate a new provider bypass token
    - (Providers) GET /providers/{provider_id}/bypass_token - Add new API to retrieve bypass tokens generated by the provider
    - (Providers) GET /providers/{provider_id} - Add `bypass_token` property in Provider schema

    **1.3.0** - 2023/06/16
    - Add `servers` entries for VABF and Preproduction platforms
    - (Certificates) Clarify `renewal_after` property usage
    - (Certificates) Clarify `valid_to` constraints
    - (Providers) Deprecate `domains_allowed` property
    - (Providers) `technical_number` property cannot be edited by provider administrators

    **1.2.0** - 2023/05/04
    - (All) Remove `Content-Length` header for 204 and 304 responses
    - (All) Update error message for 401 HTTP responses
    - (All) Add 405 HTTP status case + update error message
    - (All) Use different ID values depending on the object type
    - (Certificates) Add new status `INVALID`
    - (POST /certificates/) Add `updated_at`, `updated_by` properties to response examples
    - (POST /certificates) Add `Location` header in responses
    - (POST /certificates/) Test certificates cannot have the `renewal_auto` property enabled.
    - (PATCH /certificates/{certificate_id}) Test certificates cannot have the `renewal_auto` property enabled.
    - (POST /certificates/{certificate_id}/renew) Add constraints for revoked and invalid certificates
    - (POST /certificates/{certificate_id}/renew) Test certificates cannot have the `renewal_auto` property enabled.
    - (POST /certificates/{certificate_id}/renew) Clarify valid_from/valid_to property constraints
    - (POST /certificates/{certificate_id}/renew) Add 409 HTTP status case for revoked certificates
    - (POST /certificates/{certificate_id}/renew) Add `Location` header in responses
    - (POST /certificates/{certificate_id}/revoke) Add constraints for expired, revoked and invalid certificates
    - (HEAD /bpco/certificates) Remove `Content-Length` response header and body
    - (GET /bpco/certificates) Add `Content-Type` header for 304 HTTP status case
    - (HEAD /bpco/crl) Remove `Content-Length` response header and body
    - (GET /bpco/crl) Add `Content-Type` header for 304 HTTP status case
    - (Providers) New `deposit_notification_list` property in Provider object
    - (Providers) Improve `domains_allowed` property description for `ProviderCreationRequest` example
    - (Providers) Allow `opts_contracts` property to be edited by *ADMINISTRATOR* users
    - (Users) New `/users/{user_id}/preferences` method
    - (Users) Remove `/user/activate` method

    **1.1.0** - 2023/01/18
    - Update base URL from *https://man-plateforme.fr/api/* to *https://api.man-plateforme.fr/*
    - Update BPCO API URLs from *https://man-bpco.fr/* to *https://api.man-bpco.fr/*
    - Change `Certificate` component schema to change `revoked_at` property format from `integer` to `string`
    - Update certificate serial number schema pattern
    - Cleanup `ProviderOIDCSettings` component schema
servers:
  - url: https://api.man-plateforme.fr/
    description: Production platform
  - url: https://api.pprod.man-plateforme.fr/
    description: Preproduction platform
  - url: https://api.vabf.man-plateforme.fr/
    description: VABF platform
tags:
  - name: Providers
    description: |
      Service provider registration, authorization and data management APIs.

      While most of these APIs can only be accessed by the MAN platform administrators
      to create and authorize service providers, these latter have access to a subset
      for updating their organization settings and reviewing their authorization status & history.
  - name: STI Certificates
    description: |
      STI certificates creation and management APIs.

      These APIs provide to service providers a full control of their STI certificates, with
      support of functionalities like certificate renewal, revocation and delegation.
  - name: History
    description: |
      Platform activity logs access and search APIs.

      These APIs give service providers a way to have access and review actions performed by their users
      within the platform.
  - name: STI Certificates (Archived)
    description: |
      STI certificates access APIs.

      3 months after their expiration, STI certificates are automatically archived by the platform
      and removed from the list of certificates. For tracking and forensics purposes, they however remain
      available for 3 years in a dedicated list, after which they are deleted
      once for all from the platform.

      These APIs just provide read-only access; no updates are allowed on certificates once archived.
  - name: BPCO
    description: |
      APIs related to BPCO (Base Publique des Certificats Opérateurs), the MAN platform public access
      service to STI certificates.

      These APIs provide access to metadata and download facilities to objects
      published in the BPCO, like STI certificates and CRLs.
paths:
  /providers/{provider_id}:
    get:
      summary: Return provider details
      description: |
        Return a JSON object with provider details.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can only access details of their provider.
      operationId: GetProvider
      tags:
        - Providers
      parameters:
        - $ref: '#/components/parameters/ProviderId'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a JSON object with provider details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Provider'
              examples:
                Provider Details:
                  $ref: '#/components/examples/ProviderDetails'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
    patch:
      summary: Update provider properties
      description: |
        Update provider properties. Deleted providers cannot be updated.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR* and *MANAGER* users can update properties of their own provider. Only a subset of the provider properties can be updated by these users.
      operationId: UpdateProvider
      tags:
        - Providers
      parameters:
        - $ref: '#/components/parameters/ProviderId'
        - $ref: '#/components/parameters/X-Request-Id'
      requestBody:
        required: true
        description: |
          A [JSON Merge Patch (RFC 7386)](https://datatracker.ietf.org/doc/html/rfc7386) containing only the properties
          that must be updated (with the new value) or deleted (with null as value).
        content:
          application/merge-patch+json:
            schema:
              type: object
              properties:
                status:
                  type: string
                  description: |
                    Change the provider status. Only possible values are `ENABLED` and `DISABLED`.
                    - Only *MAN_ADMINISTRATOR* and *APNF* users can update this property
                    - Cannot be deleted.
                  enum:
                    - ENABLED
                    - DISABLED
                name:
                  type: string
                  maxLength: 64
                  description: |
                    Change the provider name
                    - Only *MAN_ADMINISTRATOR* and *APNF* users can update this property
                    - Cannot be deleted.
                  example: Opérateur
                address:
                  type: string
                  maxLength: 255
                  description: |
                    Change the provider HQ address
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Cannot be deleted.
                  example: 30, rue de Paris 75018 Paris
                technical_number:
                  type: string
                  maxLength: 15
                  description: |
                    Change the provider technical phone number
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Can be deleted.
                signatory:
                  type: boolean
                  description: |
                    Change the provider signatory flag
                    - Only *MAN_ADMINISTRATOR* and *APNF* users can update this property
                    - Cannot be deleted.
                  default: true
                opts:
                  type: string
                  description: |
                    Change the provider opts flag
                    - Only *MAN_ADMINISTRATOR* and *APNF* users can update this property
                    - Cannot be deleted.
                opts_contracts:
                  type: array
                  description: |
                    Change the list of providers allowed to select this provider as OPTS.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR*, *MANAGER* and *APNF* users can update this property
                    - Can be deleted.
                  items:
                    $ref: '#/components/schemas/ProviderCode'
                legal_administrator:
                  description: |
                    UUID of the user account to change the provider legal administrator
                  $ref: '#/components/schemas/UUID'
                global_notification_list:
                  description: |
                    Change the list of email addresses for the provider 'global' notification list.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Can be deleted.
                  type: array
                  items:
                    $ref: '#/components/schemas/EmailAddress'
                legal_notification_list:
                  description: |
                    Change the list of email addresses for the provider 'legal' notification list.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Can be deleted.
                  type: array
                  items:
                    $ref: '#/components/schemas/EmailAddress'
                certificate_notification_list:
                  description: |
                    Change the list of email addresses for the provider 'certificate' notification list.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Can be deleted.
                  type: array
                  items:
                    $ref: '#/components/schemas/EmailAddress'
                ticketing_notification_list:
                  description: |
                    Change the list of email addresses for the provider 'ticketing' notification list.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Can be deleted.
                  type: array
                  items:
                    $ref: '#/components/schemas/EmailAddress'
                deposit_notification_list:
                  description: |
                    Change the list of email addresses for the provider 'deposit' notification list.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Can be deleted.
                  type: array
                  items:
                    $ref: '#/components/schemas/EmailAddress'
                ticket_notification_active:
                  description: |
                    Change the flag to receive ticket notifications.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Can be deleted.
                  type: boolean
                  example: true
                sftp_allowed_keys:
                  type: array
                  description: |
                    Change the SSH public keys allowed to access the platform SFTP service created for the provider.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - All values shall be passed when updating the property
                    - Can be deleted.
                  items:
                    type: string
                    maxLength: 1024
                    description: SSH public key contents
                    example: ssh-rsa AAAAB3NzaC...p5CSsDJ SI@host-4527
                sftp_allowed_ips:
                  type: array
                  description: |
                    Change the list of IPv4 addresses to be allowed to connect to the SFTP BSM service.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - All values shall be passed when updating the property
                    - Can be deleted.
                  items:
                    type: string
                    description: IPv4 address
                    format: ipv4
                    pattern: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)$
                    example: 127.0.0.1
                languages:
                  type: array
                  description: |
                    Change the list of languages to be proposed to the provider users for the platform UI.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - All values shall be passed when updating the property
                    - Cannot be deleted.
                  items:
                    $ref: '#/components/schemas/Language'
                  example:
                    - FRENCH
                    - ENGLISH
                authentication_mode:
                  type: string
                  description: |
                    Change the mode to be used to authenticate provider user accounts.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - Cannot be deleted.
                  enum:
                    - SSO
                    - MFA
                  default: MFA
                  example: SSO
                sso_settings:
                  type: object
                  description: |
                    Change the Single Sign-On configuration.
                    - *MAN_ADMINISTRATOR*, *ADMINISTRATOR* and *APNF* users can update this property
                    - To be used only when `authentication_mode` is set to `SSO`.
                    - All values shall be passed when updating the property
            examples:
              ProviderUpdateRequestByManAdministrator:
                $ref: '#/components/examples/ProviderUpdateRequestByManAdministrator'
              ProviderUpdateRequestByAdministrator:
                $ref: '#/components/examples/ProviderUpdateRequestByAdministrator'
      responses:
        '200':
          description: Confirms successful processing and return the provider properties in the response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Provider'
              examples:
                Successful response with provider properties:
                  $ref: '#/components/examples/ProviderDetails'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /providers/{provider_id}/bypass_token:
    get:
      summary: Retrieve a paginated list of bypass tokens created for the provider.
      description: |
        The API applies any sort preferences passed to the API request and returns a paginated list of corresponding results.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*
      operationId: ListProviderBypassTokens
      tags:
        - Providers
      parameters:
        - $ref: '#/components/parameters/ProviderId'
        - $ref: '#/components/parameters/PaginationLimit'
        - $ref: '#/components/parameters/PaginationOffset'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a list of bypass tokens
          content:
            application/json:
              schema:
                type: object
                properties:
                  metadata:
                    $ref: '#/components/schemas/PaginationMetaData'
                  bypass_tokens:
                    type: array
                    items:
                      $ref: '#/components/schemas/BypassToken'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
    post:
      summary: Generate new provider bypass token
      description: |
        Create a new provider bypass token. The previous token will be archived.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR*, *MANAGER* can generate bypass token for their own provider.
      operationId: GenerateProviderBypassToken
      tags:
        - Providers
      parameters:
        - $ref: '#/components/parameters/ProviderId'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a JSON object with a single `id` property containing the bypass token value.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BypassTokenCreationResponse'
              examples:
                Successful response with bypass token details:
                  $ref: '#/components/examples/BypassTokenCreationResponse'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates:
    post:
      summary: Initiate the creation of a STI certificate
      description: |
        Initiate the creation of a new certificate. Shall always be called by the origin signing service provider.
        Two types of certificates can be created, for which the creation process will be different:
        * Direct certificates (type = `DIRECT`) are used directly by the origin signing service provider
        * Indirect certificates (type = `INDIRECT`) are requested by the origin signing service provider for a technical signing service provider (OPTS).

        While the creation of direct certificates is fully handled by this API, the process for indirect certificates is composed of 2 stages:
        * This API initiates the certificate request
        * The OPTS shall then call the `POST /certificates/{certificate_id}` to finalize the creation of the
          certificate.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR* and *MANAGER* can initiate the creation of a new certificate only for its own provider.
      operationId: CreateCertificate
      tags:
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/X-Request-Id'
      requestBody:
        description: Certificate details
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - name
                - type
                - valid_from
              properties:
                name:
                  type: string
                  maxLength: 64
                  description: Certificate name provided by the origin service provider.
                  example: Main Certificate
                description:
                  type: string
                  maxLength: 1024
                  description: Additional information related to the certificate.
                  example: Description of the certificate.
                type:
                  $ref: '#/components/schemas/CertificateType'
                opts:
                  type: string
                  description: |
                    APNF code assigned to the technical service provider (OPTS).
                    Required if `type` is `INDIRECT`.
                    Otherwise shall not be specified.
                  pattern: ^([0-9A-Z]{6})$
                  example: SPB000
                csr:
                  type: string
                  maxLength: 2048
                  description: |
                    Contents of the CSR file used to create this certificate. Format of the contents is PEM.
                    Required if `type` is `DIRECT`.
                    Otherwise shall not be specified.
                  example: |
                    -----BEGIN CERTIFICATE REQUEST-----
                    MIIBEjCBuQIBADBXMRYwFAYDVQQDDA1TSEFLRU4gT1BDMDAwMQswCQYDVQQGEwJG
                    UjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQLDBBTZXJ2aWNlIFByb3Zp
                    ZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/qQeNfCytgqjIETfjmVEw
                    7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0ULplSrl9+QrrpKLwjKAA
                    MAoGCCqGSM49BAMCA0gAMEUCIADk95rHd2LAI6vCuz8OjqlA9FJAWC1j/QcK8HSb
                    mMWkAiEAsVc1L/LvTKlEI98lsfDmCtKsJuQ4iBBuZ5Hzp0T1Xr8=
                    -----END CERTIFICATE REQUEST-----
                test_certificate:
                  type: boolean
                  description: Is this a test certificate?
                  default: false
                  example: false
                valid_from:
                  type: string
                  description: |
                    Certificate validity start date. Date shall be in ISO-8601 format.

                    Unless `test_certificate` is set to `true`, the date shall be at least one week in the future.
                  format: date-time
                  example: '2022-01-17T10:12:25Z'
                valid_to:
                  type: string
                  description: |
                    Certificate expiration date. Date shall be in ISO-8601 format.

                    Required if `type` is `INDIRECT` or if `test_certificate` is set to `true`.
                  format: date-time
                  example: '2023-01-17T10:12:25Z'
                renewal_auto:
                  type: boolean
                  description: |
                    Automated renewal option. Cannot be enabled for test certificates.

                    If enabled, the application will automatically create a new certificate
                    using the same CSR and options provided for this certificate.

                    See `renewal_after` option for defining when the renewal process shall be triggered.
                  default: false
                  example: true
                renewal_after:
                  type: integer
                  description: |
                    Number of days to wait after certificate creation (or finalization for an indirect certificate)
                    for the automated certificate renewal process to be triggered.

                    Required if if `renewal_auto` is set to `true`.
                    Otherwise, shall not be specified.
                  example: 300
            examples:
              DirectCertificateRequest:
                $ref: '#/components/examples/DirectCertificateRequest'
              IndirectCertificateRequest:
                $ref: '#/components/examples/IndirectCertificateRequest'
      responses:
        '201':
          description: |
            Confirms the creation of the new certificate and returns its details in the response.
            This applies only to direct certificates.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certificate'
              examples:
                DirectCertificate:
                  $ref: '#/components/examples/DirectCertificate'
          headers:
            Location:
              $ref: '#/components/headers/Location-Certificate'
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '202':
          description: |
            Confirms the indirect certificate creation request.
            This applies only to indirect certificates.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PendingIndirectCertificate'
              examples:
                PendingIndirectCertificate:
                  $ref: '#/components/examples/PendingIndirectCertificate'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '409':
          description: Error returned when the provider has already too many active certificates.
          content:
            application/json:
              schema:
                type: object
                required:
                  - code
                properties:
                  code:
                    type: string
                    description: Error code. Shall be capitalized with underscore.
                    example: CONFLICT
                  message:
                    type: string
                    description: Message providing more details and context for error that occurred
                    example: Maximum number of active certificates has been reached.
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
    get:
      summary: Retrieve a paginated list of records with support of sorting & filtering
      description: |
        The API applies any sort and filter preferences passed to the API request and returns a paginated list of
        corresponding results.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can access any certificate attached to their provider.
      operationId: SearchCertificates
      tags:
        - STI Certificates
      parameters:
        - name: query
          in: query
          description: |
            Filter on a property following the format `operator:value`.

            If the operator is `eq`, it can be ignored.

            For string, number or date-time property:
            * `eq` and `ne` = (not) equal.
            * `in` and `not_in` = (not) in a list. `value` contains an array such as `[val1,val2,val3]`.

            For string property only:
            * `match` and `not_match` = (not) match the wildcard pattern (`*` for zero or more characters and `?` for a
              single character) contains in `value`.

            For number or date-time property:
            * `gt` and `gte` = greater than (or equal).
            * `lt` and `lte` = less than (or equal).

            In any case, `value` must be percent encoded.

            The parameter name is one of the following values:
             - `id`
             - `provider_id` (only for *MAN_ADMINISTRATOR* and *APNF* users)
             - `type`
             - `opts`
             - `name`
             - `valid_from`
             - `valid_to`
             - `test_certificate`
             - `status`
             - `renewal_auto`
             - `renewal_after`
             - `sn`
             - `created_at`
             - `updated_at`
             - `revoked_at`
             - `revoked_reason`
          schema:
            type: object
            additionalProperties:
              type: string
              pattern: ^(((eq|ne|(not_)?match|[lg]te?):)?.+|(in|not_in):\[.+(,.+)*\])$
            example:
              provider_id: OPC000
              created_at: gte:2022-01-01T00:00:00Z
        - $ref: '#/components/parameters/PaginationLimit'
        - $ref: '#/components/parameters/PaginationOffset'
        - name: sort
          in: query
          description: |
            Sort preference using the format `property_name:order`, where:
            - `property_name` is one of the following values:
              - `id`
              - `provider_id` (only for *MAN_ADMINISTRATOR* and *APNF* users)
              - `opts`
              - `name`
              - `valid_from`
              - `valid_to`
              - `status`
              - `sn`
              - `created_at`
              - `updated_at`
              - `revoked_at`
              - `revoked_reason`
            - `order` may be set to `asc` or `desc`.
          schema:
            type: string
            pattern: ^(id|provider_id|type|opts|name|valid_(from|to)|test_certificate|url|status|renew(al_a(uto|fter)|ed_by)|sn|(cre|upd)ated_(at|by)|revoked_(at|by|reason)):(([Aa]|[Dd][Ee])[Ss][Cc])$
            example: name:asc
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a paginated list of records
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
          content:
            application/json:
              schema:
                type: object
                properties:
                  metadata:
                    $ref: '#/components/schemas/PaginationMetaData'
                  certificates:
                    type: array
                    items:
                      $ref: '#/components/schemas/CertificateSummaryView'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/{certificate_id}:
    get:
      summary: Return STI certificate details
      description: |
        Return a JSON object with STI certificate details and contents.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can access any certificate attached to their provider.
      operationId: GetCertificate
      tags:
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return the JSON object with certificate properties and contents.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certificate'
              examples:
                DirectCertificate:
                  $ref: '#/components/examples/DirectCertificate'
                PendingIndirectCertificate:
                  $ref: '#/components/examples/PendingIndirectCertificate'
                IndirectCertificate:
                  $ref: '#/components/examples/IndirectCertificate'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
    post:
      summary: Finalize the creation of an indirect STI certificate
      description: |
        API called by the technical signing service provider (OPTS) to finalize the creation of indirect certificates.

        Can only be called by the OPTS for which the indirect certificate has been requested for.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR*, *MANAGER* users can finalize any indirect certificate created for their provider.
      operationId: FinalizeIndirectCertificate
      tags:
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/X-Request-Id'
      requestBody:
        description: JSON object with certificate finalization options
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - csr
              properties:
                description:
                  type: string
                  maxLength: 1024
                  description: OPTS additional information for this certificate. Only available to the OPTS.
                  example: Description of the certificate.
                csr:
                  type: string
                  maxLength: 2048
                  description: |
                    Contents of the CSR file used to create this certificate. Format of the contents is PEM.
                  example: |
                    -----BEGIN CERTIFICATE REQUEST-----
                    MIIBEjCBuQIBADBXMRYwFAYDVQQDDA1TSEFLRU4gT1BDMDAwMQswCQYDVQQGEwJG
                    UjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQLDBBTZXJ2aWNlIFByb3Zp
                    ZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/qQeNfCytgqjIETfjmVEw
                    7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0ULplSrl9+QrrpKLwjKAA
                    MAoGCCqGSM49BAMCA0gAMEUCIADk95rHd2LAI6vCuz8OjqlA9FJAWC1j/QcK8HSb
                    mMWkAiEAsVc1L/LvTKlEI98lsfDmCtKsJuQ4iBBuZ5Hzp0T1Xr8=
                    -----END CERTIFICATE REQUEST-----
      responses:
        '201':
          description: |
            Confirms the finalization of the indirect certificate and returns its properties and contents in the response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certificate'
              examples:
                IndirectCertificate:
                  $ref: '#/components/examples/IndirectCertificate'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '409':
          description: Returned when the API request cannot be fulfilled due to the object current status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiPayloadError'
              example:
                code: CONFLICT
                message: Cannot finalize an expired certificate.
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
    patch:
      summary: Update STI certificate properties
      description: |
        Update certificate properties. Once the certificate has been created (for direct certificates)
        or finalized (for indirect certificates), only a subset of the certificate properties can be updated.

        - Indirect certificates that have not yet been finalised can have additional properties updated.
        - Expired certificates cannot be edited

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR*, *MANAGER* users can update any certificate created by/for their provider.
      operationId: UpdateCertificate
      tags:
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/X-Request-Id'
      requestBody:
        required: true
        description: |
          A [JSON Merge Patch (RFC 7386)](https://datatracker.ietf.org/doc/html/rfc7386) containing only the properties
          that must be updated (with the new value) or deleted (with null as value).
        content:
          application/merge-patch+json:
            schema:
              type: object
              properties:
                name:
                  type: string
                  maxLength: 64
                  description: |
                    Change the name of the certificate.
                    - Can be changed for both direct and indirect certificates
                    - Can be changed only by the origin service provider
                    - Cannot be deleted.
                  example: Main Certificate
                description:
                  type: string
                  maxLength: 1024
                  description: |
                    Change the description of the certificate.
                    - Can be changed for both direct and indirect certificates
                    - Can be changed by the origin service provider and the OPTS, each of them having their own description.
                    - Can be deleted.
                  example: Description of the certificate
                test_certificate:
                  type: boolean
                  description: |
                    Change the test certificate flag.
                    - Can be changed only for indirect certificates, if not finalized
                    - Can be changed only by the origin service provider
                    - Cannot be deleted.
                  example: false
                valid_from:
                  type: string
                  description: |
                    Change the certificate validity start date. Date shall be in ISO-8601 format.
                    - Can be changed only for indirect certificates not yet finalized
                    - Can be changed only by the origin service provider
                    - Unless `test_certificate` is set to `true`, the date shall be at least one week in the future.
                    - Cannot be deleted.
                  format: date-time
                  example: '2022-01-17T10:12:25Z'
                valid_to:
                  type: string
                  description: |
                    Change the certificate expiration date. Date shall be in ISO-8601 format.
                    - Can be changed only for indirect certificates not yet finalized
                    - Can be changed only by the origin service provider
                    - Cannot be deleted.
                  format: date-time
                  example: '2023-01-17T10:12:25Z'
                renewal_auto:
                  type: boolean
                  description: |
                    Change the certificate automatic renewal option.
                    - Can be changed for both direct and indirect certificates
                    - Can be changed only by the origin service provider
                    - Cannot be enabled for test certificates
                    - Cannot be deleted.
                  example: true
                renewal_after:
                  type: integer
                  description: |
                    Change the number of days to wait after certificate creation/finalization to trigger the automatic renewal process.
                    - Can be changed for both direct and indirect certificates
                    - Can be changed only by the origin service provider
                    - Cannot be deleted if `renewal_auto` is set to `true` for this certificate.
                  example: 300
            examples:
              DirectCertificateUpdateRequest:
                $ref: '#/components/examples/DirectCertificateUpdateRequest'
              PendingIndirectCertificateUpdateRequest:
                $ref: '#/components/examples/PendingIndirectCertificateUpdateRequest'
              IndirectCertificateUpdateRequest:
                $ref: '#/components/examples/IndirectCertificateUpdateRequest'
      responses:
        '200':
          description: Confirms successful processing and returns certificate properties and contents in the response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certificate'
              examples:
                DirectCertificate:
                  $ref: '#/components/examples/DirectCertificate'
                PendingIndirectCertificate:
                  $ref: '#/components/examples/PendingIndirectCertificate'
                IndirectCertificate:
                  $ref: '#/components/examples/IndirectCertificate'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
    delete:
      summary: Delete a STI certificate
      description: |
        Delete a STI certificate. Only test certificates or certificates in *PENDING* status can be deleted.

        If a test certificate that is still valid is deleted, the platform will also revoke it and add it to the
        STI certificates CRL in the BPCO to ensure that it cannot be used for any further calls.

        *Warning*: the action cannot be undone.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR* and *MANAGER* users can request deletion of any certificate attached to their own provider.

        *Note*: OPTS users cannot delete indirect certificates created for their provider.
      operationId: DeleteCertificate
      tags:
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '204':
          $ref: '#/components/responses/SuccessNoMessage'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '409':
          description: Error returned when the certificate is already active and is not a test certificate.
          content:
            application/json:
              schema:
                type: object
                required:
                  - code
                properties:
                  code:
                    type: string
                    description: Error code. Shall be capitalized with underscore.
                    example: CONFLICT
                  message:
                    type: string
                    description: Message providing more details and context for error that occurred
                    example: This certificate is already active and it is not a test certificate.
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/{certificate_id}/renew:
    post:
      summary: Renew a STI certificate
      description: |
        This method creates a new certificate using the same CSR and properties used for the
        creation of the certificate specified in the `certificate_id` request parameter.

        - Unless a `name` is provided, the Common Name of the new certificate will be the same, but the serial number will be different.
        - The `renewed_by` property of the current certificate will be filled with the id of the new certificate.
        - OPTS users cannot renew indirect certificates they have been mandated for.
        - Revoked certificates cannot be renewed
        - Invalid certificates cannot be renewed

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR* and *MANAGER* can request renewal of certificates owned by their provider.
      operationId: RenewCertificate
      tags:
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/X-Request-Id'
      requestBody:
        description: |
          New properties may be specified for the creation of the new certificate.
          If not provided, values of the previous certificate will be kept, expect for the following:
          - `serial_number`: a new serial number is computed
          - `valid_from`: the date will be set to the current date & time + one week.
          - `valid_to`: the date will be computed so that the expiration delay will be the same than the one set for the initial certificate
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                name:
                  type: string
                  maxLength: 64
                  description: |
                    Certificate name. Overrides the property set in the initial certificate used for the renewal.
                  example: Main Certificate
                description:
                  type: string
                  maxLength: 1024
                  description: |
                    Additional information related to the certificate.

                    If not specified, the description set to the initial certificate is reused.
                  example: Description of the certificate.
                valid_from:
                  type: string
                  description: |
                    Certificate validity start date. Date shall be in ISO-8601 format.

                    If not specified, the date will be set to the current date & time + one week.
                    The same rules used when creating a certificate also apply for renewal.
                  format: date-time
                  example: '2022-01-17T10:12:25Z'
                valid_to:
                  type: string
                  description: |
                    Certificate expiration date. Date shall be in ISO-8601 format.

                    If not specified, the date will be computed so that the expiration delay will
                    be the same than the one set for the initial certificate. The same rules used
                    when creating a certificate also apply for renewal.

                    This property cannot be specified for a direct certificate that is not flagged
                    as a test certificate, as the expiration is fixed to one year for such certificates.
                  format: date-time
                  example: '2023-01-17T10:12:25Z'
                renewal_auto:
                  type: boolean
                  description: |
                    Automated renewal option. Cannot be enabled for test certificates.

                    If not specified, the property will copy the value set for the initial certificate.
                  example: true
                renewal_after:
                  type: integer
                  description: |
                    Number of days after certificate creation (or finalization for indirect certificates) to wait for
                    the automated certificate renewal process to be triggered.

                    Can be specified only if `renewal_auto` is set to `true`.
                  example: 300
      responses:
        '201':
          description: |
            Confirms the creation of the new certificate and returns its details and contents in the response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RenewedCertificate'
              examples:
                DirectCertificate:
                  $ref: '#/components/examples/DirectCertificate'
          headers:
            Location:
              $ref: '#/components/headers/Location-Certificate'
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '409':
          description: Error returned when the certificate is revoked
          content:
            application/json:
              schema:
                type: object
                required:
                  - code
                properties:
                  code:
                    type: string
                    description: Error code. Shall be capitalized with underscore
                    example: CONFLICT
                  message:
                    type: string
                    description: Message providing more details and context for error that occurred
                    example: This certificate is revoked.
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/{certificate_id}/revoke:
    post:
      summary: Revoke a STI certificate
      description: |
        Request the revocation of a certificate.
        Upon successful processing, the certificate will be immediately revoked by the platform.

        - OPTS users can revoke indirect certificates they have been mandated for.
        - Expired certificates cannot be revoked
        - Invalid certificates cannot be revoked
        - Revoked certificates cannot be revoked again

        *Warning*: the action cannot be undone.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*

        - *ADMINISTRATOR* and *MANAGER* users can request revocation of certificates attached to their own provider.
      operationId: RevokeCertificate
      tags:
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/X-Request-Id'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - reason
              properties:
                reason:
                  type: string
                  nullable: false
                  description: |
                    Reason associated with the certificate revocation as defined in RFC 5280.
                  enum:
                    - unspecified
                    - keyCompromise
                    - affiliationChanged
                    - superseded
                    - cessationOfOperation
                    - certificateHold
                    - privilegeWithdrawn
                  default: unspecified
                  example: keyCompromise
                comments:
                  type: string
                  maxLength: 64
                  description: |
                    Additional comments on the reason for revoking the certificate.
                  example: Clé privée compromise
      responses:
        '204':
          $ref: '#/components/responses/SuccessNoMessage'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '409':
          description: Error returned when the certificate status is `EXPIRED`, `REVOKED`, `INVALIDATION` or `INVALID`
          content:
            application/json:
              schema:
                type: object
                required:
                  - code
                properties:
                  code:
                    type: string
                    description: Error code. Shall be capitalized with underscore
                    example: CONFLICT
                  message:
                    type: string
                    description: Message providing more details and context for error that occurred
                    example: This certificate is expired or is already revoked.
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/{certificate_id}/history:
    get:
      summary: Retrieve activity history on certificates
      description: |
        Retrieve a paginated list of all actions performed on a certificate.
        Sorting and filtering are not supported for this API.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can access the history of any certificate attached to their provider.
      operationId: GetCertificateHistory
      tags:
        - History
        - STI Certificates
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/PaginationLimit'
        - $ref: '#/components/parameters/PaginationOffset'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a paginated list of history records
          content:
            application/json:
              schema:
                type: object
                properties:
                  metadata:
                    $ref: '#/components/schemas/PaginationMetaData'
                  records:
                    type: array
                    items:
                      $ref: '#/components/schemas/History'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/export:
    get:
      summary: Retrieve a list of certificates in csv format with headers
      description: |
        The API applies any sort and filter preferences passed to the API request and returns a list of
        corresponding results in csv format.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can access any certificate attached to their provider.
      operationId: ExportCertificates
      tags:
        - STI Certificates
      parameters:
        - name: query
          in: query
          description: |
            Filter on a property following the format `operator:value`.

            If the operator is `eq`, it can be ignored.

            For string, number or date-time property:
            * `eq` and `ne` = (not) equal.
            * `in` and `not_in` = (not) in a list. `value` contains an array such as `[val1,val2,val3]`.

            For string property only:
            * `match` and `not_match` = (not) match the wildcard pattern (`*` for zero or more characters and `?` for a
              single character) contains in `value`.

            For number or date-time property:
            * `gt` and `gte` = greater than (or equal).
            * `lt` and `lte` = less than (or equal).

            In any case, `value` must be percent encoded.

            The parameter name is one of the following values:
             - `id`
             - `provider_id` (only for *MAN_ADMINISTRATOR* and *APNF* users)
             - `type`
             - `opts`
             - `name`
             - `valid_from`
             - `valid_to`
             - `test_certificate`
             - `status`
             - `renewal_auto`
             - `renewal_after`
             - `renewed_by`
             - `url`
             - `sn`
             - `created_at`
             - `created_by`
             - `updated_at`
             - `updated_by`
             - `revoked_at`
             - `revoked_by`
             - `revoked_reason`
          schema:
            type: object
            additionalProperties:
              type: string
              pattern: ^(((eq|ne|(not_)?match|[lg]te?):)?.+|(in|not_in):\[.+(,.+)*\])$
            example:
              provider_id: OPC000
              created_at: gte:2022-01-01T00:00:00Z
        - name: sort
          in: query
          description: |
            Sort preference using the format `property_name:order`, where:
            - `property_name` is one of the following values:
              - `id`
              - `provider_id` (only for *MAN_ADMINISTRATOR* and *APNF* users)
              - `type`
              - `opts`
              - `name`
              - `valid_from`
              - `valid_to`
              - `test_certificate`
              - `url`
              - `status`
              - `renewal_auto`
              - `renewal_after`
              - `renewed_by`
              - `sn`
              - `created_at`
              - `created_by`
              - `updated_at`
              - `updated_by`
              - `revoked_at`
              - `revoked_by`
              - `revoked_reason`
            - `order` may be set to `asc` or `desc`.
          schema:
            type: string
            pattern: ^(id|provider_id|type|opts|name|valid_(from|to)|test_certificate|url|status|renew(al_a(uto|fter)|ed_by)|sn|(cre|upd)ated_(at|by)|revoked_(at|by|reason)):(([Aa]|[Dd][Ee])[Ss][Cc])$
            example: name:asc
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return certificates list in csv format with headers
          content:
            text/csv:
              schema:
                type: string
              example: |
                ID;status;name;serial_number;type;provider_code;opts;valid_from;valid_to;renewal_auto;days_before_renewal;bpco_url;description;test_certificate
                12;ACTIVE;Main Certificate;54e702c83df35b8a;DIRECT;SPC000;;2025-12-01T10:12:25Z;2026-01-01T10:12:25Z;true;9;https://api.man-bpco.fr/certs/SPC000/54e702c83df35b8a.cer;Description of the certificate.;false
                13;ACTIVE;Certificate;4df1d562e7f009e6;DIRECT;SPE000;;2025-12-01T10:12:25Z;2026-01-01T10:12:25Z;true;9;https://api.man-bpco.fr/certs/SPE000/4df1d562e7f009e6.cer;Description of the certificate.;false
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/archives:
    get:
      summary: Retrieve a paginated list of records with support of sorting & filtering
      description: |
        The API applies any sort and filter preferences passed to the API request and returns a paginated list of
        corresponding results.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can access any archived certificate attached to their provider.
      operationId: SearchArchivedCertificates
      tags:
        - STI Certificates (Archived)
      parameters:
        - name: query
          in: query
          description: |
            Filter on a property following the format `operator:value`.

            If the operator is `eq`, it can be ignored.

            For string, number or date-time property:
            * `eq` and `ne` = (not) equal.
            * `in` and `not_in` = (not) in a list. `value` contains an array such as `[val1,val2,val3]`.

            For string property only:
            * `match` and `not_match` = (not) match the wildcard pattern (`*` for zero or more characters and `?` for a
              single character) contains in `value`.

            For number or date-time property:
            * `gt` and `gte` = greater than (or equal).
            * `lt` and `lte` = less than (or equal).

            In any case, `value` must be URL encoded.

            The property name is one of the following values:
             - `id`
             - `provider_id` (only for *MAN_ADMINISTRATOR* and *APNF* users)
             - `type`
             - `opts`
             - `name`
             - `valid_from`
             - `valid_to`
             - `test_certificate`
             - `status`
             - `archived`
             - `renewal_auto`
             - `renewal_after`
             - `sn`
             - `created_at`
             - `updated_at`
             - `revoked_at`
             - `revoked_reason`
          schema:
            type: object
            additionalProperties:
              type: string
              pattern: ^(((eq|ne|(not_)?match|[lg]te?):)?.+|(in|not_in):\[.+(,.+)*\])$
            example:
              provider_id: OPC000
              created_at: gte:2022-01-01T00:00:00Z
        - $ref: '#/components/parameters/PaginationLimit'
        - $ref: '#/components/parameters/PaginationOffset'
        - name: sort
          in: query
          description: |
            Sort preference using the format `property_name:order`, where:
            - `property_name` is one of the following values:
              - `id`
              - `provider_id` (only for *MAN_ADMINISTRATOR* and *APNF* users)
              - `opts`
              - `name`
              - `valid_from`
              - `valid_to`
              - `status`
              - `archived`
              - `sn`
              - `created_at`
              - `updated_at`
              - `revoked_at`
            - `order` may be set to `asc` or `desc`.
          schema:
            type: string
            pattern: ^(id|provider_id|type|opts|name|valid_(from|to)|test_certificate|url|status|archived|renew(al_a(uto|fter)|ed_by)|sn|(cre|upd)ated_(at|by)|revoked_(at|by|reason)):(([Aa]|[Dd][Ee])[Ss][Cc])$
            example: created_at:desc
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a paginated list of records
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
          content:
            application/json:
              schema:
                type: object
                properties:
                  metadata:
                    $ref: '#/components/schemas/PaginationMetaData'
                  certificates:
                    type: array
                    items:
                      $ref: '#/components/schemas/ArchivedCertificateSummaryView'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/archives/{certificate_id}:
    get:
      summary: Return archived STI certificate details
      description: |
        Return a JSON object with STI archived certificate details and contents.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can access any archived certificate attached to their provider.
      operationId: GetArchivedCertificate
      tags:
        - STI Certificates (Archived)
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return the JSON object with certificate properties and contents.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Certificate'
              examples:
                DirectCertificate:
                  $ref: '#/components/examples/DirectArchivedCertificate'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '415':
          $ref: '#/components/responses/ErrorInvalidContentType'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /certificates/archives/{certificate_id}/history:
    get:
      summary: Retrieve activity history on STI archived certificates
      description: |
        Retrieve a paginated list of all actions performed on an STI archived certificate.
        Sorting and filtering are not supported for this API.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*

        - *ADMINISTRATOR*, *MANAGER* and *SUPERVISOR* users can access the history of any archived certificate attached to their provider.
      operationId: GetArchivedCertificateHistory
      tags:
        - History
        - STI Certificates (Archived)
      parameters:
        - $ref: '#/components/parameters/CertificateId'
        - $ref: '#/components/parameters/PaginationLimit'
        - $ref: '#/components/parameters/PaginationOffset'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a paginated list of history records
          content:
            application/json:
              schema:
                type: object
                properties:
                  metadata:
                    $ref: '#/components/schemas/PaginationMetaData'
                  records:
                    type: array
                    items:
                      $ref: '#/components/schemas/History'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /bpco/certificates:
    head:
      summary: Get STI certificates last update date in BPCO
      description: |
        This method returns the date of the last update performed on STI certificates in the BPCO, i.e when a
        certificate has been published or removed.
        The date is returned in the `Last-Modified` response header.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*
      operationId: GetBpcoCertificatesLastUpdateDate
      tags:
        - BPCO
      parameters:
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '204':
          description: |
            Returns no contents. The `Last-Modified` header is set with the last update date of STI certificates in the BPCO.
          headers:
            Last-Modified:
              description: Last update date of certificates in the BPCO. Uses HTTP-Date format (RFC 7231).
              schema:
                $ref: '#/components/schemas/RFC7231.HTTP-date'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticatedNoContents'
        '403':
          $ref: '#/components/responses/ErrorNoPermissionNoContents'
        '405':
          $ref: '#/components/responses/ErrorNotAllowed'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeaderNoContents'
        '429':
          $ref: '#/components/responses/ErrorRateLimitingNoContents'
        '500':
          $ref: '#/components/responses/ErrorInternalNoContents'
        '503':
          $ref: '#/components/responses/ServiceUnavailableNoContents'
    get:
      summary: Get a copy of STI certificates in BPCO
      description: |
        This method returns as a GZipped TAR file a copy of all the STI certificates currently published in the BPCO.

        If the `since` parameter is specified, the GZipped TAR file only contains the certificates published in the BPCO or
        removed from it since the date provided in the parameter.
        The list of certificates removed from the BPCO are available in a `removed-certificates.csv` file included in the tarball.

        A `If-Modified-Since` request header may also be specified. In that case, a **304** response is returned if no certificates
        have been added or removed since the date specified in the header. This latter can be filled with the value of the
        `Last-Modified` response header collected from a previous call to this API or the `HEAD /bpco/certificates` one.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*
      operationId: GetBpcoCertificatesCopy
      tags:
        - BPCO
      parameters:
        - name: since
          in: query
          description: |
            Date in ISO-8601 format. When specified, return only the certificates added or removed since that date.
            The minutes and seconds are ignored (`2022-01-17T10:12:25Z` is therefore interpreted as `2022-01-17T10:00:00Z`)
            and the date cannot be older than 15 days.
          required: false
          schema:
            type: string
            format: date-time
            example: '2022-01-19T10:00:00Z'
        - $ref: '#/components/parameters/If-Modified-Since'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: |
            Return a GZipped TAR file which includes the certificates using the following structure:
            ```
            |-<Service Provider Code #A>/
            |  |- <serial number certificat #A1>.cer
            |  |- <serial number certificat #A2>.cer
            |  `- <serial number certificat #A3>.cer
            |-<Service Provider Code #B>/
            |  |- <serial number certificat #B1>.cer
            |  |- <serial number certificat #B2>.cer
            |-<Service Provider Code #C>/
            [...]
            ```
            If the `since` parameter is present, a `removed-certificates.csv` file may be included at the root of the
            GZipped TAR file.
            When present, this file lists all certificates deleted from the BPCO since that date, using the following
            format:
            ```ini
            <Service Provider Code #A>;<serial number certificat #A4>
            <Service Provider Code #B>;<serial number certificat #B3>
            <Service Provider Code #C>;<serial number certificat #C2>
            ```
            A semicolon (`;`, `U+003B`) is used between each column and a linefeed is used between each line
            (`\n`, `U+000A`).
          content:
            application/gzip:
              schema:
                type: string
                format: binary
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            Last-Modified:
              description: Last update date of STI certificates in the BPCO. Uses HTTP-Date format (RFC 7231)
              schema:
                $ref: '#/components/schemas/RFC7231.HTTP-date'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '304':
          description: No changes since the date provided in the `If-Modified-Since` request header.
          headers:
            Last-Modified:
              description: Last update date of STI certificates in the BPCO. Uses HTTP-Date format (RFC 7231)
              schema:
                $ref: '#/components/schemas/RFC7231.HTTP-date'
            Content-Type:
              $ref: '#/components/headers/Content-Type-GZip'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /bpco/certificates/history:
    get:
      summary: Retrieve activity history on the certificate public repository
      description: |
        Retrieve a paginated list of all actions performed on the list of STI certificates in the BPCO.
        Sorting and filtering are not supported for this API.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*
      operationId: GetBpcoCertificatesHistory
      tags:
        - BPCO
        - History
      parameters:
        - $ref: '#/components/parameters/PaginationLimit'
        - $ref: '#/components/parameters/PaginationOffset'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a paginated list of history records
          content:
            application/json:
              schema:
                type: object
                properties:
                  metadata:
                    $ref: '#/components/schemas/PaginationMetaData'
                  records:
                    type: array
                    items:
                      $ref: '#/components/schemas/History'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /bpco/crl:
    head:
      summary: Get STI certificates CRL last update date in BPCO
      description: |
        This method returns the date of the last update performed on the Certificate Revocation List (CRL) of
        STI certificates in the BPCO, i.e when a STI certificate has been revoked or when certificate is remove from the CRL.
        The date is returned in the `Last-Modified` response header.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*
      operationId: GetBpcoCrlLastUpdateDate
      tags:
        - BPCO
      parameters:
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '204':
          description: |
            Returns no contents. The `Last-Modified` header is set with the last update date of STI certificates CRL in
            the BPCO.
          headers:
            Last-Modified:
              description: Last update date of STI certificates CRL in the BPCO. Uses HTTP-Date format (RFC 7231).
              schema:
                $ref: '#/components/schemas/RFC7231.HTTP-date'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticatedNoContents'
        '403':
          $ref: '#/components/responses/ErrorNoPermissionNoContents'
        '405':
          $ref: '#/components/responses/ErrorNotAllowed'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeaderNoContents'
        '429':
          $ref: '#/components/responses/ErrorRateLimitingNoContents'
        '500':
          $ref: '#/components/responses/ErrorInternalNoContents'
        '503':
          $ref: '#/components/responses/ServiceUnavailableNoContents'
    get:
      summary: Get a copy of the STI certificates CRL in BPCO
      description: |
        Get a copy of the STI certificates Certificate Revocation List (CRL) as available in the BPCO.

        The API returns the CRL in DER format, with the exact same contents returned by the BPCO API `GET /crl`.

        A `If-Modified-Since` request header may also be specified. In that case, a **304** response is returned
        if the CRL has not been updated since the date specified in the header. This latter can be filled with the value of the
        `Last-Modified` response header collected from a previous call to this API or the `HEAD /bpco/crl` one.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*
      operationId: GetBpcoCrlCopy
      tags:
        - BPCO
      parameters:
        - $ref: '#/components/parameters/If-Modified-Since'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: The Certificate Revocation List in DER format.
          content:
            application/pkix-crl:
              schema:
                type: string
                format: binary
                example: |

                  00000000: 3082 0120 3081 c802 0101 300a 0608 2a86  0.. 0.....0...*.
                  00000010: 48ce 3d04 0302 3067 3111 300f 0603 5504  H.=...0g1.0...U.
                  00000020: 030c 0842 5043 4f20 5041 3131 0b30 0906  ...BPCO PA11.0..
                  00000030: 0355 0406 1302 4652 312a 3028 0603 5504  .U....FR1*0(..U.
                  00000040: 0a0c 2142 6173 6520 6465 7320 4365 7274  ..!Base des Cert
                  00000050: 6966 6963 6174 7320 4f70 c383 c2a9 7261  ificats Op....ra
                  00000060: 7465 7572 3119 3017 0603 5504 0b0c 1050  teur1.0...U....P
                  00000070: 6f6c 6963 7920 4175 7468 6f72 6974 7917  olicy Authority.
                  00000080: 0d32 3230 3730 3431 3235 3032 305a 170d  .220704125020Z..
                  00000090: 3232 3038 3033 3132 3530 3230 5aa0 3030  220803125020Z.00
                  000000a0: 2e30 1f06 0355 1d23 0418 3016 8014 097a  .0...U.#..0....z
                  000000b0: 34d8 9663 a43e 0250 9294 9de2 de31 8135  4..c.>.P.....1.5
                  000000c0: 3c8a 300b 0603 551d 1404 0402 0210 0030  <.0...U........0
                  000000d0: 0a06 082a 8648 ce3d 0403 0203 4700 3044  ...*.H.=....G.0D
                  000000e0: 0220 58da 50e6 2670 a7e4 413d bb9d c193  . X.P.&p..A=....
                  000000f0: e0c0 3852 0138 1bd0 73fc 04fa 7328 952b  ..8R.8..s...s(.+
                  00000100: e169 0220 1110 3e86 450b f0db 4345 80c9  .i. ..>.E...CE..
                  00000110: b12e d905 9f72 051a e02d fd3d 67d7 4ce2  .....r...-.=g.L.
                  00000120: b92f e546                                ./.F
          headers:
            Last-Modified:
              description: Last update date of STI certificates CRL in the BPCO. Uses HTTP-Date format (RFC 7231).
              schema:
                $ref: '#/components/schemas/RFC7231.HTTP-date'
            Content-Length:
              description: Size in bytes of the DER contents provided in the response.
              schema:
                type: integer
                example: 311
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '304':
          description: No changes since the date provided in the `If-Modified-Since` request header
          headers:
            Last-Modified:
              description: Last update date of STI certificates CRL in the BPCO. Uses HTTP-Date format (RFC 7231).
              schema:
                $ref: '#/components/schemas/RFC7231.HTTP-date'
            Content-Type:
              $ref: '#/components/headers/Content-Type-Pkix-Crl'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '405':
          $ref: '#/components/responses/ErrorNotAllowed'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
  /bpco/crl/history:
    get:
      summary: Retrieve activity history on the CRL
      description: |
        Retrieve a paginated list of all actions performed on the STI certificates CRL in the BPCO.
        Sorting and filtering are not supported for this API.

        **Allowed Roles**: *ADMINISTRATOR*, *MANAGER*, *SUPERVISOR*
      operationId: GetBpcoCrlHistory
      tags:
        - BPCO
        - History
      parameters:
        - $ref: '#/components/parameters/PaginationLimit'
        - $ref: '#/components/parameters/PaginationOffset'
        - $ref: '#/components/parameters/X-Request-Id'
      responses:
        '200':
          description: Return a paginated list of history records
          content:
            application/json:
              schema:
                type: object
                properties:
                  metadata:
                    $ref: '#/components/schemas/PaginationMetaData'
                  records:
                    type: array
                    items:
                      $ref: '#/components/schemas/History'
          headers:
            Content-Length:
              $ref: '#/components/headers/Content-Length'
            X-Correlation-Id:
              $ref: '#/components/headers/X-Correlation-Id'
            X-Response-Id:
              $ref: '#/components/headers/X-Response-Id'
        '400':
          $ref: '#/components/responses/ErrorValidation'
        '401':
          $ref: '#/components/responses/ErrorNotAuthenticated'
        '403':
          $ref: '#/components/responses/ErrorNoPermission'
        '404':
          $ref: '#/components/responses/ErrorNotFound'
        '406':
          $ref: '#/components/responses/ErrorInvalidAcceptHeader'
        '429':
          $ref: '#/components/responses/ErrorRateLimiting'
        '500':
          $ref: '#/components/responses/ErrorInternal'
        '503':
          $ref: '#/components/responses/ServiceUnavailable'
components:
  examples:
    BypassTokenCreationResponse:
      value:
        id: SPC000-YE42L73SGAG45I05
    DirectArchivedCertificate:
      summary: Details of an archived direct certificate
      value:
        id: d240dd9e-a077-42f5-92e3-a3d3f10e002e
        provider_id: cc4519cb-b2b6-45ad-904c-7698fdf72ba2
        type: DIRECT
        name: Main Certificate
        description: Description of the certificate.
        test_certificate: false
        valid_from: '2021-01-17T10:12:25Z'
        valid_to: '2023-01-17T10:12:25Z'
        renewal_auto: true
        renewal_after: 300
        status: REVOKED
        archived: true
        sn: 57ABB34BCA510043BDE438460F13B27E6A82C004
        url: https://api.man-bpco.fr/OPC000/57ABB34BCA510043BDE438460F13B27E6A82C004.cer
        contents: |
          -----BEGIN CERTIFICATE-----
          MIIC/DCCAqOgAwIBAgIUV6uzS8pRAEO95DhGDxOyfmqCwAQwCgYIKoZIzj0EAwIw
          gYcxLDAqBgNVBAMMI0JQQ08gQ0ExIMOiwoDCkyBTSEFLRU4gSW50ZXJtZWRpYXRl
          MQswCQYDVQQGEwJGUjEqMCgGA1UECgwhQmFzZSBkZXMgQ2VydGlmaWNhdHMgT3DD
          g8KpcmF0ZXVyMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIw
          NzA0MTAwMDMxWhcNMjIxMDAyMTAwMDMxWjBXMRYwFAYDVQQDDA1TSEFLRU4gT1BD
          MDAwMQswCQYDVQQGEwJGUjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQL
          DBBTZXJ2aWNlIFByb3ZpZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/
          qQeNfCytgqjIETfjmVEw7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0
          ULplSrl9+QrrpKLwjKOCARowggEWMB0GA1UdDgQWBBRk53mcS8XiTcavdh4VBd3j
          RA803zAfBgNVHSMEGDAWgBRNelLrS9FcVoyWR7d8FHJRlixuBDAOBgNVHQ8BAf8E
          BAMCB4AwDAYDVR0TAQH/BAIwADCBmwYDVR0fBIGTMIGQMIGNoB6gHIYaaHR0cHM6
          Ly88ZG9tYWluZS1icGNvPi9jcmyia6RpMGcxCzAJBgNVBAYTAkZSMSowKAYDVQQK
          DCFCYXNlIGRlcyBDZXJ0aWZpY2F0cyBPcMODwqlyYXRldXIxGTAXBgNVBAsMEFBv
          bGljeSBBdXRob3JpdHkxETAPBgNVBAMMCEJQQ08gUEExMBgGCCsGAQUFBwEaBAww
          CqAIFgZPUEMwMDAwCgYIKoZIzj0EAwIDRwAwRAIgNBAcIP/Gwx1rXvI2/PiflboV
          YVc3KWvfczSpXEMF61oCIG64G0cYxoO00MBdY+vg6umsNtA6eT0q5G6wW7dNjOTv
          -----END CERTIFICATE-----
        csr: |
          -----BEGIN CERTIFICATE REQUEST-----
          MIIBEjCBuQIBADBXMRYwFAYDVQQDDA1TSEFLRU4gT1BDMDAwMQswCQYDVQQGEwJG
          UjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQLDBBTZXJ2aWNlIFByb3Zp
          ZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/qQeNfCytgqjIETfjmVEw
          7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0ULplSrl9+QrrpKLwjKAA
          MAoGCCqGSM49BAMCA0gAMEUCIADk95rHd2LAI6vCuz8OjqlA9FJAWC1j/QcK8HSb
          mMWkAiEAsVc1L/LvTKlEI98lsfDmCtKsJuQ4iBBuZ5Hzp0T1Xr8=
          -----END CERTIFICATE REQUEST-----
        created_at: '2021-01-17T10:12:25Z'
        created_by: John Doe <john.doe@spa.domain>
        updated_at: '2022-01-17T10:12:25Z'
        updated_by: John Doe <john.doe@spa.domain>
        revoked_at: '2022-01-30T09:10:00Z'
        revoked_by: John Doe <john.doe@spa.domain>
        revoked_reason: keyCompromise
        revoked_comments: Clé privée compromise
    DirectCertificate:
      summary: Details of an active direct certificate
      value:
        id: d240dd9e-a077-42f5-92e3-a3d3f10e002e
        provider_id: cc4519cb-b2b6-45ad-904c-7698fdf72ba2
        type: DIRECT
        name: Main Certificate
        description: Description of the certificate.
        test_certificate: false
        valid_from: '2022-01-17T10:12:25Z'
        valid_to: '2023-01-17T10:12:25Z'
        renewal_auto: true
        renewal_after: 300
        status: ACTIVE
        archived: false
        sn: 57ABB34BCA510043BDE438460F13B27E6A82C004
        url: https://api.man-bpco.fr/OPC000/57ABB34BCA510043BDE438460F13B27E6A82C004.cer
        contents: |
          -----BEGIN CERTIFICATE-----
          MIIC/DCCAqOgAwIBAgIUV6uzS8pRAEO95DhGDxOyfmqCwAQwCgYIKoZIzj0EAwIw
          gYcxLDAqBgNVBAMMI0JQQ08gQ0ExIMOiwoDCkyBTSEFLRU4gSW50ZXJtZWRpYXRl
          MQswCQYDVQQGEwJGUjEqMCgGA1UECgwhQmFzZSBkZXMgQ2VydGlmaWNhdHMgT3DD
          g8KpcmF0ZXVyMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIw
          NzA0MTAwMDMxWhcNMjIxMDAyMTAwMDMxWjBXMRYwFAYDVQQDDA1TSEFLRU4gT1BD
          MDAwMQswCQYDVQQGEwJGUjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQL
          DBBTZXJ2aWNlIFByb3ZpZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/
          qQeNfCytgqjIETfjmVEw7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0
          ULplSrl9+QrrpKLwjKOCARowggEWMB0GA1UdDgQWBBRk53mcS8XiTcavdh4VBd3j
          RA803zAfBgNVHSMEGDAWgBRNelLrS9FcVoyWR7d8FHJRlixuBDAOBgNVHQ8BAf8E
          BAMCB4AwDAYDVR0TAQH/BAIwADCBmwYDVR0fBIGTMIGQMIGNoB6gHIYaaHR0cHM6
          Ly88ZG9tYWluZS1icGNvPi9jcmyia6RpMGcxCzAJBgNVBAYTAkZSMSowKAYDVQQK
          DCFCYXNlIGRlcyBDZXJ0aWZpY2F0cyBPcMODwqlyYXRldXIxGTAXBgNVBAsMEFBv
          bGljeSBBdXRob3JpdHkxETAPBgNVBAMMCEJQQ08gUEExMBgGCCsGAQUFBwEaBAww
          CqAIFgZPUEMwMDAwCgYIKoZIzj0EAwIDRwAwRAIgNBAcIP/Gwx1rXvI2/PiflboV
          YVc3KWvfczSpXEMF61oCIG64G0cYxoO00MBdY+vg6umsNtA6eT0q5G6wW7dNjOTv
          -----END CERTIFICATE-----
        csr: |
          -----BEGIN CERTIFICATE REQUEST-----
          MIIBEjCBuQIBADBXMRYwFAYDVQQDDA1TSEFLRU4gT1BDMDAwMQswCQYDVQQGEwJG
          UjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQLDBBTZXJ2aWNlIFByb3Zp
          ZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/qQeNfCytgqjIETfjmVEw
          7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0ULplSrl9+QrrpKLwjKAA
          MAoGCCqGSM49BAMCA0gAMEUCIADk95rHd2LAI6vCuz8OjqlA9FJAWC1j/QcK8HSb
          mMWkAiEAsVc1L/LvTKlEI98lsfDmCtKsJuQ4iBBuZ5Hzp0T1Xr8=
          -----END CERTIFICATE REQUEST-----
        created_at: '2022-01-17T10:12:25Z'
        created_by: John Doe <john.doe@spa.domain>
        updated_at: '2022-01-17T10:12:25Z'
        updated_by: John Doe <john.doe@spa.domain>
    DirectCertificateRequest:
      summary: Request for a direct certificate
      value:
        type: DIRECT
        name: Main Certificate
        description: Description of the certificate.
        test_certificate: false
        valid_from: '2022-01-17T10:12:25Z'
        renewal_auto: true
        renewal_after: 300
        csr: |
          -----BEGIN CERTIFICATE REQUEST-----
          MIIBEjCBuQIBADBXMRYwFAYDVQQDDA1TSEFLRU4gT1BDMDAwMQswCQYDVQQGEwJG
          UjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQLDBBTZXJ2aWNlIFByb3Zp
          ZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/qQeNfCytgqjIETfjmVEw
          7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0ULplSrl9+QrrpKLwjKAA
          MAoGCCqGSM49BAMCA0gAMEUCIADk95rHd2LAI6vCuz8OjqlA9FJAWC1j/QcK8HSb
          mMWkAiEAsVc1L/LvTKlEI98lsfDmCtKsJuQ4iBBuZ5Hzp0T1Xr8=
          -----END CERTIFICATE REQUEST-----
    DirectCertificateUpdateRequest:
      summary: Request to update all possible properties of a direct certificate
      value:
        name: Certificate new name.
        description: Updated description of the certificate.
        renewal_auto: false
    IndirectCertificate:
      summary: Details of an indirect certificate finalized by the OPTS
      value:
        id: d240dd9e-a077-42f5-92e3-a3d3f10e002e
        provider_id: cc4519cb-b2b6-45ad-904c-7698fdf72ba2
        type: INDIRECT
        opts: SPB000
        name: Indirect Certificate
        description: Description of the certificate.
        test_certificate: false
        valid_from: '2022-03-01T00:00:00Z'
        valid_to: 2022-05-3123:59:59Z
        renewal_auto: false
        status: ACTIVE
        archived: false
        sn: 57ABB34BCA510043BDE438460F13B27E6A82C004
        url: https://api.man-bpco.fr/OPC000/57ABB34BCA510043BDE438460F13B27E6A82C004.cer
        contents: |
          -----BEGIN CERTIFICATE-----
          MIIC/DCCAqOgAwIBAgIUV6uzS8pRAEO95DhGDxOyfmqCwAQwCgYIKoZIzj0EAwIw
          gYcxLDAqBgNVBAMMI0JQQ08gQ0ExIMOiwoDCkyBTSEFLRU4gSW50ZXJtZWRpYXRl
          MQswCQYDVQQGEwJGUjEqMCgGA1UECgwhQmFzZSBkZXMgQ2VydGlmaWNhdHMgT3DD
          g8KpcmF0ZXVyMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIw
          NzA0MTAwMDMxWhcNMjIxMDAyMTAwMDMxWjBXMRYwFAYDVQQDDA1TSEFLRU4gT1BD
          MDAwMQswCQYDVQQGEwJGUjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQL
          DBBTZXJ2aWNlIFByb3ZpZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/
          qQeNfCytgqjIETfjmVEw7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0
          ULplSrl9+QrrpKLwjKOCARowggEWMB0GA1UdDgQWBBRk53mcS8XiTcavdh4VBd3j
          RA803zAfBgNVHSMEGDAWgBRNelLrS9FcVoyWR7d8FHJRlixuBDAOBgNVHQ8BAf8E
          BAMCB4AwDAYDVR0TAQH/BAIwADCBmwYDVR0fBIGTMIGQMIGNoB6gHIYaaHR0cHM6
          Ly88ZG9tYWluZS1icGNvPi9jcmyia6RpMGcxCzAJBgNVBAYTAkZSMSowKAYDVQQK
          DCFCYXNlIGRlcyBDZXJ0aWZpY2F0cyBPcMODwqlyYXRldXIxGTAXBgNVBAsMEFBv
          bGljeSBBdXRob3JpdHkxETAPBgNVBAMMCEJQQ08gUEExMBgGCCsGAQUFBwEaBAww
          CqAIFgZPUEMwMDAwCgYIKoZIzj0EAwIDRwAwRAIgNBAcIP/Gwx1rXvI2/PiflboV
          YVc3KWvfczSpXEMF61oCIG64G0cYxoO00MBdY+vg6umsNtA6eT0q5G6wW7dNjOTv
          -----END CERTIFICATE-----
        csr: |
          -----BEGIN CERTIFICATE REQUEST-----
          MIIBEjCBuQIBADBXMRYwFAYDVQQDDA1TSEFLRU4gT1BDMDAwMQswCQYDVQQGEwJG
          UjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQLDBBTZXJ2aWNlIFByb3Zp
          ZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/qQeNfCytgqjIETfjmVEw
          7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0ULplSrl9+QrrpKLwjKAA
          MAoGCCqGSM49BAMCA0gAMEUCIADk95rHd2LAI6vCuz8OjqlA9FJAWC1j/QcK8HSb
          mMWkAiEAsVc1L/LvTKlEI98lsfDmCtKsJuQ4iBBuZ5Hzp0T1Xr8=
          -----END CERTIFICATE REQUEST-----
        created_at: '2022-01-17T10:12:25Z'
        created_by: John Doe <john.doe@spa.domain>
        updated_at: '2022-01-17T10:12:25Z'
        updated_by: Jane Doe <jane.doe@spb>
    IndirectCertificateRequest:
      summary: Request for an indirect certificate
      value:
        type: INDIRECT
        opts: SPB000
        name: Indirect Certificate
        description: Description of the certificate.
        test_certificate: false
        valid_from: '2022-03-01T00:00:00Z'
        valid_to: 2022-05-3123:59:59Z
        renewal_auto: false
    IndirectCertificateUpdateRequest:
      summary: Request to update all possible properties of a finalized indirect certificate
      value:
        name: Certificate new name.
        description: Updated description of the certificate.
        renewal_auto: true
        renewal_after: 300
    PendingIndirectCertificate:
      summary: Details of an indirect certificate not yet finalized
      value:
        id: d240dd9e-a077-42f5-92e3-a3d3f10e002e
        provider_id: cc4519cb-b2b6-45ad-904c-7698fdf72ba2
        type: INDIRECT
        opts: SPB000
        name: Indirect Certificate
        description: Description of the certificate.
        test_certificate: false
        valid_from: '2022-03-01T00:00:00Z'
        valid_to: 2022-05-3123:59:59Z
        renewal_auto: false
        status: PENDING
        archived: false
        created_at: '2022-01-17T10:12:25Z'
        created_by: John Doe <john.doe@spa.domain>
        updated_at: '2022-01-17T10:12:25Z'
        updated_by: John Doe <john.doe@spa.domain>
    PendingIndirectCertificateUpdateRequest:
      summary: Request to update all possible properties of a pending indirect certificate
      value:
        name: Certificate new name.
        description: Updated description of the certificate.
        test_certificate: false
        valid_from: '2022-06-01T00:00:00Z'
        valid_to: '2023-01-00T00:00:00Z'
        renewal_auto: true
        renewal_after: 300
    ProviderDetails:
      value:
        id: cc4519cb-b2b6-45ad-904c-7698fdf72ba2
        status: REGISTRATION
        name: Opérateur A
        code: SPA000
        address: 30, rue de Paris 75018 Paris
        technical_number: '33123456789'
        signatory: true
        opts: true
        legal_administrator: John Doe <john.doe@spa.domain>
        opts_contracts:
          - SPB000
          - SPC000
          - SPD000
        opts_allowed:
          - SPE000
          - SPF000
          - SPG000
        global_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        certificate_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        legal_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        ticketing_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        ticket_notification_active: true
        sftp_allowed_ips:
          - 172.16.25.6
        languages:
          - FRENCH
          - ENGLISH
        authentication_mode: MFA
        last_verification:
          id: 9152f121-f66f-421c-87ce-78b218e250d4
          status: COMPLETED
          decision: true
          completed_at: '2022-05-18T10:12:25Z'
        deleted: false
        created_at: '2022-01-17T10:12:25Z'
        created_by: MAN Administrator <support@man-platform>
        updated_at: '2022-01-17T10:12:25Z'
        updated_by: MAN Administrator <support@man-platform>
        bypass_token: SPC000-YE42L73SGAG45I05
    ProviderUpdateRequestByAdministrator:
      summary: Request to update all possible provider properties with an administrator user
      value:
        address: 30, rue de Paris 75018 Paris
        technical_number: '33123456789'
        global_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        certificate_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        legal_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        ticketing_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        ticket_notification_active: true
        sftp_allowed_ips:
          - 172.16.25.6
        languages:
          - FRENCH
          - ENGLISH
        authentication_mode: MFA
    ProviderUpdateRequestByManAdministrator:
      summary: Request to update all possible provider properties with a MAN administrator user
      value:
        status: DISABLED
        name: Opérateur A
        address: 30, rue de Paris 75018 Paris
        technical_number: '33123456789'
        signatory: true
        opts: true
        legal_administrator: 155720a6-f4c9-40ec-b479-a32d7f062553
        opts_contracts:
          - SPB000
          - SPC000
          - SPD000
        global_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        certificate_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        legal_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        ticketing_notification_list:
          - john.doe@spa.domain
          - jane.doe@spa.domain
        ticket_notification_active: true
        sftp_allowed_ips:
          - 172.16.25.6
        languages:
          - FRENCH
          - ENGLISH
        authentication_mode: MFA
  headers:
    Content-Length:
      description: Size in bytes of the response body.
      schema:
        type: integer
        example: 80
    Content-Type-GZip:
      description: Content-Type header set as "application/gzip".
      schema:
        type: string
        example: application/gzip
    Content-Type-Pkix-Crl:
      description: Content-Type header set as "application/pkix-crl".
      schema:
        type: string
        example: application/pkix-crl
    Location-Certificate:
      description: Certificate access URL in the BPCO.
      schema:
        type: string
        example: https://api.man-bpco.fr/certs/SPC000/a44cbe3916e8cd6e.cer
    X-Correlation-Id:
      description: ID generated by the API gateway.
      schema:
        $ref: '#/components/schemas/UUID'
      example: f13371a6-40d7-48cf-a221-794b63fddbd9
    X-Response-Id:
      description: Response ID that corresponds to the `X-Request-Id` request header, if provided.
      schema:
        $ref: '#/components/schemas/UUID'
      example: 68831c50-2953-4047-9935-81a98ac1e1e1
  parameters:
    CertificateId:
      name: certificate_id
      in: path
      description: ID of the certificate to retrieve history records
      required: true
      example: d240dd9e-a077-42f5-92e3-a3d3f10e002e
      schema:
        $ref: '#/components/schemas/UUID'
    If-Modified-Since:
      name: If-Modified-Since
      in: header
      description: Date in HTTP-Date format (RFC 7231).
      required: false
      schema:
        $ref: '#/components/schemas/RFC7231.HTTP-date'
    PaginationLimit:
      name: limit
      in: query
      description: 'Number of records to return (Max: 100)'
      required: false
      schema:
        type: integer
        minimum: 1
        maximum: 100
        default: 20
    PaginationOffset:
      name: offset
      in: query
      description: Offset to start the pagination
      required: false
      schema:
        type: integer
        default: 0
    ProviderId:
      name: provider_id
      in: path
      description: ID of the provider
      required: true
      example: cc4519cb-b2b6-45ad-904c-7698fdf72ba2
      schema:
        $ref: '#/components/schemas/UUID'
    X-Request-Id:
      name: X-Request-Id
      in: header
      description: Request ID that will be returned into the `X-Response-Id` response header.
      required: false
      schema:
        $ref: '#/components/schemas/UUID'
      example: 68831c50-2953-4047-9935-81a98ac1e1e1
  responses:
    ErrorInternal:
      description: Returned when an unexpected error occurred while processing the request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: INTERNAL_SERVER_ERROR
            message: An unexpected error occurred while processing the request.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorInternalNoContents:
      description: Returned when an unexpected error occurred while processing the request.
      headers:
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorInvalidAcceptHeader:
      description: Returned when the client specifies a type not supported by the platform in the `Accept` HTTP header.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: NOT_ACCEPTABLE
            message: The format in the `Accept` header is not supported.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorInvalidAcceptHeaderNoContents:
      description: Returned when the client specifies a type not supported by the platform in the `Accept` HTTP header.
      headers:
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorInvalidContentType:
      description: Returned when the client specifies a `Content-Type` header value not supported.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: UNSUPPORTED_MEDIA_TYPE
            message: The format of the request body is not supported.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorNoPermission:
      description: Returned when the client does not have the expected permissions to access the method.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: FORBIDDEN
            message: User is not allowed to access this resource.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorNoPermissionNoContents:
      description: Returned when the client does not have the expected permissions to access the method.
      headers:
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorNotAllowed:
      description: Error returned when the API method is not allowed for the given object.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: METHOD_NOT_ALLOWED
            message: The method is not allowed for the resource.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorNotAuthenticated:
      description: Returned when the client authentication failed.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: UNAUTHORIZED
            message: The authentication failed.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorNotAuthenticatedNoContents:
      description: Returned when the client authentication failed.
      headers:
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorNotFound:
      description: Returned when the object referenced by the API request does not exist.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: NOT_FOUND
            message: The resource is not found.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorRateLimiting:
      description: Returned when too many requests have been sent by the client in a certain amount of time.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: TOO_MANY_REQUESTS
            message: Rate limit is exceeded.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorRateLimitingNoContents:
      description: Returned when too many requests have been sent by the client in a certain amount of time.
      headers:
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ErrorValidation:
      description: Returned when the request input validation failed.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: BAD_REQUEST
            message: The request validation failed.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ServiceUnavailable:
      description: Returned when the service is unavailable (e.g. maintenance mode) and cannot process the request.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiPayloadError'
          example:
            code: SERVICE_UNAVAILABLE
            message: The service is currently unavailable.
      headers:
        Content-Length:
          $ref: '#/components/headers/Content-Length'
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    ServiceUnavailableNoContents:
      description: Returned when the service is unavailable (e.g. maintenance mode) and cannot process the request.
      headers:
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
    SuccessNoMessage:
      description: Confirms successful processing.
      headers:
        X-Correlation-Id:
          $ref: '#/components/headers/X-Correlation-Id'
        X-Response-Id:
          $ref: '#/components/headers/X-Response-Id'
  schemas:
    ApiPayloadError:
      type: object
      description: Data model for error responses.
      required:
        - code
        - message
      properties:
        code:
          type: string
          maxLength: 64
          description: Error code. Shall be capitalized with underscores.
        message:
          type: string
          maxLength: 1024
          description: Message providing more details and context for the error that occurred.
    ArchivedCertificateStatus:
      type: string
      description: Archived Certificate status. Allowed values are a subset of those accepted for `CertificateStatus` schema.
      enum:
        - REVOKED
        - EXPIRED
        - INVALID
      example: EXPIRED
    ArchivedCertificateSummaryView:
      type: object
      description: |
        Archived Certificate data model (summary view). This model will be used for both active and archived certificates.
      required:
        - id
        - provider_id
        - type
        - name
        - valid_from
        - valid_to
        - test_certificate
        - status
        - archived
        - renewal_auto
      properties:
        id:
          $ref: '#/components/schemas/CertificateId'
        provider_id:
          allOf:
            - description: ID of the service provider that requested the certificate.
            - $ref: '#/components/schemas/ProviderId'
        type:
          $ref: '#/components/schemas/CertificateType'
        opts:
          type: string
          description: |
            APNF Code of the technical signing service provider (OPTS). Mandatory when certificate `type` is `INDIRECT`,
            `null` otherwise.
          pattern: ^([0-9A-Z]{6})$
          example: SPB000
        name:
          type: string
          maxLength: 64
          description: |
            Certificate name provided by the origin service provider. Used to construct certificate Common Name.
          example: Main Certificate
        valid_from:
          type: string
          description: Certificate validity start date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2022-01-17T10:12:25Z'
        valid_to:
          type: string
          description: Certificate expiration date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2023-01-17T10:12:25Z'
        test_certificate:
          type: boolean
          description: Is this a test certificate?
          example: false
        url:
          type: string
          maxLength: 2048
          description: URL of the certificate in the certificate public repository
          example: https://api.man-bpco.fr/OPC000/57ABB34BCA510043BDE438460F13B27E6A82C004.cer
        status:
          $ref: '#/components/schemas/ArchivedCertificateStatus'
        archived:
          type: boolean
          description: Has the certificate been archived?
          example: true
        renewal_auto:
          type: boolean
          description: |
            Automated renewal option. If enabled, the application will create a new certificate using the same CSR and
            options provided for this certificate.
          example: true
        sn:
          type: string
          description: Certificate serial number
          pattern: ^([0-9A-Fa-f]{2,40})$
          example: 57ABB34BCA510043BDE438460F13B27E6A82C004
    BypassToken:
      type: object
      required:
        - id
        - created_at
      properties:
        id:
          $ref: '#/components/schemas/BypassTokenId'
        created_at:
          type: string
          description: |
            Token creation date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2022-01-17T10:12:25Z'
        archived_at:
          type: string
          description: |
            Token archiving date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2022-01-17T10:12:25Z'
    BypassTokenCreationResponse:
      type: object
      description: Response of bypass token generation request
      required:
        - id
      properties:
        id:
          $ref: '#/components/schemas/BypassTokenId'
    BypassTokenId:
      type: string
      pattern: ^([0-9A-Z]{6})-([0-9A-Z\-]{16})$
      description: |
        Current token to be used by provider in "Identity-Bypass" SIP INVITE message header
        when the provider has to temporarily disable its STI-AS component.

        The expected format is `SPC-RANDOM`, where:
        - SPC: APNF Service Provider Code
        - RANDOM: 1 to 16 characters between A-Z, 0-A or '-'
      example: SPC000-YE42L73SGAG45I05
    Certificate:
      type: object
      description: Certificate data model. This model will be used for both active and archived certificates.
      required:
        - id
        - provider_id
        - type
        - name
        - valid_from
        - valid_to
        - test_certificate
        - status
        - archived
        - renewal_auto
        - created_at
        - created_by
        - updated_at
        - updated_by
      properties:
        id:
          $ref: '#/components/schemas/CertificateId'
        provider_id:
          allOf:
            - description: ID of the service provider that requested the certificate.
            - $ref: '#/components/schemas/ProviderId'
        type:
          $ref: '#/components/schemas/CertificateType'
        opts:
          type: string
          description: |
            APNF Code of the technical signing service provider (OPTS). Mandatory when certificate `type` is `INDIRECT`,
            `null` otherwise.
          pattern: ^([0-9A-Z]{6})$
          example: SPB000
        name:
          type: string
          maxLength: 64
          description: |
            Certificate name provided by the origin service provider. Used to construct certificate Common Name.
          example: Main Certificate
        description:
          type: string
          maxLength: 1024
          description: Additional information related to the certificate
          example: Description of the certificate.
        valid_from:
          type: string
          description: Certificate validity start date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2022-01-17T10:12:25Z'
        valid_to:
          type: string
          description: Certificate expiration date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2023-01-17T10:12:25Z'
        test_certificate:
          type: boolean
          description: Is this a test certificate?
          example: false
        status:
          $ref: '#/components/schemas/CertificateStatus'
        archived:
          type: boolean
          description: Has the certificate been archived?
          example: false
        renewal_auto:
          type: boolean
          description: |
            Automated renewal option. If enabled, the application will create a new certificate using the same CSR and
            options provided for this certificate.
          example: true
        renewal_after:
          type: integer
          description: |
            Number of days after certificate creation to wait for the automated certificate renewal process to be
            triggered.
            Set only if `renewal_auto` is set to `true`.
          example: 300
        renewed_by:
          allOf:
            - description: ID of the new certificate that replaces this certificate.
            - $ref: '#/components/schemas/UUID'
        url:
          type: string
          maxLength: 2048
          description: URL of the certificate in the certificate public repository
          example: https://api.man-bpco.fr/OPC000/57ABB34BCA510043BDE438460F13B27E6A82C004.cer
        sn:
          type: string
          description: Certificate serial number
          pattern: ^([0-9A-Fa-f]{2,40})$
          example: 57ABB34BCA510043BDE438460F13B27E6A82C004
        contents:
          type: string
          maxLength: 2048
          description: Certificate contents in PEM format.
          example: |
            -----BEGIN CERTIFICATE-----
            MIIC/DCCAqOgAwIBAgIUV6uzS8pRAEO95DhGDxOyfmqCwAQwCgYIKoZIzj0EAwIw
            gYcxLDAqBgNVBAMMI0JQQ08gQ0ExIMOiwoDCkyBTSEFLRU4gSW50ZXJtZWRpYXRl
            MQswCQYDVQQGEwJGUjEqMCgGA1UECgwhQmFzZSBkZXMgQ2VydGlmaWNhdHMgT3DD
            g8KpcmF0ZXVyMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIw
            NzA0MTAwMDMxWhcNMjIxMDAyMTAwMDMxWjBXMRYwFAYDVQQDDA1TSEFLRU4gT1BD
            MDAwMQswCQYDVQQGEwJGUjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQL
            DBBTZXJ2aWNlIFByb3ZpZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/
            qQeNfCytgqjIETfjmVEw7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0
            ULplSrl9+QrrpKLwjKOCARowggEWMB0GA1UdDgQWBBRk53mcS8XiTcavdh4VBd3j
            RA803zAfBgNVHSMEGDAWgBRNelLrS9FcVoyWR7d8FHJRlixuBDAOBgNVHQ8BAf8E
            BAMCB4AwDAYDVR0TAQH/BAIwADCBmwYDVR0fBIGTMIGQMIGNoB6gHIYaaHR0cHM6
            Ly88ZG9tYWluZS1icGNvPi9jcmyia6RpMGcxCzAJBgNVBAYTAkZSMSowKAYDVQQK
            DCFCYXNlIGRlcyBDZXJ0aWZpY2F0cyBPcMODwqlyYXRldXIxGTAXBgNVBAsMEFBv
            bGljeSBBdXRob3JpdHkxETAPBgNVBAMMCEJQQ08gUEExMBgGCCsGAQUFBwEaBAww
            CqAIFgZPUEMwMDAwCgYIKoZIzj0EAwIDRwAwRAIgNBAcIP/Gwx1rXvI2/PiflboV
            YVc3KWvfczSpXEMF61oCIG64G0cYxoO00MBdY+vg6umsNtA6eT0q5G6wW7dNjOTv
            -----END CERTIFICATE-----
        csr:
          type: string
          maxLength: 2048
          description: Contents of the CSR file used to create this certificate. Format of the contents is PEM.
          example: |
            -----BEGIN CERTIFICATE REQUEST-----
            MIIBEjCBuQIBADBXMRYwFAYDVQQDDA1TSEFLRU4gT1BDMDAwMQswCQYDVQQGEwJG
            UjEVMBMGA1UECgwMT3DDg8KpcmF0ZXVyMRkwFwYDVQQLDBBTZXJ2aWNlIFByb3Zp
            ZGVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2qw/qQeNfCytgqjIETfjmVEw
            7R7PrKZFaHLhaOxJabV1BN/AGp0Shm5f/pOZ19S9GVT0ULplSrl9+QrrpKLwjKAA
            MAoGCCqGSM49BAMCA0gAMEUCIADk95rHd2LAI6vCuz8OjqlA9FJAWC1j/QcK8HSb
            mMWkAiEAsVc1L/LvTKlEI98lsfDmCtKsJuQ4iBBuZ5Hzp0T1Xr8=
            -----END CERTIFICATE REQUEST-----
        created_at:
          type: string
          description: Creation Date
          format: date-time
          example: '2022-01-17T10:12:25Z'
        created_by:
          type: string
          maxLength: 254
          description: |
            User who requested the certificate. Format shall be `<first name> <last name> <<email address>>`.
            May be set to `SYSTEM` if the certificate has been automatically created by the platform via the
            automated renewal logic.
            May otherwise be set to `API` if the request has been received via an API call.
          example: John Doe <john.doe@spa.domain>
        updated_at:
          type: string
          description: |
            Last Update Date.
            Initially set to the same value as `created_at`.
          format: date-time
          example: '2022-01-17T10:12:25Z'
        updated_by:
          type: string
          maxLength: 254
          description: |
            User who updated the certificate data. Format shall be `<first name> <last name> <<email address>>`.
            May be set to `API` if the request has been received via an API call.
            Initially set to the same value as `created_by`.
          example: John Doe <john.doe@spa.domain>
        revoked_at:
          type: string
          description: |
            Certificate revocation date. Only set if the certificate has been revoked, i.e if `status` is set to
            'REVOKED'.
          format: date-time
          example: '2022-08-17T10:12:25Z'
        revoked_by:
          type: string
          maxLength: 254
          description: |
            User who revoked the certificate. Format shall be `<first name> <last name> <<email address>>`.
            May be set to `API` if the request has been received via an API call, or to `CA` if the certificate has
            been revoked by the Certificate Authority.
          example: John Doe <john.doe@spa.domain>
        revoked_reason:
          type: string
          description: |
            Reason associated with the certificate revocation as defined in RFC 5280.
            Set only if the certificate has been revoked, i.e if `status` is set to `REVOKED`.
          enum:
            - unspecified
            - keyCompromise
            - affiliationChanged
            - superseded
            - cessationOfOperation
            - certificateHold
            - privilegeWithdrawn
          default: unspecified
          example: keyCompromise
        revoked_comments:
          type: string
          maxLength: 1024
          description: |
            Additional comments on the reason associated with the certificate revocation.
            Set only if the certificate has been revoked, i.e if `status` is set to `REVOKED`.
          example: Clé privée compromise
    CertificateId:
      description: ID of the certificate. Must be unique.
      type: string
      format: uuid
      pattern: ^([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$
      example: d240dd9e-a077-42f5-92e3-a3d3f10e002e
    CertificateStatus:
      type: string
      description: Certificate status.
      enum:
        - PENDING
        - ACTIVE
        - REVOKED
        - EXPIRED
        - INVALIDATION
        - INVALID
      example: ACTIVE
    CertificateSummaryView:
      type: object
      description: |
        Certificate data model (summary view). This model will be used for both active and archived certificates.
      required:
        - id
        - provider_id
        - type
        - name
        - valid_from
        - valid_to
        - test_certificate
        - status
        - archived
        - renewal_auto
      properties:
        id:
          $ref: '#/components/schemas/CertificateId'
        provider_id:
          allOf:
            - description: ID of the service provider that requested the certificate.
            - $ref: '#/components/schemas/ProviderId'
        type:
          $ref: '#/components/schemas/CertificateType'
        opts:
          type: string
          description: |
            APNF Code of the technical signing service provider (OPTS). Mandatory when certificate `type` is `INDIRECT`,
            `null` otherwise.
          pattern: ^([0-9A-Z]{6})$
          example: SPB000
        name:
          type: string
          maxLength: 64
          description: |
            Certificate name provided by the origin service provider. Used to construct certificate Common Name.
          example: Main Certificate
        valid_from:
          type: string
          description: Certificate validity start date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2022-01-17T10:12:25Z'
        valid_to:
          type: string
          description: Certificate expiration date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2023-01-17T10:12:25Z'
        test_certificate:
          type: boolean
          description: Is this a test certificate?
          example: false
        url:
          type: string
          maxLength: 2048
          description: URL of the certificate in the certificate public repository
          example: https://api.man-bpco.fr/OPC000/57ABB34BCA510043BDE438460F13B27E6A82C004.cer
        status:
          $ref: '#/components/schemas/CertificateStatus'
        archived:
          type: boolean
          description: Has the certificate been archived?
          example: false
        renewal_auto:
          type: boolean
          description: |
            Automated renewal option. If enabled, the application will create a new certificate using the same CSR and
            options provided for this certificate.
          example: true
        sn:
          type: string
          description: Certificate serial number
          pattern: ^([0-9A-Fa-f]{2,40})$
          example: 57ABB34BCA510043BDE438460F13B27E6A82C004
    CertificateType:
      type: string
      description: |
        Certificate type. A direct certificate is expected to be used directly by the service provider,
        while an indirect certificate is requested by the service provider for a technical signing service provider (OPTS).
      enum:
        - DIRECT
        - INDIRECT
      example: DIRECT
    EmailAddress:
      type: string
      maxLength: 254
      description: Email address
      example: john.doe@spa.domain
    History:
      description: |
        Data model for history / activity log records.
        A history / activity log describes an action performed on an object in the application.
      type: object
      required:
        - id
        - object_type
        - action
        - message
        - performed_at
      properties:
        id:
          $ref: '#/components/schemas/HistoryId'
        object_type:
          type: string
          description: Type of the object
          example: USER
          enum:
            - PROVIDER
            - USER
            - API_CREDENTIAL
            - CERTIFICATE
            - BPCO_CERTIFICATES
            - BPCO_CRL
        object_id:
          allOf:
            - description: ID of the object
            - $ref: '#/components/schemas/UUID'
        object_name:
          type: string
          description: Name of the object
          maxLength: 254
          example: John Doe <john.doe@mydomain.com>
        action:
          description: Action performed on the object
          type: string
          example: PASSWORD_RESET
          enum:
            - CREATE
            - UPDATE
            - DELETE
            - UNDELETE
            - LOGIN
            - LOGOUT
            - PASSWORD_RESET
            - REGISTER
            - AUTHORIZE
            - RENEW
            - REVOKE
        message:
          type: string
          maxLength: 1024
          description: Message providing details on the action performed
          example: Password reset has been requested from login page
        changes:
          type: object
          description: List of the changes applied
          properties:
            property:
              type: string
              description: Name of the property
            old_value:
              type: string
              maxLength: 2048
              description: Old value
            new_value:
              type: string
              maxLength: 2048
              description: New value
        ip_address:
          type: string
          description: IP address of the user / API client at the origin of the action
          format: ipv4
          pattern: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)$
          example: 127.0.0.1
        performed_at:
          type: string
          description: Date of the action using ISO-8601 date format (UTC timezone)
          format: date-time
          example: '2022-01-17T10:12:25Z'
        performed_by:
          type: string
          maxLength: 254
          description: |
            Source of the action. May be set to :
            - a user if the action has been performed by the user from the platform UI. The format shall be `<first name> <last name> <<email address>>`.
            - `API` if the action is triggered by an API call
            - `SYSTEM` if the action is performed by the platform
            - null if the user is unknown (ex: password reset from the login page)
          example: John Doe <john.doe@mydomain.com>
    HistoryId:
      description: ID of the history record. Must be unique.
      type: string
      format: uuid
      pattern: ^([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$
      example: c8d2874c-4fb8-44c0-ab39-4143e53870a4
    Language:
      type: string
      enum:
        - FRENCH
        - ENGLISH
      example: FRENCH
    PaginationMetaData:
      type: object
      description: Information regarding paginated results
      properties:
        offset:
          type: integer
          description: Current offset
          default: 0
          example: 40
        limit:
          type: integer
          description: Number of resources per page
          minimum: 1
          default: 20
          maximum: 100
        links:
          type: object
          properties:
            next:
              type: string
              description: Path to retrieve the next page
              pattern: ^(\/([\w-.~]|%[0-9A-Za-z]{2})*)*(\?([\w-.~]|%[0-9A-Za-z]{2})+(=([\w-.~]|%[0-9A-Za-z]{2})+)?((&|;)([\w-.~]|%[0-9A-Za-z]{2})+(=([\w-.~]|%[0-9A-Za-z]{2})+)?)*)?(#([\w-.~]|%[0-9A-Za-z]{2})+)?$
              example: /resource?offset=60&limit=20
            first:
              type: string
              description: Path to retrieve the first page
              pattern: ^(\/([\w-.~]|%[0-9A-Za-z]{2})*)*(\?([\w-.~]|%[0-9A-Za-z]{2})+(=([\w-.~]|%[0-9A-Za-z]{2})+)?((&|;)([\w-.~]|%[0-9A-Za-z]{2})+(=([\w-.~]|%[0-9A-Za-z]{2})+)?)*)?(#([\w-.~]|%[0-9A-Za-z]{2})+)?$
              example: /resource?offset=0&limit=20
            prev:
              type: string
              description: Path to retrieve the previous page
              pattern: ^(\/([\w-.~]|%[0-9A-Za-z]{2})*)*(\?([\w-.~]|%[0-9A-Za-z]{2})+(=([\w-.~]|%[0-9A-Za-z]{2})+)?((&|;)([\w-.~]|%[0-9A-Za-z]{2})+(=([\w-.~]|%[0-9A-Za-z]{2})+)?)*)?(#([\w-.~]|%[0-9A-Za-z]{2})+)?$
              example: /resource?offset=20&limit=20
    PendingIndirectCertificate:
      type: object
      description: |
        Indirect Certificate Request data model. This model is used when the origin service provider requests the
        creation of a certificate for a technical provider (OPTS)
      required:
        - id
        - provider_id
        - opts
        - type
        - name
        - valid_from
        - valid_to
        - test_certificate
        - status
        - renewal_auto
        - created_at
        - created_by
      properties:
        id:
          $ref: '#/components/schemas/CertificateId'
        provider_id:
          allOf:
            - description: ID of the service provider that requested the certificate.
            - $ref: '#/components/schemas/ProviderId'
        type:
          allOf:
            - enum:
                - INDIRECT
            - example: INDIRECT
            - $ref: '#/components/schemas/CertificateType'
        opts:
          type: string
          description: APNF Code of the technical signing service provider (OPTS).
          pattern: ^([0-9A-Z]{6})$
          example: SPB000
        name:
          type: string
          maxLength: 64
          description: Certificate name provided by the origin service provider
          example: Indirect Certificate
        description:
          type: string
          maxLength: 1024
          description: Additional information related to the certificate
          example: Description of the certificate.
        test_certificate:
          type: boolean
          description: Is this certificate a test?
          example: false
        valid_from:
          type: string
          description: Certificate validity start date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2022-01-17T10:12:25Z'
        valid_to:
          type: string
          description: Certificate expiration date. Date shall be in ISO-8601 format.
          format: date-time
          example: '2023-01-17T10:12:25Z'
        renewal_auto:
          type: boolean
          description: |
            Automated renewal option. If enabled, the application will create a new certificate using the same CSR and
            options provided for this certificate.
          example: true
        renewal_after:
          type: integer
          description: |
            Number of days after certificate creation to wait for the automated certificate renewal process to be
            triggered.
            Set only if `renewal_auto` is set to `true`.
          example: 300
        status:
          type: string
          description: Certificate status. Will always be set to PENDING
          enum:
            - PENDING
          example: PENDING
          default: PENDING
        created_at:
          type: string
          description: Creation Date
          format: date-time
          example: '2022-01-17T10:12:25Z'
        created_by:
          type: string
          maxLength: 254
          description: |
            User who requested the certificate. Format shall be `<first name> <last name> <<email address>>`.
            May be set to `SYSTEM` if the certificate has been automatically created by the platform via the
            automated renewal logic.
            May otherwise be set to `API` if the request has been received via an API call.
          example: John Doe <john.doe@spa.domain>
    Provider:
      allOf:
        - type: object
          required:
            - id
            - status
          properties:
            id:
              $ref: '#/components/schemas/ProviderId'
            status:
              $ref: '#/components/schemas/ProviderStatus'
        - $ref: '#/components/schemas/ProviderCreationRequest'
        - description: Provider data model
        - type: object
          required:
            - last_verification
            - deleted
            - created_at
            - created_by
            - updated_at
            - updated_by
          properties:
            legal_administrator:
              type: string
              description: |
                Represent the user which is the legal agent of the provider
              example: John Doe <john.doe@spa.domain>
            opts_allowed:
              type: array
              description: |
                List of providers OPTS that can be used to create an indirect certificate.

                This list is generated by the platform based on `opts_contracts`.
              items:
                $ref: '#/components/schemas/ProviderCode'
              default: []
              example:
                - SPB000
                - SPC000
                - SPD000
            deleted:
              type: boolean
              description: |
                Deleted status.
                The user of the deleted provider do not have access anymore to the application. this provider will be
                effectively erased after 3 months.
                During that period, it is possible to "undelete" a provider.
              default: false
              example: false
            created_at:
              type: string
              description: Creation Date
              format: date-time
              example: '2022-01-17T10:12:25Z'
            created_by:
              type: string
              maxLength: 254
              description: |
                User who created the provider. Format shall be `<first name> <last name> <<email address>>`.
                May otherwise be set to `API` if the action has been triggered by an API call or `SYSTEM` if the action
                is performed by the platform.
              example: John Doe <john.doe@spa.domain>
            updated_at:
              type: string
              description: |
                Last Update Date.
                Initially set to the same value as `created_at`.
              format: date-time
              example: '2022-05-17T10:12:25Z'
            updated_by:
              type: string
              maxLength: 254
              description: |
                User who updated the provider data. Format shall be `<first name> <last name> <<email address>>`.
                May otherwise be set to `API` if the action has been triggered by an API call or `SYSTEM` if the action
                is performed by the platform.
                Initially set to the same value as `created_by`.
              example: John Doe <john.doe@spa.domain>
            deleted_at:
              type: string
              description: Deletion date
              format: date-time
              nullable: true
              example: '2022-05-17T10:12:25Z'
            deleted_by:
              type: string
              maxLength: 254
              description: |
                User who deleted the provider. Format shall be `<first name> <last name> <<email address>>`.
                May otherwise be set to `API` if the action has been triggered by an API call or `SYSTEM` if the action
                is performed by the platform.
              nullable: true
              example: John Doe <john.doe@spa.domain>
            bypass_token:
              $ref: '#/components/schemas/BypassTokenId'
    ProviderCode:
      type: string
      description: Service Provider Code. Each service provider in France is assigned a unique code by the APNF.
      pattern: ^([0-9A-Z]{6})$
      example: SPA000
    ProviderCreationRequest:
      type: object
      description: Provider creation request data model
      required:
        - name
        - code
        - address
        - signing_provider
      properties:
        name:
          type: string
          maxLength: 64
          description: Provider name
          example: Opérateur A
        code:
          $ref: '#/components/schemas/ProviderCode'
        address:
          type: string
          maxLength: 255
          description: Provider HQ address
          example: 30, rue de Paris 75018 Paris
        technical_number:
          type: string
          maxLength: 15
          description: |
            Phone number injected by the provider in SIP INVITE messages when the phone number specified in the `orig` field is not valid format for the STIR Shaken protocol.
            Number format shall comply with E.164 protocol.
          example: '33123456789'
        signatory:
          type: boolean
          description: |
            Flag to indicate if the provider is expected to sign phone calls and.
            Only signatory providers shall be allowed to have certificates delivered.
          default: true
        opts:
          type: boolean
          description: |
            Flag to indicate if the provider declares itself as a technical signatory provider (OPTS),
            e.g. a provider that can sign phone calls on behalf of other signatory providers.

            This property can be set to `TRUE` only if `signatory` is also set to `TRUE`.
          default: false
          example: true
        opts_contracts:
          type: array
          description: |
            List of providers allowed to choose this provider as OPTS.
          items:
            $ref: '#/components/schemas/ProviderCode'
          default: []
          example:
            - SPB000
            - SPC000
            - SPD000
        global_notification_list:
          description: |
            List of email addresses for the provider 'global' notification list.
            Will receive any general information published by the platform.
          type: array
          items:
            $ref: '#/components/schemas/EmailAddress'
          default: []
          example:
            - john.doe@spa.domain
            - jane.doe@spa.domain
        certificate_notification_list:
          description: |
            List of email addresses for the provider 'certificate' notification list.
            Will receive any information published by the platform related to certificates creation and revocation.
          type: array
          items:
            $ref: '#/components/schemas/EmailAddress'
          default: []
          example:
            - john.doe@spa.domain
            - jane.doe@spa.domain
        deposit_notification_list:
          description: |
            List of email addresses for the provider 'deposit' notification list.
          type: array
          items:
            $ref: '#/components/schemas/EmailAddress'
          default: []
          example:
            - john.doe@spa.domain
            - jane.doe@spa.domain
        legal_notification_list:
          description: |
            List of email addresses for the provider 'legal' notification list.
            Will receive any information published by the platform related to provider authorization.
          type: array
          items:
            $ref: '#/components/schemas/EmailAddress'
          default: []
          example:
            - john.doe@spa.domain
            - jane.doe@spa.domain
        ticketing_notification_list:
          description: |
            List of email addresses for the provider 'ticketing' notification list.
            Will receive any information published by the platform related to ticket evolution.
          type: array
          items:
            $ref: '#/components/schemas/EmailAddress'
          default: []
          example:
            - john.doe@spa.domain
            - jane.doe@spa.domain
        ticket_notification_active:
          description: |
            If the function is disabled, notifications from the ticket management tools are not sent
            Unless there is a major incident on the MAN platform which requires imperative consideration of the
            notification.
          type: boolean
          default: true
        sftp_allowed_keys:
          type: array
          description: |
            SSH public keys allowed to access the platform SFTP service created for the provider

            If no values are specified, no connection to the SFTP service will be possible.
          items:
            type: string
            maxLength: 1024
            description: SSH public key contents
            example: ssh-rsa AAAAB3NzaC...p5CSsDJ SI@host-4527
        sftp_allowed_ips:
          type: array
          description: |
            List of IPv4 addresses to be allowed to connect to the SFTP BSM service.

            If no values are specified, connections to the SFTP service will be possible from any IP address.
          items:
            type: string
            description: IPv4 address
            format: ipv4
            pattern: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.){3}(25[0-5]|(2[0-4]|1\d|[1-9]|)\d)$
            example: 127.0.0.1
        languages:
          type: array
          description: |
            List of languages to be proposed to the provider users for the platform UI.
          items:
            $ref: '#/components/schemas/Language'
          default:
            - FRENCH
          example:
            - FRENCH
            - ENGLISH
        authentication_mode:
          type: string
          description: Mode to be used to authenticate provider user accounts.
          enum:
            - SSO
            - MFA
          default: MFA
          example: SSO
        sso_settings:
          $ref: '#/components/schemas/ProviderSSOSettings'
    ProviderId:
      description: ID of the provider. Must be unique.
      type: string
      format: uuid
      pattern: ^([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$
      example: cc4519cb-b2b6-45ad-904c-7698fdf72ba2
    ProviderOIDCSettings:
      type: object
      description: Configuration of an OpenID Connect identity provider
      properties:
        authorizationUrl:
          type: string
          example: https://samples.auth0.com/authorize
        tokenUrl:
          type: string
          example: https://samples.auth0.com/oauth/token
        logoutUrl:
          type: string
          description: |
            End session endpoint to use to logout user from external IDP. This is optional.
        userInfoUrl:
          type: string
          description: |
            The User Info Url. This is optional.
          example: https://samples.auth0.com/userinfo
        issuer:
          type: string
          description: |
            The issuer identifier for the issuer of the response. If not provided, no validation will be performed.
          example: https://samples.auth0.com/
        validateSignature:
          type: boolean
          description: |
            Enable/disable signature validation of external IDP signatures.
          example: true
        useJwksUrl:
          type: boolean
          description: |
            If true, identity provider public keys will be downloaded from given JWKS URL.
          example: true
        jwksUrl:
          type: string
          description: |
            URL where identity provider keys in JWK format are stored.
          example: https://samples.auth0.com/.well-known/jwks.json
        clientAuthMethod:
          type: string
          description: |
            The client authentication method (cfr. https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication).
            In case of JWT signed with private key, the realm private key is used.
          enum:
            - clientAuth_post
            - clientAuth_basic
            - clientAuth_secret_jwt
            - clientAuth_privatekey_jwt
          example: clientAuth_post
        clientId:
          type: string
          description: |
            The client identifier registered with the identity provider.
          example: kbyuFDidLLm280LIwVFiazOqjO3ty8KH
        clientSecret:
          type: string
          description: |
            The client secret registered with the identity provider.
          example: 60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa
    ProviderSSOSettings:
      allOf:
        - oneOf:
            - $ref: '#/components/schemas/ProviderOIDCSettings'
        - type: object
          description: |
            Single Sign-On configuration.
            To be used only when `authentication_mode` is set to `SSO`.
          default: null
          properties:
            type:
              type: string
              enum:
                - OIDC
    ProviderStatus:
      type: string
      description: Provider status
      enum:
        - REGISTRATION
        - ENABLED
        - DISABLED
      example: ENABLED
    RFC7231.HTTP-date:
      type: string
      description: Date format as defined in RFC7231, section 7.1.1.1.
      pattern: ^((Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} GMT)$
      example: Mon, 17 Jan 2022 10:12:25 GMT
    RenewedCertificate:
      allOf:
        - $ref: '#/components/schemas/Certificate'
      type: object
      required:
        - id
        - provider_id
        - opts
        - type
        - name
        - valid_from
        - valid_to
        - test_certificate
        - url
        - sn
        - contents
        - status
        - renewal_auto
        - created_at
        - created_by
    UUID:
      type: string
      format: uuid
      pattern: ^([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})$
      example: 9d82a078-01cb-4a70-a529-14b7e57d4a21
  securitySchemes:
    access_token:
      type: http
      description: |
        APIs need to provide an access token created using the MAN Platform Authorization API and which complies with OpenID Connect protocol.
        Refer to the *MAN platform authorization API Reference* on how to generate these access tokens.
      scheme: bearer
      bearerFormat: JWT