CryptoHub enforces dual login: a single administrator is not fully authenticated until a second administrator has also logged in within the same session. The two logins share one cookie jar, and the bearer token is only minted once the session is fully logged in.
Encode the password
The password is sent base64-encoded in the password field. Generate it once:PW=$(printf 'your-admin-password' | base64)
Log in with dual login
Log in as Admin1, then Admin2, writing to a shared cookie jar (-c writes, -b reads):B=https://localhost:8443
CJ=./ch-admin.cookies
for U in Admin1 Admin2; do
curl -sk -c "$CJ" -b "$CJ" -X POST "$B/home/v1/login" \
-H 'Content-Type: application/json' \
-d "{\"authCredentials\":{\"username\":\"$U\",\"password\":\"$PW\"},\"authType\":\"userpass\"}"
done
The first login responds with fullyLoggedIn: false; after the second login the session is complete:Second login response (truncated)
{
"message": "Success",
"response": {
"fullyLoggedIn": true,
"hardened": false,
"management": true,
"perms": ["CertManage:Inject", "Crypto:Decrypt", "Keys", "..."]
}
}
Mint a bearer token
Now exchange the fully logged-in session for a bearer token:TOKEN=$(curl -sk -c "$CJ" -b "$CJ" "$B/home/v1/login/token" \
| python3 -c 'import sys,json;print(json.load(sys.stdin)["token"])')
GET /home/v1/login/token response (truncated)
{
"message": "Success",
"status": "Success",
"token": "eyJhbGciOiJIUzI1NiIsImtpZCI6IjI1NDQ5IiwidHlwIjoiSldUIn0.eyJ..."
}
For the remaining steps, send the token as a bearer header. Keep the cookie jar too, as some hosts accept either:AUTH=(-H "Authorization: Bearer $TOKEN")
A subsequent read-only call such as GET /api/v2/x509/cert-profiles/stubs should return HTTP 200 with "success": true. If you receive HTTP 401 or "errorCode": "InvalidAuthToken", the token has expired; repeat this step to mint a fresh one.