# Certificate Checker

Check the status of Apple certificates from `.p12`, `.pfx`, or `.mobileprovision` files. Returns certificate details, OCSP revocation status, and entitlements.

## Endpoint

`POST /api/certificate-checker`

## Description

Upload a certificate file and get back full details about the signing certificate inside it — who it belongs to, when it expires, whether Apple has revoked it, and (for mobileprovision files) which entitlements are active.

Supports:
- `.p12` / `.pfx` — PKCS#12 certificate files (password required if protected)
- `.mobileprovision` — Apple provisioning profiles (no password needed)

## Headers

| Header | Value | Required |
|---|---|---|
| `Authorization` | `Bearer <your_api_token>` | Yes |
| `Accept` | `application/json` | Yes |
| `Content-Type` | `multipart/form-data` (set automatically, with its boundary, by `curl -F`) | Yes |

## Body Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| `file` | File | Yes | A `.p12`, `.pfx`, or `.mobileprovision` file (max 10 MB) |
| `password` | String | No | Password for `.p12`/`.pfx` files. Not needed for `.mobileprovision`. |

---

## Example: Check a P12 File

### Request

```bash
curl -X POST https://developer.nabzclan.vip/api/certificate-checker \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Accept: application/json" \
  -F "file=@certificate.p12" \
  -F "password=mypassword"
```

### Response (200 OK)

```json
{
  "success": true,
  "file_type": "p12",
  "certificate_info": {
    "subject": {
      "userID": "XXXXXXXXXX",
      "commonName": "iPhone Distribution: Your Company Name",
      "organizationalUnitName": "XXXXXXXXXX",
      "organizationName": "Your Company Name",
      "countryName": "US"
    },
    "issuer": {
      "commonName": "Apple Worldwide Developer Relations Certification Authority",
      "organizationalUnitName": "G3",
      "organizationName": "Apple Inc.",
      "countryName": "US"
    },
    "serial_number": "123456789...",
    "signature_algorithm": "sha256WithRSAEncryption",
    "validity_period": {
      "valid_from": "2025-01-01T00:00:00+00:00",
      "valid_to": "2028-01-01T00:00:00+00:00"
    },
    "public_key_size": 2048,
    "fingerprints": {
      "sha256": "abcdef1234567890...",
      "md5": "abcdef1234567890...",
      "sha1": "abcdef1234567890..."
    }
  },
  "certificate_status": {
    "status": "Signed"
  },
  "type": "N/A"
}
```

---

## Example: Check a Mobileprovision File

### Request

```bash
curl -X POST https://developer.nabzclan.vip/api/certificate-checker \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Accept: application/json" \
  -F "file=@profile.mobileprovision"
```

### Response (200 OK)

```json
{
  "success": true,
  "file_type": "mobileprovision",
  "certificate_info": {
    "subject": {
      "commonName": "iPhone Distribution: Your Company Name",
      "organizationName": "Your Company Name",
      "countryName": "US"
    },
    "issuer": {
      "commonName": "Apple Worldwide Developer Relations Certification Authority",
      "organizationName": "Apple Inc.",
      "countryName": "US"
    },
    "serial_number": "123456789...",
    "signature_algorithm": "sha256WithRSAEncryption",
    "validity_period": {
      "valid_from": "2025-01-01T00:00:00+00:00",
      "valid_to": "2028-01-01T00:00:00+00:00"
    },
    "public_key_size": 2048,
    "fingerprints": {
      "sha256": "abcdef1234567890...",
      "md5": "abcdef1234567890...",
      "sha1": "abcdef1234567890..."
    }
  },
  "certificate_status": {
    "status": "Signed"
  },
  "entitlements": {
    "Push Notifications": { "status": "active" },
    "App Groups": { "status": "active" },
    "Associated Domains": { "status": "active" },
    "Apple Sign-In": { "status": "active" }
  },
  "type": "Enterprise Certificate"
}
```

---

## Certificate Status Values

| Status | Meaning |
|---|---|
| `Signed` | Certificate is valid and not revoked |
| `Revoked` | Certificate has been revoked by Apple |
| `Unknown` | OCSP server returned an unknown status |
| `OCSP URL not available` | Certificate does not have an OCSP endpoint |

### Revoked Response Example

When a certificate is revoked, extra details are included:

```json
{
  "certificate_status": {
    "status": "Revoked",
    "revocation_time": "Feb  7 07:20:00 2026 GMT",
    "reason": "certificateHold (0x6)",
    "reason_details": "Certificate is temporarily on hold."
  }
}
```

---

## Certificate Type (Mobileprovision Only)

| Type | Meaning |
|---|---|
| `Enterprise Certificate` | In-house distribution (no App Store, internal use) |
| `Personal Certificate` | Standard developer certificate (App Store or Ad Hoc) |
| `N/A` | Returned for `.p12` files (type is determined by provisioning profile, not the cert itself) |

---

## Error Responses

### Wrong Password (400)

```json
{
  "success": false,
  "error": "Invalid password or PKCS12 data"
}
```

### Invalid File Type (400)

```json
{
  "success": false,
  "error": "Invalid file type. Only .p12, .pfx, and .mobileprovision files are allowed."
}
```

### Missing File (422)

```json
{
  "message": "The file field is required.",
  "errors": {
    "file": ["The file field is required."]
  }
}
```

### Corrupt or Unreadable File (400)

```json
{
  "success": false,
  "error": "Plist data not found in the .mobileprovision file."
}
```
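
---

## Example: Interpreting the Response

An added example, not code from this API's provider: a client-side check that maps the status values and error shapes documented above to a single verdict, failing closed when OCSP gave no answer. The function name `evaluate`, the verdict labels, and the local re-check of `validity_period` are assumptions of this example. The sample bodies are constructed, and the revoked one assumes the revocation details arrive in a normal 200 response.

```python
from datetime import datetime, timezone

# Status strings from the "Certificate Status Values" table.
NO_ANSWER = {"Unknown", "OCSP URL not available"}

def evaluate(http_status, body, now=None):
    """Return (verdict, detail) for one parsed API response.
    Verdicts: ok, revoked, expired, not_yet_valid, indeterminate, error."""
    now = now or datetime.now(timezone.utc)
    # 400 errors carry "error"; the 422 validation error carries "message".
    if http_status != 200 or body.get("success") is not True:
        return "error", body.get("error") or body.get("message") or f"HTTP {http_status}"
    cs = body.get("certificate_status") or {}
    status = cs.get("status")
    if status == "Revoked":
        return "revoked", f"{cs.get('reason', 'no reason')} at {cs.get('revocation_time', 'unknown time')}"
    if status != "Signed":
        # Fail closed: a missing OCSP answer (or an unlisted status) is not "good".
        kind = "no OCSP answer" if status in NO_ANSWER else "unrecognised status"
        return "indeterminate", f"{kind}: {status}"
    # Assumption: re-check the validity window locally rather than rely on "Signed" alone.
    period = (body.get("certificate_info") or {}).get("validity_period") or {}
    try:
        start = datetime.fromisoformat(period["valid_from"])
        end = datetime.fromisoformat(period["valid_to"])
        too_early, too_late = now < start, now > end
    except (KeyError, TypeError, ValueError):
        return "indeterminate", "validity_period missing or unparseable"
    if too_early:
        return "not_yet_valid", period["valid_from"]
    if too_late:
        return "expired", period["valid_to"]
    return "ok", f"valid until {period['valid_to']}"

# Constructed samples shaped like the responses documented on this page.
GOOD = {"success": True, "certificate_status": {"status": "Signed"},
        "certificate_info": {"validity_period": {
            "valid_from": "2025-01-01T00:00:00+00:00",
            "valid_to": "2028-01-01T00:00:00+00:00"}}}
REVOKED = {"success": True, "certificate_status": {
    "status": "Revoked", "revocation_time": "Feb  7 07:20:00 2026 GMT",
    "reason": "certificateHold (0x6)"}}
NO_OCSP = {"success": True, "certificate_status": {"status": "OCSP URL not available"}}
BAD_PASSWORD = {"success": False, "error": "Invalid password or PKCS12 data"}

if __name__ == "__main__":
    fixed_now = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed clock
    for code, body in [(200, GOOD), (200, REVOKED), (200, NO_OCSP), (400, BAD_PASSWORD)]:
        print(evaluate(code, body, now=fixed_now))
```

In a signing or distribution pipeline, only the `ok` verdict should let the build proceed; `indeterminate` is worth a retry or manual review rather than a pass.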
