For Agents
Issue, renew, revoke, and download X.509 certificates from a self-hosted BounCA certificate authority across 14 endpoints.
Get started with BounCA API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"issue a BounCA certificate"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with BounCA API API.
Issue Root CAs, Intermediate CAs, and end-entity certificates from a self-hosted PKI
Revoke a certificate and update the corresponding certificate revocation list
Renew an existing certificate before expiry without rotating the private key
Download issued certificates in PEM bundles for distribution to services
GET STARTED
Use for: Issue a new server certificate for hostname api.internal.example, Revoke certificate id 42 because the private key was exposed, Renew the intermediate CA that expires next month, Download the PEM bundle for certificate id 100 to deploy on a load balancer
Not supported: Does not handle hardware security module key storage, secret rotation, or DNS-01 ACME challenges — use for self-hosted X.509 certificate issuance, revocation, renewal, and CRL handling only.
Jentic publishes the only available OpenAPI document for BounCA API, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for BounCA API, keeping it validated and agent-ready. BounCA is a self-hosted PKI certificate authority management tool built on Django REST Framework that issues and manages Root CAs, Intermediate CAs, and end-entity certificates for servers, clients, and code signing. The API exposes login, certificate creation, revocation, renewal, CRL handling, and certificate download so platform teams can automate internal PKI from CI pipelines or AI agents. Authentication uses a bearer token issued via /auth/login/ or a session cookie.
Read certificate metadata including issuer, subject, serial, and expiry
Authenticate with a username and password to obtain a bearer token
Generate or refresh the CRL for a certificate authority
Patterns agents use BounCA API API for, with concrete tasks.
★ Automated internal certificate issuance from CI
Platform teams running a self-hosted BounCA wire certificate issuance into their CI pipeline so that each new internal service gets a freshly issued certificate without a ticket. The pipeline calls POST /auth/login/ for a token, POST /certificates/ with the CSR or subject details, and GET /certificates/{id}/download/ to fetch the PEM bundle. Most platform teams ship the integration in a couple of days.
Authenticate with username deploy and password from the vault, issue a server certificate for CN api.internal.example with a 365-day validity, and return the certificate id
Certificate revocation and CRL refresh
Security operations revoke a certificate when a host is decommissioned or a private key is suspected compromised, and they need a fresh CRL distributed to consumers. POST /certificates/{id}/revoke/ revokes the certificate and POST /certificates/{id}/crl/ regenerates the CRL for downstream distribution. Both operations are scriptable and typically wrap into an incident response runbook.
Revoke certificate id 999 with reason 'keyCompromise', then regenerate the CRL for its issuing CA and confirm the new CRL serial
Pre-expiry renewal of long-lived certificates
Platform teams renew CAs and long-lived service certificates before they expire to avoid outages. POST /certificates/{id}/renew/ creates a new certificate with the same subject, and GET /certificates/{id}/info/ confirms the new expiry. A nightly job that scans for certificates expiring in the next 30 days and renews them prevents silent failures.
List certificates expiring within 30 days, then call the renew endpoint for each and report the new expiry dates
Agent-driven internal PKI via Jentic
An AI agent embedded in a platform team's chat workflow handles requests like 'issue a cert for grafana.internal valid for one year' by calling BounCA. Through Jentic the agent searches for 'issue a BounCA certificate', loads the schema, and executes the call while the bearer token stays in the Jentic vault.
Search Jentic for 'issue a BounCA certificate', load the schema, and execute it for CN grafana.internal with a 365-day validity, returning the download URL
14 endpoints — jentic publishes the only available openapi specification for bounca api, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/auth/login/
Authenticate and receive a bearer token
/certificates/
Issue a new certificate
/certificates/
List certificates in the BounCA host
/certificates/{id}/revoke/
Revoke an issued certificate
/certificates/{id}/renew/
Renew an existing certificate
/certificates/{id}/download/
Download the certificate PEM bundle
/certificates/{id}/info/
Read certificate metadata
/certificates/{id}/crl/
Regenerate the CRL for the issuing CA
/auth/login/
Authenticate and receive a bearer token
/certificates/
Issue a new certificate
/certificates/
List certificates in the BounCA host
/certificates/{id}/revoke/
Revoke an issued certificate
/certificates/{id}/renew/
Renew an existing certificate
Three things that make agents converge on Jentic-routed access.
Credential isolation
The BounCA bearer token is stored encrypted in the Jentic vault (MAXsystem). Agents receive scoped execution access only; the raw token and any session cookie never enter prompts, logs, or tool outputs.
Intent-based discovery
Agents search Jentic for intents like 'issue a BounCA certificate' or 'revoke a certificate' and Jentic returns the matching operations with their input schemas, so the agent calls the right endpoint without crawling docs.
Time to first call
Direct BounCA integration: 2-3 days for auth, certificate request schema, and CRL handling. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
SSL Labs API
TLS configuration scanner that pairs with BounCA to validate the certificates it issues are deployed correctly.
Use SSL Labs to verify that a host actually serves the certificate BounCA issued and that ciphers and chain order are correct.
HashiCorp Nomad API
Workload orchestrator commonly running services that consume BounCA-issued certificates.
Pair Nomad with BounCA when services need a TLS identity provisioned at scheduling time and BounCA is the internal CA.
Evervault API
Managed encryption and key custody service rather than a self-hosted CA.
Use Evervault when a managed encryption-as-a-service is preferable; use BounCA when the team wants full control over a self-hosted CA.
Specific to using BounCA API API through Jentic.
Why is there no official OpenAPI spec for BounCA API?
BounCA does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call BounCA API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the BounCA API use?
BounCA supports HTTP bearer tokens issued by POST /auth/login/ and Django session cookies. For programmatic and agent use, prefer the bearer token; in Jentic the token is stored in the vault and injected at execution so it never enters the agent's context.
Can I issue a server certificate with the BounCA API?
Yes. POST /certificates/ with the certificate type set to a server cert and the required subject information; BounCA returns the new certificate id, and GET /certificates/{id}/download/ fetches the PEM bundle for deployment.
How do I revoke a certificate and refresh the CRL through Jentic?
Run pip install jentic, then search Jentic for 'revoke a BounCA certificate', load the POST /certificates/{id}/revoke/ schema, and execute it with the certificate id and revocation reason. Follow with the /crl/ endpoint to regenerate the CRL.
What are the rate limits for the BounCA API?
BounCA is self-hosted, so there are no vendor-imposed rate limits in the spec; throughput is bounded by the host running BounCA. Use the bulk listing endpoint with pagination instead of per-id loops, and serialize CRL regeneration to avoid concurrent CA updates.
Can I renew an existing certificate before it expires?
Yes. POST /certificates/{id}/renew/ creates a new certificate that reuses the same subject and CA as the original. Combine it with GET /certificates/ filtered by expiry to build a recurring renewal job.
/certificates/{id}/download/
Download the certificate PEM bundle
/certificates/{id}/info/
Read certificate metadata
/certificates/{id}/crl/
Regenerate the CRL for the issuing CA