Hi Nibexo,
First of all, I don't know what you are going to accomplish with your API.
Is the purpose of your API to
- generate an X509-Certificate by signing it using a Certification Authority (CA) and assigning it to a user (already existing)?
- create a user account with a user / password tuple?
1) To POST to the said URL is IMHO a good way to do it, but I'd do the authorization by using the HTTP Authorization header (cf. RFC 7231) instead of using the payload.
I recommend informing yourself about different authorization methods (OAuth / basic auth etc.).
To generate a so-called Certificate Signing Request (CSR, RFC 2986) to request the generation of a certificate, you need way more information than just the lifetime,
so your POST request should contain way more fields, like Country Code, State Code, City Code, Organization, .....
If your server did the work, it should return a 201 response code (Created) and return the URL of the created certificate inside the Location header field.
The URL could look something like:
../certmanagement/certificate/42
where 42 could be some kind of identifier.
Then the user can fetch the certificate by doing a GET on that URL. To do authorization you can use the same mechanism I mentioned before.
2) In that scenario, the first POST request seems to be valid. But instead of building up a URL using your password and username, I strongly recommend letting the server
decide what the URL of the new resource is and having it return the URL, probably:
../certmanagement/certificate/42
like in the first scenario, using the 201 response code. The client can now do the GET request on this URL, putting your (username, password) tuple inside the Authorization header.
If it is possible, please avoid basic authentication and instead use more sophisticated authentication methods. If your API is public and you use basic auth, you should consider using SSL at least.
Otherwise an attacker could read the credentials of the client.
Regards,
Thomas
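The flow Thomas describes (POST creates the resource and answers 201 with a Location header, GET fetches it, credentials only in the Authorization header), written out as an added Python example. This is not code from the original thread or from Nibexo's API; the user table, the field names, the `/certmanagement/certificate/` prefix and the starting id 42 are constructed to match the post, and the request/response objects are plain dicts so the whole thing runs offline without a socket.

```python
"""Added example (not from the post): a pure-function model of the REST flow.
POST creates a certificate request and returns 201 + Location; GET on that URL
returns it; credentials travel only in the Authorization header (Basic here).
All names, users and field names are constructed assumptions."""
import base64
import hmac
import json

# Constructed user table. A real service stores salted password hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}
# A CSR (RFC 2986) needs a subject, not just a lifetime; these field names are assumed.
SUBJECT_FIELDS = ("country", "state", "locality", "organization", "common_name")
RESOURCE_PREFIX = "/certmanagement/certificate/"
# Constructed sample payload for the POST request.
SAMPLE_CSR_REQUEST = json.dumps({
    "country": "DE", "state": "Bavaria", "locality": "Munich",
    "organization": "Example GmbH", "common_name": "api.example.test",
    "lifetime_days": 365,
})


def basic_auth_header(username, password):
    """Client side: build the Authorization value. Basic is only base64, hence the need for TLS."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def authenticate(headers):
    """Return the username if the Authorization header carries valid Basic credentials, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        username, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if not sep:
        return None
    # Constant-time compare, against "" for unknown users so timing does not reveal valid usernames.
    ok = hmac.compare_digest(USERS.get(username, "").encode("utf-8"), password.encode("utf-8"))
    return username if ok and username in USERS else None


def response(status, headers=None, body=None):
    """Uniform response shape: status code, header dict and already-parsed JSON body."""
    return {"status": status, "headers": headers or {}, "body": body or {}}


def unauthorized():
    # HTTP authentication requires telling the client which scheme to use.
    return response(401, {"WWW-Authenticate": 'Basic realm="certmanagement"'}, {"error": "authentication required"})


class CertificateAPI:
    def __init__(self):
        self._store = {}
        self._next_id = 42  # constructed start id, matching the URL in the post

    def post_certificate(self, headers, raw_body):
        user = authenticate(headers)
        if user is None:
            return unauthorized()
        try:
            req = json.loads(raw_body)
        except json.JSONDecodeError:
            return response(400, body={"error": "body must be JSON"})
        # Credentials belong in the Authorization header; refuse them in the payload.
        if "username" in req or "password" in req:
            return response(400, body={"error": "credentials must not be sent in the payload"})
        missing = [f for f in SUBJECT_FIELDS + ("lifetime_days",) if f not in req]
        if missing:
            return response(400, body={"error": "missing fields", "missing": missing})
        if not isinstance(req["lifetime_days"], int) or req["lifetime_days"] <= 0:
            return response(400, body={"error": "lifetime_days must be a positive integer"})
        cert_id, self._next_id = self._next_id, self._next_id + 1
        self._store[cert_id] = {"id": cert_id, "owner": user, "status": "pending",
                                "subject": {f: req[f] for f in SUBJECT_FIELDS},
                                "lifetime_days": req["lifetime_days"]}
        # The server picks the URL and hands it back in Location, as the post recommends.
        return response(201, {"Location": f"{RESOURCE_PREFIX}{cert_id}"}, {"id": cert_id, "status": "pending"})

    def get_certificate(self, path, headers):
        user = authenticate(headers)
        if user is None:
            return unauthorized()
        ident = path[len(RESOURCE_PREFIX):] if path.startswith(RESOURCE_PREFIX) else ""
        record = self._store.get(int(ident)) if ident.isdecimal() else None
        # Same 404 for "absent" and "not yours", so other users' ids cannot be enumerated.
        if record is None or record["owner"] != user:
            return response(404, body={"error": "not found"})
        return response(200, body=record)


def demo():
    """Run the create-then-fetch flow as one client and return both responses."""
    api = CertificateAPI()
    headers = {"Authorization": basic_auth_header("alice", "correct horse battery staple")}
    created = api.post_certificate(headers, SAMPLE_CSR_REQUEST)
    fetched = api.get_certificate(created["headers"].get("Location", ""), headers)
    return created, fetched
```

`demo()` yields a 201 whose Location is `/certmanagement/certificate/42`, followed by a 200 carrying the stored subject; a request without the header, with wrong credentials, or with credentials smuggled into the JSON body is rejected before anything is stored.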