xtract.bot

POST /api/csr-generate3 quota units per call · cache hits free

Build a Certificate Signing Request (CSR) ready for submission to a CA. Provide your existing keypair (PEM) and a subject DN — get back a standard PEM CSR with optional Subject Alternative Names.

Builds a PKCS#10 Certificate Signing Request (CSR) — the file you send to a Certificate Authority (Let's Encrypt, your internal CA, AWS Certificate Manager, etc.) to request a signed cert. Inputs: - `privateKeyPem`: existing private key (PKCS#8 PEM). RSA or Ed25519 supported. - `publicKeyPem`: matching public key (SPKI PEM). - `subject`: DN string, e.g. `CN=example.com,O=Example Inc,C=US`. - `subjectAlternativeNames`: optional array of DNS / IP / URI / email entries. - For RSA keys: choose `signatureAlgorithm` (RSA-PSS or RSASSA-PKCS1-v1_5) + `hash`. **Output:** the CSR as PEM (`-----BEGIN CERTIFICATE REQUEST-----`).

Inputs

NameTypeDefaultDescription
privateKeyPem*stringPrivate key (PKCS#8 PEM). RSA or Ed25519.
publicKeyPem*stringMatching public key (SPKI PEM).
subject*stringSubject Distinguished Name, e.g. "CN=example.com,O=Example,C=US".
subjectAlternativeNamesstring""Comma-separated SAN entries — DNS:host, IP:1.2.3.4, URI:..., email:...
signatureAlgorithmenum (RSASSA-PKCS1-v1_5 | RSA-PSS | Ed25519)"RSASSA-PKCS1-v1_5"Signature algorithm. Must match the private key type.
hashenum (SHA-256 | SHA-384 | SHA-512)"SHA-256"Hash algorithm (RSA only).

Response

Modes: json. Cache: not cacheable.

Every response carries x-cache (HIT / MISS / BYPASS), x-cache-signature (stable across identical inputs), and the rate-limit headers listed below.

Quota & limits

Cost per call3 units against the 10,000-unit monthly quota. Cache hits are free — only cache misses decrement.
Burst limit200 requests per rolling minute, shared across all tools.
Max request size16 KiB (base64 inflates file payloads ~33% — the limit applies to the decoded bytes).
Max response size16 KiB
Timeout30s wall clock.
Rate-limit headersX-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Burst-Limit on every response; X-Quota-Warning once 80% of the monthly quota is spent; Retry-After on 429s.

Errors

Errors are JSON with an error string; schema failures add a details object (Zod's flattened field errors).

StatusWhenBody
400Input fails the tool's schema (wrong type, missing required field, malformed base64) or the file bytes can't be parsed as the expected format.{ "error": "invalid inputs", "details": { "fieldErrors": { … } } }
401Missing or invalid X-Api-Key / X-Account-Id headers (or no session when called from the browser).{ "error": "unauthorized" }
404Unknown tool id, or calling /api/* on the website hostname instead of api.xtract.bot.{ "error": "not found" }
413Request body over the tool's max request size, or an image header declaring more megapixels than the tool's pixel budget.{ "error": "…exceeds maxRequestBytes…" }
415Content-Type isn't application/json on the json-body transport.{ "error": "unsupported content-type; expected application/json" }
429Monthly quota or the 200/min burst limit exhausted. Check Retry-After and the X-RateLimit-* headers.{ "error": "monthly quota exceeded", "monthRemaining": 0, … }
5xxConversion engine failure. Safe to retry; if it persists, the input is hitting a bug — please report it.{ "error": "…" }

Code samples

Built from the rsa-csr example.


curl -X POST https://api.xtract.bot/api/csr-generate \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "privateKeyPem": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO+Tokrkjy6Egb\n/irJHkLzlTm2vebJHKThQvP/zRP+izzKqFb12ijLhDH5uTRTn0aDaAyV4vyqKRJS\nQHwmWRCywAWHX1Y334JZ8K+1dDALT9BgEEp0N8dMt2xf14ngKUlbCfHK+vpvj18h\n/yr1n1Pqj9sqQkZy7aPKBaZWy+QZ/EAC04t+TvgFgCy4Wu3XDKf8Pi407KqvMHAG\nCuozFl6aNIwZNiQYw3h7qagD+XaQrnIy5RnOW+Cjx4ae+r5jAzW8FLL6/5fixfBF\nw8Tsy/RQ6ZVCsd07eIoYtMZSxdLdxt46MBUfJshYK2Qmy++oMcN/VQF7+muKd7Vf\nEs3G8+ZDAgMBAAECggEAFwx0REvjzw5a6vGvacBwUFQQZkvjToJIzaxyqRx2qono\nJnmQmfjDVoUnXgKZPhkxZRIbOUygU+Q5eRC+kvC3zEFALZcqeekVMApToTUrtknL\nJg6/mfsQrObtrd5m8pVlUdZevaIhSREmvSnQKKG4sFnkSJc/mTEt6ZhokkSIr2wp\nDE3/LOHujh2T3y1R5tiSf7BU3+ab9FFZPrQWf7bvlYqWxe8G3GfO5UI3g0zlBorl\n6XDYRQkHZAfd2/DlVlJB9kLpBpedyLxpydeM3QrszTBYAknO+MlxkYsGuWzoxstx\nQbQFcnqwQmLhkD31g2niwMdYBjm+3YhWSIrn9CToKQKBgQDJjJ2T0kfH534xpq8I\nmUHHEx0KzQLQNOC8TaCj0NnhGX9Ixt+ofdjlwaQ254nUsYJEeTXHFghPMw4UAv3k\nWBG59CNyyhXUKrszyBO07+cfkWfG7MdxdqZHbyIOA+lCTVTq5yysPLQnYs2tKtAK\nvCaX0TAPXh2uhJBC1p9D08Fz6QKBgQC1mXHsJjQ/B60RrZUb10gbHDYrPSalu8+z\n2SzE0MghwReyMjV6Sk4gDtJM+YziAOdDka2Rw0aEiT5Y0g9jsw18uLVfxHlPNbWB\nMlWnOYk3CmiGUbQ6H0OUAj8jYUw9DoUAps7ZlsjW4LO7AOwjXxCGjInIMjKBGin9\nLukmbP3JSwKBgEzDiszfXUmNKOo+QxIyVPQ+mmQfuz+TtDjkFBfwltt+O5V7cXoa\nHH89po7m1v80cJol1E60XIvVtTn3/b13saCylMHGqFO7xrstLBxQ9yV12yHP0xKr\nDx/L+xt9b9052OrzC3e6Ux9hKVcYJE7CZKyUFwrzXLi4cr2SQuyxfU/pAoGAazMU\nlAGNb/O5D6l3TwMLlq1VsLqdeNJgbttx2REiQwK4WUHYXcNFURlOvY/GwZck7bcu\nTdCHbS+TNV1zJjiJaqmir9DMh5y983FiLKADRxGG2Fuc136jJtkYqmsCVTyf+N1/\nV+Tx1B67GlYWD19L4xFNOHehZqKqTMIHcd5/BfcCgYEAhxmFtlE73J1nMMfYoViY\n+l++KcLndQmKeS7/Dd7hkNSIbXyacN1O7vE6RSGnA0zt2mqOmqIbhFRSr3NTyix1\nRZrMTZHB7qLG45y0PkPbMnOykuGs6opC9ElShoXk9TGIYTu64uPTzlgZc4dzQTk8\nI4NAVr+nRtOVSSek7N8syro=\n-----END PRIVATE KEY-----",
  "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjvk6JK5I8uhIG/4qyR5C\n85U5tr3myRyk4ULz/80T/os8yqhW9dooy4Qx+bk0U59Gg2gMleL8qikSUkB8JlkQ\nssAFh19WN9+CWfCvtXQwC0/QYBBKdDfHTLdsX9eJ4ClJWwnxyvr6b49fIf8q9Z9T\n6o/bKkJGcu2jygWmVsvkGfxAAtOLfk74BYAsuFrt1wyn/D4uNOyqrzBwBgrqMxZe\nmjSMGTYkGMN4e6moA/l2kK5yMuUZzlvgo8eGnvq+YwM1vBSy+v+X4sXwRcPE7Mv0\nUOmVQrHdO3iKGLTGUsXS3cbeOjAVHybIWCtkJsvvqDHDf1UBe/prine1XxLNxvPm\nQwIDAQAB\n-----END PUBLIC KEY-----",
  "subject": "CN=demo.xtract.bot,O=xtract.bot,C=AU",
  "subjectAlternativeNames": "DNS:demo.xtract.bot,DNS:www.demo.xtract.bot"
}'