> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt
> Use this file to discover all available pages before exploring further.

# Upload or rotate the Dataprev client certificate

> Stores (or rotates) the tenant's ICP-Brasil A1 client certificate (PEM cert+key) for the Dataprev rail in the tenant secret store and upserts non-secret metadata. The certificate is validated before storage. The response NEVER carries secret material.



## OpenAPI

````yaml en/openapi/v3-current/consignado.yaml put /v1/credentials/dataprev/certificate
openapi: 3.1.0
info:
  contact:
    email: contact@lerian.studio
    name: Lerian Studio
    url: https://lerian.studio
  description: >-
    OpenAPI 3.1 surface for Lerian Consignado — Dataprev, the credit-journey
    rail that custodies each tenant's Dataprev access credentials. It covers
    per-tenant credential status plus client-certificate and OAuth2 credential
    rotation. Secret material is written to the tenant secret store and is never
    returned by any operation.
  license:
    name: Lerian Studio General License
  title: Lerian Consignado API
  version: 1.0.0
servers: []
security:
  - BearerAuth: []
tags:
  - description: Per-tenant external-rail credential custody (upload + status)
    name: Credentials
paths:
  /v1/credentials/dataprev/certificate:
    put:
      tags:
        - Credentials
      summary: Upload or rotate the Dataprev client certificate
      description: >-
        Stores (or rotates) the tenant's ICP-Brasil A1 client certificate (PEM
        cert+key) for the Dataprev rail in the tenant secret store and upserts
        non-secret metadata. The certificate is validated before storage. The
        response NEVER carries secret material.
      operationId: putDataprevCertificate
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PutCertificateRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CredentialStatusResponse'
          description: OK
        default:
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Detail'
          description: Error
      security:
        - BearerAuth: []
components:
  schemas:
    PutCertificateRequest:
      additionalProperties: false
      properties:
        certPem:
          description: PEM-encoded ICP-Brasil A1 client certificate chain.
          maxLength: 1048576
          minLength: 1
          type: string
        keyPem:
          description: PEM-encoded private key for the client certificate.
          maxLength: 1048576
          minLength: 1
          type: string
      required:
        - certPem
        - keyPem
      type: object
    CredentialStatusResponse:
      additionalProperties: false
      properties:
        certFingerprint:
          description: >-
            SHA-256 hex fingerprint of the stored certificate (absent when
            none).
          examples:
            - 3b1f...c0
          type: string
        certNotAfter:
          description: RFC 3339 cert expiry (UTC); absent when no cert is stored.
          examples:
            - '2027-01-01T00:00:00Z'
          format: date-time
          type: string
        certPresent:
          description: Whether a client certificate is stored for the tenant.
          type: boolean
        oauthPresent:
          description: Whether OAuth2 client_credentials are stored for the tenant.
          type: boolean
        provider:
          description: External rail the credentials belong to.
          examples:
            - dataprev
          type: string
        updatedAt:
          description: Last-update timestamp (RFC 3339, UTC).
          examples:
            - '2026-06-23T12:00:00Z'
          format: date-time
          type: string
      required:
        - provider
        - certPresent
        - oauthPresent
        - updatedAt
      type: object
    Detail:
      additionalProperties: false
      properties:
        code:
          description: >-
            Stable, machine-readable domain error code scoped to the emitting
            service (format: <SERVICE>-NNNN).
          examples:
            - ERR-0001
          type: string
        detail:
          description: >-
            A human-readable explanation specific to this occurrence of the
            problem.
          examples:
            - Property foo is required but is missing.
          type: string
        errors:
          description: Optional list of individual error details
          items:
            $ref: '#/components/schemas/ErrorDetail'
          type:
            - array
            - 'null'
        instance:
          description: >-
            A URI reference that identifies the specific occurrence of the
            problem.
          examples:
            - https://example.com/error-log/abc123
          format: uri
          type: string
        status:
          description: HTTP status code
          examples:
            - 400
          format: int64
          type: integer
        title:
          description: >-
            A short, human-readable summary of the problem type. This value
            should not change between occurrences of the error.
          examples:
            - Bad Request
          type: string
        type:
          default: about:blank
          description: A URI reference to human-readable documentation for the error.
          examples:
            - https://example.com/errors/example
          format: uri
          type: string
      type: object
    ErrorDetail:
      additionalProperties: false
      properties:
        location:
          description: >-
            Where the error occurred, e.g. 'body.items[3].tags' or
            'path.thing-id'
          type: string
        message:
          description: Error message text
          type: string
        value:
          description: The value at the given location
      type: object
  securitySchemes:
    BearerAuth:
      bearerFormat: JWT
      description: JWT bearer token issued by the identity provider.
      scheme: bearer
      type: http

````