> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt
> Use this file to discover all available pages before exploring further.

# Rotate ICP-Brasil certificate

> Prerequisite: this is the first step of the onboarding chain (certificate → readiness → connectivity-test → submit); rotate the certificate before activating it (see activateCertificate), checking readiness (see getReadiness), or submitting any operation. Performs an evidence-emitting hot-reload of the ICP-Brasil/RSFN certificate pair. The new certificate must already exist on disk under the configured base path; this endpoint only swaps the in-memory pointer and emits an audit record. Idempotent — replaying the same X-Idempotency key with the same body returns the cached response. The response NEVER includes the private key path or key material.



## OpenAPI

````yaml en/openapi/v3-current/spb.yaml post /v1/str/certificates/rotate
openapi: 3.1.0
info:
  contact:
    email: contact@lerian.studio
    name: Lerian Studio
    url: https://lerian.studio
  description: >-
    OpenAPI 3.1 surface for Lerian SPB, the direct integration between the
    institution and the Brazilian Payment System (SPB) over the National
    Financial System Network (RSFN). It covers the Reserve Transfer System
    (STR): message registry and capability catalog, operation lifecycle (bank
    transfers, IBS repasses, liquidity transfers, returns and cancellations),
    reserve-account and schedule queries, alçada governance, reconciliation, and
    event delivery.
  license:
    name: Lerian Studio General License
  title: Lerian SPB API
  version: 1.0.0
servers:
  - url: https://spb.sandbox.lerian.net
security: []
tags:
  - description: Immutable audit-record trails for STR operations and lifecycle events.
    name: Audit
  - description: >-
      STR capability catalog describing supported message types and their
      constraints.
    name: Capabilities
  - description: >-
      ICP-Brasil certificate inventory with hot-reloadable rotation and
      activation.
    name: Certificates
  - description: >-
      Maker-checker approval queue for emissions parked above their alçada band:
      list pending, sign (approve), and deny.
    name: EmissionApprovals
  - description: Webhook event-delivery records with retry control for failed dispatches.
    name: EventDeliveries
  - description: Operation event catalog enumerating the emitted domain event types.
    name: Events
  - description: >-
      Inbound GEN-family notice log (GEN0001 connectivity echo, GEN0004
      transmission error, GEN0005 administrative notice).
    name: GenNotices
  - description: >-
      SPB alçada governance: the value-band table and per-message-type signature
      requirements, hot-reloaded at runtime.
    name: Governance
  - description: >-
      Read raw STR message status: list messages and read a single message by
      NUOp.
    name: Messages
  - description: Aggregated operational summaries and metrics across STR operations.
    name: OperationalIntelligence
  - description: >-
      STR operation lifecycle for bank transfers and IBS repasses, including
      returns and cancellations.
    name: Operations
  - description: >-
      Service readiness state covering startup self-probes and dependency
      health.
    name: Readiness
  - description: Reconciliation cases and the actions that resolve operation discrepancies.
    name: Reconciliation
  - description: >-
      STR reports suite: synchronous, date-ranged aggregate reports (financial
      movement, rejected transactions, volumetria) over Lerian SPB's own
      transmission record.
    name: Reports
  - description: >-
      STR0013 reserve-account balance and STR0014 statement (extrato,
      message-mode) queries and their async results.
    name: ReserveQueries
  - description: >-
      GEN0019 participant responsável roster: full-replacement updates announced
      to BACEN.
    name: Responsibles
  - description: STR operating-window schedule governing when operations may be sent.
    name: Schedule
  - description: >-
      STR0001 single-party schedule queries (consulta de horários do STR) and
      their async STR0001R1 grid results.
    name: ScheduleQueries
  - description: Runtime SPB configuration settings for the STR integration.
    name: Settings
  - description: Webhook endpoint registration and management for event delivery.
    name: Webhooks
  - description: >-
      Flow (mandatory order): certificate → readiness → connectivity-test →
      submit. Activate a certificate, confirm the rail reports ready, pass a
      connectivity test, then submit an operation. Each step is its own
      resource; a submit must not be attempted before readiness passes.
    name: onboarding
  - description: >-
      Flow (mandatory order): parent operation SETTLED → return/cancel. A return
      or cancellation is a sub-resource of a settled parent operation; the
      {operationId}/{endToEndID} path segment enforces the parent structurally.
    name: lifecycle
paths:
  /v1/str/certificates/rotate:
    post:
      tags:
        - Certificates
        - onboarding
      summary: Rotate ICP-Brasil certificate
      description: >-
        Prerequisite: this is the first step of the onboarding chain
        (certificate → readiness → connectivity-test → submit); rotate the
        certificate before activating it (see activateCertificate), checking
        readiness (see getReadiness), or submitting any operation. Performs an
        evidence-emitting hot-reload of the ICP-Brasil/RSFN certificate pair.
        The new certificate must already exist on disk under the configured base
        path; this endpoint only swaps the in-memory pointer and emits an audit
        record. Idempotent — replaying the same X-Idempotency key with the same
        body returns the cached response. The response NEVER includes the
        private key path or key material.
      operationId: rotateCertificate
      parameters:
        - description: Idempotency key (primary).
          in: header
          name: X-Idempotency
          schema:
            description: Idempotency key (primary).
            type: string
        - description: Idempotency key (legacy alias for X-Idempotency).
          in: header
          name: X-Idempotency-Key
          schema:
            description: Idempotency key (legacy alias for X-Idempotency).
            type: string
        - description: Idempotency key TTL in seconds (overrides the configured default).
          in: header
          name: X-TTL
          schema:
            description: Idempotency key TTL in seconds (overrides the configured default).
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RotateCertificateRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RotateCertificateResponseWire'
          description: OK
        default:
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Detail'
          description: Error
      security:
        - BearerAuth: []
components:
  schemas:
    RotateCertificateRequest:
      additionalProperties: false
      properties:
        certificateRef:
          description: >-
            Operator-supplied reference to the new certificate material
            (filesystem path or secrets-manager URI), validated against the
            configured cert directory before any read.
          examples:
            - /etc/lerian/certs/2026-q2/icp-brasil.crt
          maxLength: 2048
          minLength: 1
          type: string
        privateKeyRef:
          description: >-
            Operator-supplied reference to the new private-key material
            (filesystem path or secrets-manager URI), validated against the
            configured cert directory before any read.
          examples:
            - /etc/lerian/certs/2026-q2/icp-brasil.key
          maxLength: 2048
          minLength: 1
          type: string
        reason:
          description: >-
            Optional operator rationale recorded in the audit evidence (max 512
            chars).
          examples:
            - Quarterly rotation per ICP-Brasil policy
          maxLength: 512
          type: string
      required:
        - certificateRef
        - privateKeyRef
      type: object
    RotateCertificateResponseWire:
      additionalProperties: false
      properties:
        auditId:
          description: UUID of the audit record written for this rotation.
          examples:
            - a1b2c3d4-e5f6-7890-abcd-ef1234567890
          format: uuid
          type: string
        certificate:
          $ref: '#/components/schemas/CertificateStatusWire'
          description: State of the certificate after the rotation hot-reload.
        correlationId:
          description: >-
            Request-scoped correlation identifier echoing X-Request-ID, for
            pivoting from response to trace.
          examples:
            - req-7a3f9c2e
          type: string
        readiness:
          $ref: '#/components/schemas/ReadinessSummary'
          description: >-
            Optional post-rotation readiness summary; omitted when readiness
            lookup is unavailable.
      required:
        - certificate
        - auditId
        - correlationId
      type: object
    Detail:
      additionalProperties: false
      properties:
        code:
          description: >-
            Stable, machine-readable domain error code scoped to the emitting
            service (format: <SERVICE>-NNNN).
          examples:
            - ERR-0001
          type: string
        detail:
          description: >-
            A human-readable explanation specific to this occurrence of the
            problem.
          examples:
            - Property foo is required but is missing.
          type: string
        errors:
          description: Optional list of individual error details
          items:
            $ref: '#/components/schemas/ErrorDetail'
          type:
            - array
            - 'null'
        instance:
          description: >-
            A URI reference that identifies the specific occurrence of the
            problem.
          examples:
            - https://example.com/error-log/abc123
          format: uri
          type: string
        status:
          description: HTTP status code
          examples:
            - 400
          format: int64
          type: integer
        title:
          description: >-
            A short, human-readable summary of the problem type. This value
            should not change between occurrences of the error.
          examples:
            - Bad Request
          type: string
        type:
          default: about:blank
          description: A URI reference to human-readable documentation for the error.
          examples:
            - https://example.com/errors/example
          format: uri
          type: string
      type: object
    CertificateStatusWire:
      additionalProperties: false
      properties:
        certificateId:
          description: Certificate-state row UUID.
          examples:
            - 550e8400-e29b-41d4-a716-446655440000
          format: uuid
          type: string
        daysUntilExpiry:
          description: Whole days remaining until expiry; null when expiry is unknown.
          examples:
            - 45
          format: int64
          type: integer
        expiresAt:
          description: RFC3339 UTC expiry timestamp; null when unknown.
          examples:
            - '2027-05-04T18:30:00Z'
          format: date-time
          type: string
        purpose:
          description: >-
            Role this certificate serves: OUTBOUND_SIGNING (signs submissions),
            INBOUND_PROCESS, BACEN_VERIFICATION, or EXTERNAL_RAIL.
          examples:
            - OUTBOUND_SIGNING
          type: string
        readinessImpact:
          description: >-
            Effect of this certificate's state on service readiness: NONE,
            WARNING, or BLOCKER.
          examples:
            - NONE
          type: string
        status:
          description: >-
            Current validity state: VALID, EXPIRING (within the warning window),
            EXPIRED, INVALID, or MISSING.
          examples:
            - VALID
          type: string
        updatedAt:
          description: RFC3339 UTC timestamp of the last certificate-state update.
          examples:
            - '2026-05-04T18:30:00Z'
          format: date-time
          type: string
      required:
        - certificateId
        - purpose
        - status
        - readinessImpact
        - updatedAt
      type: object
    ReadinessSummary:
      additionalProperties: false
      properties:
        blockers:
          description: >-
            Messages for conditions that block readiness; empty when there are
            none.
          examples:
            - - 'redis: connection refused'
          items:
            type: string
          type:
            - array
            - 'null'
        status:
          description: Aggregate readiness status.
          examples:
            - READY
          type: string
        warnings:
          description: >-
            Messages for non-blocking conditions that need attention; empty when
            there are none.
          examples:
            - - certificate expires in 12 days
          items:
            type: string
          type:
            - array
            - 'null'
      required:
        - status
        - blockers
        - warnings
      type: object
    ErrorDetail:
      additionalProperties: false
      properties:
        location:
          description: >-
            Where the error occurred, e.g. 'body.items[3].tags' or
            'path.thing-id'
          type: string
        message:
          description: Error message text
          type: string
        value:
          description: The value at the given location
      type: object
  securitySchemes:
    BearerAuth:
      bearerFormat: JWT
      description: JWT bearer token issued by the identity provider.
      scheme: bearer
      type: http

````