diff --git a/pinecrypt/server/api/tag.py b/pinecrypt/server/api/tag.py
index b958c85..7d7535d 100644
--- a/pinecrypt/server/api/tag.py
+++ b/pinecrypt/server/api/tag.py
@@ -1,13 +1,33 @@
-from pinecrypt.server import db
+from pinecrypt.server import authority, db
 from pinecrypt.server.decorators import serialize, csrf_protection
 from .utils.firewall import login_required, authorize_admin
+from bson import ObjectId
+import falcon
+
 
 class TagResource(object):
+
+    @serialize
+    @login_required
+    @authorize_admin
+    def on_get_cn(self, req, resp, cn):
+        try:
+            id = authority.get_common_name_id(cn)
+        except ValueError:
+            raise falcon.HTTPNotFound("Unknown Common name",
+            "Object not found with common name %s" % cn)
+
+        id = authority.get_common_name_id(cn)
+        url = req.forwarded_uri.replace(cn, "id/%s" % id)
+
+        resp.status = falcon.HTTP_307
+        resp.location = url
+
     @serialize
     @login_required
     @authorize_admin
     def on_get(self, req, resp, id):
-        tags = db.certificates.find_one({"_id": db.ObjectId(id), "status": "signed"}).get("tags")
+        tags = db.certificates.find_one({"_id": ObjectId(id), "status": "signed"}).get("tags")
         return tags
 
     @csrf_protection
@@ -17,7 +37,7 @@ class TagResource(object):
         # TODO: Sanitize input
         key, value = req.get_param("key", required=True), req.get_param("value", required=True)
         db.certificates.update_one({
-            "_id": db.ObjectId(id),
+            "_id": ObjectId(id),
             "status": "signed"
         }, {
             "$addToSet": {"tags": "%s=%s" % (key, value)}
@@ -36,26 +56,25 @@ class TagDetailResource(object):
         value = req.get_param("value", required=True)
         # TODO: Make atomic https://docs.mongodb.com/manual/reference/operator/update-array/
         db.certificates.find_one_and_update({
-            "_id": db.ObjectId(id),
+            "_id": ObjectId(id),
             "status": "signed"
         }, {
             "$pull": {"tags": tag}
         })
 
         db.certificates.find_one_and_update({
-            "_id": db.ObjectId(id),
+            "_id": ObjectId(id),
             "status": "signed"
         }, {
             "$addToSet": {"tags": "%s=%s" % (key, value)}
         })
 
-
     @csrf_protection
     @login_required
     @authorize_admin
     def on_delete(self, req, resp, id, tag):
         db.certificates.find_one_and_update({
-            "_id": db.ObjectId(id),
+            "_id": ObjectId(id),
             "status": "signed"
         }, {
             "$pull": {"tags": tag}
diff --git a/pinecrypt/server/cli.py b/pinecrypt/server/cli.py
index 72940ae..4f613b2 100644
--- a/pinecrypt/server/cli.py
+++ b/pinecrypt/server/cli.py
@@ -398,6 +398,7 @@ def pinecone_serve_backend():
 
     # CN to Id api call
     app.add_route("/api/signed/{cn}", SignedCertificateDetailResource(), suffix="cn")
+    app.add_route("/api/signed/{cn}/tag", TagResource(), suffix="cn")
 
     # Certificate authority API calls
     app.add_route("/api/certificate", CertificateAuthorityResource())