
final class PKI[F[_]] extends AnyRef

Self Type
PKI[F]
Source
PKI.scala

Instance Constructors

  1. new PKI(path: String, uri: Uri)(implicit arg0: Concurrent[F], arg1: Client[F], token: Raw)

Value Members

  1. final def !=(arg0: Any): Boolean
    Definition Classes
    AnyRef → Any
  2. final def ##: Int
    Definition Classes
    AnyRef → Any
  3. def ->[B](y: B): (PKI[F], B)
    Implicit
    This member is added by an implicit conversion from PKI[F] to ArrowAssoc[PKI[F]] performed by method ArrowAssoc in scala.Predef.
    Definition Classes
    ArrowAssoc
    Annotations
    @inline()
  4. final def ==(arg0: Any): Boolean
    Definition Classes
    AnyRef → Any
  5. final def asInstanceOf[T0]: T0
    Definition Classes
    Any
  6. def clone(): AnyRef
    Attributes
    protected[lang]
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.CloneNotSupportedException]) @native()
  7. val deleteRoot: F[Unit]

    Deletes the current CA key. The old CA certificate will still be accessible for reading until a new certificate/key are generated or uploaded. This endpoint requires sudo capabilities.

  8. def ensuring(cond: (PKI[F]) => Boolean, msg: => Any): PKI[F]
    Implicit
    This member is added by an implicit conversion from PKI[F] to Ensuring[PKI[F]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  9. def ensuring(cond: (PKI[F]) => Boolean): PKI[F]
    Implicit
    This member is added by an implicit conversion from PKI[F] to Ensuring[PKI[F]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  10. def ensuring(cond: Boolean, msg: => Any): PKI[F]
    Implicit
    This member is added by an implicit conversion from PKI[F] to Ensuring[PKI[F]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  11. def ensuring(cond: Boolean): PKI[F]
    Implicit
    This member is added by an implicit conversion from PKI[F] to Ensuring[PKI[F]] performed by method Ensuring in scala.Predef.
    Definition Classes
    Ensuring
  12. final def eq(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef
  13. def equals(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef → Any
  14. def finalize(): Unit
    Attributes
    protected[lang]
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.Throwable])
  15. def formatted(fmtstr: String): String
    Implicit
    This member is added by an implicit conversion from PKI[F] to StringFormat[PKI[F]] performed by method StringFormat in scala.Predef.
    Definition Classes
    StringFormat
    Annotations
    @inline()
  16. def generateCertificate(role: String, names: Names, ttl: Duration = Duration.Undefined, privateKeyFormat: Format = KeySettings.Format.Der): F[Certificate]

    Generates a new set of credentials (private key and certificate) based on the role named in the endpoint. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store.

    role

    Specifies the name of the role to issue the certificate against.

    names

    Specifies the names of the certificate (the common name and the various SANs, Subject Alternative Names).

    ttl

    Specifies the requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value is used. Note that the role values default to system values if not explicitly set.

    privateKeyFormat

    Specifies the format for marshaling the private key. Defaults to Der, which returns the key PEM-encoded. The other option is Pkcs8, which returns the key marshalled as PEM-encoded PKCS8.

  17. def generateIntermediate(type: Type, names: Names, subject: Subject = Subject(), keySettings: KeySettings = KeySettings(), serialNumber: Option[String] = None): F[CSR]

    Generates a new private key and a CSR for signing. If using Vault as a root, and for many other CAs, the various parameters on the final certificate are set at signing time and may or may not honor the parameters set here.

    This will overwrite any previously existing CA private key.

    This is mostly meant as a helper function, and not all possible parameters that can be set in a CSR are supported.

    names

    Specifies the names of the certificate (the common name and the various SANs, Subject Alternative Names).

    subject

    Specifies the subject fields of the certificate.

    keySettings

    Specifies the settings for the private key.

    serialNumber

    Specifies the serial number, if any. Otherwise Vault generates a random serial for you. If you want more than one, specify alternative names in Names using OID 2.5.4.5.

  18. def generateRoot(type: Type, names: Names, subject: Subject, ttl: Duration = Duration.Undefined, permittedDNSDomains: Array[String] = Array.empty, keySettings: KeySettings = KeySettings(), serialNumber: Option[String] = None, maxPathLength: Integer = -1): F[Certificate]

    Generates a new self-signed CA certificate and private key. If type is Exported, the private key is returned; if it is Internal, the private key is not returned and cannot be retrieved later. Distribution points use the values set via config/urls.

    As with other issued certificates, Vault will automatically revoke the generated root at the end of its lease period; the CA certificate will sign its own CRL.

    As of Vault 0.8.1, if a CA cert/key already exists, this function will not overwrite it; it must be deleted first. Previous versions of Vault would overwrite the existing cert/key with new values.

    names

    Specifies the names of the certificate (the common name and the various SANs, Subject Alternative Names).

    subject

    Specifies the subject fields of the certificate.

    ttl

    Specifies the requested Time To Live (after which the certificate expires). This cannot be larger than the engine's max TTL (or, if that is not set, the system max). Duration.Undefined, the default, leaves the TTL to the engine.

    permittedDNSDomains

    The DNS domains for which certificates are allowed to be issued or signed by this CA certificate. Note that subdomains are allowed, as per the RFC.

    keySettings

    Specifies the settings for the private key.

    serialNumber

    Specifies the serial number, if any. Otherwise Vault generates a random serial for you. If you want more than one, specify alternative names in Names using OID 2.5.4.5.

    maxPathLength

    Specifies the maximum path length to encode in the generated certificate. -1 means no limit, unless the signing certificate has a maximum path length set, in which case the path length is set to one less than that of the signing certificate. A limit of 0 means a literal path length of zero.

  19. final def getClass(): Class[_ <: AnyRef]
    Definition Classes
    AnyRef → Any
    Annotations
    @native()
  20. def hashCode(): Int
    Definition Classes
    AnyRef → Any
    Annotations
    @native()
  21. final def isInstanceOf[T0]: Boolean
    Definition Classes
    Any
  22. def listCertificates(implicit P: Parallel[F]): F[List[X509Certificate]]

    Returns the current certificates.

  23. val listCertificatesSerials: F[List[String]]

    Returns the serial numbers of the current certificates.

  24. final def ne(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef
  25. final def notify(): Unit
    Definition Classes
    AnyRef
    Annotations
    @native()
  26. final def notifyAll(): Unit
    Definition Classes
    AnyRef
    Annotations
    @native()
  27. val path: String
  28. val readCACertificate: F[X509Certificate]

    Retrieves the CA certificate.

  29. val readCACertificateChain: F[List[X509Certificate]]

    Retrieves the CA certificate chain, including the CA.

  30. val readCACertificateChainPem: F[String]

    Retrieves the CA certificate chain, including the CA in PEM format.

  31. val readCACertificatePem: F[String]

    Retrieves the CA certificate in a PEM format.

  32. val readCRL: F[X509CRL]

    Retrieves the current CRL.

  33. val readCRLConfiguration: F[CRLConfiguration]

    returns

    the duration for which the generated CRL should be marked valid.

  34. val readCRLPem: F[String]

    Retrieves the current CRL in a PEM format.

  35. def readCertificate(serial: BigInteger): F[Option[X509Certificate]]

    Retrieves the certificate with the given serial.

  36. def readCertificate(serial: String): F[Option[X509Certificate]]

    Retrieves the certificate with the given serial.

    To read the CA certificate, see readCACertificate. To read the CA chain, see readCACertificateChain. To read the CRL, see readCRL.

    serial

    Specifies the serial of the certificate to read. Must be hex-encoded and hyphen-separated; see PKI.toSerialString.

  37. val readURLs: F[URLs]

    returns

    the URLs to be encoded in generated certificates.

  38. def revoke(certificate: X509Certificate): F[Unit]

    Revokes a certificate using its serial number. This is an alternative to the standard method of revoking using Vault lease IDs. A successful revocation rotates the CRL.

  39. def revoke(serial: String): F[Unit]

    Revokes a certificate using its serial number. This is an alternative to the standard method of revoking using Vault lease IDs. A successful revocation rotates the CRL.

  40. val rotateCRLs: F[Unit]

    Forces a rotation of the CRL. This can be used by administrators to cut the size of the CRL if it contains a number of certificates that have now expired, but has not been rotated due to no further certificates being revoked.

  41. def setCRLConfiguration(config: CRLConfiguration): F[Unit]

    Sets the duration for which the generated CRL should be marked valid. If the CRL is disabled, it will return a signed but zero-length CRL for any request. If enabled, it will re-build the CRL.

    Note: Disabling the CRL does not affect whether revoked certificates are stored internally. Certificates that have been revoked when a role's certificate storage is enabled will continue to be marked and stored as revoked until tidy has been run with the desired safety buffer. Re-enabling CRL generation will then result in all such certificates becoming a part of the CRL.
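
The revocation and CRL members above compose into a single check that a defender will want after every revocation: revoke, then confirm from the CA's own signed CRL that the certificate is now listed. The following is an added example and not code from this client library or from Vault. It assumes `pki` is a `PKI[IO]` for the mount that issued `cert`, and the `serialString` helper is my own rendering of the hex, hyphen-separated serial form that `readCertificate(serial: String)` documents; it is assumed, not confirmed, to agree with `PKI.toSerialString`, which the page names but does not show.

```scala
import java.math.BigInteger
import java.security.cert.X509Certificate
import cats.effect.IO

// Added example, not part of the library. `pki` is assumed to be a PKI[IO] for the
// issuing mount and `cert` a certificate issued by that mount.

// Format a serial as lowercase, two-digit, hyphen-separated hex, which is the form
// readCertificate(serial: String) documents. Assumed to match PKI.toSerialString.
def serialString(serial: BigInteger): String = {
  val hex  = serial.toString(16)
  val even = if (hex.length % 2 == 1) "0" + hex else hex   // keep byte boundaries
  even.grouped(2).mkString("-")
}

// Revoke a certificate and confirm, from the CA's own CRL, that the revocation took.
// A successful revoke already rotates the CRL, so no explicit rotateCRLs is needed.
def revokeAndConfirm(pki: PKI[IO], cert: X509Certificate): IO[Boolean] =
  for {
    _   <- pki.revoke(cert)
    ca  <- pki.readCACertificate
    crl <- pki.readCRL
    // X509CRL.verify throws if the CRL was not signed by the CA's key. A revocation
    // decision should never be based on a CRL whose signature has not been checked.
    _   <- IO(crl.verify(ca.getPublicKey))
    // Revoked certificates stay in Vault's store (marked revoked) until tidy removes
    // them, so the entry is still expected to be readable by serial.
    stored <- pki.readCertificate(serialString(cert.getSerialNumber))
  } yield crl.isRevoked(cert) && stored.isDefined
```

`revokeAndConfirm` returns `true` only when the certificate appears in a CRL that verifies against the CA key and is still present in storage; a `false` here, or an exception from `verify`, is the signal to investigate before relying on the revocation.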

  42. def setSignedIntermediate(certificate: X509Certificate): F[Unit]
  43. def setSignedIntermediate(certificatePEM: String): F[Unit]

    Submits the signed CA certificate corresponding to a private key generated via /pki/intermediate/generate. The certificate should be submitted in PEM format; see the documentation for /pki/config/ca for some hints on submitting.

    certificatePEM

    Specifies the certificate in PEM format. May optionally append additional CA certificates to populate the whole chain, which will then enable returning the full chain from issue and sign operations.

  44. def setURLs(urls: URLs): F[Unit]

    Sets the issuing certificate endpoints, CRL distribution points, and OCSP server endpoints that will be encoded into issued certificates. You can update any of the values at any time without affecting the other existing values.

    urls

    The URLs to use.

  45. def signCertificate(role: String, csr: String, names: Names, ttl: Duration = Duration.Undefined): F[Certificate]

    Signs a new certificate based upon the provided CSR and the supplied parameters, subject to the restrictions contained in the role named in the endpoint. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store.

    role

    Specifies the name of the role to sign the CSR against.

    csr

    Specifies the PEM-encoded CSR.

    names

    Specifies the names of the certificate (the common name and the various SANs, Subject Alternative Names).

    ttl

    Specifies the requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value is used. Note that the role values default to system values if not explicitly set.

  46. def signIntermediate(csr: String, names: Names, subject: Subject = Subject(), ttl: Duration = Duration.Undefined, permittedDNSDomains: Array[String] = Array.empty, useCsrValues: Boolean = false, serialNumber: Option[String] = None, maxPathLength: Integer = -1): F[Certificate]

    Uses the configured CA certificate to issue a certificate with appropriate values for acting as an intermediate CA. Distribution points use the values set via config/urls. Values set in the CSR are ignored unless useCsrValues is set to true, in which case the values from the CSR are used verbatim.

    csr

    Specifies the PEM-encoded CSR.

    names

    Specifies the names of the certificate (the common name and the various SANs, Subject Alternative Names).

    subject

    Specifies the subject fields of the certificate.

    ttl

    Specifies the requested Time To Live (after which the certificate expires). This cannot be larger than the engine's max (or, if not set, the system max). However, this can be after the expiration of the signing CA.

    permittedDNSDomains

    The DNS domains for which certificates are allowed to be issued or signed by this CA certificate. Note that subdomains are allowed, as per the RFC.

    useCsrValues

    If set to true, then: 1) subject information, including names and alternate names, is preserved from the CSR rather than taken from the other parameters to this path; 2) any key usages (for instance, non-repudiation) requested in the CSR are added to the basic set of key usages used for CA certs signed by this path; 3) extensions requested in the CSR are copied into the issued certificate.

    serialNumber

    Specifies the serial number, if any. Otherwise Vault generates a random serial for you. If you want more than one, specify alternative names in Names using OID 2.5.4.5.

    maxPathLength

    Specifies the maximum path length to encode in the generated certificate. -1 means no limit, unless the signing certificate has a maximum path length set, in which case the path length is set to one less than that of the signing certificate. A limit of 0 means a literal path length of zero.
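
Taken together, generateRoot, generateIntermediate, signIntermediate, setSignedIntermediate and generateCertificate describe one procedure: bootstrapping a two-tier CA in which the root key never leaves Vault and all day-to-day issuance goes through a path-length-limited intermediate. The example below carries that procedure through end to end. It is an added example, not code from this client library or from Vault, and it rests on several assumptions the page does not confirm: `Names` has a one-argument constructor taking the common name; `Subject()` builds a default subject (as the `subject: Subject = Subject()` defaults suggest); `Type.Internal` exists as described under generateRoot; the `CSR` result exposes a `csr: String` field and the `Certificate` result exposes a `certificate: X509Certificate` field; and a role named `web-server` already exists in the intermediate mount. `rootPki` and `intPki` are assumed to be two `PKI[IO]` instances built against different mount paths.

```scala
import cats.effect.IO
import scala.concurrent.duration._

// Added example, not part of the library. Assumed (not on the page): Names(commonName),
// Subject(), Type.Internal, CSR#csr: String, Certificate#certificate: X509Certificate,
// and a pre-existing "web-server" role in the intermediate mount.
//
// rootPki and intPki are PKI[IO] instances for two different Vault mounts (for example
// "pki-root" and "pki-int"); separate mounts keep the root and intermediate keys apart.
def bootstrapTwoTierCa(rootPki: PKI[IO], intPki: PKI[IO]): IO[Certificate] =
  for {
    // 1. Self-signed root. Type.Internal: the private key is never returned and cannot
    //    be retrieved later. maxPathLength = 1 permits exactly one CA level below it.
    _ <- rootPki.generateRoot(
      Type.Internal,
      Names("Example Root CA"),
      Subject(),
      ttl = 87600.hours,        // 10 years; the root is long-lived and rarely touched
      maxPathLength = 1
    )

    // 2. Intermediate key and CSR, generated inside the intermediate's own mount.
    //    Internal again, so this key is not exported either.
    intermediateCsr <- intPki.generateIntermediate(
      Type.Internal,
      Names("Example Intermediate CA")
    )

    // 3. The root signs the intermediate CSR. useCsrValues stays false, so names and
    //    constraints come from these parameters rather than from the CSR.
    //    maxPathLength = 0: the intermediate may issue leaves but no further CAs.
    //    permittedDNSDomains adds an X.509 name constraint limiting what it may sign.
    signedIntermediate <- rootPki.signIntermediate(
      intermediateCsr.csr,
      Names("Example Intermediate CA"),
      ttl = 43800.hours,        // 5 years, shorter than the root
      permittedDNSDomains = Array("example.com"),
      maxPathLength = 0
    )

    // 4. Install the signed certificate next to the intermediate's private key.
    _ <- intPki.setSignedIntermediate(signedIntermediate.certificate)

    // 5. Issue a short-lived leaf certificate through a role on the intermediate. The
    //    role's max_ttl bounds this ttl; the root mount is not used for issuance.
    leaf <- intPki.generateCertificate(
      "web-server",
      Names("app.example.com"),
      ttl = 24.hours
    )
  } yield leaf
```

The returned `Certificate` carries the issuing CA as well, so clients only need the root in their trust store. Because the root was generated as Internal, a compromise of the intermediate mount can be handled by revoking the intermediate and re-running steps 2 through 4; the root key itself was never exposed.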

  47. def signSelfIssued(certificate: X509Certificate): F[Certificate]
  48. def signSelfIssued(certificatePem: String): F[Certificate]
  49. def signVerbatim(csr: String, role: Option[String] = None, keyUsage: Array[String] = Array("DigitalSignature", "KeyAgreement", "KeyEncipherment"), extendedKeyUsage: Array[String] = Array.empty, extendedKeyUsageOIDs: Array[String] = Array.empty, ttl: Duration = Duration.Undefined, format: Format = Format.Pem): F[Certificate]

    Signs a new certificate based upon the provided CSR. Values are taken verbatim from the CSR; the only restriction is that this endpoint will refuse to issue an intermediate CA certificate (see the /pki/root/sign-intermediate endpoint for that functionality). This is a potentially dangerous endpoint and only highly trusted users should have access.

    csr

    Specifies the PEM-encoded CSR.

    role

    Specifies a role. If set, the following parameters from the role take effect: ttl, max_ttl, generate_lease, and no_store.

    keyUsage

    Specifies the allowed key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage; simply drop the KeyUsage part of the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.

    extendedKeyUsage

    Specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage; simply drop the ExtKeyUsage part of the value. Values are not case-sensitive. To specify no extended key usage constraints, set this to an empty list.

    extendedKeyUsageOIDs

    Specifies the allowed extended key usage OIDs.

    ttl

    Specifies the requested Time To Live. Cannot be greater than the engine's max_ttl value. If not provided, the engine's ttl value is used, which defaults to system values if not explicitly set.

    format

    Specifies the format for returned data. If Der, the output is base64 encoded. If Pem, the output is base64 PEM encoded. If Pem_Bundle, the certificate field will contain the private key (if exported) and certificate, concatenated; if the issuing CA is not a Vault-derived self-signed root, this will be included as well.

  50. def submitCAInformation(pemBundle: String): F[Unit]

    This endpoint allows submitting the CA information for the backend via a PEM file containing the CA certificate and its private key, concatenated.

    May optionally append additional CA certificates. Useful when creating an intermediate CA to ensure a full chain is returned when signing or generating certificates.

    Not needed if you are generating a self-signed root certificate, and not used if you have a signed intermediate CA certificate with a generated key (use the /pki/intermediate/set-signed endpoint for that).

    If you have already set a certificate and key, they will be overwritten.

    pemBundle

    Specifies the key and certificate concatenated in PEM format.

  51. final def synchronized[T0](arg0: => T0): T0
    Definition Classes
    AnyRef
  52. def tidy(tidyCertStore: Boolean = false, tidyRevokedCerts: Boolean = false, safetyBuffer: Duration = Duration.Undefined): F[Unit]

    Allows tidying up the storage backend and/or CRL by removing certificates that have expired and are past a certain buffer period beyond their expiration time.

    tidyCertStore

    Specifies whether to tidy up the certificate store.

    tidyRevokedCerts

    Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.

    safetyBuffer

    Specifies a duration (defaults to 72h) used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep certificates from being removed from the CRL that, due to clock skew, might still be considered valid on other hosts. For a certificate to be expunged, the time must be after the expiration time of the certificate (according to the local clock) plus the duration of safety_buffer.

  53. def toString(): String
    Definition Classes
    AnyRef → Any
  54. val uri: Uri
  55. final def wait(): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.InterruptedException])
  56. final def wait(arg0: Long, arg1: Int): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.InterruptedException])
  57. final def wait(arg0: Long): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.InterruptedException]) @native()
  58. object roles extends RolesCRUD[F, Role]

Deprecated Value Members

  1. def →[B](y: B): (PKI[F], B)
    Implicit
    This member is added by an implicit conversion from PKI[F] to ArrowAssoc[PKI[F]] performed by method ArrowAssoc in scala.Predef.
    Definition Classes
    ArrowAssoc
    Annotations
    @deprecated
    Deprecated

    (Since version 2.13.0) Use -> instead. If you still wish to display it as one character, consider using a font with programming ligatures such as Fira Code.
