/** Configuration of a Vault PKI role: the issuance policy that constrains which names, key
  * types, usages and lifetimes clients may obtain through this role.
  *
  * Defaults mirror the permissive Vault defaults (bare domains, subdomains, glob domains and
  * IP SANs allowed; `allowAnyName` off). The name-restricting flags only matter relative to
  * `allowedDomains`; `allowAnyName = true` bypasses them entirely, and `allowIPSans`,
  * `allowedUriSans` and `allowedOtherSans` are validated for syntax only, not authorized.
  *
  * NOTE(review): `Duration.Undefined` is used as the "not set" sentinel for the duration
  * fields — presumably the backend default then applies; confirm against the caller.
  *
  * @param ttl                           TTL set on what the role issues. The accompanying text says
  *                                      "issued tokens"; for a PKI role this is presumably the
  *                                      certificate validity period — confirm.
  * @param maxTtl                        Duration after which what the role issues can no longer be renewed.
  * @param allowLocalhost                Whether `localhost` may be requested as a common name.
  * @param allowBareDomains              Whether a name in `allowedDomains` may itself be requested
  *                                      (e.g. `example.com`). Can be a security risk in some scenarios.
  * @param allowSubdomains               Whether subdomains of the allowed names may be requested,
  *                                      including wildcard subdomains (`*.example.com`). Redundant
  *                                      when `allowAnyName` is set.
  * @param allowGlobDomains              Whether entries in `allowedDomains` may contain glob patterns
  *                                      (e.g. `ftp*.example.com`).
  * @param allowAnyName                  Whether any CN may be requested; disables name restriction.
  * @param allowIPSans                   Whether IP SANs may be requested. Only syntactic validation
  *                                      is performed, no authorization.
  * @param allowedDomains                Domains of the role, used with `allowBareDomains` and
  *                                      `allowSubdomains`.
  * @param allowedUriSans                Allowed URI SANs; may contain glob patterns
  *                                      (e.g. `spiffe://hostname/`). Only syntactic validation.
  * @param allowedOtherSans              Allowed custom OID/UTF8-string SANs in OpenSSL form
  *                                      `<oid>;<type>:<value>` (type `UTF8`/`UTF-8`); supports
  *                                      globbing, and a single `*` allows any OID and value.
  * @param serverFlag                    Flag certificates for server use.
  * @param clientFlag                    Flag certificates for client use.
  * @param codeSigningFlag               Flag certificates for code signing use.
  * @param emailProtectionFlag           Flag certificates for email protection use.
  * @param keyType                       Key type generated and expected in CSRs (rsa, ec; `any`
  *                                      when signing CSRs, with RSA keys required to exceed 1024 bits).
  * @param keyBits                       Key size for generated keys; must be changed for ec keys.
  * @param keyUsage                      Allowed key usage constraint (Go `x509.KeyUsage` names without
  *                                      the `KeyUsage` prefix, case-insensitive); empty means no constraint.
  * @param extKeyUsage                   Allowed extended key usage constraint (Go `x509.ExtKeyUsage`
  *                                      names without the prefix, case-insensitive); empty means none.
  * @param extKeyUsageOids               Comma-separated extended key usage OIDs.
  * @param useCsrCommonName              On the CSR signing endpoint, take the CN from the CSR instead
  *                                      of the request data (SANs are governed by `useCsrSans`).
  * @param useCsrSans                    On the CSR signing endpoint, take the SANs from the CSR instead
  *                                      of the request data (CN is governed by `useCsrCommonName`).
  * @param requireCn                     When false, the common name becomes optional when generating.
  * @param subject                       Subject fields of the certificate.
  * @param serialNumber                  Explicit serial number; empty lets Vault generate a random one.
  * @param generateLease                 Attach Vault leases to issued/signed certificates so they can be
  *                                      revoked via `vault revoke`; otherwise `pki/revoke` is the only way
  *                                      to add them to the CRL.
  * @param noStore                       Do not store issued/signed certificates. They then cannot be
  *                                      enumerated or revoked, so this suits only non-sensitive or very
  *                                      short-lived certificates; implies `generateLease = false`.
  * @param policyIdentifiers             Policy OIDs to include.
  * @param basicConstraintsValidForNonCa Mark Basic Constraints valid when issuing non-CA certificates.
  * @param notBeforeDuration             Duration by which to backdate NotBefore.
  */
case class Role(ttl: Duration = Duration.Undefined, maxTtl: Duration = Duration.Undefined, allowLocalhost: Boolean = true, allowBareDomains: Boolean = true, allowSubdomains: Boolean = true, allowGlobDomains: Boolean = true, allowAnyName: Boolean = false, allowIPSans: Boolean = true, allowedDomains: Seq[String] = Seq.empty, allowedUriSans: Seq[String] = Seq.empty, allowedOtherSans: Seq[String] = Seq.empty, serverFlag: Boolean = true, clientFlag: Boolean = true, codeSigningFlag: Boolean = false, emailProtectionFlag: Boolean = false, keyType: KeySettings.Type = KeySettings.Type.RSA, keyBits: Int = 2048, keyUsage: Seq[String] = Seq("DigitalSignature", "KeyAgreement", "KeyEncipherment"), extKeyUsage: Seq[String] = Seq.empty, extKeyUsageOids: String = "", useCsrCommonName: Boolean = true, useCsrSans: Boolean = true, requireCn: Boolean = true, subject: Subject, serialNumber: String = "", generateLease: Boolean = false, noStore: Boolean = false, policyIdentifiers: Seq[String] = Seq.empty, basicConstraintsValidForNonCa: Boolean = false, notBeforeDuration: Duration = Duration.Undefined) extends Product with Serializable
- ttl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) to set as the TTL for issued tokens and at renewal time.
- maxTtl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which the issued token can no longer be renewed.
- allowLocalhost
Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.
- allowBareDomains
Specifies if clients can request certificates for the allowed domains themselves; e.g. if allowed_domains is configured as example.com, this allows clients to request a certificate containing the name example.com itself as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.
- allowSubdomains
Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.
- allowGlobDomains
Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.
- allowAnyName
Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
- allowIPSans
Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.
- allowedDomains
Specifies the domains of the role. This is used with the allow_bare_domains and allow_subdomains options.
- allowedUriSans
Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/).
- allowedOtherSans
Defines allowed custom OID/UTF8-string SANs. This field supports globbing. The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8 (or UTF-8). This can be a comma-delimited list or a JSON string slice. All values, including globbing values, must use the correct syntax, with the exception being a single * which allows any OID and any value (but type must still be UTF8).
- serverFlag
Specifies if certificates are flagged for server use.
- clientFlag
Specifies if certificates are flagged for client use.
- codeSigningFlag
Specifies if certificates are flagged for code signing use.
- emailProtectionFlag
Specifies if certificates are flagged for email protection use.
- keyType
Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or, when signing CSRs, any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).
- keyBits
Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for ec.
- keyUsage
Specifies the allowed key usage constraint on issued certificates. Valid values are listed at https://golang.org/pkg/crypto/x509/#KeyUsage; simply drop the KeyUsage prefix from the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.
- extKeyUsage
Specifies the allowed extended key usage constraint on issued certificates. Valid values are listed at https://golang.org/pkg/crypto/x509/#ExtKeyUsage; simply drop the ExtKeyUsage prefix from the value. Values are not case-sensitive. To specify no extended key usage constraints, set this to an empty list.
- extKeyUsageOids
(string: "") - A comma-separated string or list of extended key usage OIDs.
- useCsrCommonName
When used with the CSR signing endpoint, the common name in the CSR will be used instead of the one taken from the JSON data. This does not include any SANs requested in the CSR; use useCsrSans for that.
- useCsrSans
When used with the CSR signing endpoint, the subject alternative names in the CSR will be used instead of those taken from the JSON data. This does not include the common name in the CSR; use useCsrCommonName for that.
- requireCn
If set to false, makes the commonName field optional while generating a certificate.
- subject
Specifies subject fields of the certificate.
- serialNumber
Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names in the altNames map using OID 2.5.4.5.
- generateLease
Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke <leaseId> when certificates are associated with leases. It can also be done using the pki/revoke endpoint. However, when lease generation is disabled, invoking pki/revoke would be the only way to add the certificates to the CRL.
- noStore
If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generateLease.
- policyIdentifiers
A comma-separated string or list of policy OIDs.
- basicConstraintsValidForNonCa
Mark Basic Constraints valid when issuing non-CA certificates.
- notBeforeDuration
Specifies the duration by which to backdate the NotBefore property.
Instance Constructors
- new Role(ttl: Duration = Duration.Undefined, maxTtl: Duration = Duration.Undefined, allowLocalhost: Boolean = true, allowBareDomains: Boolean = true, allowSubdomains: Boolean = true, allowGlobDomains: Boolean = true, allowAnyName: Boolean = false, allowIPSans: Boolean = true, allowedDomains: Seq[String] = Seq.empty, allowedUriSans: Seq[String] = Seq.empty, allowedOtherSans: Seq[String] = Seq.empty, serverFlag: Boolean = true, clientFlag: Boolean = true, codeSigningFlag: Boolean = false, emailProtectionFlag: Boolean = false, keyType: KeySettings.Type = KeySettings.Type.RSA, keyBits: Int = 2048, keyUsage: Seq[String] = Seq("DigitalSignature", "KeyAgreement", "KeyEncipherment"), extKeyUsage: Seq[String] = Seq.empty, extKeyUsageOids: String = "", useCsrCommonName: Boolean = true, useCsrSans: Boolean = true, requireCn: Boolean = true, subject: Subject, serialNumber: String = "", generateLease: Boolean = false, noStore: Boolean = false, policyIdentifiers: Seq[String] = Seq.empty, basicConstraintsValidForNonCa: Boolean = false, notBeforeDuration: Duration = Duration.Undefined)
- ttl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) to set as the TTL for issued tokens and at renewal time.
- maxTtl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which the issued token can no longer be renewed.
- allowLocalhost
Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.
- allowBareDomains
Specifies if clients can request certificates for the allowed domains themselves; e.g. if allowed_domains is configured as example.com, this allows clients to request a certificate containing the name example.com itself as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.
- allowSubdomains
Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.
- allowGlobDomains
Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.
- allowAnyName
Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
- allowIPSans
Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.
- allowedDomains
Specifies the domains of the role. This is used with the allow_bare_domains and allow_subdomains options.
- allowedUriSans
Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/).
- allowedOtherSans
Defines allowed custom OID/UTF8-string SANs. This field supports globbing. The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8 (or UTF-8). This can be a comma-delimited list or a JSON string slice. All values, including globbing values, must use the correct syntax, with the exception being a single * which allows any OID and any value (but type must still be UTF8).
- serverFlag
Specifies if certificates are flagged for server use.
- clientFlag
Specifies if certificates are flagged for client use.
- codeSigningFlag
Specifies if certificates are flagged for code signing use.
- emailProtectionFlag
Specifies if certificates are flagged for email protection use.
- keyType
Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or, when signing CSRs, any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).
- keyBits
Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for ec.
- keyUsage
Specifies the allowed key usage constraint on issued certificates. Valid values are listed at https://golang.org/pkg/crypto/x509/#KeyUsage; simply drop the KeyUsage prefix from the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.
- extKeyUsage
Specifies the allowed extended key usage constraint on issued certificates. Valid values are listed at https://golang.org/pkg/crypto/x509/#ExtKeyUsage; simply drop the ExtKeyUsage prefix from the value. Values are not case-sensitive. To specify no extended key usage constraints, set this to an empty list.
- extKeyUsageOids
(string: "") - A comma-separated string or list of extended key usage OIDs.
- useCsrCommonName
When used with the CSR signing endpoint, the common name in the CSR will be used instead of the one taken from the JSON data. This does not include any SANs requested in the CSR; use useCsrSans for that.
- useCsrSans
When used with the CSR signing endpoint, the subject alternative names in the CSR will be used instead of those taken from the JSON data. This does not include the common name in the CSR; use useCsrCommonName for that.
- requireCn
If set to false, makes the commonName field optional while generating a certificate.
- subject
Specifies subject fields of the certificate.
- serialNumber
Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names in the altNames map using OID 2.5.4.5.
- generateLease
Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke <leaseId> when certificates are associated with leases. It can also be done using the pki/revoke endpoint. However, when lease generation is disabled, invoking pki/revoke would be the only way to add the certificates to the CRL.
- noStore
If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generateLease.
- policyIdentifiers
A comma-separated string or list of policy OIDs.
- basicConstraintsValidForNonCa
Mark Basic Constraints valid when issuing non-CA certificates.
- notBeforeDuration
Specifies the duration by which to backdate the NotBefore property.
Value Members
- final def !=(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- final def ##: Int
- Definition Classes
- AnyRef → Any
- def ->[B](y: B): (Role, B)
- final def ==(arg0: Any): Boolean
- Definition Classes
- AnyRef → Any
- val allowAnyName: Boolean
- val allowBareDomains: Boolean
- val allowGlobDomains: Boolean
- val allowIPSans: Boolean
- val allowLocalhost: Boolean
- val allowSubdomains: Boolean
- val allowedDomains: Seq[String]
- val allowedOtherSans: Seq[String]
- val allowedUriSans: Seq[String]
- final def asInstanceOf[T0]: T0
- Definition Classes
- Any
- val basicConstraintsValidForNonCa: Boolean
- val clientFlag: Boolean
- def clone(): AnyRef
- Attributes
- protected[lang]
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.CloneNotSupportedException]) @native()
- val codeSigningFlag: Boolean
- val emailProtectionFlag: Boolean
- def ensuring(cond: (Role) => Boolean, msg: => Any): Role
- def ensuring(cond: (Role) => Boolean): Role
- def ensuring(cond: Boolean, msg: => Any): Role
- def ensuring(cond: Boolean): Role
- final def eq(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- val extKeyUsage: Seq[String]
- val extKeyUsageOids: String
- def finalize(): Unit
- Attributes
- protected[lang]
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.Throwable])
- def formatted(fmtstr: String): String
- val generateLease: Boolean
- final def getClass(): Class[_ <: AnyRef]
- Definition Classes
- AnyRef → Any
- Annotations
- @native()
- final def isInstanceOf[T0]: Boolean
- Definition Classes
- Any
- val keyBits: Int
- val keyType: KeySettings.Type
- val keyUsage: Seq[String]
- val maxTtl: Duration
- final def ne(arg0: AnyRef): Boolean
- Definition Classes
- AnyRef
- val noStore: Boolean
- val notBeforeDuration: Duration
- final def notify(): Unit
- Definition Classes
- AnyRef
- Annotations
- @native()
- final def notifyAll(): Unit
- Definition Classes
- AnyRef
- Annotations
- @native()
- val policyIdentifiers: Seq[String]
- def productElementNames: Iterator[String]
- Definition Classes
- Product
- val requireCn: Boolean
- val serialNumber: String
- val serverFlag: Boolean
- val subject: Subject
- final def synchronized[T0](arg0: => T0): T0
- Definition Classes
- AnyRef
- val ttl: Duration
- val useCsrCommonName: Boolean
- val useCsrSans: Boolean
- final def wait(): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])
- final def wait(arg0: Long, arg1: Int): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException])
- final def wait(arg0: Long): Unit
- Definition Classes
- AnyRef
- Annotations
- @throws(classOf[java.lang.InterruptedException]) @native()
Deprecated Value Members
- def →[B](y: B): (Role, B)
- Implicit
- This member is added by an implicit conversion from Role to ArrowAssoc[Role] performed by method ArrowAssoc in scala.Predef.
- Definition Classes
- ArrowAssoc
- Annotations
- @deprecated
- Deprecated
(Since version 2.13.0) Use -> instead. If you still wish to display it as one character, consider using a font with programming ligatures such as Fira Code.