package models

Type Members

  1. case class CRLConfiguration(expiry: Duration = Duration.Undefined, disable: Boolean = false) extends Product with Serializable
  2. case class CSR(csr: String, privateKey: Option[String] = None, privateKeyType: Option[KeySettings.Type] = None) extends Product with Serializable
  3. case class Certificate(serialNumber: String, certificate: X509Certificate, issuingCa: X509Certificate, caChain: Option[Array[X509Certificate]] = None, privateKey: Option[String] = None, privateKeyType: Option[KeySettings.Type] = None) extends Product with Serializable
  4. sealed trait Format extends EnumEntry with Lowercase
  5. case class KeySettings(keyType: KeySettings.Type = Type.RSA, keyBits: Int = 2048, privateKeyFormat: KeySettings.Format = Format.Der) extends Product with Serializable
  6. case class Names(commonName: String, altNames: Array[String] = Array.empty, ipSans: Array[String] = Array.empty, uriSans: Array[String] = Array.empty, otherSans: Array[String] = Array.empty, excludeCnFromSans: Boolean = false) extends Product with Serializable

    commonName

    the requested CN for the certificate. If the CN is allowed by role policy, it will be issued.

    altNames

    the requested Subject Alternative Names. These can be host names or email addresses; they will be parsed into their respective fields. If any requested names do not match role policy, the entire request will be denied.

    ipSans

    the requested IP Subject Alternative Names. Only valid if the role allows IP SANs (which is the default).

    uriSans

    the requested URI Subject Alternative Names. If any requested URIs do not match role policy, the entire request will be denied.

    otherSans

    custom OID/UTF8-string SANs. These must match values specified on the role in allowed_other_sans (globbing allowed). The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8.

    excludeCnFromSans

    If set, the given commonName will not be included in DNS or Email Subject Alternate Names (as appropriate). Useful if the CN is not a hostname or email address, but is instead some human-readable identifier.

  7. case class Role(ttl: Duration = Duration.Undefined, maxTtl: Duration = Duration.Undefined, allowLocalhost: Boolean = true, allowBareDomains: Boolean = true, allowSubdomains: Boolean = true, allowGlobDomains: Boolean = true, allowAnyName: Boolean = false, allowIPSans: Boolean = true, allowedDomains: Seq[String] = Seq.empty, allowedUriSans: Seq[String] = Seq.empty, allowedOtherSans: Seq[String] = Seq.empty, serverFlag: Boolean = true, clientFlag: Boolean = true, codeSigningFlag: Boolean = false, emailProtectionFlag: Boolean = false, keyType: KeySettings.Type = KeySettings.Type.RSA, keyBits: Int = 2048, keyUsage: Seq[String] = Seq("DigitalSignature", "KeyAgreement", "KeyEncipherment"), extKeyUsage: Seq[String] = Seq.empty, extKeyUsageOids: String = "", useCsrCommonName: Boolean = true, useCsrSans: Boolean = true, requireCn: Boolean = true, subject: Subject, serialNumber: String = "", generateLease: Boolean = false, noStore: Boolean = false, policyIdentifiers: Seq[String] = Seq.empty, basicConstraintsValidForNonCa: Boolean = false, notBeforeDuration: Duration = Duration.Undefined) extends Product with Serializable

    ttl

    Duration in either an integer number of seconds (3600) or an integer time unit (60m) to set as the TTL for issued tokens and at renewal time.

    maxTtl

    Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which the issued token can no longer be renewed.

    allowLocalhost

    Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.

    allowBareDomains

    Specifies if clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.

    allowSubdomains

    Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.

    allowGlobDomains

    Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.

    allowAnyName

    Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.

    allowIPSans

    Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.

    allowedDomains

    Specifies the domains of the role. This is used with the allow_bare_domains and allow_subdomains options.

    allowedUriSans

    Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/).

    allowedOtherSans

    Defines allowed custom OID/UTF8-string SANs. This field supports globbing. The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8 (or UTF-8). This can be a comma-delimited list or a JSON string slice. All values, including globbing values, must use the correct syntax, with the exception being a single * which allows any OID and any value (but type must still be UTF8).

    serverFlag

    Specifies if certificates are flagged for server use.

    clientFlag

    Specifies if certificates are flagged for client use.

    codeSigningFlag

    Specifies if certificates are flagged for code signing use.

    emailProtectionFlag

    Specifies if certificates are flagged for email protection use.

    keyType

    Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or when signing CSRs any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).

    keyBits

    Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for ec.

    keyUsage

    Specifies the allowed key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage; simply drop the KeyUsage prefix from the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.

    extKeyUsage

    Specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage; simply drop the ExtKeyUsage prefix from the value. Values are not case-sensitive. To specify no extended key usage constraints, set this to an empty list.

    extKeyUsageOids

    A comma-separated string or list of extended key usage OIDs.

    useCsrCommonName

    When used with the CSR signing endpoint, the common name in the CSR will be used instead of being taken from the JSON data. This does not include any requested SANs in the CSR; use useCsrSans for that.

    useCsrSans

    When used with the CSR signing endpoint, the subject alternative names in the CSR will be used instead of being taken from the JSON data. This does not include the common name in the CSR; use useCsrCommonName for that.

    requireCn

    If set to false, makes the commonName field optional while generating a certificate.

    subject

    Specifies subject fields of the certificate.

    serialNumber

    Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names in the altNames field using OID 2.5.4.5.

    generateLease

    Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke <leaseId> when certificates are associated with leases. It can also be done using the pki/revoke endpoint. However, when lease generation is disabled, invoking pki/revoke would be the only way to add the certificates to the CRL.

    noStore

    If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generateLease.

    policyIdentifiers

    A comma-separated string or list of policy OIDs.

    basicConstraintsValidForNonCa

    Mark Basic Constraints valid when issuing non-CA certificates.

    notBeforeDuration

    Specifies the duration by which to backdate the NotBefore property.

  8. case class Subject(ou: Array[String] = Array.empty, organization: Array[String] = Array.empty, country: Array[String] = Array.empty, locality: Array[String] = Array.empty, province: Array[String] = Array.empty, streetAddress: Array[String] = Array.empty, postalCode: Array[String] = Array.empty) extends Product with Serializable

    ou

    the OU (OrganizationalUnit) values in the subject field.

    organization

    the O (Organization) values in the subject field.

    country

    the C (Country) values in the subject field.

    locality

    the L (Locality) values in the subject field.

    province

    the ST (Province) values in the subject field.

    streetAddress

    the Street Address values in the subject field.

    postalCode

    the Postal Code values in the subject field.

  9. sealed trait Type extends EnumEntry with Lowercase
  10. case class URLs(issuingCertificates: Option[Array[Uri]] = None, crlDistributionPoints: Option[Array[Uri]] = None, ocspServers: Option[Array[Uri]] = None) extends Product with Serializable

    issuingCertificates

    Specifies the URL values for the Issuing Certificate field.

    crlDistributionPoints

    Specifies the URL values for the CRL Distribution Points field.

    ocspServers

    Specifies the URL values for the OCSP Servers field.
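To make the Role name-policy options above concrete, here is an added example in Scala; it is not part of the models package or of Vault. It defines a hypothetical NamePolicy mirroring the relevant Role fields and a check that applies the documented rules (allowAnyName, allowLocalhost, allowBareDomains, allowSubdomains, allowGlobDomains) to a requested CN. The rule ordering and the glob-to-regex conversion are assumptions drawn from the descriptions above, not Vault's actual implementation, and subdomain matching is simplified to the literal allowedDomains entries.

```scala
import java.util.regex.Pattern

// Hypothetical mirror of the Role name-policy fields (assumed names, not the library's own).
final case class NamePolicy(
    allowedDomains: Seq[String] = Seq.empty,
    allowLocalhost: Boolean = true,
    allowBareDomains: Boolean = true,
    allowSubdomains: Boolean = true,
    allowGlobDomains: Boolean = true,
    allowAnyName: Boolean = false
)

object NamePolicy {
  // Glob patterns such as ftp*.example.com: only '*' is special, everything else is literal.
  private def globMatches(pattern: String, name: String): Boolean = {
    val regex = pattern.split("\\*", -1).map(Pattern.quote).mkString(".*")
    name.matches(regex)
  }

  /** True when `name` may be issued as the CN under this policy (assumed semantics). */
  def allows(p: NamePolicy, name: String): Boolean = {
    val lower = name.toLowerCase
    if (p.allowAnyName) true
    else if (lower == "localhost") p.allowLocalhost
    else p.allowedDomains.map(_.toLowerCase).exists { d =>
      val bare = p.allowBareDomains && lower == d
      // "*.example.com" is a wildcard subdomain and is gated by allowSubdomains as well.
      val sub  = p.allowSubdomains && lower.endsWith("." + d)
      val glob = p.allowGlobDomains && d.contains("*") && globMatches(d, lower)
      bare || sub || glob
    }
  }
}

object NamePolicyDemo {
  def main(args: Array[String]): Unit = {
    // Least-privilege role: one domain, subdomains only, no bare domain, no globs, no localhost.
    val strict = NamePolicy(
      allowedDomains = Seq("example.com"),
      allowLocalhost = false,
      allowBareDomains = false,
      allowGlobDomains = false
    )
    // Constructed sample requests; a lookalike domain must not pass the suffix check.
    Seq("api.example.com", "*.example.com", "example.com", "localhost", "example.com.evil.test")
      .foreach(n => println(f"$n%-25s -> ${NamePolicy.allows(strict, n)}"))
  }
}
```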

Value Members

  1. object CRLConfiguration extends Serializable
  2. object CSR extends Serializable
  3. object Certificate extends Serializable
  4. case object Format extends Enum[Format] with CirceEnum[Format] with Product with Serializable
  5. object KeySettings extends Serializable
  6. object Names extends Serializable
  7. object Role extends Serializable
  8. object Subject extends Serializable
  9. case object Type extends Enum[Type] with CirceEnum[Type] with Product with Serializable
  10. object URLs extends Serializable
