package models
Type Members
- case class CRLConfiguration(expiry: Duration = Duration.Undefined, disable: Boolean = false) extends Product with Serializable
- case class CSR(csr: String, privateKey: Option[String] = None, privateKeyType: Option[KeySettings.Type] = None) extends Product with Serializable
- case class Certificate(serialNumber: String, certificate: X509Certificate, issuingCa: X509Certificate, caChain: Option[Array[X509Certificate]] = None, privateKey: Option[String] = None, privateKeyType: Option[KeySettings.Type] = None) extends Product with Serializable
- sealed trait Format extends EnumEntry with Lowercase
- case class KeySettings(keyType: KeySettings.Type = Type.RSA, keyBits: Int = 2048, privateKeyFormat: KeySettings.Format = Format.Der) extends Product with Serializable
- case class Names(commonName: String, altNames: Array[String] = Array.empty, ipSans: Array[String] = Array.empty, uriSans: Array[String] = Array.empty, otherSans: Array[String] = Array.empty, excludeCnFromSans: Boolean = false) extends Product with Serializable
- commonName
the requested CN for the certificate. If the CN is allowed by role policy, it will be issued.
- altNames
the requested Subject Alternative Names. These can be host names or email addresses; they will be parsed into their respective fields. If any requested names do not match role policy, the entire request will be denied.
- ipSans
the requested IP Subject Alternative Names. Only valid if the role allows IP SANs (which is the default).
- uriSans
the requested URI Subject Alternative Names. If any requested URIs do not match role policy, the entire request will be denied.
- otherSans
custom OID/UTF8-string SANs. These must match values specified on the role in allowed_other_sans (globbing allowed). The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8.
- excludeCnFromSans
If set, the given commonName will not be included in DNS or Email Subject Alternate Names (as appropriate). Useful if the CN is not a hostname or email address, but is instead some human-readable identifier.
- case class Role(ttl: Duration = Duration.Undefined, maxTtl: Duration = Duration.Undefined, allowLocalhost: Boolean = true, allowBareDomains: Boolean = true, allowSubdomains: Boolean = true, allowGlobDomains: Boolean = true, allowAnyName: Boolean = false, allowIPSans: Boolean = true, allowedDomains: Seq[String] = Seq.empty, allowedUriSans: Seq[String] = Seq.empty, allowedOtherSans: Seq[String] = Seq.empty, serverFlag: Boolean = true, clientFlag: Boolean = true, codeSigningFlag: Boolean = false, emailProtectionFlag: Boolean = false, keyType: KeySettings.Type = KeySettings.Type.RSA, keyBits: Int = 2048, keyUsage: Seq[String] = Seq("DigitalSignature", "KeyAgreement", "KeyEncipherment"), extKeyUsage: Seq[String] = Seq.empty, extKeyUsageOids: String = "", useCsrCommonName: Boolean = true, useCsrSans: Boolean = true, requireCn: Boolean = true, subject: Subject, serialNumber: String = "", generateLease: Boolean = false, noStore: Boolean = false, policyIdentifiers: Seq[String] = Seq.empty, basicConstraintsValidForNonCa: Boolean = false, notBeforeDuration: Duration = Duration.Undefined) extends Product with Serializable
- ttl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) to set as the TTL for issued tokens and at renewal time.
- maxTtl
Duration in either an integer number of seconds (3600) or an integer time unit (60m) after which the issued token can no longer be renewed.
- allowLocalhost
Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.
- allowBareDomains
Specifies if clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.
- allowSubdomains
Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.
- allowGlobDomains
Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.
- allowAnyName
Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
- allowIPSans
Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.
- allowedDomains
Specifies the domains of the role. This is used with the allow_bare_domains and allow_subdomains options.
- allowedUriSans
Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/).
- allowedOtherSans
Defines allowed custom OID/UTF8-string SANs. This field supports globbing. The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8 (or UTF-8). This can be a comma-delimited list or a JSON string slice. All values, including globbing values, must use the correct syntax, with the exception being a single * which allows any OID and any value (but type must still be UTF8).
- serverFlag
Specifies if certificates are flagged for server use.
- clientFlag
Specifies if certificates are flagged for client use.
- codeSigningFlag
Specifies if certificates are flagged for code signing use.
- emailProtectionFlag
Specifies if certificates are flagged for email protection use.
- keyType
Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or when signing CSRs any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).
- keyBits
Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for ec.
- keyUsage
Specifies the allowed key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage; simply drop the KeyUsage prefix from the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.
- extKeyUsage
Specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage; simply drop the ExtKeyUsage prefix from the value. Values are not case-sensitive. To specify no extended key usage constraints, set this to an empty list.
- extKeyUsageOids
A comma-separated string or list of extended key usage OIDs.
- useCsrCommonName
When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR; use useCsrSans for that.
- useCsrSans
When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data. This does not include the common name in the CSR; use useCsrCommonName for that.
- requireCn
If set to false, makes the commonName field optional while generating a certificate.
- subject
Specifies subject fields of the certificate.
- serialNumber
Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names in the altNames map using OID 2.5.4.5.
- generateLease
Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke <leaseId> when certificates are associated with leases. It can also be done using the pki/revoke endpoint. However, when lease generation is disabled, invoking pki/revoke would be the only way to add the certificates to the CRL.
- noStore
If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generateLease.
- policyIdentifiers
A comma-separated string or list of policy OIDs.
- basicConstraintsValidForNonCa
Mark Basic Constraints valid when issuing non-CA certificates.
- notBeforeDuration
Specifies the duration by which to backdate the NotBefore property.
- case class Subject(ou: Array[String] = Array.empty, organization: Array[String] = Array.empty, country: Array[String] = Array.empty, locality: Array[String] = Array.empty, province: Array[String] = Array.empty, streetAddress: Array[String] = Array.empty, postalCode: Array[String] = Array.empty) extends Product with Serializable
- ou
the OU (OrganizationalUnit) values in the subject field.
- organization
the O (Organization) values in the subject field.
- country
the C (Country) values in the subject field.
- locality
the L (Locality) values in the subject field.
- province
the ST (Province) values in the subject field.
- streetAddress
the Street Address values in the subject field.
- postalCode
the Postal Code values in the subject field.
- sealed trait Type extends EnumEntry with Lowercase
- case class URLs(issuingCertificates: Option[Array[Uri]] = None, crlDistributionPoints: Option[Array[Uri]] = None, ocspServers: Option[Array[Uri]] = None) extends Product with Serializable
- issuingCertificates
Specifies the URL values for the Issuing Certificate field.
- crlDistributionPoints
Specifies the URL values for the CRL Distribution Points field.
- ocspServers
Specifies the URL values for the OCSP Servers field.
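The Role and Names descriptions above explain how allowedDomains combines with allowBareDomains, allowSubdomains, allowGlobDomains, allowAnyName and allowLocalhost, and that one non-matching name rejects the whole request. The following is an added example, not code from the library or the generated documentation: it builds a least-privilege server-certificate Role and a Names request with the case classes on this page, and includes a simplified client-side approximation of the documented name checks so the request can be sanity-checked before it is sent. It assumes the classes live directly in package `models`, that `Duration` is `scala.concurrent.duration.Duration`, and that `globMatch`, `nameAllowed` and `requestAllowed` are hypothetical helpers written here; Vault evaluates the real policy server-side, and the helper covers DNS names only (not email addresses).

```scala
import scala.concurrent.duration._
import models.{KeySettings, Names, Role, Subject}   // assumed package path

object RolePolicyExample {

  // Least-privilege role for server certificates: names are confined to
  // subdomains of svc.example.com, the bare domain and arbitrary CNs are
  // refused, IP SANs are off, and only the server flag is set.
  val serverRole: Role = Role(
    ttl = 24.hours,
    maxTtl = 72.hours,
    allowLocalhost = false,
    allowBareDomains = false,
    allowSubdomains = true,
    allowGlobDomains = false,
    allowAnyName = false,
    allowIPSans = false,
    allowedDomains = Seq("svc.example.com"),
    serverFlag = true,
    clientFlag = false,
    keyType = KeySettings.Type.RSA,
    keyBits = 2048,
    keyUsage = Seq("DigitalSignature", "KeyEncipherment"),
    requireCn = true,
    subject = Subject(organization = Array("Example Corp"))   // constructed sample value
  )

  // A constructed request that the role above should accept.
  val request: Names = Names(
    commonName = "api.svc.example.com",
    altNames = Array("api.svc.example.com", "api-canary.svc.example.com"),
    excludeCnFromSans = true
  )

  // Minimal glob matcher: "*" matches any run of characters, everything else is literal.
  private def globMatch(pattern: String, s: String): Boolean = {
    val regex = pattern.split("\\*", -1).map(p => java.util.regex.Pattern.quote(p)).mkString(".*")
    s.matches(regex)
  }

  // Simplified approximation of the documented domain checks (hypothetical helper):
  // allowAnyName short-circuits everything; "localhost" is governed by allowLocalhost;
  // otherwise a name must match an allowedDomains entry as a bare domain, a subdomain
  // (which also covers "*.<domain>"), or a glob pattern, each gated by its role flag.
  def nameAllowed(role: Role, name: String): Boolean =
    if (role.allowAnyName) true
    else if (name == "localhost") role.allowLocalhost
    else role.allowedDomains.exists { domain =>
      val bare = name == domain
      val sub  = name.endsWith("." + domain)
      val glob = domain.contains("*") && globMatch(domain, name)
      (bare && role.allowBareDomains) || (sub && role.allowSubdomains) || (glob && role.allowGlobDomains)
    }

  // Whole-request check (hypothetical helper): the CN, every DNS alt name and the
  // IP SAN setting must all pass; a single non-matching name rejects the request,
  // mirroring the behaviour documented for altNames.
  def requestAllowed(role: Role, names: Names): Boolean = {
    val cnOk =
      if (names.commonName.isEmpty) !role.requireCn
      else nameAllowed(role, names.commonName)
    cnOk &&
      names.altNames.forall(n => nameAllowed(role, n)) &&
      (role.allowIPSans || names.ipSans.isEmpty)
  }

  def main(args: Array[String]): Unit = {
    println(requestAllowed(serverRole, request))
    println(nameAllowed(serverRole, "svc.example.com"))        // bare domain, refused by allowBareDomains = false
    println(nameAllowed(serverRole, "localhost"))              // refused by allowLocalhost = false
    println(nameAllowed(serverRole, "api.other.example.com"))  // outside allowedDomains
  }
}
```

With the role as configured, only the first check succeeds: the sample request uses subdomains of the single allowed domain, while the bare domain, localhost and a name outside allowedDomains are all rejected. Flipping allowAnyName to true would make every check pass, which is why the allowAnyName description advises understanding its impact before enabling it.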
Value Members
- object CRLConfiguration extends Serializable
- object CSR extends Serializable
- object Certificate extends Serializable
- case object Format extends Enum[Format] with CirceEnum[Format] with Product with Serializable
- object KeySettings extends Serializable
- object Names extends Serializable
- object Role extends Serializable
- object Subject extends Serializable
- case object Type extends Enum[Type] with CirceEnum[Type] with Product with Serializable
- object URLs extends Serializable