public interface VaultPkiOperations
The PKI secret backend for Vault generates X.509 certificates dynamically based on configured roles. This means services can get certificates needed for both client and server authentication without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault's built-in authentication and authorization mechanisms provide the verification functionality.
Modifier and Type | Interface and Description |
---|---|
static class |
VaultPkiOperations.Encoding |
Modifier and Type | Method and Description |
---|---|
InputStream |
getCrl(VaultPkiOperations.Encoding encoding)
Retrieves the current CRL in raw form.
|
VaultCertificateResponse |
issueCertificate(String roleName,
VaultCertificateRequest certificateRequest)
Requests a certificate bundle (private key and certificate) from Vault's PKI
backend given a
roleName and VaultCertificateRequest . |
void |
revoke(String serialNumber)
Revokes a certificate using its serial number.
|
VaultSignCertificateRequestResponse |
signCertificateRequest(String roleName,
String csr,
VaultCertificateRequest certificateRequest)
|
VaultCertificateResponse issueCertificate(String roleName, VaultCertificateRequest certificateRequest) throws VaultException
roleName
and VaultCertificateRequest
. The issuing
CA certificate is returned as well, so that only the root CA need be in a client's
trust store. Certificates use DER format and are base64 encoded.roleName
- must not be empty or null.certificateRequest
- must not be null.VaultCertificateResponse
containing a CertificateBundle
.VaultException
VaultSignCertificateRequestResponse signCertificateRequest(String roleName, String csr, VaultCertificateRequest certificateRequest) throws VaultException
roleName
, csr
and
VaultCertificateRequest
. The issuing CA certificate is returned as well, so
that only the root CA need be in a client's trust store. Certificates use DER
format and are base64 encoded.roleName
- must not be empty or null.csr
- must not be empty or null.certificateRequest
- must not be null.VaultCertificateResponse
containing a
Certificate
.VaultException
void revoke(String serialNumber) throws VaultException
serialNumber
- must not be empty or null.VaultException
@Nullable InputStream getCrl(VaultPkiOperations.Encoding encoding) throws VaultException
VaultPkiOperations.Encoding.DER
or VaultPkiOperations.Encoding.PEM
encoded.
If Vault reports no content under the CRL URL, then the result of this method call is null.
InputStream
containing the encoded CRL or null
if Vault responds with 204 No Content.VaultException
Copyright © 2016–2020 Pivotal Software, Inc.. All rights reserved.