org.springframework.vault.core

Interface VaultPkiOperations

All Known Implementing Classes:

VaultPkiTemplate

public interface VaultPkiOperations

Interface that specifies PKI backend-related operations.

The PKI secret backend for Vault generates X.509 certificates dynamically based on configured roles. This means services can get certificates needed for both client and server authentication without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault's built-in authentication and authorization mechanisms provide the verification functionality.

Author:

Mark Paluch

See Also:

https://www.vaultproject.io/docs/secrets/pki/index.html

Nested Class Summary

Nested Classes

Modifier and Type	Interface and Description
static class	VaultPkiOperations.Encoding

Method Summary

Modifier and Type	Method and Description
InputStream	getCrl(VaultPkiOperations.Encoding encoding) Retrieves the current CRL in raw form.
VaultCertificateResponse	issueCertificate(String roleName, VaultCertificateRequest certificateRequest) Requests a certificate bundle (private key and certificate) from Vault's PKI backend given a roleName and VaultCertificateRequest.
void	revoke(String serialNumber) Revokes a certificate using its serial number.
VaultSignCertificateRequestResponse	signCertificateRequest(String roleName, String csr, VaultCertificateRequest certificateRequest) Signs a CSR using Vault's PKI backend given a roleName, csr and VaultCertificateRequest.

Method Detail

issueCertificate

VaultCertificateResponse issueCertificate(String roleName,
                                          VaultCertificateRequest certificateRequest)
                                   throws VaultException

Requests a certificate bundle (private key and certificate) from Vault's PKI backend given a roleName and VaultCertificateRequest. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store. Certificates use DER format and are base64 encoded.

Parameters:

roleName - must not be empty or null.

certificateRequest - must not be null.

Returns:

the VaultCertificateResponse containing a CertificateBundle .

Throws:

VaultException

See Also:

POST /pki/issue/[role name]

signCertificateRequest

VaultSignCertificateRequestResponse signCertificateRequest(String roleName,
                                                           String csr,
                                                           VaultCertificateRequest certificateRequest)
                                                    throws VaultException

Signs a CSR using Vault's PKI backend given a roleName, csr and VaultCertificateRequest. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store. Certificates use DER format and are base64 encoded.

Parameters:

roleName - must not be empty or null.

csr - must not be empty or null.

certificateRequest - must not be null.

Returns:

the VaultCertificateResponse containing a Certificate .

Throws:

VaultException

Since:

2.0

See Also:

POST /pki/sign/[role name]

revoke

void revoke(String serialNumber)
     throws VaultException

Revokes a certificate using its serial number. This is an alternative option to the standard method of revoking using Vault lease IDs. A successful revocation will rotate the CRL

Parameters:

serialNumber - must not be empty or null.

Throws:

VaultException

Since:

2.0

See Also:

POST /pki/revoke

getCrl

@Nullable
InputStream getCrl(VaultPkiOperations.Encoding encoding)
                      throws VaultException

Retrieves the current CRL in raw form. This endpoint is suitable for usage in the CRL distribution points extension in a CA certificate. This is a bare endpoint that does not return a standard Vault data structure. Returns data VaultPkiOperations.Encoding.DER or VaultPkiOperations.Encoding.PEM encoded.

If Vault reports no content under the CRL URL, then the result of this method call is null.

Returns:

InputStream containing the encoded CRL or null if Vault responds with 204 No Content.

Throws:

VaultException

Since:

2.0

See Also:

GET /pki/crl