org.springframework.vault.core

Class VaultPkiTemplate

java.lang.Object

org.springframework.vault.core.VaultPkiTemplate

All Implemented Interfaces:

VaultPkiOperations

public class VaultPkiTemplate
extends Object
implements VaultPkiOperations

Default implementation of VaultPkiOperations.

Author:

Mark Paluch, Alex Antonov

Nested Class Summary

Nested classes/interfaces inherited from interface org.springframework.vault.core.VaultPkiOperations

VaultPkiOperations.Encoding

Constructor Summary

Constructors

Constructor and Description
VaultPkiTemplate(VaultOperations vaultOperations, String path) Create a new VaultPkiTemplate given VaultOperations and the mount path.

Method Summary

Modifier and Type	Method and Description
InputStream	getCrl(VaultPkiOperations.Encoding encoding) Retrieves the current CRL in raw form.
VaultCertificateResponse	issueCertificate(String roleName, VaultCertificateRequest certificateRequest) Requests a certificate bundle (private key and certificate) from Vault's PKI backend given a roleName and VaultCertificateRequest.
void	revoke(String serialNumber) Revokes a certificate using its serial number.
VaultSignCertificateRequestResponse	signCertificateRequest(String roleName, String csr, VaultCertificateRequest certificateRequest) Signs a CSR using Vault's PKI backend given a roleName, csr and VaultCertificateRequest.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

VaultPkiTemplate

public VaultPkiTemplate(VaultOperations vaultOperations,
                        String path)

Create a new VaultPkiTemplate given VaultOperations and the mount path.

Parameters:

vaultOperations - must not be null.

path - must not be empty or null.

Method Detail

issueCertificate

public VaultCertificateResponse issueCertificate(String roleName,
                                                 VaultCertificateRequest certificateRequest)
                                          throws VaultException

Description copied from interface: VaultPkiOperations

Requests a certificate bundle (private key and certificate) from Vault's PKI backend given a roleName and VaultCertificateRequest. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store. Certificates use DER format and are base64 encoded.

Specified by:

issueCertificate in interface VaultPkiOperations

Parameters:

roleName - must not be empty or null.

certificateRequest - must not be null.

Returns:

the VaultCertificateResponse containing a CertificateBundle .

Throws:

VaultException

See Also:

POST /pki/issue/[role name]

signCertificateRequest

public VaultSignCertificateRequestResponse signCertificateRequest(String roleName,
                                                                  String csr,
                                                                  VaultCertificateRequest certificateRequest)
                                                           throws VaultException

Description copied from interface: VaultPkiOperations

Signs a CSR using Vault's PKI backend given a roleName, csr and VaultCertificateRequest. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store. Certificates use DER format and are base64 encoded.

Specified by:

signCertificateRequest in interface VaultPkiOperations

Parameters:

roleName - must not be empty or null.

csr - must not be empty or null.

certificateRequest - must not be null.

Returns:

the VaultCertificateResponse containing a Certificate .

Throws:

VaultException

See Also:

POST /pki/sign/[role name]

revoke

public void revoke(String serialNumber)
            throws VaultException

Description copied from interface: VaultPkiOperations

Revokes a certificate using its serial number. This is an alternative option to the standard method of revoking using Vault lease IDs. A successful revocation will rotate the CRL

Specified by:

revoke in interface VaultPkiOperations

Parameters:

serialNumber - must not be empty or null.

Throws:

VaultException

See Also:

POST /pki/revoke

getCrl

public InputStream getCrl(VaultPkiOperations.Encoding encoding)
                   throws VaultException

Description copied from interface: VaultPkiOperations

Retrieves the current CRL in raw form. This endpoint is suitable for usage in the CRL distribution points extension in a CA certificate. This is a bare endpoint that does not return a standard Vault data structure. Returns data VaultPkiOperations.Encoding.DER or VaultPkiOperations.Encoding.PEM encoded.

If Vault reports no content under the CRL URL, then the result of this method call is null.

Specified by:

getCrl in interface VaultPkiOperations

Returns:

InputStream containing the encoded CRL or null if Vault responds with 204 No Content.

Throws:

VaultException

See Also:

GET /pki/crl