Package org.springframework.vault.core
Interface VaultPkiOperations
- All Known Implementing Classes:
VaultPkiTemplate
public interface VaultPkiOperations
Interface that specifies PKI backend-related operations.
The PKI secret backend for Vault generates X.509 certificates dynamically based on configured roles. This means services can get certificates needed for both client and server authentication without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault's built-in authentication and authorization mechanisms provide the verification functionality.
- Author:
- Mark Paluch, Nanne Baars
Nested Class Summary
- VaultPkiOperations.Encoding: encoding (DER or PEM) used by getCrl and getIssuerCertificate.
Method Summary
- InputStream getCrl(VaultPkiOperations.Encoding encoding): Retrieves the current CRL in raw form.
- VaultIssuerCertificateRequestResponse getIssuerCertificate(String issuer): Retrieves the specified issuer's certificate.
- InputStream getIssuerCertificate(String issuer, VaultPkiOperations.Encoding encoding): Retrieves the specified issuer's certificate in the given encoding.
- VaultCertificateResponse issueCertificate(String roleName, VaultCertificateRequest certificateRequest): Requests a certificate bundle (private key and certificate) from Vault's PKI backend given a roleName and VaultCertificateRequest.
- void revoke(String serialNumber): Revokes a certificate using its serial number.
- VaultSignCertificateRequestResponse signCertificateRequest(String roleName, String csr, VaultCertificateRequest certificateRequest): Signs a CSR using Vault's PKI backend given a roleName, csr and VaultCertificateRequest.
-
Method Details
issueCertificate
VaultCertificateResponse issueCertificate(String roleName, VaultCertificateRequest certificateRequest) throws VaultException
Requests a certificate bundle (private key and certificate) from Vault's PKI backend given a roleName and VaultCertificateRequest. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store.
- Parameters:
- roleName - must not be empty or null.
- certificateRequest - must not be null.
- Returns:
- the VaultCertificateResponse containing a CertificateBundle.
- Throws:
- VaultException
signCertificateRequest
VaultSignCertificateRequestResponse signCertificateRequest(String roleName, String csr, VaultCertificateRequest certificateRequest) throws VaultException
Signs a CSR using Vault's PKI backend given a roleName, csr and VaultCertificateRequest. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store. Because the caller supplies the CSR, the private key never leaves the caller; Vault returns only the signed certificate.
- Parameters:
- roleName - must not be empty or null.
- csr - must not be empty or null.
- certificateRequest - must not be null.
- Returns:
- the VaultSignCertificateRequestResponse containing a Certificate.
- Throws:
- VaultException
- Since:
- 2.0
revoke
void revoke(String serialNumber) throws VaultException
Revokes a certificate using its serial number. This is an alternative option to the standard method of revoking using Vault lease IDs. A successful revocation will rotate the CRL.
- Parameters:
- serialNumber - must not be empty or null.
- Throws:
- VaultException
- Since:
- 2.0
getCrl
InputStream getCrl(VaultPkiOperations.Encoding encoding) throws VaultException
Retrieves the current CRL in raw form. This endpoint is suitable for usage in the CRL distribution points extension in a CA certificate. This is a bare endpoint that does not return a standard Vault data structure. Returns data VaultPkiOperations.Encoding.DER or VaultPkiOperations.Encoding.PEM encoded. If Vault reports no content under the CRL URL, then the result of this method call is null.
- Parameters:
- encoding - encoding to use.
- Returns:
- InputStream containing the encoded CRL or null if Vault responds with 204 No Content.
- Throws:
- VaultException
- Since:
- 2.0
getIssuerCertificate
VaultIssuerCertificateRequestResponse getIssuerCertificate(String issuer) throws VaultException
Retrieves the specified issuer's certificate. Includes the full ca_chain of the issuer.
- Parameters:
- issuer - reference to an existing issuer, either by Vault-generated identifier, or the name assigned to an issuer. Pass the literal string default to refer to the currently configured issuer.
- Returns:
- the VaultIssuerCertificateRequestResponse containing a Certificate.
- Throws:
- VaultException
- Since:
- 3.1
getIssuerCertificate
InputStream getIssuerCertificate(String issuer, VaultPkiOperations.Encoding encoding) throws VaultException
Retrieves the specified issuer's certificate. Includes the full ca_chain of the issuer.
- Parameters:
- issuer - reference to an existing issuer, either by Vault-generated identifier, or the name assigned to an issuer. Pass the literal string default to refer to the currently configured issuer.
- encoding - encoding to use.
- Returns:
- InputStream containing the encoded certificate.
- Throws:
- VaultException
- Since:
- 3.1
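The following is an added usage example, not part of the Spring Vault documentation or code base: it walks the lifecycle the methods above describe (issue a short-lived bundle via issueCertificate, verify the leaf against the returned issuing CA, check the DER CRL from getCrl, and finally revoke by serial number). The role name "web-server", the common name and the key-store alias are constructed values, and the VaultTemplate is assumed to be configured elsewhere; the builder and CertificateBundle accessor names are taken from Spring Vault's public API as the author understands it.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.time.Duration;

import org.springframework.vault.core.VaultPkiOperations;
import org.springframework.vault.core.VaultPkiOperations.Encoding;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.CertificateBundle;
import org.springframework.vault.support.VaultCertificateRequest;
import org.springframework.vault.support.VaultCertificateResponse;

/** Issues, validates, CRL-checks and revokes a certificate through VaultPkiOperations. */
public class PkiLifecycleExample {

    // vaultTemplate is assumed to be configured elsewhere (e.g. injected by Spring).
    public static KeyStore issueAndCheck(VaultTemplate vaultTemplate) throws Exception {
        VaultPkiOperations pki = vaultTemplate.opsForPki(); // default "pki" mount

        // "web-server" is a constructed role name; it must exist in Vault and permit this CN.
        VaultCertificateRequest request = VaultCertificateRequest.builder()
                .commonName("svc.internal.example")
                .withAltName("svc")
                .ttl(Duration.ofHours(1)) // short TTL bounds the exposure of a leaked key
                .build();

        VaultCertificateResponse response = pki.issueCertificate("web-server", request);
        CertificateBundle bundle = response.getRequiredData();

        // Confirm the leaf really chains to the issuing CA Vault returned alongside it.
        X509Certificate leaf = bundle.getX509Certificate();
        leaf.verify(bundle.getX509IssuerCertificate().getPublicKey());

        // getCrl returns a bare DER stream, or null on 204 No Content (no CRL yet).
        InputStream crlStream = pki.getCrl(Encoding.DER);
        if (crlStream != null) {
            X509CRL crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(crlStream);
            if (crl.isRevoked(leaf)) {
                throw new IllegalStateException("freshly issued certificate is already on the CRL");
            }
        }

        // Key store alias "svc" is constructed; the store holds the private key and chain for TLS.
        KeyStore keyStore = bundle.createKeyStore("svc");

        // When the workload is retired, revoke by serial number; Vault then rotates the CRL.
        pki.revoke(bundle.getSerialNumber());
        return keyStore;
    }
}
```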