2017-03-09 02:47:35 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: api
|
|
|
|
|
page_title: PKI - Secrets Engines - HTTP API
|
|
|
|
|
sidebar_title: PKI
|
|
|
|
|
description: This is the API documentation for the Vault PKI secrets engine.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
---
|
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
# PKI Secrets Engine (API)
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
This is the API documentation for the Vault PKI secrets engine. For general
|
|
|
|
|
information about the usage and operation of the PKI secrets engine, please see
|
2020-01-22 20:05:41 +00:00
|
|
|
|
the [PKI documentation](/docs/secrets/pki).
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
This documentation assumes the PKI secrets engine is enabled at the `/pki` path
|
|
|
|
|
in Vault. Since it is possible to enable secrets engines at any location, please
|
2017-03-09 02:47:35 +00:00
|
|
|
|
update your API calls accordingly.
|
|
|
|
|
|
2017-05-23 13:19:47 +00:00
|
|
|
|
## Table of Contents
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- [Read CA Certificate](#read-ca-certificate)
|
|
|
|
|
- [Read CA Certificate Chain](#read-ca-certificate-chain)
|
|
|
|
|
- [Read Certificate](#read-certificate)
|
|
|
|
|
- [List Certificates](#list-certificates)
|
|
|
|
|
- [Submit CA Information](#submit-ca-information)
|
|
|
|
|
- [Read CRL Configuration](#read-crl-configuration)
|
|
|
|
|
- [Set CRL Configuration](#set-crl-configuration)
|
|
|
|
|
- [Read URLs](#read-urls)
|
|
|
|
|
- [Set URLs](#set-urls)
|
|
|
|
|
- [Read CRL](#read-crl)
|
|
|
|
|
- [Rotate CRLs](#rotate-crls)
|
|
|
|
|
- [Generate Intermediate](#generate-intermediate)
|
|
|
|
|
- [Set Signed Intermediate](#set-signed-intermediate)
|
|
|
|
|
- [Generate Certificate](#generate-certificate)
|
|
|
|
|
- [Revoke Certificate](#revoke-certificate)
|
2020-03-31 19:21:16 +00:00
|
|
|
|
- [Create/Update Role](#create-update-role)
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- [Read Role](#read-role)
|
|
|
|
|
- [List Roles](#list-roles)
|
|
|
|
|
- [Delete Role](#delete-role)
|
|
|
|
|
- [Generate Root](#generate-root)
|
|
|
|
|
- [Delete Root](#delete-root)
|
|
|
|
|
- [Sign Intermediate](#sign-intermediate)
|
|
|
|
|
- [Sign Self-Issued](#sign-self-issued)
|
|
|
|
|
- [Sign Certificate](#sign-certificate)
|
|
|
|
|
- [Sign Verbatim](#sign-verbatim)
|
|
|
|
|
- [Tidy](#tidy)
|
2017-05-23 13:19:47 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
## Read CA Certificate
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
This endpoint retrieves the CA certificate _in raw DER-encoded form_. This is a
|
2017-08-15 18:00:40 +00:00
|
|
|
|
bare endpoint that does not return a standard Vault data structure and cannot
|
2017-12-11 16:10:28 +00:00
|
|
|
|
be read by the Vault CLI; use `/pki/cert` for that. If `/pem` is added to the
|
|
|
|
|
endpoint, the CA certificate is returned in PEM format.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :-------------- |
|
|
|
|
|
| `GET` | `/pki/ca(/pem)` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/ca/pem
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
<binary DER-encoded certificate>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read CA Certificate Chain
|
|
|
|
|
|
|
|
|
|
This endpoint retrieves the CA certificate chain, including the CA _in PEM
|
|
|
|
|
format_. This is a bare endpoint that does not return a standard Vault data
|
2017-12-11 16:10:28 +00:00
|
|
|
|
structure and cannot be read by the Vault CLI; use `/pki/cert` for that.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :-------------- |
|
|
|
|
|
| `GET` | `/pki/ca_chain` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/ca_chain
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
<PEM-encoded certificate chain>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Certificate
|
|
|
|
|
|
2017-04-02 21:02:11 +00:00
|
|
|
|
This endpoint retrieves one of a selection of certificates. This endpoint returns the certificate in PEM formatting in the
|
2017-12-11 16:10:28 +00:00
|
|
|
|
`certificate` key of the JSON object, which is a standard Vault response that is readable by the Vault CLI.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------ |
|
|
|
|
|
| `GET` | `/pki/cert/:serial` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `serial` `(string: <required>)` – Specifies the serial of the key to read.
|
2017-12-11 16:10:28 +00:00
|
|
|
|
This is part of the request URL. Valid values for `serial` are:
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `<serial>` for the certificate with the given serial number
|
|
|
|
|
- `ca` for the CA certificate
|
|
|
|
|
- `crl` for the current CRL
|
|
|
|
|
- `ca_chain` for the CA trust chain or a serial number in either hyphen-separated or colon-separated octal format
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/cert/crl
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
2020-01-18 00:18:09 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIGmDCCBYCgAwIBAgIHBzEB3fTzhTANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE\n..."
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## List Certificates
|
|
|
|
|
|
|
|
|
|
This endpoint returns a list of the current certificates by serial number only.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------- |
|
|
|
|
|
| `LIST` | `/pki/certs` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request LIST \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/certs
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"keys": [
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"17:67:16:b0:b9:45:58:c0:3a:29:e3:cb:d6:98:33:7a:a6:3b:66:c1",
|
|
|
|
|
"26:0f:76:93:73:cb:3f:a0:7a:ff:97:85:42:48:3a:aa:e5:96:03:21"
|
|
|
|
|
]
|
|
|
|
|
},
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"wrap_info": null,
|
|
|
|
|
"warnings": null,
|
|
|
|
|
"auth": null
|
2017-03-16 18:26:09 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Submit CA Information
|
|
|
|
|
|
|
|
|
|
This endpoint allows submitting the CA information for the backend via a PEM
|
2018-01-03 15:59:18 +00:00
|
|
|
|
file containing the CA certificate and its private key, concatenated.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
May optionally append additional CA certificates. Useful when creating an
|
2018-01-03 15:59:18 +00:00
|
|
|
|
intermediate CA to ensure a full chain is returned when signing or generating
|
|
|
|
|
certificates.
|
|
|
|
|
|
|
|
|
|
Not needed if you are generating a self-signed root certificate, and not used
|
|
|
|
|
if you have a signed intermediate CA certificate with a generated key (use the
|
2017-03-16 18:26:09 +00:00
|
|
|
|
`/pki/intermediate/set-signed` endpoint for that). _If you have already set a
|
|
|
|
|
certificate and key, they will be overridden._
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------- |
|
|
|
|
|
| `POST` | `/pki/config/ca` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `pem_bundle` `(string: <required>)` – Specifies the key and certificate concatenated in PEM format.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```text
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data "@payload.json" \
|
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/ca
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Note that if you provide the data through the HTTP API it must be
|
|
|
|
|
JSON-formatted, with newlines replaced with `\n`, like so:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END CERTIFICATE-----"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read CRL Configuration
|
|
|
|
|
|
|
|
|
|
This endpoint allows getting the duration for which the generated CRL should be
|
|
|
|
|
marked valid.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `GET` | `/pki/config/crl` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/crl
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"disable": false,
|
|
|
|
|
"expiry": "72h"
|
|
|
|
|
},
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Set CRL Configuration
|
|
|
|
|
|
|
|
|
|
This endpoint allows setting the duration for which the generated CRL should be
|
2018-08-21 15:20:57 +00:00
|
|
|
|
marked valid. If the CRL is disabled, it will return a signed but zero-length
|
|
|
|
|
CRL for any request. If enabled, it will re-build the CRL.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
~> Note: Disabling the CRL does not affect whether revoked certificates are
|
|
|
|
|
stored internally. Certificates that have been revoked when a role's
|
|
|
|
|
certificate storage is enabled will continue to be marked and stored as
|
|
|
|
|
revoked until `tidy` has been run with the desired safety buffer. Re-enabling
|
|
|
|
|
CRL generation will then result in all such certificates becoming a part of
|
|
|
|
|
the CRL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `POST` | `/pki/config/crl` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `expiry` `(string: "72h")` – Specifies the time until expiration.
|
2018-08-21 15:20:57 +00:00
|
|
|
|
- `disable` `(bool: false)` – Disables or enables CRL building.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"expiry": "48h"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/crl
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read URLs
|
|
|
|
|
|
|
|
|
|
This endpoint fetches the URLs to be encoded in generated certificates.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `GET` | `/pki/config/urls` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/urls
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"issuing_certificates": ["<url1>", "<url2>"],
|
|
|
|
|
"crl_distribution_points": ["<url1>", "<url2>"],
|
2017-11-06 17:05:07 +00:00
|
|
|
|
"ocsp_servers": ["<url1>", "<url2>"]
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Set URLs
|
|
|
|
|
|
|
|
|
|
This endpoint allows setting the issuing certificate endpoints, CRL distribution
|
|
|
|
|
points, and OCSP server endpoints that will be encoded into issued certificates.
|
|
|
|
|
You can update any of the values at any time without affecting the other
|
|
|
|
|
existing values. To remove the values, simply use a blank string as the
|
|
|
|
|
parameter.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `POST` | `/pki/config/urls` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `issuing_certificates` `(array<string>: nil)` – Specifies the URL values for
|
2017-10-03 20:13:57 +00:00
|
|
|
|
the Issuing Certificate field. This can be an array or a comma-separated
|
|
|
|
|
string list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `crl_distribution_points` `(array<string>: nil)` – Specifies the URL values
|
2017-10-03 20:13:57 +00:00
|
|
|
|
for the CRL Distribution Points field. This can be an array or a
|
|
|
|
|
comma-separated string list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `ocsp_servers` `(array<string>: nil)` – Specifies the URL values for the OCSP
|
2017-10-03 20:13:57 +00:00
|
|
|
|
Servers field. This can be an array or a comma-separated string list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"ocsp_servers": ["https://..."]
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/urls
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read CRL
|
|
|
|
|
|
|
|
|
|
This endpoint retrieves the current CRL **in raw DER-encoded form**. This
|
|
|
|
|
endpoint is suitable for usage in the CRL Distribution Points extension in a CA
|
|
|
|
|
certificate. This is a bare endpoint that does not return a standard Vault data
|
2017-12-11 16:10:28 +00:00
|
|
|
|
structure and cannot be parsed by the Vault CLI; use `/pki/cert/crl` in that case.
|
|
|
|
|
If `/pem` is added to the endpoint, the CRL is returned in PEM format.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------- |
|
|
|
|
|
| `GET` | `/pki/crl(/pem)` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/crl/pem
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
<binary DER-encoded CRL>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Rotate CRLs
|
|
|
|
|
|
2017-10-11 15:29:26 +00:00
|
|
|
|
This endpoint forces a rotation of the CRL. This can be used by administrators
|
|
|
|
|
to cut the size of the CRL if it contains a number of certificates
|
|
|
|
|
that have now expired, but has not been rotated due to no further
|
2017-03-16 18:26:09 +00:00
|
|
|
|
certificates being revoked.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `GET` | `/pki/crl/rotate` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/crl/rotate
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"success": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Intermediate
|
|
|
|
|
|
|
|
|
|
This endpoint generates a new private key and a CSR for signing. If using Vault
|
|
|
|
|
as a root, and for many other CAs, the various parameters on the final
|
|
|
|
|
certificate are set at signing time and may or may not honor the parameters set
|
|
|
|
|
here. _This will overwrite any previously existing CA private key._
|
|
|
|
|
|
|
|
|
|
This is mostly meant as a helper function, and not all possible parameters that
|
|
|
|
|
can be set in a CSR are supported.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------------------------- |
|
|
|
|
|
| `POST` | `/pki/intermediate/generate/:type` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `type` `(string: <required>)` – Specifies the type of the intermediate to
|
|
|
|
|
create. If `exported`, the private key will be returned in the response; if
|
2020-01-18 00:18:09 +00:00
|
|
|
|
`internal` the private key will not be returned and _cannot be retrieved
|
|
|
|
|
later_. This is part of the request URL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
|
|
|
|
certificate.
|
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2019-04-19 05:24:20 +00:00
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. This can be
|
2017-03-16 18:26:09 +00:00
|
|
|
|
`pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
|
|
|
|
|
base64 encoded. If `pem_bundle`, the `csr` field will contain the private key
|
|
|
|
|
(if exported) and CSR, concatenated.
|
|
|
|
|
|
2019-04-19 05:24:20 +00:00
|
|
|
|
- `private_key_format` `(string: "der")` – Specifies the format for marshaling the
|
2017-11-06 17:05:07 +00:00
|
|
|
|
private key. Defaults to `der` which will return either base64-encoded DER or
|
|
|
|
|
PEM-encoded DER, depending on the value of `format`. The other option is
|
|
|
|
|
`pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`
|
|
|
|
|
or `ec`.
|
|
|
|
|
|
|
|
|
|
- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
|
2019-08-14 14:08:41 +00:00
|
|
|
|
changed to a valid value if the `key_type` is `ec`, e.g., 224 or 521.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
|
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the subject
|
|
|
|
|
field of the resulting CSR. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
|
|
|
|
|
field of the resulting CSR. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the subject
|
|
|
|
|
field of the resulting CSR. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
2019-03-23 16:14:24 +00:00
|
|
|
|
- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
|
|
|
|
|
Otherwise Vault will generate a random serial for you. If you want more than
|
|
|
|
|
one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"common_name": "www.example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2019-10-25 16:21:55 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/intermediate/generate/exported
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE REQUEST-----\n",
|
|
|
|
|
"private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEAwsANtGz9gS3o5SwTSlOG1l-----END RSA PRIVATE KEY-----",
|
|
|
|
|
"private_key_type": "rsa"
|
|
|
|
|
},
|
|
|
|
|
"warnings": null,
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Set Signed Intermediate
|
|
|
|
|
|
|
|
|
|
This endpoint allows submitting the signed CA certificate corresponding to a
|
|
|
|
|
private key generated via `/pki/intermediate/generate`. The certificate should
|
2019-04-22 23:10:38 +00:00
|
|
|
|
be submitted in PEM format; see the documentation for
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[/pki/config/ca](/api/secret/pki#submit-ca-information) for some
|
2017-03-16 18:26:09 +00:00
|
|
|
|
hints on submitting.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------------------- |
|
|
|
|
|
| `POST` | `/pki/intermediate/set-signed` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
## Parameters
|
|
|
|
|
|
|
|
|
|
- `certificate` `(string: <required>)` – Specifies the certificate in PEM
|
2018-03-19 23:44:07 +00:00
|
|
|
|
format. May optionally append additional CA certificates to populate the
|
|
|
|
|
whole chain, which will then enable returning the full chain from issue and
|
|
|
|
|
sign operations.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/intermediate/set-signed
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Certificate
|
|
|
|
|
|
|
|
|
|
This endpoint generates a new set of credentials (private key and certificate)
|
|
|
|
|
based on the role named in the endpoint. The issuing CA certificate is returned
|
|
|
|
|
as well, so that only the root CA need be in a client's trust store.
|
|
|
|
|
|
|
|
|
|
**The private key is _not_ stored. If you do not save the private key, you will
|
2017-05-02 11:52:55 +00:00
|
|
|
|
need to request a new certificate.**
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `POST` | `/pki/issue/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to create the
|
|
|
|
|
certificate against. This is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
|
|
|
|
certificate. If the CN is allowed by role policy, it will be issued.
|
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies requested Subject Alternative Names, in
|
|
|
|
|
a comma-delimited list. These can be host names or email addresses; they will
|
|
|
|
|
be parsed into their respective fields. If any requested names do not match
|
|
|
|
|
role policy, the entire request will be denied.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies requested IP Subject Alternative Names,
|
|
|
|
|
in a comma-delimited list. Only valid if the role allows IP SANs (which is the
|
|
|
|
|
default).
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies requested Time To Live. Cannot be greater
|
|
|
|
|
than the role's `max_ttl` value. If not provided, the role's `ttl` value will
|
|
|
|
|
be used. Note that the role values default to system values if not explicitly
|
|
|
|
|
set.
|
|
|
|
|
|
|
|
|
|
- `format` `(string: "")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
|
|
|
|
|
base64 encoded. If `pem_bundle`, the `certificate` field will contain the
|
|
|
|
|
private key and certificate, concatenated; if the issuing CA is not a
|
|
|
|
|
Vault-derived self-signed root, this will be included as well.
|
|
|
|
|
|
2017-11-06 17:05:07 +00:00
|
|
|
|
- `private_key_format` `(string: "")` – Specifies the format for marshaling the
|
|
|
|
|
private key. Defaults to `der` which will return either base64-encoded DER or
|
|
|
|
|
PEM-encoded DER, depending on the value of `format`. The other option is
|
|
|
|
|
`pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
|
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"common_name": "www.example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/issue/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "pki/issue/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAnVHfwoKsUG1GDVyWB1AFroaKl2ImMBO8EnvGLRrmobIkQvh+\n...\nQN351pgTphi6nlCkGPzkDuwvtxSxiCWXQcaxrHAL7MiJpPzkIBq1\n-----END RSA PRIVATE KEY-----\n",
|
|
|
|
|
"private_key_type": "rsa",
|
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2020-01-18 00:18:09 +00:00
|
|
|
|
},
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"warnings": "",
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Revoke Certificate
|
|
|
|
|
|
|
|
|
|
This endpoint revokes a certificate using its serial number. This is an
|
|
|
|
|
alternative option to the standard method of revoking using Vault lease IDs. A
|
|
|
|
|
successful revocation will rotate the CRL.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------ |
|
|
|
|
|
| `POST` | `/pki/revoke` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `serial_number` `(string: <required>)` – Specifies the serial number of the
|
|
|
|
|
certificate to revoke, in hyphen-separated or colon-separated octal.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"serial_number": "39:dd:2e..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/revoke
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"revocation_time": 1433269787
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Create/Update Role
|
|
|
|
|
|
2017-05-01 14:40:18 +00:00
|
|
|
|
This endpoint creates or updates the role definition. Note that the
|
|
|
|
|
`allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and
|
|
|
|
|
`allow_any_name` attributes are additive; between them nearly and across
|
|
|
|
|
multiple roles nearly any issuing policy can be accommodated. `server_flag`,
|
|
|
|
|
`client_flag`, and `code_signing_flag` are additive as well. If a client
|
|
|
|
|
requests a certificate that is not allowed by the CN policy in the role, the
|
|
|
|
|
request is denied.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `POST` | `/pki/roles/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to create. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `ttl` `(string: "")` – Specifies the Time To Live value provided as a string
|
2020-01-18 00:18:09 +00:00
|
|
|
|
duration with time suffix. Hour is the largest suffix. If not set, uses the
|
2017-03-16 18:26:09 +00:00
|
|
|
|
system default value or the value of `max_ttl`, whichever is shorter.
|
|
|
|
|
|
|
|
|
|
- `max_ttl` `(string: "")` – Specifies the maximum Time To Live provided as a
|
|
|
|
|
string duration with time suffix. Hour is the largest suffix. If not set,
|
|
|
|
|
defaults to the system maximum lease TTL.
|
|
|
|
|
|
|
|
|
|
- `allow_localhost` `(bool: true)` – Specifies if clients can request
|
|
|
|
|
certificates for `localhost` as one of the requested common names. This is
|
|
|
|
|
useful for testing and to allow clients on a single host to talk securely.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `allowed_domains` `(list: [])` – Specifies the domains of the role. This is
|
2017-12-11 18:13:35 +00:00
|
|
|
|
used with the `allow_bare_domains` and `allow_subdomains` options.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `allow_bare_domains` `(bool: false)` – Specifies if clients can request
|
|
|
|
|
certificates matching the value of the actual domains themselves; e.g. if a
|
|
|
|
|
configured domain set with `allowed_domains` is `example.com`, this allows
|
|
|
|
|
clients to actually request a certificate containing the name `example.com` as
|
|
|
|
|
one of the DNS values on the final certificate. In some scenarios, this can be
|
|
|
|
|
considered a security risk.
|
|
|
|
|
|
|
|
|
|
- `allow_subdomains` `(bool: false)` – Specifies if clients can request
|
|
|
|
|
certificates with CNs that are subdomains of the CNs allowed by the other role
|
|
|
|
|
options. _This includes wildcard subdomains._ For example, an
|
|
|
|
|
`allowed_domains` value of `example.com` with this option set to true will
|
|
|
|
|
allow `foo.example.com` and `bar.example.com` as well as `*.example.com`. This
|
|
|
|
|
is redundant when using the `allow_any_name` option.
|
|
|
|
|
|
2017-05-01 14:40:18 +00:00
|
|
|
|
- `allow_glob_domains` `(bool: false)` - Allows names specified in
|
|
|
|
|
`allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`). Clients
|
|
|
|
|
will be allowed to request certificates with names matching the glob
|
|
|
|
|
patterns.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `allow_any_name` `(bool: false)` – Specifies if clients can request any CN.
|
|
|
|
|
Useful in some circumstances, but make sure you understand whether it is
|
|
|
|
|
appropriate for your installation before enabling it.
|
|
|
|
|
|
|
|
|
|
- `enforce_hostnames` `(bool: true)` – Specifies if only valid host names are
|
|
|
|
|
allowed for CNs, DNS SANs, and the host part of email addresses.
|
|
|
|
|
|
|
|
|
|
- `allow_ip_sans` `(bool: true)` – Specifies if clients can request IP Subject
|
|
|
|
|
Alternative Names. No authorization checking is performed except to verify
|
|
|
|
|
that the given values are valid IP addresses.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `allowed_uri_sans` `(string: "")` - Defines allowed URI Subject
|
|
|
|
|
Alternative Names. No authorization checking is performed except to verify
|
|
|
|
|
that the given values are valid URIs. This can be a comma-delimited list or
|
2020-01-18 00:18:09 +00:00
|
|
|
|
a JSON string slice. Values can contain glob patterns (e.g.
|
2018-06-15 19:32:25 +00:00
|
|
|
|
`spiffe://hostname/*`).
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `allowed_other_sans` `(string: "")` – Defines allowed custom OID/UTF8-string
|
2020-01-18 00:18:09 +00:00
|
|
|
|
SANs. This can be a comma-delimited list or a JSON string slice, where
|
|
|
|
|
each element has the same format as OpenSSL: `<oid>;<type>:<value>`, but
|
|
|
|
|
the only valid type is `UTF8` or `UTF-8`. The `value` part of an element
|
2019-12-11 15:16:44 +00:00
|
|
|
|
may be a `*` to allow any value with that OID.
|
|
|
|
|
Alternatively, specifying a single `*` will allow any `other_sans` input.
|
2018-02-16 22:19:34 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `server_flag` `(bool: true)` – Specifies if certificates are flagged for
|
|
|
|
|
server use.
|
|
|
|
|
|
|
|
|
|
- `client_flag` `(bool: true)` – Specifies if certificates are flagged for
|
2018-12-10 15:24:47 +00:00
|
|
|
|
client use.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `code_signing_flag` `(bool: false)` – Specifies if certificates are flagged
|
|
|
|
|
for code signing use.
|
|
|
|
|
|
|
|
|
|
- `email_protection_flag` `(bool: false)` – Specifies if certificates are
|
|
|
|
|
flagged for email protection use.
|
|
|
|
|
|
|
|
|
|
- `key_type` `(string: "rsa")` – Specifies the type of key to generate for
|
2018-05-19 16:20:37 +00:00
|
|
|
|
generated private keys and the type of key expected for submitted CSRs.
|
|
|
|
|
Currently, `rsa` and `ec` are supported, or when signing CSRs `any` can be
|
|
|
|
|
specified to allow keys of either type and with any bit size (subject to >
|
|
|
|
|
1024 bits for RSA keys).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `key_bits` `(int: 2048)` – Specifies the number of bits to use for the
|
2019-08-14 14:08:41 +00:00
|
|
|
|
generated keys. This will need to be changed for `ec` keys, e.g., 224 or 521.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2017-12-11 18:13:35 +00:00
|
|
|
|
- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
|
|
|
|
|
drop the `KeyUsage` part of the value. Values are not case-sensitive. To
|
2017-12-11 18:13:35 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2018-06-15 22:20:43 +00:00
|
|
|
|
- `ext_key_usage` `(list: [])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed extended key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
|
|
|
|
|
drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
|
2018-06-15 22:20:43 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list.
|
|
|
|
|
|
2019-03-07 19:07:10 +00:00
|
|
|
|
- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `use_csr_common_name` `(bool: true)` – When used with the CSR signing
|
|
|
|
|
endpoint, the common name in the CSR will be used instead of taken from the
|
|
|
|
|
JSON data. This does `not` include any requested SANs in the CSR; use
|
|
|
|
|
`use_csr_sans` for that.
|
|
|
|
|
|
|
|
|
|
- `use_csr_sans` `(bool: true)` – When used with the CSR signing endpoint, the
|
|
|
|
|
subject alternate names in the CSR will be used instead of taken from the JSON
|
|
|
|
|
data. This does `not` include the common name in the CSR; use
|
|
|
|
|
`use_csr_common_name` for that.
|
|
|
|
|
|
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2019-03-23 16:14:24 +00:00
|
|
|
|
- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
|
|
|
|
|
Otherwise Vault will generate a random serial for you. If you want more than
|
|
|
|
|
one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `generate_lease` `(bool: false)` – Specifies if certificates issued/signed
|
2017-03-16 18:26:09 +00:00
|
|
|
|
against this role will have Vault leases attached to them. Certificates can be
|
|
|
|
|
added to the CRL by `vault revoke <lease_id>` when certificates are associated
|
2020-01-18 00:18:09 +00:00
|
|
|
|
with leases. It can also be done using the `pki/revoke` endpoint. However,
|
2017-03-16 18:26:09 +00:00
|
|
|
|
when lease generation is disabled, invoking `pki/revoke` would be the only way
|
2018-11-27 12:47:34 +00:00
|
|
|
|
to add the certificates to the CRL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2017-04-07 18:25:47 +00:00
|
|
|
|
- `no_store` `(bool: false)` – If set, certificates issued/signed against this
|
2018-02-09 18:42:19 +00:00
|
|
|
|
role will not be stored in the storage backend. This can improve performance
|
|
|
|
|
when issuing large numbers of certificates. However, certificates issued in
|
|
|
|
|
this way cannot be enumerated or revoked, so this option is recommended only
|
2020-01-18 00:18:09 +00:00
|
|
|
|
for certificates that are non-sensitive, or extremely short-lived. This
|
2018-02-09 18:42:19 +00:00
|
|
|
|
option implies a value of `false` for `generate_lease`.
|
|
|
|
|
|
|
|
|
|
- `require_cn` `(bool: true)` - If set to false, makes the `common_name` field
|
|
|
|
|
optional while generating a certificate.
|
2017-04-07 18:25:47 +00:00
|
|
|
|
|
2018-04-09 02:09:29 +00:00
|
|
|
|
- `policy_identifiers` `(list: [])` – A comma-separated string or list of policy
|
2018-10-02 15:10:43 +00:00
|
|
|
|
OIDs.
|
2018-04-09 02:09:29 +00:00
|
|
|
|
|
|
|
|
|
- `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
|
|
|
|
|
valid when issuing non-CA certificates.
|
|
|
|
|
|
2018-10-02 15:10:43 +00:00
|
|
|
|
- `not_before_duration` `(duration: "30s")` – Specifies the duration by which to backdate the NotBefore property.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
2017-12-11 18:13:35 +00:00
|
|
|
|
"allowed_domains": ["example.com"],
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"allow_subdomains": true
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Role
|
|
|
|
|
|
|
|
|
|
This endpoint queries the role definition.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `GET` | `/pki/roles/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to read. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"allow_any_name": false,
|
|
|
|
|
"allow_ip_sans": true,
|
|
|
|
|
"allow_localhost": true,
|
|
|
|
|
"allow_subdomains": false,
|
2017-12-11 18:13:35 +00:00
|
|
|
|
"allowed_domains": ["example.com", "foobar.com"],
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"allowed_uri_sans": ["example.com", "spiffe://*"],
|
|
|
|
|
"allowed_other_sans": [
|
|
|
|
|
"1.3.6.1.4.1.311.20.2.3;utf8:devops@example.com",
|
|
|
|
|
"1.3.6.1.4.1.311.20.2.4;UTF-8:*"
|
|
|
|
|
],
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"client_flag": true,
|
|
|
|
|
"code_signing_flag": false,
|
|
|
|
|
"key_bits": 2048,
|
|
|
|
|
"key_type": "rsa",
|
|
|
|
|
"ttl": "6h",
|
|
|
|
|
"max_ttl": "12h",
|
|
|
|
|
"server_flag": true
|
2017-03-09 02:47:35 +00:00
|
|
|
|
}
|
2017-03-16 18:26:09 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## List Roles
|
|
|
|
|
|
|
|
|
|
This endpoint returns a list of available roles. Only the role names are
|
|
|
|
|
returned, not any values.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------- |
|
|
|
|
|
| `LIST` | `/pki/roles` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request LIST \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"auth": null,
|
|
|
|
|
"data": {
|
|
|
|
|
"keys": ["dev", "prod"]
|
|
|
|
|
},
|
|
|
|
|
"lease_duration": 2764800,
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Delete Role
|
|
|
|
|
|
|
|
|
|
This endpoint deletes the role definition. Deleting a role **does not**
|
|
|
|
|
revoke certificates previously issued under this role.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :----------------- |
|
|
|
|
|
| `DELETE` | `/pki/roles/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to delete. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Root
|
|
|
|
|
|
2017-08-15 18:00:40 +00:00
|
|
|
|
This endpoint generates a new self-signed CA certificate and private key. If
|
|
|
|
|
the path ends with `exported`, the private key will be returned in the
|
2020-01-18 00:18:09 +00:00
|
|
|
|
response; if it is `internal` the private key will not be returned and _cannot
|
|
|
|
|
be retrieved later_. Distribution points use the values set via `config/urls`.
|
2017-08-15 18:00:40 +00:00
|
|
|
|
|
|
|
|
|
As with other issued certificates, Vault will automatically revoke the
|
|
|
|
|
generated root at the end of its lease period; the CA certificate will sign its
|
|
|
|
|
own CRL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2018-12-10 15:24:47 +00:00
|
|
|
|
As of Vault 0.8.1, if a CA cert/key already exists, this function will not
|
|
|
|
|
overwrite it; it must be deleted first. Previous versions of Vault would
|
|
|
|
|
overwrite the existing cert/key with new values.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------------- |
|
|
|
|
|
| `POST` | `/pki/root/generate/:type` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `type` `(string: <required>)` – Specifies the type of the root to
|
|
|
|
|
create. If `exported`, the private key will be returned in the response; if
|
2020-01-18 00:18:09 +00:00
|
|
|
|
`internal` the private key will not be returned and _cannot be retrieved
|
|
|
|
|
later_. This is part of the request URL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
|
|
|
|
certificate.
|
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
|
2017-09-20 20:05:00 +00:00
|
|
|
|
certificate will be expired). This cannot be larger than the engine's max (or,
|
|
|
|
|
if not set, the system max).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the private key (if
|
|
|
|
|
exported) and certificate, concatenated; if the issuing CA is not a
|
|
|
|
|
Vault-derived self-signed root, this will be included as well.
|
|
|
|
|
|
2017-11-06 17:05:07 +00:00
|
|
|
|
- `private_key_format` `(string: "")` – Specifies the format for marshaling the
|
|
|
|
|
private key. Defaults to `der` which will return either base64-encoded DER or
|
|
|
|
|
PEM-encoded DER, depending on the value of `format`. The other option is
|
|
|
|
|
`pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`
|
|
|
|
|
or `ec`.
|
|
|
|
|
|
2019-08-14 14:08:41 +00:00
|
|
|
|
- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
|
|
|
|
|
changed to a valid value if the `key_type` is `ec`, e.g., 224 or 521.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
|
|
|
|
|
the generated certificate. `-1` means no limit. Unless the signing certificate
|
|
|
|
|
has a maximum path length set, in which case the path length is set to one
|
2020-01-18 00:18:09 +00:00
|
|
|
|
less than that of the signing certificate. A limit of `0` means a literal
|
2017-03-16 18:26:09 +00:00
|
|
|
|
path length of zero.
|
|
|
|
|
|
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If set, the given `common_name` will
|
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
2017-08-15 20:10:36 +00:00
|
|
|
|
- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
|
|
|
|
|
array) containing DNS domains for which certificates are allowed to be issued
|
2018-07-11 16:44:49 +00:00
|
|
|
|
or signed by this CA certificate. Note that subdomains are allowed, as per
|
2017-08-15 20:10:36 +00:00
|
|
|
|
[RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
2019-03-23 16:14:24 +00:00
|
|
|
|
- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
|
|
|
|
|
Otherwise Vault will generate a random serial for you. If you want more than
|
|
|
|
|
one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"common_name": "example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root/generate/internal
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-08-15 18:00:40 +00:00
|
|
|
|
## Delete Root
|
|
|
|
|
|
|
|
|
|
This endpoint deletes the current CA key (the old CA certificate will still be
|
|
|
|
|
accessible for reading until a new certificate/key are generated or uploaded).
|
|
|
|
|
_This endpoint requires sudo/root privileges._
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :---------- |
|
|
|
|
|
| `DELETE` | `/pki/root` |
|
2017-08-15 18:00:40 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root
|
2017-08-15 18:00:40 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
## Sign Intermediate
|
|
|
|
|
|
|
|
|
|
This endpoint uses the configured CA certificate to issue a certificate with
|
|
|
|
|
appropriate values for acting as an intermediate CA. Distribution points use the
|
|
|
|
|
values set via `config/urls`. Values set in the CSR are ignored unless
|
|
|
|
|
`use_csr_values` is set to true, in which case the values from the CSR are used
|
|
|
|
|
verbatim.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------------------- |
|
|
|
|
|
| `POST` | `/pki/root/sign-intermediate` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
|
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
|
|
|
|
certificate.
|
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
|
2017-09-20 20:05:00 +00:00
|
|
|
|
certificate will be expired). This cannot be larger than the engine's max (or,
|
|
|
|
|
if not set, the system max). However, this can be after the expiration of the
|
2017-09-13 15:42:45 +00:00
|
|
|
|
signing CA.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the certificate and, if the
|
|
|
|
|
issuing CA is not a Vault-derived self-signed root, it will be concatenated
|
|
|
|
|
with the certificate.
|
|
|
|
|
|
|
|
|
|
- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
|
|
|
|
|
the generated certificate. `-1`, means no limit, unless the signing
|
|
|
|
|
certificate has a maximum path length set, in which case the path length is
|
2020-01-18 00:18:09 +00:00
|
|
|
|
set to one less than that of the signing certificate. A limit of `0` means a
|
2017-03-16 18:26:09 +00:00
|
|
|
|
literal path length of zero.
|
|
|
|
|
|
|
|
|
|
- `exclude_cn_from_sans` `(string: "")` – Specifies the given `common_name` will
|
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
|
|
|
|
- `use_csr_values` `(bool: false)` – If set to `true`, then: 1) Subject
|
|
|
|
|
information, including names and alternate names, will be preserved from the
|
|
|
|
|
CSR rather than using the values provided in the other parameters to this
|
|
|
|
|
path; 2) Any key usages (for instance, non-repudiation) requested in the CSR
|
|
|
|
|
will be added to the basic set of key usages used for CA certs signed by this
|
|
|
|
|
path; 3) Extensions requested in the CSR will be copied into the issued
|
|
|
|
|
certificate.
|
|
|
|
|
|
2017-08-15 20:10:36 +00:00
|
|
|
|
- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
|
|
|
|
|
array) containing DNS domains for which certificates are allowed to be issued
|
|
|
|
|
or signed by this CA certificate. Supports subdomains via a `.` in front of
|
|
|
|
|
the domain, as per
|
|
|
|
|
[RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
2019-03-23 16:14:24 +00:00
|
|
|
|
- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
|
|
|
|
|
Otherwise Vault will generate a random serial for you. If you want more than
|
|
|
|
|
one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
2018-02-16 22:19:34 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"csr": "...",
|
|
|
|
|
"common_name": "example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root/sign-intermediate
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
2020-01-18 00:18:09 +00:00
|
|
|
|
|
2017-09-01 03:07:15 +00:00
|
|
|
|
## Sign Self-Issued
|
|
|
|
|
|
|
|
|
|
This endpoint uses the configured CA certificate to sign a self-issued
|
|
|
|
|
certificate (which will usually be a self-signed certificate as well).
|
|
|
|
|
|
|
|
|
|
**_This is an extremely privileged endpoint_**. The given certificate will be
|
|
|
|
|
signed as-is with only minimal validation performed (is it a CA cert, and is it
|
|
|
|
|
actually self-issued). The only values that will be changed will be the
|
2017-09-13 15:42:45 +00:00
|
|
|
|
authority key ID, the issuer DN, and, if set, any distribution points.
|
2017-09-01 03:07:15 +00:00
|
|
|
|
|
2017-09-13 15:42:45 +00:00
|
|
|
|
This is generally only needed for root certificate rolling in cases where you
|
|
|
|
|
don't want/can't get access to a CSR (such as if it's a root stored in Vault
|
|
|
|
|
where the key is not exposed). If you don't know whether you need this
|
|
|
|
|
endpoint, you most likely should be using a different endpoint (such as
|
|
|
|
|
`sign-intermediate`).
|
2017-09-01 03:07:15 +00:00
|
|
|
|
|
|
|
|
|
This endpoint requires `sudo` capability.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------------------- |
|
|
|
|
|
| `POST` | `/pki/root/sign-self-issued` |
|
2017-09-01 03:07:15 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `certificate` `(string: <required>)` – Specifies the PEM-encoded self-issued certificate.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"certificate": "..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root/sign-self-issued
|
2017-09-01 03:07:15 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
2017-09-01 03:07:15 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
## Sign Certificate
|
|
|
|
|
|
|
|
|
|
This endpoint signs a new certificate based upon the provided CSR and the
|
|
|
|
|
supplied parameters, subject to the restrictions contained in the role named in
|
|
|
|
|
the endpoint. The issuing CA certificate is returned as well, so that only the
|
|
|
|
|
root CA need be in a client's trust store.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `POST` | `/pki/sign/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
|
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
|
|
|
|
certificate. If the CN is allowed by role policy, it will be issued.
|
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields. If any requested names do
|
|
|
|
|
not match role policy, the entire request will be denied.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. Only valid if the role allows IP SANs (which
|
|
|
|
|
is the default).
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Names, in a comma-delimited list. If any requested URIs do not match role policy,
|
2018-06-15 19:32:25 +00:00
|
|
|
|
the entire request will be denied.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
|
|
|
|
|
than the role's `max_ttl` value. If not provided, the role's `ttl` value will
|
|
|
|
|
be used. Note that the role values default to system values if not explicitly
|
|
|
|
|
set.
|
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the certificate and, if the
|
|
|
|
|
issuing CA is not a Vault-derived self-signed root, it will be concatenated
|
|
|
|
|
with the certificate.
|
|
|
|
|
|
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If set, the given `common_name` will
|
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"csr": "...",
|
|
|
|
|
"common_name": "example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "pki/sign/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Sign Verbatim
|
|
|
|
|
|
|
|
|
|
This endpoint signs a new certificate based upon the provided CSR. Values are
|
|
|
|
|
taken verbatim from the CSR; the _only_ restriction is that this endpoint will
|
|
|
|
|
refuse to issue an intermediate CA certificate (see the
|
|
|
|
|
`/pki/root/sign-intermediate` endpoint for that functionality.)
|
|
|
|
|
|
|
|
|
|
**This is a potentially dangerous endpoint and only highly trusted users should
|
|
|
|
|
have access.**
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------------------- |
|
|
|
|
|
| `POST` | `/pki/sign-verbatim(/:name)` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2017-04-18 19:54:31 +00:00
|
|
|
|
- `name` `(string: "")` - Specifies a role. If set, the following parameters
|
|
|
|
|
from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, and
|
|
|
|
|
`no_store`.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
|
|
|
|
|
|
2018-06-15 22:20:43 +00:00
|
|
|
|
- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
|
|
|
|
|
drop the `KeyUsage` part of the value. Values are not case-sensitive. To
|
2018-06-15 22:20:43 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list.
|
|
|
|
|
|
|
|
|
|
- `ext_key_usage` `(list: [])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed extended key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
|
|
|
|
|
drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
|
2018-06-15 22:20:43 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.
|
2019-03-07 19:07:10 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
|
2017-09-20 20:05:00 +00:00
|
|
|
|
than the engine's `max_ttl` value. If not provided, the engine's `ttl` value
|
2017-03-16 18:26:09 +00:00
|
|
|
|
will be used, which defaults to system values if not explicitly set.
|
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the certificate and, if the
|
|
|
|
|
issuing CA is not a Vault-derived self-signed root, it will be concatenated
|
|
|
|
|
with the certificate.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"csr": "..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/sign-verbatim
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "pki/sign-verbatim/7ad6cfa5-f04f-c62a-d477-f33210475d05",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Tidy
|
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
This endpoint allows tidying up the storage backend and/or CRL by removing
|
2017-03-16 18:26:09 +00:00
|
|
|
|
certificates that have expired and are past a certain buffer period beyond their
|
|
|
|
|
expiration time.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------- |
|
|
|
|
|
| `POST` | `/pki/tidy` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `tidy_cert_store` `(bool: false)` Specifies whether to tidy up the certificate
|
|
|
|
|
store.
|
|
|
|
|
|
2018-10-31 01:33:30 +00:00
|
|
|
|
- `tidy_revoked_certs` `(bool: false)` Set to true to expire all revoked and
|
|
|
|
|
expired certificates, removing them both from the CRL and from storage. The
|
|
|
|
|
CRL will be rotated if this causes any values to be removed.
|
2018-07-13 13:32:32 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `safety_buffer` `(string: "")` Specifies A duration (given as an integer
|
2017-03-16 18:26:09 +00:00
|
|
|
|
number of seconds or a string; defaults to `72h`) used as a safety buffer to
|
|
|
|
|
ensure certificates are not expunged prematurely; as an example, this can keep
|
|
|
|
|
certificates from being removed from the CRL that, due to clock skew, might
|
|
|
|
|
still be considered valid on other hosts. For a certificate to be expunged,
|
|
|
|
|
the time must be after the expiration time of the certificate (according to
|
|
|
|
|
the local clock) plus the duration of `safety_buffer`.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"safety_buffer": "24h"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/tidy
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|