2017-03-09 02:47:35 +00:00
|
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
|
layout: api
|
|
|
|
|
page_title: PKI - Secrets Engines - HTTP API
|
|
|
|
|
description: This is the API documentation for the Vault PKI secrets engine.
|
2017-03-09 02:47:35 +00:00
|
|
|
|
---
|
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
# PKI Secrets Engine (API)
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
This is the API documentation for the Vault PKI secrets engine. For general
|
|
|
|
|
information about the usage and operation of the PKI secrets engine, please see
|
2020-01-22 20:05:41 +00:00
|
|
|
|
the [PKI documentation](/docs/secrets/pki).
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
This documentation assumes the PKI secrets engine is enabled at the `/pki` path
|
|
|
|
|
in Vault. Since it is possible to enable secrets engines at any location, please
|
2017-03-09 02:47:35 +00:00
|
|
|
|
update your API calls accordingly.
|
|
|
|
|
|
2017-05-23 13:19:47 +00:00
|
|
|
|
## Table of Contents
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- [Read CA Certificate](#read-ca-certificate)
|
|
|
|
|
- [Read CA Certificate Chain](#read-ca-certificate-chain)
|
|
|
|
|
- [Read Certificate](#read-certificate)
|
2022-02-07 14:47:13 +00:00
|
|
|
|
- [Read Raw Certificate](#read-raw-certificate)
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- [List Certificates](#list-certificates)
|
|
|
|
|
- [Submit CA Information](#submit-ca-information)
|
|
|
|
|
- [Read CRL Configuration](#read-crl-configuration)
|
|
|
|
|
- [Set CRL Configuration](#set-crl-configuration)
|
|
|
|
|
- [Read URLs](#read-urls)
|
|
|
|
|
- [Set URLs](#set-urls)
|
|
|
|
|
- [Read CRL](#read-crl)
|
|
|
|
|
- [Rotate CRLs](#rotate-crls)
|
|
|
|
|
- [Generate Intermediate](#generate-intermediate)
|
|
|
|
|
- [Set Signed Intermediate](#set-signed-intermediate)
|
|
|
|
|
- [Generate Certificate](#generate-certificate)
|
|
|
|
|
- [Revoke Certificate](#revoke-certificate)
|
2020-03-31 19:21:16 +00:00
|
|
|
|
- [Create/Update Role](#create-update-role)
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- [Read Role](#read-role)
|
|
|
|
|
- [List Roles](#list-roles)
|
|
|
|
|
- [Delete Role](#delete-role)
|
|
|
|
|
- [Generate Root](#generate-root)
|
|
|
|
|
- [Delete Root](#delete-root)
|
|
|
|
|
- [Sign Intermediate](#sign-intermediate)
|
|
|
|
|
- [Sign Self-Issued](#sign-self-issued)
|
|
|
|
|
- [Sign Certificate](#sign-certificate)
|
|
|
|
|
- [Sign Verbatim](#sign-verbatim)
|
|
|
|
|
- [Tidy](#tidy)
|
2022-02-15 16:04:21 +00:00
|
|
|
|
- [Tidy Status](#tidy-status)
|
2022-02-08 19:01:19 +00:00
|
|
|
|
- [Managed Key](#managed-keys) (Enterprise Only)
|
2017-05-23 13:19:47 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
## Read CA Certificate
|
2017-03-09 02:47:35 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
This endpoint retrieves the CA certificate _in raw DER-encoded form_. This is a
|
2017-08-15 18:00:40 +00:00
|
|
|
|
bare endpoint that does not return a standard Vault data structure and cannot
|
2017-12-11 16:10:28 +00:00
|
|
|
|
be read by the Vault CLI; use `/pki/cert` for that. If `/pem` is added to the
|
|
|
|
|
endpoint, the CA certificate is returned in PEM format.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :-------------- |
|
|
|
|
|
| `GET` | `/pki/ca(/pem)` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/ca/pem
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```text
|
2017-03-16 18:26:09 +00:00
|
|
|
|
<binary DER-encoded certificate>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read CA Certificate Chain
|
|
|
|
|
|
|
|
|
|
This endpoint retrieves the CA certificate chain, including the CA _in PEM
|
|
|
|
|
format_. This is a bare endpoint that does not return a standard Vault data
|
2017-12-11 16:10:28 +00:00
|
|
|
|
structure and cannot be read by the Vault CLI; use `/pki/cert` for that.
|
2022-02-07 19:37:01 +00:00
|
|
|
|
Additionally, note that this doesn't include the root authority and so may
|
|
|
|
|
return empty data depending on configuration; use `/pki/cert/ca_chain`'s
|
|
|
|
|
`ca_chain` JSON data field for the entire chain including issuing authority.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :-------------- |
|
|
|
|
|
| `GET` | `/pki/ca_chain` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/ca_chain
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```text
|
2017-03-16 18:26:09 +00:00
|
|
|
|
<PEM-encoded certificate chain>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Certificate
|
|
|
|
|
|
2017-04-02 21:02:11 +00:00
|
|
|
|
This endpoint retrieves one of a selection of certificates. This endpoint returns the certificate in PEM formatting in the
|
2017-12-11 16:10:28 +00:00
|
|
|
|
`certificate` key of the JSON object, which is a standard Vault response that is readable by the Vault CLI.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------ |
|
|
|
|
|
| `GET` | `/pki/cert/:serial` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `serial` `(string: <required>)` – Specifies the serial of the key to read.
|
2017-12-11 16:10:28 +00:00
|
|
|
|
This is part of the request URL. Valid values for `serial` are:
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `<serial>` for the certificate with the given serial number
|
|
|
|
|
- `ca` for the CA certificate
|
|
|
|
|
- `crl` for the current CRL
|
2022-02-07 19:37:01 +00:00
|
|
|
|
- `ca_chain` for the CA trust chain; intermediate certificates in the `certificate`
|
|
|
|
|
field, full chain in the `ca_chain` field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/cert/crl
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
2020-01-18 00:18:09 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIGmDCCBYCgAwIBAgIHBzEB3fTzhTANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE\n..."
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2022-02-07 14:47:13 +00:00
|
|
|
|
## Read Raw Certificate
|
|
|
|
|
|
|
|
|
|
This endpoint retrieves one of a selection of certificates _in raw DER-encoded
|
|
|
|
|
form_. This is a bare endpoint that does not return a standard Vault data
|
|
|
|
|
structure and cannot be read by the Vault CLI; use `/pki/cert/:serial` for that. If
|
|
|
|
|
`/pem` is added to the endpoint, the selected certificate is returned in PEM format.
|
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------------------- |
|
|
|
|
|
| `GET` | `/pki/cert/:serial/raw(/pem)` |
|
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `serial` `(string: <required>)` – Specifies the serial number of the
|
|
|
|
|
certificate to select, in hyphen-separated or colon-separated octal.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ curl \
|
|
|
|
|
http://127.0.0.1:8200/v1/pki/cert/39:dd:2e.../raw
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```text
|
|
|
|
|
<binary DER-encoded certificate>
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
## List Certificates
|
|
|
|
|
|
|
|
|
|
This endpoint returns a list of the current certificates by serial number only.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------- |
|
|
|
|
|
| `LIST` | `/pki/certs` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request LIST \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/certs
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"keys": [
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"17:67:16:b0:b9:45:58:c0:3a:29:e3:cb:d6:98:33:7a:a6:3b:66:c1",
|
|
|
|
|
"26:0f:76:93:73:cb:3f:a0:7a:ff:97:85:42:48:3a:aa:e5:96:03:21"
|
|
|
|
|
]
|
|
|
|
|
},
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"wrap_info": null,
|
|
|
|
|
"warnings": null,
|
|
|
|
|
"auth": null
|
2017-03-16 18:26:09 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Submit CA Information
|
|
|
|
|
|
|
|
|
|
This endpoint allows submitting the CA information for the backend via a PEM
|
2018-01-03 15:59:18 +00:00
|
|
|
|
file containing the CA certificate and its private key, concatenated.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
May optionally append additional CA certificates. Useful when creating an
|
2018-01-03 15:59:18 +00:00
|
|
|
|
intermediate CA to ensure a full chain is returned when signing or generating
|
|
|
|
|
certificates.
|
|
|
|
|
|
|
|
|
|
Not needed if you are generating a self-signed root certificate, and not used
|
|
|
|
|
if you have a signed intermediate CA certificate with a generated key (use the
|
2017-03-16 18:26:09 +00:00
|
|
|
|
`/pki/intermediate/set-signed` endpoint for that). _If you have already set a
|
|
|
|
|
certificate and key, they will be overridden._
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------- |
|
|
|
|
|
| `POST` | `/pki/config/ca` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `pem_bundle` `(string: <required>)` – Specifies the unencrypted private key
|
|
|
|
|
and certificate, concatenated in PEM format.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data "@payload.json" \
|
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/ca
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Note that if you provide the data through the HTTP API it must be
|
|
|
|
|
JSON-formatted, with newlines replaced with `\n`, like so:
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END CERTIFICATE-----"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read CRL Configuration
|
|
|
|
|
|
|
|
|
|
This endpoint allows getting the duration for which the generated CRL should be
|
|
|
|
|
marked valid.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `GET` | `/pki/config/crl` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/crl
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"disable": false,
|
|
|
|
|
"expiry": "72h"
|
|
|
|
|
},
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Set CRL Configuration
|
|
|
|
|
|
|
|
|
|
This endpoint allows setting the duration for which the generated CRL should be
|
2018-08-21 15:20:57 +00:00
|
|
|
|
marked valid. If the CRL is disabled, it will return a signed but zero-length
|
|
|
|
|
CRL for any request. If enabled, it will re-build the CRL.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
~> Note: Disabling the CRL does not affect whether revoked certificates are
|
|
|
|
|
stored internally. Certificates that have been revoked when a role's
|
|
|
|
|
certificate storage is enabled will continue to be marked and stored as
|
|
|
|
|
revoked until `tidy` has been run with the desired safety buffer. Re-enabling
|
|
|
|
|
CRL generation will then result in all such certificates becoming a part of
|
|
|
|
|
the CRL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `POST` | `/pki/config/crl` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `expiry` `(string: "72h")` – The amount of time the generated CRL should be valid.
|
2018-08-21 15:20:57 +00:00
|
|
|
|
- `disable` `(bool: false)` – Disables or enables CRL building.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"expiry": "48h"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/crl
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read URLs
|
|
|
|
|
|
|
|
|
|
This endpoint fetches the URLs to be encoded in generated certificates.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `GET` | `/pki/config/urls` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/urls
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"issuing_certificates": ["<url1>", "<url2>"],
|
|
|
|
|
"crl_distribution_points": ["<url1>", "<url2>"],
|
2017-11-06 17:05:07 +00:00
|
|
|
|
"ocsp_servers": ["<url1>", "<url2>"]
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Set URLs
|
|
|
|
|
|
|
|
|
|
This endpoint allows setting the issuing certificate endpoints, CRL distribution
|
|
|
|
|
points, and OCSP server endpoints that will be encoded into issued certificates.
|
|
|
|
|
You can update any of the values at any time without affecting the other
|
|
|
|
|
existing values. To remove the values, simply use a blank string as the
|
|
|
|
|
parameter.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `POST` | `/pki/config/urls` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `issuing_certificates` `(array<string>: nil)` – Specifies the URL values for
|
2017-10-03 20:13:57 +00:00
|
|
|
|
the Issuing Certificate field. This can be an array or a comma-separated
|
2022-02-25 19:06:41 +00:00
|
|
|
|
string list. See also [RFC 5280 Section 4.2.2.1](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)
|
|
|
|
|
for information about about the Authority Information Access field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `crl_distribution_points` `(array<string>: nil)` – Specifies the URL values
|
2017-10-03 20:13:57 +00:00
|
|
|
|
for the CRL Distribution Points field. This can be an array or a
|
2022-02-25 19:06:41 +00:00
|
|
|
|
comma-separated string list. See also [RFC 5280 Section 4.2.1.13](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.13)
|
|
|
|
|
for information about the CRL Distribution Points field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `ocsp_servers` `(array<string>: nil)` – Specifies the URL values for the OCSP
|
2022-02-25 19:06:41 +00:00
|
|
|
|
Servers field. This can be an array or a comma-separated string list. See also
|
|
|
|
|
[RFC 5280 Section 4.2.2.1](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1)
|
|
|
|
|
for information about about the Authority Information Access field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"ocsp_servers": ["https://..."]
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/config/urls
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read CRL
|
|
|
|
|
|
|
|
|
|
This endpoint retrieves the current CRL **in raw DER-encoded form**. This
|
|
|
|
|
endpoint is suitable for usage in the CRL Distribution Points extension in a CA
|
|
|
|
|
certificate. This is a bare endpoint that does not return a standard Vault data
|
2017-12-11 16:10:28 +00:00
|
|
|
|
structure and cannot be parsed by the Vault CLI; use `/pki/cert/crl` in that case.
|
|
|
|
|
If `/pem` is added to the endpoint, the CRL is returned in PEM format.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
This is an unauthenticated endpoint.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------- |
|
|
|
|
|
| `GET` | `/pki/crl(/pem)` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/crl/pem
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
<binary DER-encoded CRL>
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Rotate CRLs
|
|
|
|
|
|
2017-10-11 15:29:26 +00:00
|
|
|
|
This endpoint forces a rotation of the CRL. This can be used by administrators
|
|
|
|
|
to cut the size of the CRL if it contains a number of certificates
|
|
|
|
|
that have now expired, but has not been rotated due to no further
|
2017-03-16 18:26:09 +00:00
|
|
|
|
certificates being revoked.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `GET` | `/pki/crl/rotate` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/crl/rotate
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"success": true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Intermediate
|
|
|
|
|
|
|
|
|
|
This endpoint generates a new private key and a CSR for signing. If using Vault
|
|
|
|
|
as a root, and for many other CAs, the various parameters on the final
|
|
|
|
|
certificate are set at signing time and may or may not honor the parameters set
|
|
|
|
|
here. _This will overwrite any previously existing CA private key._
|
|
|
|
|
|
2022-02-08 19:01:19 +00:00
|
|
|
|
Note that this API supports [Managed Keys](/docs/enterprise/managed-keys),
|
|
|
|
|
additional details are available [below](#managed-keys) in a dedicated section.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
This is mostly meant as a helper function, and not all possible parameters that
|
|
|
|
|
can be set in a CSR are supported.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------------------------- |
|
|
|
|
|
| `POST` | `/pki/intermediate/generate/:type` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `type` `(string: <required>)` – Specifies the type of the intermediate to
|
|
|
|
|
create. If `exported`, the private key will be returned in the response; if
|
2020-01-18 00:18:09 +00:00
|
|
|
|
`internal` the private key will not be returned and _cannot be retrieved
|
2022-02-08 19:01:19 +00:00
|
|
|
|
later_. `kms` is also supported [see below](#managed-keys). This is part of the request URL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
certificate. If more than one `common_name` is desired, specify the
|
|
|
|
|
alternative names in the `alt_names` list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2019-04-19 05:24:20 +00:00
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. This can be
|
2017-03-16 18:26:09 +00:00
|
|
|
|
`pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
|
|
|
|
|
base64 encoded. If `pem_bundle`, the `csr` field will contain the private key
|
|
|
|
|
(if exported) and CSR, concatenated.
|
|
|
|
|
|
2019-04-19 05:24:20 +00:00
|
|
|
|
- `private_key_format` `(string: "der")` – Specifies the format for marshaling the
|
2017-11-06 17:05:07 +00:00
|
|
|
|
private key. Defaults to `der` which will return either base64-encoded DER or
|
|
|
|
|
PEM-encoded DER, depending on the value of `format`. The other option is
|
|
|
|
|
`pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
|
|
|
|
|
|
2021-10-05 15:28:49 +00:00
|
|
|
|
- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`, `ed25519`
|
2017-03-16 18:26:09 +00:00
|
|
|
|
or `ec`.
|
|
|
|
|
|
|
|
|
|
- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
|
2020-06-08 15:26:56 +00:00
|
|
|
|
changed to a valid value if the `key_type` is `ec`, e.g., 224, 256, 384 or 521.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
|
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the subject
|
|
|
|
|
field of the resulting CSR. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
|
|
|
|
|
field of the resulting CSR. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the subject
|
|
|
|
|
field of the resulting CSR. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of the resulting CSR. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
2019-03-23 16:14:24 +00:00
|
|
|
|
- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
|
|
|
|
|
Otherwise Vault will generate a random serial for you. If you want more than
|
|
|
|
|
one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
|
|
|
|
|
2022-02-08 19:01:19 +00:00
|
|
|
|
### Managed Keys Parameters
|
|
|
|
|
See [Managed Keys](#managed-keys) for additional details on this feature, if
|
|
|
|
|
`type` was set to `kms`. One of the following parameters must be set
|
|
|
|
|
|
|
|
|
|
- `managed_key_name` `(string: "")` – The managed key's configured name.
|
|
|
|
|
|
|
|
|
|
- `managed_key_id` `(string: "")` – The managed key's UUID.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"common_name": "www.example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2019-10-25 16:21:55 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/intermediate/generate/exported
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE REQUEST-----\n",
|
|
|
|
|
"private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEAwsANtGz9gS3o5SwTSlOG1l-----END RSA PRIVATE KEY-----",
|
|
|
|
|
"private_key_type": "rsa"
|
|
|
|
|
},
|
|
|
|
|
"warnings": null,
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Set Signed Intermediate
|
|
|
|
|
|
|
|
|
|
This endpoint allows submitting the signed CA certificate corresponding to a
|
|
|
|
|
private key generated via `/pki/intermediate/generate`. The certificate should
|
2019-04-22 23:10:38 +00:00
|
|
|
|
be submitted in PEM format; see the documentation for
|
2020-01-22 20:05:41 +00:00
|
|
|
|
[/pki/config/ca](/api/secret/pki#submit-ca-information) for some
|
2017-03-16 18:26:09 +00:00
|
|
|
|
hints on submitting.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------------------- |
|
|
|
|
|
| `POST` | `/pki/intermediate/set-signed` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
## Parameters
|
|
|
|
|
|
|
|
|
|
- `certificate` `(string: <required>)` – Specifies the certificate in PEM
|
2018-03-19 23:44:07 +00:00
|
|
|
|
format. May optionally append additional CA certificates to populate the
|
|
|
|
|
whole chain, which will then enable returning the full chain from issue and
|
|
|
|
|
sign operations.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/intermediate/set-signed
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Certificate
|
|
|
|
|
|
|
|
|
|
This endpoint generates a new set of credentials (private key and certificate)
|
|
|
|
|
based on the role named in the endpoint. The issuing CA certificate is returned
|
|
|
|
|
as well, so that only the root CA need be in a client's trust store.
|
|
|
|
|
|
|
|
|
|
**The private key is _not_ stored. If you do not save the private key, you will
|
2017-05-02 11:52:55 +00:00
|
|
|
|
need to request a new certificate.**
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `POST` | `/pki/issue/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to create the
|
|
|
|
|
certificate against. This is part of the request URL.
|
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
certificate. If the CN is allowed by role policy, it will be issued. If more
|
|
|
|
|
than one `common_name` is desired, specify the alternative names in the
|
|
|
|
|
`alt_names` list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies requested Subject Alternative Names, in
|
|
|
|
|
a comma-delimited list. These can be host names or email addresses; they will
|
|
|
|
|
be parsed into their respective fields. If any requested names do not match
|
|
|
|
|
role policy, the entire request will be denied.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies requested IP Subject Alternative Names,
|
|
|
|
|
in a comma-delimited list. Only valid if the role allows IP SANs (which is the
|
|
|
|
|
default).
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
2022-02-25 19:06:41 +00:00
|
|
|
|
Names, in a comma-delimited list. If any requested URIs do not match role policy,
|
|
|
|
|
the entire request will be denied.
|
2018-06-15 19:32:25 +00:00
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies requested Time To Live. Cannot be greater
|
|
|
|
|
than the role's `max_ttl` value. If not provided, the role's `ttl` value will
|
|
|
|
|
be used. Note that the role values default to system values if not explicitly
|
2022-02-25 19:06:41 +00:00
|
|
|
|
set. See `not_after` as an alternative for setting an absolute end date
|
|
|
|
|
(rather than a relative one).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
2017-03-16 18:26:09 +00:00
|
|
|
|
`pem`, `der`, or `pem_bundle`; defaults to `pem`. If `der`, the output is
|
|
|
|
|
base64 encoded. If `pem_bundle`, the `certificate` field will contain the
|
|
|
|
|
private key and certificate, concatenated; if the issuing CA is not a
|
|
|
|
|
Vault-derived self-signed root, this will be included as well.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `private_key_format` `(string: "der")` – Specifies the format for marshaling the
|
2017-11-06 17:05:07 +00:00
|
|
|
|
private key. Defaults to `der` which will return either base64-encoded DER or
|
|
|
|
|
PEM-encoded DER, depending on the value of `format`. The other option is
|
|
|
|
|
`pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
|
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `not_after` `(string)` – Set the Not After field of the certificate with
|
|
|
|
|
specified date value. The value format should be given in UTC format
|
|
|
|
|
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
|
|
|
|
|
standard devices, `9999-12-31T23:59:59Z`.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"common_name": "www.example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/issue/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "pki/issue/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAnVHfwoKsUG1GDVyWB1AFroaKl2ImMBO8EnvGLRrmobIkQvh+\n...\nQN351pgTphi6nlCkGPzkDuwvtxSxiCWXQcaxrHAL7MiJpPzkIBq1\n-----END RSA PRIVATE KEY-----\n",
|
|
|
|
|
"private_key_type": "rsa",
|
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2020-01-18 00:18:09 +00:00
|
|
|
|
},
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"warnings": "",
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Revoke Certificate
|
|
|
|
|
|
|
|
|
|
This endpoint revokes a certificate using its serial number. This is an
|
|
|
|
|
alternative option to the standard method of revoking using Vault lease IDs. A
|
|
|
|
|
successful revocation will rotate the CRL.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------ |
|
|
|
|
|
| `POST` | `/pki/revoke` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `serial_number` `(string: <required>)` – Specifies the serial number of the
|
|
|
|
|
certificate to revoke, in hyphen-separated or colon-separated octal.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"serial_number": "39:dd:2e..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/revoke
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"revocation_time": 1433269787
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Create/Update Role
|
|
|
|
|
|
2017-05-01 14:40:18 +00:00
|
|
|
|
This endpoint creates or updates the role definition. Note that the
|
|
|
|
|
`allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and
|
|
|
|
|
`allow_any_name` attributes are additive; between them nearly and across
|
|
|
|
|
multiple roles nearly any issuing policy can be accommodated. `server_flag`,
|
|
|
|
|
`client_flag`, and `code_signing_flag` are additive as well. If a client
|
|
|
|
|
requests a certificate that is not allowed by the CN policy in the role, the
|
|
|
|
|
request is denied.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `POST` | `/pki/roles/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to create. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the Time To Live value to be used for the
|
|
|
|
|
validity period of the requested certificate, provided as a string duration
|
|
|
|
|
with time suffix. Hour is the largest suffix. If not set, uses the system
|
|
|
|
|
default value or the value of `max_ttl`, whichever is shorter. See
|
|
|
|
|
`not_after` as an alternative for setting an absolute end date (rather
|
|
|
|
|
than a relative one).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `max_ttl` `(string: "")` – Specifies the maximum Time To Live provided as a
|
|
|
|
|
string duration with time suffix. Hour is the largest suffix. If not set,
|
|
|
|
|
defaults to the system maximum lease TTL.
|
|
|
|
|
|
|
|
|
|
- `allow_localhost` `(bool: true)` – Specifies if clients can request
|
|
|
|
|
certificates for `localhost` as one of the requested common names. This is
|
|
|
|
|
useful for testing and to allow clients on a single host to talk securely.
|
|
|
|
|
|
2022-02-24 13:42:11 +00:00
|
|
|
|
~> **Note**: This strictly applies to `localhost` and `localdomain` when this
|
|
|
|
|
option is enabled. Additionally, even if this option is disabled, if either
|
|
|
|
|
name is included in `allowed_domains`, the match rules for that option
|
|
|
|
|
could permit issuance of a certificate for `localhost`.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `allowed_domains` `(list: [])` – Specifies the domains this role is allowed
|
|
|
|
|
to issue certificates for. This is used with the `allow_bare_domains`,
|
|
|
|
|
`allow_subdomains`, and `allow_glob_domains` options to determine the type
|
|
|
|
|
of matching between these domains and the values of common name, DNS-typed
|
|
|
|
|
SAN entries, and Email-typed SAN entries. When `allow_any_name` is used,
|
|
|
|
|
this attribute has no effect.
|
2022-02-24 13:42:11 +00:00
|
|
|
|
|
|
|
|
|
~> **Note**: The three options `allow_bare_domains`, `allow_subdomains`, and
|
|
|
|
|
`allow_glob_domains` are each independent of each other. That is, at least
|
|
|
|
|
one type of allowed matching must describe the relationship between the
|
|
|
|
|
`allowed_domains` list and the names on the issued certificate. For example,
|
|
|
|
|
given `allowed_domain=foo.*.example.com` and `allow_subdomains=true` and
|
|
|
|
|
`allow_glob_domains=true`, a request for `bar.foo.baz.example.com` won't
|
|
|
|
|
be permitted, even though it `foo.baz.example.com` matches the glob
|
|
|
|
|
`foo.*.example.com` and `bar` is a subdomain of that.
|
|
|
|
|
|
|
|
|
|
- `allowed_domains_template` `(bool: false)` – When set, `allowed_domains`
|
2020-08-20 13:54:52 +00:00
|
|
|
|
may contain templates, as with [ACL Path Templating](/docs/concepts/policies).
|
2022-02-25 19:06:41 +00:00
|
|
|
|
Non-templated domains are also still permitted.
|
2020-08-20 13:54:52 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `allow_bare_domains` `(bool: false)` – Specifies if clients can request
|
|
|
|
|
certificates matching the value of the actual domains themselves; e.g. if a
|
|
|
|
|
configured domain set with `allowed_domains` is `example.com`, this allows
|
|
|
|
|
clients to actually request a certificate containing the name `example.com` as
|
|
|
|
|
one of the DNS values on the final certificate. In some scenarios, this can be
|
2022-02-24 13:42:11 +00:00
|
|
|
|
considered a security risk. Note that when an `allowed_domain` field contains
|
|
|
|
|
a potential wildcard character (for example, `allowed_domains=*.example.com`)
|
|
|
|
|
and `allow_bare_domains` and `allow_wildcard_certificates` are both enabled,
|
|
|
|
|
issuance of a wildcard certificate for `*.example.com` will be permitted.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `allow_subdomains` `(bool: false)` – Specifies if clients can request
|
|
|
|
|
certificates with CNs that are subdomains of the CNs allowed by the other role
|
|
|
|
|
options. _This includes wildcard subdomains._ For example, an
|
|
|
|
|
`allowed_domains` value of `example.com` with this option set to true will
|
2022-02-24 13:42:11 +00:00
|
|
|
|
allow `foo.example.com` and `bar.example.com` as well as `*.example.com`. To
|
|
|
|
|
restrict issuance of wildcards by this option, see `allow_wildcard_certificates`
|
|
|
|
|
below. This option is redundant when using the `allow_any_name` option.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2017-05-01 14:40:18 +00:00
|
|
|
|
- `allow_glob_domains` `(bool: false)` - Allows names specified in
|
|
|
|
|
`allowed_domains` to contain glob patterns (e.g. `ftp*.example.com`). Clients
|
|
|
|
|
will be allowed to request certificates with names matching the glob
|
|
|
|
|
patterns.
|
|
|
|
|
|
2022-02-24 13:42:11 +00:00
|
|
|
|
~> **Note**: These globs behave like shell-style globs and can match
|
|
|
|
|
across multiple domain parts. For example, `allowed_domains=*.example.com`
|
|
|
|
|
with `allow_glob_domains` enabled will match not only `foo.example.com` but
|
|
|
|
|
also `baz.bar.foo.example.com`.
|
|
|
|
|
|
|
|
|
|
~> **Warning**: Glob patterns will match wildcard domains and permit their
|
|
|
|
|
issuance unless otherwise restricted by `allow_wildcard_certificates`. For
|
|
|
|
|
instance, with `allowed_domains=*.*.example.com` and both `allow_glob_domains`
|
|
|
|
|
and `allow_wildcard_certificates` enabled, we will permit the issuance of
|
|
|
|
|
a wildcard certificate for `*.foo.example.com`.
|
|
|
|
|
|
|
|
|
|
- `allow_wildcard_certificates` `(bool: true)` - Allows the issuance of
|
|
|
|
|
certificates with [RFC 6125](https://tools.ietf.org/html/rfc6125) wildcards
|
|
|
|
|
in the CN field. When set to `false`, this prevents wildcards from being
|
|
|
|
|
issued even if they would've been allowed by an option above. We support
|
|
|
|
|
the following four wildcard types:
|
|
|
|
|
|
|
|
|
|
- `*.example.com`, a single wildcard as the entire left-most label,
|
|
|
|
|
- `foo*.example.com`, a single suffixed wildcard in the left-most label,
|
|
|
|
|
- `*foo.example.com`, a single prefixed wildcard in the left-most label, and
|
|
|
|
|
- `f*o.example.com`, a single interior wildcard in the left-most label.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `allow_any_name` `(bool: false)` – Specifies if clients can request any CN.
|
|
|
|
|
Useful in some circumstances, but make sure you understand whether it is
|
2022-02-24 13:42:11 +00:00
|
|
|
|
appropriate for your installation before enabling it. Note that both
|
|
|
|
|
`enforce_hostnames` and `allow_wildcard_certificates` are still checked,
|
|
|
|
|
which may introduce limitations on issuance with this option.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `enforce_hostnames` `(bool: true)` – Specifies if only valid host names are
|
|
|
|
|
allowed for CNs, DNS SANs, and the host part of email addresses.
|
|
|
|
|
|
|
|
|
|
- `allow_ip_sans` `(bool: true)` – Specifies if clients can request IP Subject
|
|
|
|
|
Alternative Names. No authorization checking is performed except to verify
|
|
|
|
|
that the given values are valid IP addresses.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `allowed_uri_sans` `(string: "")` - Defines allowed URI Subject
|
|
|
|
|
Alternative Names. No authorization checking is performed except to verify
|
|
|
|
|
that the given values are valid URIs. This can be a comma-delimited list or
|
2020-01-18 00:18:09 +00:00
|
|
|
|
a JSON string slice. Values can contain glob patterns (e.g.
|
2018-06-15 19:32:25 +00:00
|
|
|
|
`spiffe://hostname/*`).
|
|
|
|
|
|
2021-12-15 15:18:28 +00:00
|
|
|
|
- `allowed_uri_sans_template` `()bool: false)` – When set, `allowed_uri_sans`
|
|
|
|
|
may contain templates, as with [ACL Path Templating](/docs/concepts/policies).
|
2022-02-25 19:06:41 +00:00
|
|
|
|
Non-templated domains are also still permitted.
|
2021-12-15 15:18:28 +00:00
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `allowed_other_sans` `(string: "")` – Defines allowed custom OID/UTF8-string
|
2020-01-18 00:18:09 +00:00
|
|
|
|
SANs. This can be a comma-delimited list or a JSON string slice, where
|
|
|
|
|
each element has the same format as OpenSSL: `<oid>;<type>:<value>`, but
|
|
|
|
|
the only valid type is `UTF8` or `UTF-8`. The `value` part of an element
|
2019-12-11 15:16:44 +00:00
|
|
|
|
may be a `*` to allow any value with that OID.
|
|
|
|
|
Alternatively, specifying a single `*` will allow any `other_sans` input.
|
2018-02-16 22:19:34 +00:00
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `allowed_serial_numbers` `(string: "")` - If set, an array of allowed serial
|
|
|
|
|
numbers to be requested during certificate issuance. These values support
|
|
|
|
|
shell-style globbing. When empty, custom-specified serial numbers will be
|
|
|
|
|
forbidden. It is strongly recommended to allow Vault to generate random
|
|
|
|
|
serial numbers instead.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `server_flag` `(bool: true)` – Specifies if certificates are flagged for
|
2022-02-25 19:06:41 +00:00
|
|
|
|
server authentication use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
|
|
|
|
|
for information about the Extended Key Usage field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `client_flag` `(bool: true)` – Specifies if certificates are flagged for
|
2022-02-25 19:06:41 +00:00
|
|
|
|
client authentication use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
|
|
|
|
|
for information about the Extended Key Usage field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `code_signing_flag` `(bool: false)` – Specifies if certificates are flagged
|
2022-02-25 19:06:41 +00:00
|
|
|
|
for code signing use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
|
|
|
|
|
for information about the Extended Key Usage field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `email_protection_flag` `(bool: false)` – Specifies if certificates are
|
2022-02-25 19:06:41 +00:00
|
|
|
|
flagged for email protection use. See [RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
|
|
|
|
|
for information about the Extended Key Usage field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `key_type` `(string: "rsa")` – Specifies the type of key to generate for
|
2018-05-19 16:20:37 +00:00
|
|
|
|
generated private keys and the type of key expected for submitted CSRs.
|
2022-02-25 19:06:41 +00:00
|
|
|
|
Currently, `rsa`, `ec`, and `ed25519` are supported, or when signing
|
|
|
|
|
existing CSRs, `any` can be specified to allow keys of either type
|
|
|
|
|
and with any bit size (subject to >1024 bits for RSA keys).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `key_bits` `(int: 2048)` – Specifies the number of bits to use for the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
generated keys. Allowed values are 0 (universal default); with
|
|
|
|
|
`key_type=rsa`, allowed values are: 2048 (default), 3072, or
|
|
|
|
|
4096; with `key_type=ec`, allowed values are: 224, 256 (default),
|
|
|
|
|
384, or 521; ignored with `key_type=ed25519`.
|
|
|
|
|
|
|
|
|
|
- `signature_bits` `(int: 0)` - Specifies the number of bits to use in
|
|
|
|
|
the signature algorithm; accepts 256 for SHA-2-256, 384 for SHA-2-384,
|
|
|
|
|
and 512 for SHA-2-512. Defaults to 0 to automatically detect based
|
|
|
|
|
on key length (SHA-2-256 for RSA keys, and matching the curve size
|
|
|
|
|
for NIST P-Curves).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2017-12-11 18:13:35 +00:00
|
|
|
|
- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
|
|
|
|
|
drop the `KeyUsage` part of the value. Values are not case-sensitive. To
|
2022-02-25 19:06:41 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list. See
|
|
|
|
|
[RFC 5280 Section 4.2.1.3](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3)
|
|
|
|
|
for more information about the Key Usage field.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2018-06-15 22:20:43 +00:00
|
|
|
|
- `ext_key_usage` `(list: [])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed extended key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
|
|
|
|
|
drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
|
2022-02-25 19:06:41 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list. See
|
|
|
|
|
[RFC 5280 Section 4.2.1.12](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12)
|
|
|
|
|
for information about the Extended Key Usage field.
|
2018-06-15 22:20:43 +00:00
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended
|
|
|
|
|
key usage oids. Useful for adding EKUs not supported by the Go standard library.
|
2019-03-07 19:07:10 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `use_csr_common_name` `(bool: true)` – When used with the CSR signing
|
|
|
|
|
endpoint, the common name in the CSR will be used instead of taken from the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
JSON data. This does not include any requested SANs in the CSR; use
|
2017-03-16 18:26:09 +00:00
|
|
|
|
`use_csr_sans` for that.
|
|
|
|
|
|
|
|
|
|
- `use_csr_sans` `(bool: true)` – When used with the CSR signing endpoint, the
|
|
|
|
|
subject alternate names in the CSR will be used instead of taken from the JSON
|
2022-02-25 19:06:41 +00:00
|
|
|
|
data. This does not include the common name in the CSR; use
|
2017-03-16 18:26:09 +00:00
|
|
|
|
`use_csr_common_name` for that.
|
|
|
|
|
|
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of issued certificates. This is a comma-separated string or
|
|
|
|
|
JSON array.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `generate_lease` `(bool: false)` – Specifies if certificates issued/signed
|
2017-03-16 18:26:09 +00:00
|
|
|
|
against this role will have Vault leases attached to them. Certificates can be
|
|
|
|
|
added to the CRL by `vault revoke <lease_id>` when certificates are associated
|
2020-01-18 00:18:09 +00:00
|
|
|
|
with leases. It can also be done using the `pki/revoke` endpoint. However,
|
2017-03-16 18:26:09 +00:00
|
|
|
|
when lease generation is disabled, invoking `pki/revoke` would be the only way
|
2022-02-25 19:06:41 +00:00
|
|
|
|
to add the certificates to the CRL. When large number of certificates are
|
|
|
|
|
generated with long lifetimes, it is recommended that lease generation be
|
|
|
|
|
disabled, as large amount of leases adversely affect the startup time of Vault.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2017-04-07 18:25:47 +00:00
|
|
|
|
- `no_store` `(bool: false)` – If set, certificates issued/signed against this
|
2018-02-09 18:42:19 +00:00
|
|
|
|
role will not be stored in the storage backend. This can improve performance
|
|
|
|
|
when issuing large numbers of certificates. However, certificates issued in
|
|
|
|
|
this way cannot be enumerated or revoked, so this option is recommended only
|
2020-01-18 00:18:09 +00:00
|
|
|
|
for certificates that are non-sensitive, or extremely short-lived. This
|
2018-02-09 18:42:19 +00:00
|
|
|
|
option implies a value of `false` for `generate_lease`.
|
|
|
|
|
|
|
|
|
|
- `require_cn` `(bool: true)` - If set to false, makes the `common_name` field
|
|
|
|
|
optional while generating a certificate.
|
2017-04-07 18:25:47 +00:00
|
|
|
|
|
2018-04-09 02:09:29 +00:00
|
|
|
|
- `policy_identifiers` `(list: [])` – A comma-separated string or list of policy
|
2018-10-02 15:10:43 +00:00
|
|
|
|
OIDs.
|
2018-04-09 02:09:29 +00:00
|
|
|
|
|
|
|
|
|
- `basic_constraints_valid_for_non_ca` `(bool: false)` - Mark Basic Constraints
|
|
|
|
|
valid when issuing non-CA certificates.
|
|
|
|
|
|
2018-10-02 15:10:43 +00:00
|
|
|
|
- `not_before_duration` `(duration: "30s")` – Specifies the duration by which to backdate the NotBefore property.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `not_after` `(string)` – Set the Not After field of the certificate with
|
|
|
|
|
specified date value. The value format should be given in UTC format
|
|
|
|
|
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
|
|
|
|
|
standard devices, `9999-12-31T23:59:59Z`.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
2017-12-11 18:13:35 +00:00
|
|
|
|
"allowed_domains": ["example.com"],
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"allow_subdomains": true
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Read Role
|
|
|
|
|
|
|
|
|
|
This endpoint queries the role definition.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `GET` | `/pki/roles/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to read. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"allow_any_name": false,
|
|
|
|
|
"allow_ip_sans": true,
|
|
|
|
|
"allow_localhost": true,
|
|
|
|
|
"allow_subdomains": false,
|
2017-12-11 18:13:35 +00:00
|
|
|
|
"allowed_domains": ["example.com", "foobar.com"],
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"allowed_uri_sans": ["example.com", "spiffe://*"],
|
|
|
|
|
"allowed_other_sans": [
|
|
|
|
|
"1.3.6.1.4.1.311.20.2.3;utf8:devops@example.com",
|
|
|
|
|
"1.3.6.1.4.1.311.20.2.4;UTF-8:*"
|
|
|
|
|
],
|
2017-03-16 18:26:09 +00:00
|
|
|
|
"client_flag": true,
|
|
|
|
|
"code_signing_flag": false,
|
|
|
|
|
"key_bits": 2048,
|
|
|
|
|
"key_type": "rsa",
|
|
|
|
|
"ttl": "6h",
|
|
|
|
|
"max_ttl": "12h",
|
|
|
|
|
"server_flag": true
|
2017-03-09 02:47:35 +00:00
|
|
|
|
}
|
2017-03-16 18:26:09 +00:00
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## List Roles
|
|
|
|
|
|
|
|
|
|
This endpoint returns a list of available roles. Only the role names are
|
|
|
|
|
returned, not any values.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------- |
|
|
|
|
|
| `LIST` | `/pki/roles` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request LIST \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"auth": null,
|
|
|
|
|
"data": {
|
|
|
|
|
"keys": ["dev", "prod"]
|
|
|
|
|
},
|
|
|
|
|
"lease_duration": 2764800,
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Delete Role
|
|
|
|
|
|
|
|
|
|
This endpoint deletes the role definition. Deleting a role **does not**
|
|
|
|
|
revoke certificates previously issued under this role.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :----------------- |
|
|
|
|
|
| `DELETE` | `/pki/roles/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` – Specifies the name of the role to delete. This
|
|
|
|
|
is part of the request URL.
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/roles/my-role
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Generate Root
|
|
|
|
|
|
2017-08-15 18:00:40 +00:00
|
|
|
|
This endpoint generates a new self-signed CA certificate and private key. If
|
|
|
|
|
the path ends with `exported`, the private key will be returned in the
|
2020-01-18 00:18:09 +00:00
|
|
|
|
response; if it is `internal` the private key will not be returned and _cannot
|
|
|
|
|
be retrieved later_. Distribution points use the values set via `config/urls`.
|
2017-08-15 18:00:40 +00:00
|
|
|
|
|
|
|
|
|
As with other issued certificates, Vault will automatically revoke the
|
|
|
|
|
generated root at the end of its lease period; the CA certificate will sign its
|
|
|
|
|
own CRL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2022-02-08 19:01:19 +00:00
|
|
|
|
Note that this API supports [Managed Keys](/docs/enterprise/managed-keys),
|
|
|
|
|
additional details are available [below](#managed-keys) in a dedicated section.
|
|
|
|
|
|
2018-12-10 15:24:47 +00:00
|
|
|
|
As of Vault 0.8.1, if a CA cert/key already exists, this function will not
|
|
|
|
|
overwrite it; it must be deleted first. Previous versions of Vault would
|
|
|
|
|
overwrite the existing cert/key with new values.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------------- |
|
|
|
|
|
| `POST` | `/pki/root/generate/:type` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `type` `(string: <required>)` – Specifies the type of the root to
|
|
|
|
|
create. If `exported`, the private key will be returned in the response; if
|
2020-01-18 00:18:09 +00:00
|
|
|
|
`internal` the private key will not be returned and _cannot be retrieved
|
2022-02-08 19:01:19 +00:00
|
|
|
|
later_. `kms` is also supported [see below](#managed-keys). This is part of the
|
|
|
|
|
request URL.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
certificate. If more than one `common_name` is desired, specify the
|
|
|
|
|
alternative names in the `alt_names` list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
|
2017-09-20 20:05:00 +00:00
|
|
|
|
certificate will be expired). This cannot be larger than the engine's max (or,
|
2022-02-25 19:06:41 +00:00
|
|
|
|
if not set, the system max). See `not_after` as an alternative for setting an
|
|
|
|
|
absolute end date (rather than a relative one).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the private key (if
|
|
|
|
|
exported) and certificate, concatenated; if the issuing CA is not a
|
|
|
|
|
Vault-derived self-signed root, this will be included as well.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `private_key_format` `(string: "der")` – Specifies the format for marshaling the
|
2017-11-06 17:05:07 +00:00
|
|
|
|
private key. Defaults to `der` which will return either base64-encoded DER or
|
|
|
|
|
PEM-encoded DER, depending on the value of `format`. The other option is
|
|
|
|
|
`pkcs8` which will return the key marshalled as PEM-encoded PKCS8.
|
|
|
|
|
|
2021-10-05 15:28:49 +00:00
|
|
|
|
- `key_type` `(string: "rsa")` – Specifies the desired key type; must be `rsa`, `ed25519`
|
2017-03-16 18:26:09 +00:00
|
|
|
|
or `ec`.
|
|
|
|
|
|
2019-08-14 14:08:41 +00:00
|
|
|
|
- `key_bits` `(int: 2048)` – Specifies the number of bits to use. This must be
|
2020-06-08 15:26:56 +00:00
|
|
|
|
changed to a valid value if the `key_type` is `ec`, e.g., 224, 256, 384 or 521.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
|
|
|
|
|
the generated certificate. `-1` means no limit. Unless the signing certificate
|
|
|
|
|
has a maximum path length set, in which case the path length is set to one
|
2020-01-18 00:18:09 +00:00
|
|
|
|
less than that of the signing certificate. A limit of `0` means a literal
|
2017-03-16 18:26:09 +00:00
|
|
|
|
path length of zero.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
|
2017-03-16 18:26:09 +00:00
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
2017-08-15 20:10:36 +00:00
|
|
|
|
- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
|
|
|
|
|
array) containing DNS domains for which certificates are allowed to be issued
|
2018-07-11 16:44:49 +00:00
|
|
|
|
or signed by this CA certificate. Note that subdomains are allowed, as per
|
2017-08-15 20:10:36 +00:00
|
|
|
|
[RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
2019-03-23 16:14:24 +00:00
|
|
|
|
- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
|
|
|
|
|
Otherwise Vault will generate a random serial for you. If you want more than
|
|
|
|
|
one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `not_after` `(string)` – Set the Not After field of the certificate with
|
|
|
|
|
specified date value. The value format should be given in UTC format
|
|
|
|
|
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
|
|
|
|
|
standard devices, `9999-12-31T23:59:59Z`.
|
|
|
|
|
|
2022-02-08 19:01:19 +00:00
|
|
|
|
### Managed Keys Parameters
|
|
|
|
|
See [Managed Keys](#managed-keys) for additional details on this feature, if
|
|
|
|
|
`type` was set to `kms`. One of the following parameters must be set
|
|
|
|
|
|
|
|
|
|
- `managed_key_name` `(string: "")` – The managed key's configured name.
|
|
|
|
|
|
|
|
|
|
- `managed_key_id` `(string: "")` – The managed key's UUID.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"common_name": "example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root/generate/internal
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2022-02-08 19:01:19 +00:00
|
|
|
|
|
|
|
|
|
|
2017-08-15 18:00:40 +00:00
|
|
|
|
## Delete Root
|
|
|
|
|
|
|
|
|
|
This endpoint deletes the current CA key (the old CA certificate will still be
|
2021-04-20 15:11:35 +00:00
|
|
|
|
accessible for reading until a new certificate/key is generated or uploaded).
|
2017-08-15 18:00:40 +00:00
|
|
|
|
_This endpoint requires sudo/root privileges._
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :------- | :---------- |
|
|
|
|
|
| `DELETE` | `/pki/root` |
|
2017-08-15 18:00:40 +00:00
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-08-15 18:00:40 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request DELETE \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root
|
2017-08-15 18:00:40 +00:00
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
## Sign Intermediate
|
|
|
|
|
|
|
|
|
|
This endpoint uses the configured CA certificate to issue a certificate with
|
|
|
|
|
appropriate values for acting as an intermediate CA. Distribution points use the
|
|
|
|
|
values set via `config/urls`. Values set in the CSR are ignored unless
|
|
|
|
|
`use_csr_values` is set to true, in which case the values from the CSR are used
|
|
|
|
|
verbatim.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------------------- |
|
|
|
|
|
| `POST` | `/pki/root/sign-intermediate` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR to be signed.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
certificate. If more than one `common_name` is desired, specify the
|
|
|
|
|
alternative names in the `alt_names` list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields.
|
|
|
|
|
|
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
|
2017-09-20 20:05:00 +00:00
|
|
|
|
certificate will be expired). This cannot be larger than the engine's max (or,
|
|
|
|
|
if not set, the system max). However, this can be after the expiration of the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
signing CA. See `not_after` as an alternative for setting an absolute end date
|
|
|
|
|
(rather than a relative one).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the certificate and, if the
|
|
|
|
|
issuing CA is not a Vault-derived self-signed root, it will be concatenated
|
|
|
|
|
with the certificate.
|
|
|
|
|
|
|
|
|
|
- `max_path_length` `(int: -1)` – Specifies the maximum path length to encode in
|
|
|
|
|
the generated certificate. `-1`, means no limit, unless the signing
|
|
|
|
|
certificate has a maximum path length set, in which case the path length is
|
2020-01-18 00:18:09 +00:00
|
|
|
|
set to one less than that of the signing certificate. A limit of `0` means a
|
2017-03-16 18:26:09 +00:00
|
|
|
|
literal path length of zero.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
|
2017-03-16 18:26:09 +00:00
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
|
|
|
|
- `use_csr_values` `(bool: false)` – If set to `true`, then: 1) Subject
|
|
|
|
|
information, including names and alternate names, will be preserved from the
|
|
|
|
|
CSR rather than using the values provided in the other parameters to this
|
|
|
|
|
path; 2) Any key usages (for instance, non-repudiation) requested in the CSR
|
|
|
|
|
will be added to the basic set of key usages used for CA certs signed by this
|
|
|
|
|
path; 3) Extensions requested in the CSR will be copied into the issued
|
|
|
|
|
certificate.
|
|
|
|
|
|
2017-08-15 20:10:36 +00:00
|
|
|
|
- `permitted_dns_domains` `(string: "")` – A comma separated string (or, string
|
|
|
|
|
array) containing DNS domains for which certificates are allowed to be issued
|
|
|
|
|
or signed by this CA certificate. Supports subdomains via a `.` in front of
|
|
|
|
|
the domain, as per
|
|
|
|
|
[RFC](https://tools.ietf.org/html/rfc5280#section-4.2.1.10).
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `ou` `(string: "")` – Specifies the OU (OrganizationalUnit) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `organization` `(string: "")` – Specifies the O (Organization) values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `country` `(string: "")` – Specifies the C (Country) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `locality` `(string: "")` – Specifies the L (Locality) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `province` `(string: "")` – Specifies the ST (Province) values in the subject
|
|
|
|
|
field of the resulting certificate. This is a comma-separated string or JSON
|
|
|
|
|
array.
|
|
|
|
|
|
|
|
|
|
- `street_address` `(string: "")` – Specifies the Street Address values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
|
|
|
|
- `postal_code` `(string: "")` – Specifies the Postal Code values in the
|
|
|
|
|
subject field of the resulting certificate. This is a comma-separated string
|
|
|
|
|
or JSON array.
|
|
|
|
|
|
2019-03-23 16:14:24 +00:00
|
|
|
|
- `serial_number` `(string: "")` – Specifies the Serial Number, if any.
|
|
|
|
|
Otherwise Vault will generate a random serial for you. If you want more than
|
|
|
|
|
one, specify alternative names in the alt_names map using OID 2.5.4.5.
|
2018-02-16 22:19:34 +00:00
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `not_after` `(string)` – Set the Not After field of the certificate with
|
|
|
|
|
specified date value. The value format should be given in UTC format
|
|
|
|
|
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
|
|
|
|
|
standard devices, `9999-12-31T23:59:59Z`.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"csr": "...",
|
|
|
|
|
"common_name": "example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root/sign-intermediate
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
2020-01-18 00:18:09 +00:00
|
|
|
|
|
2017-09-01 03:07:15 +00:00
|
|
|
|
## Sign Self-Issued
|
|
|
|
|
|
|
|
|
|
This endpoint uses the configured CA certificate to sign a self-issued
|
|
|
|
|
certificate (which will usually be a self-signed certificate as well).
|
|
|
|
|
|
|
|
|
|
**_This is an extremely privileged endpoint_**. The given certificate will be
|
|
|
|
|
signed as-is with only minimal validation performed (is it a CA cert, and is it
|
|
|
|
|
actually self-issued). The only values that will be changed will be the
|
2017-09-13 15:42:45 +00:00
|
|
|
|
authority key ID, the issuer DN, and, if set, any distribution points.
|
2017-09-01 03:07:15 +00:00
|
|
|
|
|
2017-09-13 15:42:45 +00:00
|
|
|
|
This is generally only needed for root certificate rolling in cases where you
|
|
|
|
|
don't want/can't get access to a CSR (such as if it's a root stored in Vault
|
|
|
|
|
where the key is not exposed). If you don't know whether you need this
|
|
|
|
|
endpoint, you most likely should be using a different endpoint (such as
|
|
|
|
|
`sign-intermediate`).
|
2017-09-01 03:07:15 +00:00
|
|
|
|
|
|
|
|
|
This endpoint requires `sudo` capability.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------------------- |
|
|
|
|
|
| `POST` | `/pki/root/sign-self-issued` |
|
2017-09-01 03:07:15 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `certificate` `(string: <required>)` – Specifies the PEM-encoded self-issued certificate.
|
2021-11-01 19:42:25 +00:00
|
|
|
|
- `require_matching_certificate_algorithms` `(bool: false)` - If true, requires
|
|
|
|
|
that the public key algorithm of the CA match that of the submitted certificate.
|
2017-09-01 03:07:15 +00:00
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"certificate": "..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-09-01 03:07:15 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/root/sign-self-issued
|
2017-09-01 03:07:15 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 0,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
2017-09-01 03:07:15 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
## Sign Certificate
|
|
|
|
|
|
|
|
|
|
This endpoint signs a new certificate based upon the provided CSR and the
|
|
|
|
|
supplied parameters, subject to the restrictions contained in the role named in
|
|
|
|
|
the endpoint. The issuing CA certificate is returned as well, so that only the
|
|
|
|
|
root CA need be in a client's trust store.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------------- |
|
|
|
|
|
| `POST` | `/pki/sign/:name` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
|
|
|
|
|
|
|
|
|
|
- `common_name` `(string: <required>)` – Specifies the requested CN for the
|
2022-02-25 19:06:41 +00:00
|
|
|
|
certificate. If the CN is allowed by role policy, it will be issued. If
|
|
|
|
|
more than one `common_name` is desired, specify the alternative names in
|
|
|
|
|
the `alt_names` list.
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `alt_names` `(string: "")` – Specifies the requested Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. These can be host names or email addresses;
|
|
|
|
|
they will be parsed into their respective fields. If any requested names do
|
|
|
|
|
not match role policy, the entire request will be denied.
|
|
|
|
|
|
2018-02-16 22:19:34 +00:00
|
|
|
|
- `other_sans` `(string: "")` – Specifies custom OID/UTF8-string SANs. These
|
2019-12-11 15:16:44 +00:00
|
|
|
|
must match values specified on the role in `allowed_other_sans` (see role
|
2020-01-18 00:18:09 +00:00
|
|
|
|
creation for allowed_other_sans globbing rules).
|
2019-12-11 15:16:44 +00:00
|
|
|
|
The format is the same as OpenSSL: `<oid>;<type>:<value>` where the
|
2018-02-16 22:19:34 +00:00
|
|
|
|
only current valid type is `UTF8`. This can be a comma-delimited list or a
|
|
|
|
|
JSON string slice.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ip_sans` `(string: "")` – Specifies the requested IP Subject Alternative
|
|
|
|
|
Names, in a comma-delimited list. Only valid if the role allows IP SANs (which
|
|
|
|
|
is the default).
|
|
|
|
|
|
2018-06-15 19:32:25 +00:00
|
|
|
|
- `uri_sans` `(string: "")` – Specifies the requested URI Subject Alternative
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Names, in a comma-delimited list. If any requested URIs do not match role policy,
|
2018-06-15 19:32:25 +00:00
|
|
|
|
the entire request will be denied.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
|
|
|
|
|
than the role's `max_ttl` value. If not provided, the role's `ttl` value will
|
|
|
|
|
be used. Note that the role values default to system values if not explicitly
|
2022-02-25 19:06:41 +00:00
|
|
|
|
set. See `not_after` as an alternative for setting an absolute end date
|
|
|
|
|
(rather than a relative one).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the certificate and, if the
|
|
|
|
|
issuing CA is not a Vault-derived self-signed root, it will be concatenated
|
|
|
|
|
with the certificate.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `exclude_cn_from_sans` `(bool: false)` – If true, the given `common_name` will
|
2017-03-16 18:26:09 +00:00
|
|
|
|
not be included in DNS or Email Subject Alternate Names (as appropriate).
|
|
|
|
|
Useful if the CN is not a hostname or email address, but is instead some
|
|
|
|
|
human-readable identifier.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `not_after` `(string)` – Set the Not After field of the certificate with
|
|
|
|
|
specified date value. The value format should be given in UTC format
|
|
|
|
|
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
|
|
|
|
|
standard devices, `9999-12-31T23:59:59Z`.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"csr": "...",
|
|
|
|
|
"common_name": "example.com"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "pki/sign/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Sign Verbatim
|
|
|
|
|
|
|
|
|
|
This endpoint signs a new certificate based upon the provided CSR. Values are
|
|
|
|
|
taken verbatim from the CSR; the _only_ restriction is that this endpoint will
|
|
|
|
|
refuse to issue an intermediate CA certificate (see the
|
|
|
|
|
`/pki/root/sign-intermediate` endpoint for that functionality.)
|
|
|
|
|
|
|
|
|
|
**This is a potentially dangerous endpoint and only highly trusted users should
|
|
|
|
|
have access.**
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :--------------------------- |
|
|
|
|
|
| `POST` | `/pki/sign-verbatim(/:name)` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
2017-04-18 19:54:31 +00:00
|
|
|
|
- `name` `(string: "")` - Specifies a role. If set, the following parameters
|
|
|
|
|
from the role will have effect: `ttl`, `max_ttl`, `generate_lease`, and
|
|
|
|
|
`no_store`.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
|
|
|
|
|
|
2018-06-15 22:20:43 +00:00
|
|
|
|
- `key_usage` `(list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply
|
|
|
|
|
drop the `KeyUsage` part of the value. Values are not case-sensitive. To
|
2018-06-15 22:20:43 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list.
|
|
|
|
|
|
|
|
|
|
- `ext_key_usage` `(list: [])` –
|
2020-01-18 00:18:09 +00:00
|
|
|
|
Specifies the allowed extended key usage constraint on issued certificates. Valid
|
|
|
|
|
values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply
|
|
|
|
|
drop the `ExtKeyUsage` part of the value. Values are not case-sensitive. To
|
2018-06-15 22:20:43 +00:00
|
|
|
|
specify no key usage constraints, set this to an empty list.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `ext_key_usage_oids` `(string: "")` - A comma-separated string or list of extended key usage oids.
|
2019-03-07 19:07:10 +00:00
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
- `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
|
2017-09-20 20:05:00 +00:00
|
|
|
|
than the engine's `max_ttl` value. If not provided, the engine's `ttl` value
|
2022-02-25 19:06:41 +00:00
|
|
|
|
will be used, which defaults to system values if not explicitly set. See
|
|
|
|
|
`not_after` as an alternative for setting an absolute end date (rather than
|
|
|
|
|
a relative one).
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
- `format` `(string: "pem")` – Specifies the format for returned data. Can be
|
|
|
|
|
`pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
|
|
|
|
|
`pem_bundle`, the `certificate` field will contain the certificate and, if the
|
|
|
|
|
issuing CA is not a Vault-derived self-signed root, it will be concatenated
|
|
|
|
|
with the certificate.
|
|
|
|
|
|
2022-02-25 19:06:41 +00:00
|
|
|
|
- `not_after` `(string)` – Set the Not After field of the certificate with
|
|
|
|
|
specified date value. The value format should be given in UTC format
|
|
|
|
|
`YYYY-MM-ddTHH:MM:SSZ`. Supports the Y10K end date for IEEE 802.1AR-2018
|
|
|
|
|
standard devices, `9999-12-31T23:59:59Z`.
|
|
|
|
|
|
2017-03-16 18:26:09 +00:00
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"csr": "..."
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/sign-verbatim
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"lease_id": "pki/sign-verbatim/7ad6cfa5-f04f-c62a-d477-f33210475d05",
|
|
|
|
|
"renewable": false,
|
|
|
|
|
"lease_duration": 21600,
|
|
|
|
|
"data": {
|
|
|
|
|
"certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
|
|
|
|
|
"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
|
2020-01-18 00:18:09 +00:00
|
|
|
|
"ca_chain": [
|
|
|
|
|
"-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
|
|
|
|
|
],
|
2019-02-01 15:29:34 +00:00
|
|
|
|
"serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
|
2017-03-16 18:26:09 +00:00
|
|
|
|
},
|
|
|
|
|
"auth": null
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Tidy
|
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
|
This endpoint allows tidying up the storage backend and/or CRL by removing
|
2017-03-16 18:26:09 +00:00
|
|
|
|
certificates that have expired and are past a certain buffer period beyond their
|
|
|
|
|
expiration time.
|
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :---------- |
|
|
|
|
|
| `POST` | `/pki/tidy` |
|
2017-03-16 18:26:09 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `tidy_cert_store` `(bool: false)` Specifies whether to tidy up the certificate
|
|
|
|
|
store.
|
|
|
|
|
|
2021-04-19 16:40:40 +00:00
|
|
|
|
- `tidy_revoked_certs` `(bool: false)` Set to true to remove all invalid and
|
|
|
|
|
expired certificates from storage. A revoked storage entry is considered
|
|
|
|
|
invalid if the entry is empty, or the value within the entry is empty. If a
|
|
|
|
|
certificate is removed due to expiry, the entry will also be removed from the
|
|
|
|
|
CRL, and the CRL will be rotated.
|
2018-07-13 13:32:32 +00:00
|
|
|
|
|
2020-01-18 00:18:09 +00:00
|
|
|
|
- `safety_buffer` `(string: "")` Specifies A duration (given as an integer
|
2017-03-16 18:26:09 +00:00
|
|
|
|
number of seconds or a string; defaults to `72h`) used as a safety buffer to
|
|
|
|
|
ensure certificates are not expunged prematurely; as an example, this can keep
|
|
|
|
|
certificates from being removed from the CRL that, due to clock skew, might
|
|
|
|
|
still be considered valid on other hosts. For a certificate to be expunged,
|
|
|
|
|
the time must be after the expiration time of the certificate (according to
|
|
|
|
|
the local clock) plus the duration of `safety_buffer`.
|
|
|
|
|
|
|
|
|
|
### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"safety_buffer": "24h"
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
2020-05-21 17:18:17 +00:00
|
|
|
|
```shell-session
|
2017-03-16 18:26:09 +00:00
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
2018-03-23 15:41:51 +00:00
|
|
|
|
http://127.0.0.1:8200/v1/pki/tidy
|
2017-03-16 18:26:09 +00:00
|
|
|
|
```
|
2021-02-09 17:00:24 +00:00
|
|
|
|
|
2022-02-15 16:04:21 +00:00
|
|
|
|
## Tidy Status
|
|
|
|
|
|
|
|
|
|
This is a read only endpoint that returns information about the current tidy
|
|
|
|
|
operation, or the most recent if none are currently running.
|
|
|
|
|
|
|
|
|
|
The result includes the following fields:
|
|
|
|
|
* `safety_buffer`: the value of this parameter when initiating the tidy operation
|
|
|
|
|
* `tidy_cert_store`: the value of this parameter when initiating the tidy operation
|
|
|
|
|
* `tidy_revoked_certs`: the value of this parameter when initiating the tidy operation
|
|
|
|
|
* `state`: one of *Inactive*, *Running*, *Finished*, *Error*
|
|
|
|
|
* `error`: the error message, if the operation ran into an error
|
|
|
|
|
* `time_started`: the time the operation started
|
|
|
|
|
* `time_finished`: the time the operation finished
|
|
|
|
|
* `message`: One of *Tidying certificate store: checking entry N of TOTAL* or
|
|
|
|
|
*Tidying revoked certificates: checking certificate N of TOTAL*
|
|
|
|
|
* `cert_store_deleted_count`: The number of certificate storage entries deleted
|
|
|
|
|
* `revoked_cert_deleted_count`: The number of revoked certificate entries deleted
|
|
|
|
|
|
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :----------------- |
|
|
|
|
|
| `GET` | `/pki/tidy-status` |
|
|
|
|
|
|
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request GET \
|
|
|
|
|
http://127.0.0.1:8200/v1/pki/tidy-status
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
"data": {
|
|
|
|
|
"safety_buffer": 60,
|
|
|
|
|
"tidy_cert_store": true,
|
|
|
|
|
"tidy_revoked_certs": true,
|
|
|
|
|
"error": null,
|
|
|
|
|
"message": "Tidying certificate store: checking entry 234 of 488",
|
|
|
|
|
"revoked_cert_deleted_count": 0,
|
|
|
|
|
"cert_store_deleted_count": 2,
|
|
|
|
|
"state": "Running",
|
|
|
|
|
"time_started": "2021-10-20T14:52:13.510161-04:00",
|
|
|
|
|
"time_finished": null
|
|
|
|
|
},
|
|
|
|
|
```
|
|
|
|
|
|
2021-02-09 17:00:24 +00:00
|
|
|
|
# Cluster Scalability
|
|
|
|
|
|
2021-04-06 17:49:04 +00:00
|
|
|
|
Most non-introspection operations in the PKI secrets engine require a write to
|
2021-04-19 16:40:40 +00:00
|
|
|
|
storage, and so are forwarded to the cluster's active node for execution.
|
2021-04-06 17:49:04 +00:00
|
|
|
|
This table outlines which operations can be executed on performance standbys
|
2021-02-09 17:00:24 +00:00
|
|
|
|
and thus scale horizontally.
|
|
|
|
|
|
2021-04-06 17:49:04 +00:00
|
|
|
|
| Path | Operations |
|
|
|
|
|
| --------------------------- | -------------------- |
|
|
|
|
|
| ca[/pem] | Read |
|
|
|
|
|
| cert/<em>serial-number</em> | Read |
|
|
|
|
|
| cert/ca_chain | Read |
|
|
|
|
|
| config/crl | Read |
|
|
|
|
|
| certs | List |
|
|
|
|
|
| ca_chain | Read |
|
|
|
|
|
| crl[/pem] | Read |
|
|
|
|
|
| crl/pem | Read |
|
|
|
|
|
| issue | Update <sup>\*</sup> |
|
|
|
|
|
| revoked/\* | Read, List |
|
|
|
|
|
| sign | Update <sup>\*</sup> |
|
|
|
|
|
| sign-verbatim | Update <sup>\*</sup> |
|
2021-02-09 17:00:24 +00:00
|
|
|
|
|
|
|
|
|
\* Only if the corresponding role has `no_store` set to true and `generate_lease`
|
2021-04-06 17:49:04 +00:00
|
|
|
|
set to false. If `generate_lease` is true the lease creation will be forwarded to
|
|
|
|
|
the active node; if `no_store` is false the entire request will be forwarded to
|
2021-02-09 17:00:24 +00:00
|
|
|
|
the active node.
|
2022-02-08 19:01:19 +00:00
|
|
|
|
|
|
|
|
|
# Managed Keys
|
|
|
|
|
|
|
|
|
|
~> Note: Managed keys are an Enterprise only feature.
|
|
|
|
|
|
|
|
|
|
The [Generate Root](#generate-root) and [Generate Intermediate](#generate-intermediate)
|
|
|
|
|
API calls can leverage the Managed Keys feature, delegating operations that
|
|
|
|
|
require private key material to an external system.
|
|
|
|
|
|
|
|
|
|
To leverage a Managed Key, assuming it has already been configured, set the type
|
|
|
|
|
parameter to `kms` within either, [Generate Root](#generate-root) or
|
|
|
|
|
[Generate Intermediate](#generate-intermediate) APIs, and one of either
|
|
|
|
|
`managed_key_name` or `managed_key_id` parameters specifying a Managed Key to use.
|
|
|
|
|
As with the `internal` type for those APIs, if the type parameter is set to `kms`,
|
|
|
|
|
there is no way to read/fetch the private key.
|
|
|
|
|
|
|
|
|
|
The API call will fail if the specified Managed Key is not properly configured or
|
|
|
|
|
arguments detailing private key attributes are specified such as `key_type` or
|
|
|
|
|
`key_bits`.
|
|
|
|
|
|
|
|
|
|
Once either of the certificate APIs have successfully executed, all other PKI
|
|
|
|
|
operations behave the same, with no other special configuration or parameters required.
|