open-vault/website/source/api/auth/cert/index.html.md

385 lines
11 KiB
Markdown
Raw Normal View History

2017-08-08 16:28:17 +00:00
---
layout: "api"
page_title: "TLS Certificate - Auth Methods - HTTP API"
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "TLS Certificates"
sidebar_current: "api-http-auth-cert"
2017-08-08 16:28:17 +00:00
description: |-
This is the API documentation for the Vault TLS Certificate authentication
method.
2017-08-08 16:28:17 +00:00
---
# TLS Certificate Auth Method (API)
2017-08-08 16:28:17 +00:00
This is the API documentation for the Vault TLS Certificate authentication
method. For general information about the usage and operation of the TLS
Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert.html).
2017-08-08 16:28:17 +00:00
This documentation assumes the TLS Certificate method is mounted at the
2017-09-21 21:14:40 +00:00
`/auth/cert` path in Vault. Since it is possible to enable auth methods at any
2017-08-08 16:28:17 +00:00
location, please update your API calls accordingly.
## Create CA Certificate Role
Sets a CA cert and associated parameters in a role name.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/cert/certs/:name` |
2017-08-08 16:28:17 +00:00
### Parameters
- `name` `(string: <required>)` - The name of the certificate role.
- `certificate` `(string: <required>)` - The PEM-format CA certificate.
- `allowed_names` `(string: "")` - DEPRECATED: Please use the individual
`allowed_X_sans` parameters instead. Constrain the Common and Alternative
Names in the client certificate with a [globbed pattern]
(https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
a comma-separated list of patterns. Authentication requires at least one Name
matching at least one pattern. If not set, defaults to allowing all names.
- `allowed_common_names` `(string: "" or array: [])` - Constrain the Common
Names in the client certificate with a [globbed pattern]
(https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
a comma-separated list of patterns. Authentication requires at least one Name
matching at least one pattern. If not set, defaults to allowing all names.
- `allowed_dns_sans` `(string: "" or array: [])` - Constrain the Alternative
Names in the client certificate with a [globbed pattern]
(https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
a comma-separated list of patterns. Authentication requires at least one DNS
matching at least one pattern. If not set, defaults to allowing all dns.
- `allowed_email_sans` `(string: "" or array: [])` - Constrain the Alternative
Names in the client certificate with a [globbed pattern]
(https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
a comma-separated list of patterns. Authentication requires at least one
Email matching at least one pattern. If not set, defaults to allowing all
emails.
- `allowed_uri_sans` `(string: "" or array: [])` - Constrain the Alternative
Names in the client certificate with a [globbed pattern]
(https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
a comma-separated list of URI patterns. Authentication requires at least one
URI matching at least one pattern. If not set, defaults to allowing all URIs.
- `allowed_organizational_units` `(string: "" or array: [])` - Constrain the
Organizational Units (OU) in the client certificate with a [globbed pattern]
(https://github.com/ryanuber/go-glob/blob/master/README.md#example). Value is
a comma-separated list of OU patterns. Authentication requires at least one
OU matching at least one pattern. If not set, defaults to allowing all OUs.
- `required_extensions` `(string: "" or array: [])` - Require specific Custom
Extension OIDs to exist and match the pattern. Value is a comma separated
string or array of `oid:value`. Expects the extension value to be some type
of ASN1 encoded string. All conditions _must_ be met. Supports globbing on
`value`.
- `policies` `(string: "")` - A comma-separated list of policies to set on
tokens issued when authenticating against this CA certificate.
- `display_name` `(string: "")` - The `display_name` to set on tokens issued
when authenticating against this CA certificate. If not set, defaults to the
2017-08-08 16:28:17 +00:00
name of the role.
- `ttl` `(string: "")` - The TTL of the token, provided in either number of
seconds (`3600`) or a time duration (`1h`). If not provided, the token is
valid for the the mount or system default TTL time, in that order.
- `max_ttl` `(string: "")` - Duration in either number of seconds (`3600`) or a
time duration (`1h`) after which the issued token can no longer be renewed.
- `period` `(string: "")` - Duration in either number of seconds (`3600`) or a
time duration (`1h`). If set, the generated token is a periodic token; so long
as it is renewed it never expires unless `max_ttl` is also set, but the TTL
set on the token at each renewal is fixed to the value specified here. If this
value is modified, the token will pick up the new value at its next renewal.
2018-05-09 22:39:55 +00:00
- `bound_cidrs` `(string: "", or list: [])` If set, restricts usage of the
certificates to client IPs falling within the range of the specified
CIDR(s).
2017-08-08 16:28:17 +00:00
### Sample Payload
```json
{
"certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
2018-05-09 22:39:55 +00:00
"display_name": "test",
"bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"]
2017-08-08 16:28:17 +00:00
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
2017-08-08 16:28:17 +00:00
```
## Read CA Certificate Role
Gets information associated with the named role.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/auth/cert/certs/:name` |
2017-08-08 16:28:17 +00:00
### Parameters
- `name` `(string: <required>)` - The name of the certificate role.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
2017-08-08 16:28:17 +00:00
```
### Sample Response
```json
{
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
"display_name": "test",
"policies": "",
"allowed_names": "",
"required_extensions": "",
"ttl": 2764800,
"max_ttl": 2764800,
"period": 0
2017-08-08 16:28:17 +00:00
},
"warnings": null,
"auth": null
}
```
## List Certificate Roles
Lists configured certificate names.
| Method | Path |
| :--------------------------- | :--------------------- |
| `LIST` | `/auth/cert/certs` |
2017-08-08 16:28:17 +00:00
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/certs
```
2017-08-08 16:28:17 +00:00
### Sample Response
```json
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"keys": [
"cert1",
2017-08-08 16:28:17 +00:00
"cert2"
]
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
## Delete Certificate Role
Deletes the named role and CA cert from the method mount.
2017-08-08 16:28:17 +00:00
| Method | Path |
| :--------------------------- | :--------------------- |
| `DELETE` | `/auth/cert/certs/:name` |
2017-08-08 16:28:17 +00:00
### Parameters
- `name` `(string: <required>)` - The name of the certificate role.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/certs/cert1
2017-08-08 16:28:17 +00:00
```
## Create CRL
Sets a named CRL.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/cert/crls/:name` |
2017-08-08 16:28:17 +00:00
### Parameters
2017-08-08 16:28:17 +00:00
- `name` `(string: <required>)` - The name of the CRL.
- `crl` `(string: <required>)` - The PEM format CRL.
### Sample Payload
```json
{
"crl": "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
2019-04-19 05:20:46 +00:00
--data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
2017-08-08 16:28:17 +00:00
```
## Read CRL
Gets information associated with the named CRL (currently, the serial
numbers contained within). As the serials can be integers up to an
arbitrary size, these are returned as strings.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/auth/cert/crls/:name` |
2017-08-08 16:28:17 +00:00
### Parameters
- `name` `(string: <required>)` - The name of the CRL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
2017-08-08 16:28:17 +00:00
```
### Sample Response
```json
{
"auth": null,
"data": {
"serials": {
"13": {}
}
},
"lease_duration": 0,
"lease_id": "",
"renewable": false,
"warnings": null
}
```
## Delete CRL
2017-08-08 16:28:17 +00:00
Deletes the named CRL from the auth method mount.
2017-08-08 16:28:17 +00:00
| Method | Path |
| :--------------------------- | :--------------------- |
| `DELETE` | `/auth/cert/crls/:name` |
2017-08-08 16:28:17 +00:00
### Parameters
- `name` `(string: <required>)` - The name of the CRL.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/crls/cert1
2017-08-08 16:28:17 +00:00
```
## Configure TLS Certificate Method
2017-08-08 16:28:17 +00:00
Configuration options for the method.
2017-08-08 16:28:17 +00:00
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/cert/config` |
2017-08-08 16:28:17 +00:00
### Parameters
- `disable_binding` `(boolean: false)` - If set, during renewal, skips the
matching of presented client identity with the client identity used during
login.
2017-08-08 16:28:17 +00:00
### Sample Payload
```json
{
"disable_binding": true
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
2019-04-19 05:20:46 +00:00
--data @payload.json \
2018-03-23 15:41:51 +00:00
http://127.0.0.1:8200/v1/auth/cert/certs/cert1
2017-08-08 16:28:17 +00:00
```
## Login with TLS Certificate Method
2017-08-08 16:28:17 +00:00
Log in and fetch a token. If there is a valid chain to a CA configured in the
method and all role constraints are matched, a token will be issued. If the
certificate has DNS SANs in it, each of those will be verified. If Common Name
is required to be verified, then it should be a fully qualified DNS domain name
and must be duplicated as a DNS SAN (see
https://tools.ietf.org/html/rfc6125#section-2.3)
2017-08-08 16:28:17 +00:00
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/cert/login` |
2017-08-08 16:28:17 +00:00
### Parameters
- `name` `(string: "")` - Authenticate against only the named certificate role,
2017-08-08 16:28:17 +00:00
returning its policy list if successful. If not set, defaults to trying all
certificate roles and returning any one that matches.
### Sample Payload
```json
{
"name": "cert1"
}
```
### Sample Request
```
$ curl \
--request POST \
--cert cert.pem \
--key key.pem \
2019-04-19 05:20:46 +00:00
--data @payload.json \
https://127.0.0.1:8200/v1/auth/cert/login
2017-08-08 16:28:17 +00:00
```
### Sample Response
```json
{
"auth": {
"client_token": "cf95f87d-f95b-47ff-b1f5-ba7bff850425",
"policies": [
"web",
2017-08-08 16:28:17 +00:00
"stage"
],
"lease_duration": 3600,
"renewable": true,
}
}
```