Commit graph

17 commits

Author SHA1 Message Date
Jeff Mitchell d8e2179a42 Rejig some error messages in pki 2017-10-27 12:02:18 -04:00
Jeff Mitchell cb6ac1e926 Change behavior of TTL in sign-intermediate (#3325)
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Jeff Mitchell abb2ab2918 Add pki/root/sign-self-issued. (#3274)
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Jeff Mitchell e4eb6e9020 Make PKI root generation idempotent-ish and add delete endpoint. (#3165) 2017-08-15 14:00:40 -04:00
Calvin Leung Huang a00a7815f6 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Jeff Mitchell 822d86ad90 Change storage of entries from colons to hyphens and add a
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
2017-04-18 11:14:23 -04:00
vishalnayak 2e23f1a992 pki: Appended error to error message 2016-12-19 10:49:32 -05:00
vishalnayak ba1cc709bd PKI: Added error to the error message 2016-12-19 10:47:29 -05:00
Chris Hoffman d235acf809 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Jeff Mitchell d899f9d411 Don't revoke CA certificates with leases. 2016-05-09 19:53:28 -04:00
Jeff Mitchell c57b646848 Check role key type and bits when signing CSR.
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
Jeff Mitchell fc6d23a54e Allow the format to be specified as pem_bundle, which creates a
concatenated PEM file.

Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 25e359084c Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell a95228e4ee Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00