Class RoleOptions


  • public class RoleOptions
    extends Object
    Options for PKI roles.
    • Field Detail

      • timeToLive

        public String timeToLive
        Specifies the default time-to-live applied to certificates issued against this role when the request does not ask for one.

        Value is specified as a string duration with time suffix, for example 72h. Hour is the largest supported suffix.

      • maxTimeToLive

        public String maxTimeToLive
        Specifies the maximum time-to-live a certificate issued against this role may have. It bounds both the timeToLive default and any time-to-live a client passes with its request.

        Value is specified as a string duration with time suffix. Hour is the largest supported suffix.

      • allowLocalhost

        public Boolean allowLocalhost
        Specifies if clients can request certificates for localhost as one of the requested common names. This is meant for testing and for clients that talk to a service on the same host; leave it disabled on roles that issue production server certificates.
      • allowedDomains

        public List<String> allowedDomains
        Specifies the domains allowed on issued certificates. By itself the list authorizes no name: allowBareDomains, allowSubdomains and allowGlobsInAllowedDomains determine which names under these domains a client may actually request.
      • allowBareDomains

        public Boolean allowBareDomains
        Specifies if clients can request certificates whose name is exactly one of the allowedDomains. For example, with allowedDomains set to example.com, enabling this lets a client obtain a certificate for example.com itself. In some deployments this is a security risk, since the apex name is usually more sensitive than the host names beneath it.
      • allowSubdomains

        public Boolean allowSubdomains
        Specifies if clients can request certificates with a Common Name (CN) that is a subdomain of the domains allowed by the other role options. This includes wildcard subdomains: with allowedDomains set to example.com, this permits foo.example.com, bar.example.com and *.example.com.
      • allowGlobsInAllowedDomains

        public Boolean allowGlobsInAllowedDomains
        Allows names specified in allowedDomains to contain glob patterns (e.g. ftp*.example.com). The glob is matched against the whole requested name and * also matches dots, so a pattern such as *.example.com admits deeper names like a.b.example.com.
      • allowAnyName

        public Boolean allowAnyName
        Specifies if clients can request any Common Name (CN). This bypasses the allowedDomains checks entirely, so a role with it enabled can issue a certificate for any name the CA is trusted for; restrict access to such a role tightly.
      • enforceHostnames

        public Boolean enforceHostnames
        Specifies if only valid host names are allowed for Common Names, DNS Subject Alternative Names, and the host part of email addresses.
      • allowIpSubjectAlternativeNames

        public Boolean allowIpSubjectAlternativeNames
        Specifies if clients can request IP Subject Alternative Names.
      • allowedUriSubjectAlternativeNames

        public List<String> allowedUriSubjectAlternativeNames
        Defines allowed URI Subject Alternative Names.

        Values can contain glob patterns (e.g. spiffe://hostname/*).

      • allowedOtherSubjectAlternativeNames

        public List<String> allowedOtherSubjectAlternativeNames
        Defines allowed custom OID/UTF8-string Subject Alternative Names.

        The format is the same as OpenSSL: <oid>;<type>:<value>, where the only current valid type is UTF8.

      • serverFlag

        public Boolean serverFlag
        Specifies if certificates are flagged for server use.
      • clientFlag

        public Boolean clientFlag
        Specifies if certificates are flagged for client use.
      • codeSigningFlag

        public Boolean codeSigningFlag
        Specifies if certificates are flagged for code signing use.
      • emailProtectionFlag

        public Boolean emailProtectionFlag
        Specifies if certificates are flagged for email protection use.
      • keyType

        public CertificateKeyType keyType
        Specifies the type of private keys to generate and the type of key expected for submitted CSRs.
      • keyUsages

        public List<CertificateKeyUsage> keyUsages
        Specifies the allowed key usage constraint on issued certificates.
      • extendedKeyUsages

        public List<CertificateExtendedKeyUsage> extendedKeyUsages
        Specifies the allowed extended key usage constraint on issued certificates.
      • extendedKeyUsageOIDs

        public List<String> extendedKeyUsageOIDs
        Specifies extended key usage OIDs to set on issued certificates, in addition to the named usages given in extendedKeyUsages.
      • subjectOrganization

        public String subjectOrganization
        Specifies Organization (O) of the subject on issued certificates.
      • subjectOrganizationalUnit

        public String subjectOrganizationalUnit
        Specifies Organizational Unit (OU) of the subject on issued certificates.
      • subjectStreetAddress

        public String subjectStreetAddress
        Specifies Street Address of the subject on issued certificates.
      • subjectPostalCode

        public String subjectPostalCode
        Specifies Postal Code of the subject on issued certificates.
      • subjectLocality

        public String subjectLocality
        Specifies Locality (L) of the subject on issued certificates.
      • subjectProvince

        public String subjectProvince
        Specifies Province (ST) of the subject on issued certificates.
      • subjectCountry

        public String subjectCountry
        Specifies Country (C) of the subject on issued certificates.
      • allowedSubjectSerialNumbers

        public List<String> allowedSubjectSerialNumbers
        Specifies allowed Serial Number (SERIALNUMBER) values of the subject on issued certificates.
      • generateLease

        public Boolean generateLease
        Specifies if certificates issued/signed against this role will have Vault leases attached to them. With a lease, a certificate can be revoked by revoking the lease, at the cost of a lease entry per certificate; without one, revocation goes through the PKI revoke endpoint.
      • noStore

        public Boolean noStore
        Flag determining if certificates issued/signed against this role will be stored in the storage backend. Disabling storage improves throughput for high-volume issuance, but certificates issued this way cannot be listed or revoked through Vault, so reserve it for short-lived or non-critical certificates.
      • requireCommonName

        public Boolean requireCommonName
        Flag determining if the Common Name (CN) field is required when generating a certificate.
      • policyOIDs

        public List<String> policyOIDs
        Specifies the certificate policy OIDs to place in the Certificate Policies extension of issued certificates.
      • basicConstraintsValidForNonCA

        public Boolean basicConstraintsValidForNonCA
        Mark Basic Constraints valid when issuing non-CA certificates.
      • notBeforeDuration

        public String notBeforeDuration
        Specifies the duration by which the NotBefore of issued certificates is backdated, so that clients whose clocks lag slightly behind the CA do not reject a freshly issued certificate as not yet valid.

        Value is specified as a string duration with time suffix. Hour is the largest supported suffix.

    • Constructor Detail

      • RoleOptions

        public RoleOptions()
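The name and lifetime options above interact in ways that are easy to get wrong: a role with only allowedDomains set issues nothing, a wildcard needs allowSubdomains, a glob only counts when allowGlobsInAllowedDomains is on, and a request above maxTimeToLive is bounded by it. The Python block below is an added worked example, not code from this library or from Vault. It models those rules over the page's own field names and decides whether a requested CN or DNS SAN would be issued and what validity window it would get. The order of the checks, the capping (rather than rejection) of an over-long TTL, and the hostname regex are assumptions of the example; the sample names and durations are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example: a model of how the RoleOptions name and TTL rules combine.
# Field names mirror the page's class; the rule logic is this example's own
# reading of the field descriptions, not the client library's or Vault's code.

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}   # hour is the largest suffix
_DURATION_PART = re.compile(r"(\d+)([smh])")


def parse_duration(value: str) -> int:
    """Parse a string duration with time suffix (e.g. "72h", "1h30m") into seconds."""
    value = value.strip()
    if not re.fullmatch(r"(?:\d+[smh])+", value):
        raise ValueError(f"invalid duration {value!r}: use digits with s/m/h suffixes")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _DURATION_PART.findall(value))


@dataclass
class RoleOptions:
    """Subset of the page's RoleOptions fields that govern names and lifetimes."""
    timeToLive: Optional[str] = None
    maxTimeToLive: Optional[str] = None
    notBeforeDuration: str = "0s"
    allowLocalhost: bool = False
    allowedDomains: List[str] = field(default_factory=list)
    allowBareDomains: bool = False
    allowSubdomains: bool = False
    allowGlobsInAllowedDomains: bool = False
    allowAnyName: bool = False
    enforceHostnames: bool = True


_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)


def is_valid_hostname(name: str) -> bool:
    """RFC 1123-style hostname check; a single leading wildcard label is tolerated."""
    return len(name) <= 253 and _HOSTNAME_RE.match(name) is not None


def name_allowed(role: RoleOptions, name: str) -> bool:
    """Decide whether a requested CN or DNS SAN is permitted by the role."""
    name = name.lower().rstrip(".")
    # enforceHostnames is applied before allowAnyName (assumed ordering), so even
    # an any-name role does not admit strings such as "not a host".
    if role.enforceHostnames and not is_valid_hostname(name):
        return False
    if role.allowAnyName:
        return True
    if name == "localhost" and role.allowLocalhost:
        return True
    is_wildcard = name.startswith("*.")
    base = name[2:] if is_wildcard else name   # "*.a.example.com" -> "a.example.com"
    for domain in (d.lower() for d in role.allowedDomains):
        if role.allowGlobsInAllowedDomains and any(c in domain for c in "*?["):
            # glob entries match the whole requested name; '*' also crosses dots
            if fnmatch.fnmatchcase(name, domain):
                return True
            continue
        if role.allowBareDomains and name == domain:
            return True
        if role.allowSubdomains:
            # *.example.com covers example.com's children, so a wildcard's base may
            # equal the domain; a plain name must lie strictly below the domain
            if is_wildcard and (base == domain or base.endswith("." + domain)):
                return True
            if not is_wildcard and name.endswith("." + domain):
                return True
    return False


def resolve_ttl(role: RoleOptions, requested: Optional[str] = None) -> Tuple[int, bool]:
    """Return (ttl_seconds, capped): a request above maxTimeToLive is capped to it."""
    if requested is None and role.timeToLive is None:
        raise ValueError("no TTL: request supplies none and role has no timeToLive")
    ttl = parse_duration(requested if requested is not None else role.timeToLive)
    if role.maxTimeToLive is None:
        return ttl, False
    max_ttl = parse_duration(role.maxTimeToLive)
    return (max_ttl, True) if ttl > max_ttl else (ttl, False)


def validity_window(role: RoleOptions, issued_at: int,
                    requested: Optional[str] = None) -> Tuple[int, int]:
    """(NotBefore, NotAfter) as epoch seconds; NotBefore is backdated, NotAfter is not."""
    ttl, _ = resolve_ttl(role, requested)
    return issued_at - parse_duration(role.notBeforeDuration), issued_at + ttl


if __name__ == "__main__":
    # constructed sample role: host certificates under example.com, no apex name
    role = RoleOptions(timeToLive="72h", maxTimeToLive="720h", notBeforeDuration="30s",
                       allowedDomains=["example.com"], allowSubdomains=True)
    for n in ["api.example.com", "*.example.com", "example.com",
              "example.com.evil.net", "localhost"]:
        print(f"{n:22} allowed={name_allowed(role, n)}")
    print("ttl for 8760h request:", resolve_ttl(role, "8760h"))
```

The suffix check in name_allowed is the detail worth copying: comparing against "." + domain (not a bare endswith on the domain string) is what stops example.com.evil.net from passing as a subdomain of example.com.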