Interface VaultPKISecretEngine

  • All Known Implementing Classes:
    VaultPKIManager

    public interface VaultPKISecretEngine
    A service that interacts with HashiCorp's Vault PKI secret engine to issue certificates and manage certificate authorities.
    See Also:
    PKI
    • Method Detail

      • getCertificateAuthority

        CertificateData.PEM getCertificateAuthority()
        Retrieves the engine's CA certificate (PEM encoded).
        Returns:
        Certificate authority certificate.
      • getCertificateAuthority

        CertificateData getCertificateAuthority(DataFormat format)
        Retrieves the engine's CA certificate.
        Parameters:
        format - Format of the returned certificate data.
        Returns:
        Certificate authority certificate.
      • configCertificateAuthority

        void configCertificateAuthority(String pemBundle)
        Configures the engine's CA.
        Parameters:
        pemBundle - PEM encoded bundle including the CA, with optional chain, and private key.
      • configURLs

        void configURLs(ConfigURLsOptions options)
        Configures engine's URLs for issuing certificates, CRL distribution points, and OCSP servers.
        Parameters:
        options - URL options.
      • readURLsConfig

        ConfigURLsOptions readURLsConfig()
        Reads the engine's configured URLs for issuing certificates, CRL distribution points, and OCSP servers.
        Returns:
        URL options.
      • configCRL

        void configCRL(ConfigCRLOptions options)
        Configures engine's CRL.
        Parameters:
        options - CRL options.
      • readCRLConfig

        ConfigCRLOptions readCRLConfig()
        Reads the engine's CRL configuration.
        Returns:
        CRL options.
      • getCertificateAuthorityChain

        CAChainData.PEM getCertificateAuthorityChain()
        Retrieves the engine's CA chain (PEM encoded).
        Returns:
        Certificate authority chain.
      • getCertificateRevocationList

        CRLData.PEM getCertificateRevocationList()
        Retrieves the engine's CRL (PEM encoded).
        Returns:
        Certificate revocation list.
      • getCertificateRevocationList

        CRLData getCertificateRevocationList(DataFormat format)
        Retrieves the engine's CRL.
        Parameters:
        format - Format of the returned CRL data.
        Returns:
        Certificate revocation list.
      • rotateCertificateRevocationList

        boolean rotateCertificateRevocationList()
        Forces a rotation of the associated CRL.
      • getCertificates

        List<String> getCertificates()
        List all issued certificate serial numbers.
        Returns:
        List of certificate serial numbers.
      • getCertificate

        CertificateData.PEM getCertificate(String serial)
        Retrieve a specific certificate (PEM encoded).
        Parameters:
        serial - Serial number of certificate.
        Returns:
        Certificate or null if no certificate exists.
      • generateCertificate

        GeneratedCertificate generateCertificate(String role,
                                                 GenerateCertificateOptions options)
        Generates a public/private key pair and certificate issued from the engine's CA using the provided options.
        Parameters:
        role - Name of role used to create certificate.
        options - Certificate generation options.
        Returns:
        Generated certificate and private key.
      • signRequest

        SignedCertificate signRequest(String role,
                                      String pemSigningRequest,
                                      GenerateCertificateOptions options)
        Generates a certificate issued from the engine's CA using the provided Certificate Signing Request and options.
        Parameters:
        role - Name of role used to create certificate.
        pemSigningRequest - Certificate Signing Request (PEM encoded).
        options - Certificate generation options.
        Returns:
        Generated certificate.
      • revokeCertificate

        OffsetDateTime revokeCertificate(String serialNumber)
        Revokes a certificate.
        Parameters:
        serialNumber - Serial number of certificate.
        Returns:
        Time of the certificate's revocation.
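Revoking a certificate is only useful once relying parties can see the revocation, which is why the CRL calls above matter together. The following is an added example (not code from the Quarkus Vault project) that revokes a serial, forces a CRL rotation, and then confirms the serial is actually listed in the freshly fetched CRL before reporting success. It assumes the package names `io.quarkus.vault` and `io.quarkus.vault.pki`, CDI injection of the default PKI mount under the `jakarta` namespace, and that `CRLData.PEM` exposes the parsed `java.security.cert.X509CRL` through a `getCRL()` method; those names are assumptions, not taken from this page.

```java
import io.quarkus.vault.VaultPKISecretEngine;
import io.quarkus.vault.pki.CRLData;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

import java.math.BigInteger;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.time.OffsetDateTime;

/**
 * Revokes an issued certificate and does not report success until the engine's CRL
 * actually lists the serial, so callers never record a revocation that relying
 * parties cannot yet observe.
 */
@ApplicationScoped
public class CertificateRevoker {

    @Inject
    VaultPKISecretEngine pki;   // default PKI mount; CDI injection and package are assumptions

    public OffsetDateTime revokeAndConfirm(String serialNumber) throws Exception {
        // getCertificate returns null for an unknown serial (per the interface docs);
        // fail early instead of sending a probably mistyped serial to Vault.
        if (pki.getCertificate(serialNumber) == null) {
            throw new IllegalArgumentException("no certificate with serial " + serialNumber);
        }

        OffsetDateTime revokedAt = pki.revokeCertificate(serialNumber);

        // The CRL is rebuilt on the engine's own schedule; force a rotation so the
        // new entry is visible to anyone fetching the CRL right now.
        pki.rotateCertificateRevocationList();

        // Assumption: CRLData.PEM.getCRL() returns the parsed java.security.cert.X509CRL.
        CRLData.PEM crlPem = pki.getCertificateRevocationList();
        X509CRL crl = crlPem.getCRL();

        // Vault serials are colon-separated hex ("5f:2a:..."); X509CRL wants a BigInteger.
        BigInteger serial = new BigInteger(serialNumber.replace(":", ""), 16);
        X509CRLEntry entry = crl.getRevokedCertificate(serial);
        if (entry == null) {
            throw new IllegalStateException("CRL was rotated but does not list serial " + serialNumber);
        }
        return revokedAt;
    }
}
```

The post-rotation check is the part worth keeping even if the rest is adapted: a revocation that is recorded in Vault but absent from the CRL that clients actually download provides no protection, and surfacing that gap at revocation time is far cheaper than discovering it during an incident.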
      • updateRole

        void updateRole(String role,
                        RoleOptions options)
        Updates, or creates, a role.
        Parameters:
        role - Name of role.
        options - Options for role.
      • getRole

        RoleOptions getRole(String role)
        Retrieve current options for a role.
        Parameters:
        role - Name of role.
        Returns:
        Options for the role or null if role does not exist.
      • getRoles

        List<String> getRoles()
        Lists existing role names.
        Returns:
        List of role names.
      • deleteRole

        void deleteRole(String role)
        Deletes a role.
        Parameters:
        role - Name of role.
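The role is where the blast radius of `generateCertificate` and `signRequest` is decided: whatever the role allows, any caller holding a Vault token for that role can mint. The following is an added example (not code from the Quarkus Vault project) that provisions a narrowly scoped server-certificate role with `updateRole`, issues a short-lived certificate through it with `generateCertificate`, and verifies the returned leaf against the engine's CA before handing it out. The `RoleOptions` and `GenerateCertificateOptions` setter names, the public `certificate` field on `GeneratedCertificate`, the `getCertificate()` accessor on `CertificateData`, the package names and the CDI injection are assumptions mirroring the Vault role and issuance parameters of the same names; the hostname and domain are constructed sample values.

```java
import io.quarkus.vault.VaultPKISecretEngine;
import io.quarkus.vault.pki.GenerateCertificateOptions;
import io.quarkus.vault.pki.GeneratedCertificate;
import io.quarkus.vault.pki.RoleOptions;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

import java.security.cert.X509Certificate;
import java.util.List;

/**
 * Issues short-lived TLS server certificates through a role that is scoped as narrowly
 * as the role parameters allow, and verifies every certificate before returning it.
 */
@ApplicationScoped
public class ServiceCertIssuer {

    @Inject
    VaultPKISecretEngine pki;   // default PKI mount; CDI injection and package are assumptions

    /** Creates the role, or tightens it if it already exists (updateRole does both). */
    public void ensureRole(String roleName, String allowedDomain) {
        // Setter names are assumed; each mirrors the Vault role parameter of the same name.
        RoleOptions opts = new RoleOptions();
        opts.setAllowedDomains(List.of(allowedDomain)); // e.g. "svc.example.internal" (constructed)
        opts.setAllowSubdomains(true);                  // api.svc.example.internal is allowed ...
        opts.setAllowBareDomains(false);                // ... the domain itself is not
        opts.setAllowAnyName(false);                    // callers never choose arbitrary names
        opts.setEnforceHostnames(true);
        opts.setServerFlag(true);
        opts.setClientFlag(false);                      // a server cert must not double as a client identity
        opts.setKeyType("ec");
        opts.setKeyBits(256);
        opts.setMaxTimeToLive("72h");                   // hard ceiling regardless of what is requested
        opts.setTimeToLive("24h");                      // default when the request carries no TTL
        pki.updateRole(roleName, opts);
    }

    /** Issues a key pair and certificate for hostname and checks the result before returning it. */
    public GeneratedCertificate issue(String roleName, String hostname) throws Exception {
        RoleOptions role = pki.getRole(roleName);   // null when the role does not exist (per the docs)
        if (role == null) {
            throw new IllegalStateException("role " + roleName + " has not been provisioned");
        }

        GenerateCertificateOptions opts = new GenerateCertificateOptions();
        opts.setSubjectCommonName(hostname);   // assumed setter
        opts.setTimeToLive("24h");             // assumed setter
        GeneratedCertificate issued = pki.generateCertificate(roleName, opts);

        // Assumption: the leaf is exposed as a public 'certificate' field of type CertificateData,
        // whose getCertificate() returns the parsed X509Certificate.
        X509Certificate leaf = issued.certificate.getCertificate();
        X509Certificate ca = pki.getCertificateAuthority().getCertificate();
        leaf.verify(ca.getPublicKey());   // throws unless the engine's CA really signed it
        leaf.checkValidity();             // throws if not yet valid or already expired

        // The certificate must name the host it was requested for as a dNSName SAN (type 2).
        boolean sanMatches = leaf.getSubjectAlternativeNames() != null
                && leaf.getSubjectAlternativeNames().stream()
                       .anyMatch(san -> Integer.valueOf(2).equals(san.get(0)) && hostname.equals(san.get(1)));
        if (!sanMatches) {
            throw new IllegalStateException("issued certificate does not carry dNSName " + hostname);
        }
        return issued;
    }
}
```

The private key comes back in the returned `GeneratedCertificate` alongside the certificate, so the caller that receives it is the only place it should ever exist; nothing in this example writes it to disk. If the private key should never leave the workload at all, generate the key pair locally and use `signRequest` with a PEM CSR instead, which goes through the same role and therefore the same constraints.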
      • deleteRoot

        void deleteRoot()
        Deletes the engine's current CA.
      • signIntermediateCA

        SignedCertificate signIntermediateCA(String pemSigningRequest,
                                             SignIntermediateCAOptions options)
        Generates an intermediate CA certificate issued from the engine's CA using the provided Certificate Signing Request and options.
        Parameters:
        pemSigningRequest - Certificate Signing Request (PEM encoded).
        options - Signing options.
        Returns:
        Generated certificate.
      • generateIntermediateCSR

        GeneratedIntermediateCSRResult generateIntermediateCSR(GenerateIntermediateCSROptions options)
        Generates a Certificate Signing Request and private key for the engine's CA. Use this to produce a CSR for the engine's CA that another CA can sign to issue an intermediate CA certificate. After the intermediate CA certificate has been issued, setSignedIntermediateCA(String) must be used to set the engine's CA certificate. This will overwrite any previously existing CA private key for the engine.
        Parameters:
        options - Options for CSR generation.
        Returns:
        Generated CSR and, if key export is enabled, private key.
        See Also:
        setSignedIntermediateCA(String)
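The intermediate-CA methods above, together with `configURLs` and `configCRL`, form one procedure: generate a CSR in the mount that will become the intermediate, have the root mount sign it with `signIntermediateCA`, install the result with `setSignedIntermediateCA`, and publish the URLs relying parties need. The following is an added example (not code from the Quarkus Vault project) that carries that procedure through end to end with two `VaultPKISecretEngine` instances, one per mount, and finishes by checking that the new CA certificate really chains to the root and carries a path length of zero. It assumes the package names `io.quarkus.vault` and `io.quarkus.vault.pki`, the option setter names shown, a public `csr` field of type `CSRData` on `GeneratedIntermediateCSRResult` with a PEM `getData()` accessor, a public `certificate` field on `SignedCertificate` with a `getCertificate()` accessor, and that the caller already holds both engines; the hostnames and URLs are constructed placeholders.

```java
import io.quarkus.vault.VaultPKISecretEngine;
import io.quarkus.vault.pki.CSRData;
import io.quarkus.vault.pki.ConfigCRLOptions;
import io.quarkus.vault.pki.ConfigURLsOptions;
import io.quarkus.vault.pki.GenerateIntermediateCSROptions;
import io.quarkus.vault.pki.GeneratedIntermediateCSRResult;
import io.quarkus.vault.pki.SignIntermediateCAOptions;
import io.quarkus.vault.pki.SignedCertificate;

import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;

/**
 * Bootstraps an intermediate CA mount from a root CA mount. The intermediate's private key
 * is generated inside Vault and never exported; only a CSR and a certificate cross the boundary.
 */
public class IntermediateCaBootstrap {

    // Constructed placeholder for the intermediate mount's public base URL.
    private static final String INT_BASE = "https://vault.example.internal:8200/v1/pki_int";

    public static X509Certificate bootstrap(VaultPKISecretEngine rootPki,
                                            VaultPKISecretEngine intermediatePki) throws Exception {
        // 1. Key pair and CSR are created inside the intermediate mount (key export stays off).
        GenerateIntermediateCSROptions csrOpts = new GenerateIntermediateCSROptions();
        csrOpts.setSubjectCommonName("Example Intermediate CA");   // assumed setter names
        csrOpts.setKeyType("rsa");
        csrOpts.setKeyBits(4096);
        GeneratedIntermediateCSRResult result = intermediatePki.generateIntermediateCSR(csrOpts);
        String pemCsr = ((CSRData.PEM) result.csr).getData();       // assumed field and PEM accessor

        // 2. The root signs with a bounded lifetime and pathlen 0, so this CA cannot create sub-CAs.
        SignIntermediateCAOptions signOpts = new SignIntermediateCAOptions();
        signOpts.setTimeToLive("43800h");   // assumed setter
        signOpts.setMaxPathLength(0);       // assumed setter
        SignedCertificate signed = rootPki.signIntermediateCA(pemCsr, signOpts);

        // 3. Install the signed certificate in the intermediate mount. PEM is re-encoded from the parsed
        //    certificate so this step does not depend on which data format the signing call returned.
        intermediatePki.setSignedIntermediateCA(toPem(signed.certificate.getCertificate()));

        // 4. Publish where relying parties fetch the issuer certificate and CRL; leaf certificates issued
        //    from this mount embed these URLs, so clients cannot check revocation without them.
        ConfigURLsOptions urls = new ConfigURLsOptions();
        urls.setIssuingCertificates(List.of(INT_BASE + "/ca"));      // assumed setter names
        urls.setCrlDistributionPoints(List.of(INT_BASE + "/crl"));
        intermediatePki.configURLs(urls);

        ConfigCRLOptions crlOpts = new ConfigCRLOptions();
        crlOpts.setExpiry("72h");   // assumed setter; CRL lifetime, after which clients treat it as stale
        intermediatePki.configCRL(crlOpts);

        // 5. Verify the outcome: signed by the root, and a CA with path length exactly 0.
        X509Certificate intermediate = intermediatePki.getCertificateAuthority().getCertificate();
        X509Certificate root = rootPki.getCertificateAuthority().getCertificate();
        intermediate.verify(root.getPublicKey());
        if (intermediate.getBasicConstraints() != 0) {
            throw new IllegalStateException("expected CA with pathlen 0, got basicConstraints="
                    + intermediate.getBasicConstraints());
        }
        return intermediate;
    }

    /** Encodes a certificate as a single PEM block, 64 characters per line. */
    private static String toPem(X509Certificate cert) throws Exception {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }
}
```

`X509Certificate.getBasicConstraints()` returns -1 for a non-CA certificate and the path length constraint otherwise (`Integer.MAX_VALUE` when no limit is encoded), so the equality check above enforces both that the mount really became a CA and that the root honoured the requested path length. Run the bootstrap once per intermediate mount; `generateIntermediateCSR` overwrites any existing CA private key in that mount, as the method's documentation above notes.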
      • tidy

        void tidy(TidyOptions options)
        Tidy up the storage backend and/or CRL by removing certificates that have expired and are past a certain buffer period beyond their expiration time.
        Parameters:
        options - Tidy options.