Package io.quarkus.vault.runtime

Class VaultPKIManager

java.lang.Object

io.quarkus.vault.runtime.VaultPKIManager

All Implemented Interfaces:

VaultPKISecretEngine

@ApplicationScoped
public class VaultPKIManager
extends Object
implements VaultPKISecretEngine

Constructor Summary

Constructors

Constructor	Description
VaultPKIManager(VaultAuthManager vaultAuthManager, VaultInternalPKISecretEngine vaultInternalPKISecretEngine)
VaultPKIManager(String mount, VaultAuthManager vaultAuthManager, VaultInternalPKISecretEngine vaultInternalPKISecretEngine)

Method Summary

Modifier and Type	Method	Description
void	configCertificateAuthority(String pemBundle)	Configures the engine's CA.
void	configCRL(ConfigCRLOptions options)	Configures engine's CRL.
void	configURLs(ConfigURLsOptions options)	Configures engine's URLs for issuing certificates, CRL distribution points, and OCSP servers.
void	deleteRole(String role)	Deletes a role.
void	deleteRoot()	Deletes the engine's current CA.
GeneratedCertificate	generateCertificate(String role, GenerateCertificateOptions options)	Generates a public/private key pair and certificate issued from the engine's CA using the provided options.
GeneratedIntermediateCSRResult	generateIntermediateCSR(GenerateIntermediateCSROptions options)	Generates a Certificate Signing Request and private key for the engine's CA.
GeneratedRootCertificate	generateRoot(GenerateRootOptions options)	Generates a self-signed root as the engine's CA.
CertificateData.PEM	getCertificate(String serial)	Retrieve a specific certificate (PEM encoded).
CertificateData.PEM	getCertificateAuthority()	Retrieves the engine's CA certificate (PEM encoded).
CertificateData	getCertificateAuthority(DataFormat format)	Retrieves the engine's CA certificate.
CAChainData.PEM	getCertificateAuthorityChain()	Retrieves the engine's CA chain (PEM encoded).
CRLData.PEM	getCertificateRevocationList()	Retrieves the engine's CRL (PEM encoded).
CRLData	getCertificateRevocationList(DataFormat format)	Retrieves the engine's CRL.
List<String>	getCertificates()	List all issued certificate serial numbers.
RoleOptions	getRole(String role)	Retrieve current options for a role.
List<String>	getRoles()	Lists existing role names.
ConfigCRLOptions	readCRLConfig()	Read engine's CRL configuration.
ConfigURLsOptions	readURLsConfig()	Read engine's configured URLs for issuing certificates, CRL distribution points, and OCSP servers.
OffsetDateTime	revokeCertificate(String serialNumber)	Revokes a certificate.
boolean	rotateCertificateRevocationList()	Forces a rotation of the associated CRL.
void	setSignedIntermediateCA(String pemCert)	Sets the engine's intermediate CA certificate, signed by another CA.
SignedCertificate	signIntermediateCA(String pemSigningRequest, SignIntermediateCAOptions options)	Generates an intermediate CA certificate issued from the engine's CA using the provided Certificate Signing Request and options.
SignedCertificate	signRequest(String role, String pemSigningRequest, GenerateCertificateOptions options)	Generates a certificate issued from the engine's CA using the provided Certificate Signing Request and options.
void	tidy(TidyOptions options)	Tidy up the storage backend and/or CRL by removing certificates that have expired and are past a certain buffer period beyond their expiration time.
void	updateRole(String role, RoleOptions options)	Updates, or creates, a role.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

VaultPKIManager

@Inject
public VaultPKIManager(VaultAuthManager vaultAuthManager,
                       VaultInternalPKISecretEngine vaultInternalPKISecretEngine)

VaultPKIManager

VaultPKIManager(String mount,
                VaultAuthManager vaultAuthManager,
                VaultInternalPKISecretEngine vaultInternalPKISecretEngine)

Method Detail

getCertificateAuthority

public CertificateData.PEM getCertificateAuthority()

Description copied from interface: VaultPKISecretEngine

Retrieves the engine's CA certificate (PEM encoded).

Specified by:

getCertificateAuthority in interface VaultPKISecretEngine

Returns:

Certificate authority certificate.

getCertificateAuthority

public CertificateData getCertificateAuthority(DataFormat format)

Description copied from interface: VaultPKISecretEngine

Retrieves the engine's CA certificate.

Specified by:

getCertificateAuthority in interface VaultPKISecretEngine

Parameters:

format - Format of the returned certificate data.

Returns:

Certificate authority certificate.

configCertificateAuthority

public void configCertificateAuthority(String pemBundle)

Description copied from interface: VaultPKISecretEngine

Configures the engine's CA.

Specified by:

configCertificateAuthority in interface VaultPKISecretEngine

Parameters:

pemBundle - PEM encoded bundle including the CA, with optional chain, and private key.

configURLs

public void configURLs(ConfigURLsOptions options)

Description copied from interface: VaultPKISecretEngine

Configures engine's URLs for issuing certificates, CRL distribution points, and OCSP servers.

Specified by:

configURLs in interface VaultPKISecretEngine

Parameters:

options - URL options.

readURLsConfig

public ConfigURLsOptions readURLsConfig()

Description copied from interface: VaultPKISecretEngine

Read engine's configured URLs for issuing certificates, CRL distribution points, and OCSP servers.

Specified by:

readURLsConfig in interface VaultPKISecretEngine

Returns:

URL options.

configCRL

public void configCRL(ConfigCRLOptions options)

Description copied from interface: VaultPKISecretEngine

Configures engine's CRL.

Specified by:

configCRL in interface VaultPKISecretEngine

Parameters:

options - CRL options.

readCRLConfig

public ConfigCRLOptions readCRLConfig()

Description copied from interface: VaultPKISecretEngine

Read engine's CRL configuration.

Specified by:

readCRLConfig in interface VaultPKISecretEngine

Returns:

URL options.

getCertificateAuthorityChain

public CAChainData.PEM getCertificateAuthorityChain()

Description copied from interface: VaultPKISecretEngine

Retrieves the engine's CA chain (PEM encoded).

Specified by:

getCertificateAuthorityChain in interface VaultPKISecretEngine

Returns:

Certificate authority chain.

getCertificateRevocationList

public CRLData.PEM getCertificateRevocationList()

Description copied from interface: VaultPKISecretEngine

Retrieves the engine's CRL (PEM encoded).

Specified by:

getCertificateRevocationList in interface VaultPKISecretEngine

Returns:

Certificate revocation list.

getCertificateRevocationList

public CRLData getCertificateRevocationList(DataFormat format)

Description copied from interface: VaultPKISecretEngine

Retrieves the engine's CRL.

Specified by:

getCertificateRevocationList in interface VaultPKISecretEngine

Parameters:

format - Format of the returned crl data.

Returns:

Certificate revocation list.

rotateCertificateRevocationList

public boolean rotateCertificateRevocationList()

Description copied from interface: VaultPKISecretEngine

Forces a rotation of the associated CRL.

Specified by:

rotateCertificateRevocationList in interface VaultPKISecretEngine

getCertificates

public List<String> getCertificates()

Description copied from interface: VaultPKISecretEngine

List all issued certificate serial numbers.

Specified by:

getCertificates in interface VaultPKISecretEngine

Returns:

List of certificate serialize numbers.

getCertificate

public CertificateData.PEM getCertificate(String serial)

Description copied from interface: VaultPKISecretEngine

Retrieve a specific certificate (PEM encoded).

Specified by:

getCertificate in interface VaultPKISecretEngine

Parameters:

serial - Serial number of certificate.

Returns:

Certificate or null if no certificate exists.

generateCertificate

public GeneratedCertificate generateCertificate(String role,
                                                GenerateCertificateOptions options)

Description copied from interface: VaultPKISecretEngine

Generates a public/private key pair and certificate issued from the engine's CA using the provided options.

Specified by:

generateCertificate in interface VaultPKISecretEngine

Parameters:

role - Name of role used to create certificate.

options - Certificate generation options.

Returns:

Generated certificate and private key.

signRequest

public SignedCertificate signRequest(String role,
                                     String pemSigningRequest,
                                     GenerateCertificateOptions options)

Description copied from interface: VaultPKISecretEngine

Generates a certificate issued from the engine's CA using the provided Certificate Signing Request and options.

Specified by:

signRequest in interface VaultPKISecretEngine

Parameters:

role - Name of role used to create certificate.

pemSigningRequest - Certificate Signing Request (PEM encoded).

options - Certificate generation options.

Returns:

Generated certificate.

revokeCertificate

public OffsetDateTime revokeCertificate(String serialNumber)

Description copied from interface: VaultPKISecretEngine

Revokes a certificate.

Specified by:

revokeCertificate in interface VaultPKISecretEngine

Parameters:

serialNumber - Serial number of certificate.

Returns:

Time of certificates revocation.

updateRole

public void updateRole(String role,
                       RoleOptions options)

Description copied from interface: VaultPKISecretEngine

Updates, or creates, a role.

Specified by:

updateRole in interface VaultPKISecretEngine

Parameters:

role - Name of role.

options - Options for role.

getRole

public RoleOptions getRole(String role)

Description copied from interface: VaultPKISecretEngine

Retrieve current options for a role.

Specified by:

getRole in interface VaultPKISecretEngine

Parameters:

role - Name of role.

Returns:

Options for the role or null if role does not exist.

getRoles

public List<String> getRoles()

Description copied from interface: VaultPKISecretEngine

Lists existing role names.

Specified by:

getRoles in interface VaultPKISecretEngine

Returns:

List of role names.

deleteRole

public void deleteRole(String role)

Description copied from interface: VaultPKISecretEngine

Deletes a role.

Specified by:

deleteRole in interface VaultPKISecretEngine

Parameters:

role - Name of role.

generateRoot

public GeneratedRootCertificate generateRoot(GenerateRootOptions options)

Description copied from interface: VaultPKISecretEngine

Generates a self-signed root as the engine's CA.

Specified by:

generateRoot in interface VaultPKISecretEngine

Parameters:

options - Generation options.

Returns:

Generated root certificate.

deleteRoot

public void deleteRoot()

Description copied from interface: VaultPKISecretEngine

Deletes the engine's current CA.

Specified by:

deleteRoot in interface VaultPKISecretEngine

signIntermediateCA

public SignedCertificate signIntermediateCA(String pemSigningRequest,
                                            SignIntermediateCAOptions options)

Description copied from interface: VaultPKISecretEngine

Generates an intermediate CA certificate issued from the engine's CA using the provided Certificate Signing Request and options.

Specified by:

signIntermediateCA in interface VaultPKISecretEngine

Parameters:

pemSigningRequest - Certificate Signing Request (PEM encoded).

options - Signing options.

Returns:

Generated certificate.

generateIntermediateCSR

public GeneratedIntermediateCSRResult generateIntermediateCSR(GenerateIntermediateCSROptions options)

Description copied from interface: VaultPKISecretEngine

Generates a Certificate Signing Request and private key for the engine's CA. Use this to generate a CSR and for the engine's CA that can be used by another CA to issue an intermediate CA certificate. After generating the intermediate CA VaultPKISecretEngine.setSignedIntermediateCA(String) must be used to set the engine's CA certificate. This will overwrite any previously existing CA private key for the engine.

Specified by:

generateIntermediateCSR in interface VaultPKISecretEngine

Parameters:

options - Options for CSR generation.

Returns:

Generated CSR and, if key export is enabled, private key.

See Also:

VaultPKISecretEngine.setSignedIntermediateCA(String)

setSignedIntermediateCA

public void setSignedIntermediateCA(String pemCert)

Description copied from interface: VaultPKISecretEngine

Sets the engine's intermediate CA certificate, signed by another CA. After generating a CSR (via VaultPKISecretEngine.generateIntermediateCSR(GenerateIntermediateCSROptions)), this method must be used to set the engine's CA.

Specified by:

setSignedIntermediateCA in interface VaultPKISecretEngine

Parameters:

pemCert - Signed certificate (PEM encoded).

See Also:

VaultPKISecretEngine.generateIntermediateCSR(GenerateIntermediateCSROptions)

tidy

public void tidy(TidyOptions options)

Description copied from interface: VaultPKISecretEngine

Tidy up the storage backend and/or CRL by removing certificates that have expired and are past a certain buffer period beyond their expiration time.

Specified by:

tidy in interface VaultPKISecretEngine

Parameters:

options - Tidy options.