All Implemented Interfaces:
ApiRequest<PkiRole.Request>
Enclosing class:
PkiRole

public static final class PkiRole.Request extends VaultRequest<PkiRole.Request>
Request object. Can be configured with additional headers, query parameters etc.
  • Method Details

    • builder

      public static PkiRole.Request builder()
      Fluent API builder for configuring a request. The request builder is passed as is, without a build method. The equivalent of a build method is ApiJsonBuilder.toJson(jakarta.json.JsonBuilderFactory) used by the RestApi.
      Returns:
      new request builder
    • ttl

      public PkiRole.Request ttl(Duration ttl)
      Specifies the Time To Live value. If not set, uses the system default value or the value of maxTtl(java.time.Duration), whichever is shorter.
      Parameters:
      ttl - duration to use
      Returns:
      updated request
    • maxTtl

      public PkiRole.Request maxTtl(Duration maxTtl)
      Specifies the maximum Time To Live. If not set, defaults to the system maximum lease TTL.
      Parameters:
      maxTtl - duration to use
      Returns:
      updated request
    • allowLocalhost

      public PkiRole.Request allowLocalhost(boolean allowLocalhost)
      Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.
      Parameters:
      allowLocalhost - whether to allow localhost
      Returns:
      updated request
    • allowedDomainTemplates

      public PkiRole.Request allowedDomainTemplates(boolean allowDomainTemplates)
      When set, allowed_domains may contain templates, as with ACL Path Templating.
      Parameters:
      allowDomainTemplates - whether to allow templates in domains
      Returns:
      updated request
    • allowBareDomains

      public PkiRole.Request allowBareDomains(boolean allowBareDomains)
      Specifies if clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.
      Parameters:
      allowBareDomains - whether to allow bare domains
      Returns:
      updated request
    • allowSubDomains

      public PkiRole.Request allowSubDomains(boolean allowSubDomains)
      Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.
      Parameters:
      allowSubDomains - whether to allow subdomains
      Returns:
      updated request
    • allowGlobDomains

      public PkiRole.Request allowGlobDomains(boolean allowGlobDomains)
      Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.
      Parameters:
      allowGlobDomains - whether to allow glob domains
      Returns:
      updated request
    • allowAnyName

      public PkiRole.Request allowAnyName(boolean allowAnyName)
      Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
      Parameters:
      allowAnyName - whether to allow any name
      Returns:
      updated request
    • enforceHostnames

      public PkiRole.Request enforceHostnames(boolean enforceHostnames)
      Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.
      Parameters:
      enforceHostnames - whether to enforce hostnames
      Returns:
      updated request
    • allowIpSans

      public PkiRole.Request allowIpSans(boolean allowIpSans)
      Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.
      Parameters:
      allowIpSans - whether to allow IP subject alternative names
      Returns:
      updated request
    • serverFlag

      public PkiRole.Request serverFlag(boolean serverFlag)
      Specifies if certificates are flagged for server use. Defaults to true.
      Parameters:
      serverFlag - whether the certificates are flagged for server use
      Returns:
      updated request
    • clientFlag

      public PkiRole.Request clientFlag(boolean clientFlag)
      Specifies if certificates are flagged for client use. Defaults to true.
      Parameters:
      clientFlag - whether the certificates are flagged for client use
      Returns:
      updated request
    • codeSigningFlag

      public PkiRole.Request codeSigningFlag(boolean codeSigningFlag)
      Specifies if certificates are flagged for code signing use. Defaults to false.
      Parameters:
      codeSigningFlag - whether the certificates are flagged for code signing use
      Returns:
      updated request
    • emailProtectionFlag

      public PkiRole.Request emailProtectionFlag(boolean emailProtectionFlag)
      Specifies if certificates are flagged for email protection use. Defaults to false.
      Parameters:
      emailProtectionFlag - whether the certificates are flagged for email protection use
      Returns:
      updated request
    • keyType

      public PkiRole.Request keyType(String keyType)
      Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or when signing CSRs any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).

      Defaults to "rsa".

      Parameters:
      keyType - key type
      Returns:
      updated request
    • keyBits

      public PkiRole.Request keyBits(int keyBits)
      Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys, e.g., 224, 256, 384 or 521.

      Defaults to 2048.

      Parameters:
      keyBits - number of bits to use
      Returns:
      updated request
    • keyUsage

      public PkiRole.Request keyUsage(List<String> keyUsage)
      Configure list of usages. Specifies the allowed key usage constraint on issued certificates. Valid values can be found at Key Usage - simply drop the KeyUsage part of the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.

      Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"].

      Parameters:
      keyUsage - list of usages
      Returns:
      updated request
    • useCsrCommonName

      public PkiRole.Request useCsrCommonName(boolean useCsrCommonName)
      When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR; use useCsrSans(boolean) for that.

      Defaults to true.

      Parameters:
      useCsrCommonName - whether to use the CSR common name
      Returns:
      updated request
    • useCsrSans

      public PkiRole.Request useCsrSans(boolean useCsrSans)
      When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data. This does not include the common name in the CSR; use useCsrCommonName(boolean) for that.

      Defaults to true.

      Parameters:
      useCsrSans - whether to use the CSR subject alternative names
      Returns:
      updated request
    • serialNumber

      public PkiRole.Request serialNumber(String serialNumber)
      Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names using OID 2.5.4.5.
      Parameters:
      serialNumber - serial number to use
      Returns:
      updated request
    • generateLease

      public PkiRole.Request generateLease(boolean generateLease)
      Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke lease_id when certificates are associated with leases. It can also be done using the pki/revoke endpoint. However, when lease generation is disabled, invoking pki/revoke would be the only way to add the certificates to the CRL.

      Defaults to false.

      Parameters:
      generateLease - whether Vault leases are attached to generated certificates
      Returns:
      updated request
    • noStore

      public PkiRole.Request noStore(boolean noStore)
      If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generateLease(boolean).

      Defaults to false.

      Parameters:
      noStore - if set to true, certificates are not stored in Vault
      Returns:
      updated request
    • requireCn

      public PkiRole.Request requireCn(boolean requireCn)
      If set to false, makes the common name field optional while generating a certificate.

      Defaults to true.

      Parameters:
      requireCn - set to false to make common name optional
      Returns:
      updated request
    • basicConstraintsValidForNonCa

      public PkiRole.Request basicConstraintsValidForNonCa(boolean basicConstraintsValidForNonCa)
      Mark Basic Constraints valid when issuing non-CA certificates.
      Parameters:
      basicConstraintsValidForNonCa - defaults to false
      Returns:
      updated request
    • notBeforeDuration

      public PkiRole.Request notBeforeDuration(Duration notBeforeDuration)
      Specifies the duration by which to backdate the NotBefore property.
      Parameters:
      notBeforeDuration - duration
      Returns:
      updated request
    • addAllowedDomain

      public PkiRole.Request addAllowedDomain(String domain)
      Specifies the domains of the role. This is used with the allowBareDomains(boolean) and allowSubDomains(boolean) options.
      Parameters:
      domain - domain
      Returns:
      updated request
    • addAllowedUriSan

      public PkiRole.Request addAllowedUriSan(String subjectAlternativeName)
      Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/*).
      Parameters:
      subjectAlternativeName - san
      Returns:
      updated request
    • addAllowedOtherSan

      public PkiRole.Request addAllowedOtherSan(String subjectAlternativeName)
      Defines allowed custom OID/UTF8-string SANs. This can be a comma-delimited list or a JSON string slice, where each element has the same format as OpenSSL: <oid>;<type>:<value>, but the only valid type is UTF8 or UTF-8. The value part of an element may be a * to allow any value with that OID. Alternatively, specifying a single * will allow any other_sans input.
      Parameters:
      subjectAlternativeName - san
      Returns:
      updated request
    • addExtKeyUsage

      public PkiRole.Request addExtKeyUsage(String extKeyUsage)
      Specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at Ext Key usage - simply drop the ExtKeyUsage part of the value. Values are not case-sensitive.
      Parameters:
      extKeyUsage - key usage
      Returns:
      updated request
    • addExtKeyUsageOid

      public PkiRole.Request addExtKeyUsageOid(String extKeyUsageOid)
      Add an extended usage OID.
      Parameters:
      extKeyUsageOid - OID of an ext key usage
      Returns:
      updated request
    • addOrgUnit

      public PkiRole.Request addOrgUnit(String orgUnit)
      Adds an OU (OrganizationalUnit) value in the subject field of issued certificates.
      Parameters:
      orgUnit - organization unit to add
      Returns:
      updated request
    • addOrg

      public PkiRole.Request addOrg(String org)
      Adds an O (Organization) value in the subject field of issued certificates.
      Parameters:
      org - organization to add
      Returns:
      updated request
    • addCountry

      public PkiRole.Request addCountry(String country)
      Adds the C (Country) value in the subject field of issued certificates.
      Parameters:
      country - country to add
      Returns:
      updated request
    • addLocality

      public PkiRole.Request addLocality(String locality)
      Adds the L (Locality) value in the subject field of issued certificates.
      Parameters:
      locality - locality to add
      Returns:
      updated request
    • addProvince

      public PkiRole.Request addProvince(String province)
      Adds an ST (Province) value in the subject field of issued certificates.
      Parameters:
      province - province to add
      Returns:
      updated request
    • addStreetAddress

      public PkiRole.Request addStreetAddress(String streetAddress)
      Adds a Street Address value in the subject field of issued certificates.
      Parameters:
      streetAddress - street address to add
      Returns:
      updated request
    • addPostalCode

      public PkiRole.Request addPostalCode(String postalCode)
      Adds a Postal Code value in the subject field of issued certificates.
      Parameters:
      postalCode - postal code to add
      Returns:
      updated request
    • addPolicyIdentifier

      public PkiRole.Request addPolicyIdentifier(String policyIdentifierOid)
      Add a policy identifier OID.
      Parameters:
      policyIdentifierOid - policy identifier OID
      Returns:
      updated request
    • roleName

      public PkiRole.Request roleName(String roleName)
      Configure role name.
      Parameters:
      roleName - name of the role
      Returns:
      updated request
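Putting the builder methods above together, here is an added example (not code from Helidon or the Vault project) of a deliberately narrow PKI role: names are confined to subdomains of one zone, IP SANs and arbitrary CNs are refused, certificates are short-lived and server-only, and they stay in storage so they remain revocable. The `Pki` client type, its package and its `createUpdateRole(PkiRole.Request)` method are assumed; every builder call is one documented on this page.

```java
import java.time.Duration;
import java.util.List;

import io.helidon.integrations.vault.secrets.pki.Pki;      // assumed package
import io.helidon.integrations.vault.secrets.pki.PkiRole;  // assumed package

public final class RestrictiveRoleExample {

    // Builds the role request; "svc.example.internal" is a constructed sample zone.
    static PkiRole.Request internalWebRole() {
        return PkiRole.Request.builder()
                .roleName("internal-web")
                // Name constraints: subdomains of the listed zone only.
                // No bare domain, no globs, no arbitrary CN, no localhost.
                .addAllowedDomain("svc.example.internal")
                .allowSubDomains(true)
                .allowBareDomains(false)
                .allowGlobDomains(false)
                .allowAnyName(false)
                .allowLocalhost(false)
                .enforceHostnames(true)
                // IP SANs are only syntax-checked by Vault, so refuse them here.
                .allowIpSans(false)
                // Short-lived leaf certificates, backdated slightly for clock skew.
                .ttl(Duration.ofHours(24))
                .maxTtl(Duration.ofHours(72))
                .notBeforeDuration(Duration.ofSeconds(30))
                // Server authentication only: no client, code-signing or e-mail use.
                .serverFlag(true)
                .clientFlag(false)
                .codeSigningFlag(false)
                .emailProtectionFlag(false)
                .addExtKeyUsage("ServerAuth")
                // EC keys sign; they do not encipher, so DigitalSignature suffices.
                .keyType("ec")
                .keyBits(256)
                .keyUsage(List.of("DigitalSignature"))
                // Keep certificates stored so they can be enumerated and revoked
                // through pki/revoke; no leases are needed for that.
                .noStore(false)
                .generateLease(false);
    }

    // Sends the role to Vault; createUpdateRole is an assumed method name.
    static void configure(Pki pki) {
        pki.createUpdateRole(internalWebRole());
    }
}
```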