Class PkiRole.Request

    • Method Detail

      • ttl

        public PkiRole.Request ttl​(Duration ttl)
        Specifies the Time To Live value. If not set, uses the system default value or the value of maxTtl(java.time.Duration), whichever is shorter.
        Parameters:
        ttl - duration to use
        Returns:
        updated request
      • maxTtl

        public PkiRole.Request maxTtl​(Duration maxTtl)
        Specifies the maximum Time To Live. If not set, defaults to the system maximum lease TTL.
        Parameters:
        maxTtl - duration to use
        Returns:
        updated request
      • allowLocalhost

        public PkiRole.Request allowLocalhost​(boolean allowLocalhost)
        Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.
        Parameters:
        allowLocalhost - whether to allow localhost
        Returns:
        updated request
      • allowedDomainTemplates

        public PkiRole.Request allowedDomainTemplates​(boolean allowDomainTemplates)
        When set, allowed_domains may contain templates, as with ACL Path Templating.
        Parameters:
        allowDomainTemplates - whether to allow templates in domains
        Returns:
        updated request
      • allowBareDomains

        public PkiRole.Request allowBareDomains​(boolean allowBareDomains)
        Specifies if clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios this can be a security risk, because a role intended to issue host certificates under example.com can then also issue for the apex name example.com itself.
        Parameters:
        allowBareDomains - whether to allow bare domains
        Returns:
        updated request
      • allowSubDomains

        public PkiRole.Request allowSubDomains​(boolean allowSubDomains)
        Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.
        Parameters:
        allowSubDomains - whether to allow subdomains
        Returns:
        updated request
      • allowGlobDomains

        public PkiRole.Request allowGlobDomains​(boolean allowGlobDomains)
        Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.
        Parameters:
        allowGlobDomains - whether to allow glob domains
        Returns:
        updated request
      • allowAnyName

        public PkiRole.Request allowAnyName​(boolean allowAnyName)
        Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
        Parameters:
        allowAnyName - whether to allow any name
        Returns:
        updated request
      • enforceHostnames

        public PkiRole.Request enforceHostnames​(boolean enforceHostnames)
        Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.
        Parameters:
        enforceHostnames - whether to enforce hostnames
        Returns:
        updated request
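The name flags above (allowLocalhost, allowBareDomains, allowSubDomains, allowGlobDomains, allowAnyName, enforceHostnames) interact, and the safest way to understand a role is to trace which requested names it would accept. The class below is an added example, not Vault's or Helidon's code: it models the documented behaviour of those flags for DNS names so a practitioner can compare a tight and a loose role side by side. It assumes the role's allowed_domains list is available as a Set<String> (its setter is not part of this excerpt), uses a simple RFC 1123 check for enforce_hostnames, and does not model IP SANs; Vault's own checks remain authoritative.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Illustrative model of how a role's name flags gate a requested DNS name.
 * Added example approximating the documented behaviour of allow_localhost,
 * allow_bare_domains, allow_subdomains, allow_glob_domains, allow_any_name and
 * enforce_hostnames. Not Vault's or Helidon's code.
 */
public final class NamePolicy {
    // RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, at most 63 chars
    private static final Pattern LABEL =
            Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    private final Set<String> allowedDomains;   // the role's allowed_domains (assumed configured elsewhere)
    private final boolean allowLocalhost;
    private final boolean allowBareDomains;
    private final boolean allowSubDomains;
    private final boolean allowGlobDomains;
    private final boolean allowAnyName;
    private final boolean enforceHostnames;

    NamePolicy(Set<String> allowedDomains, boolean allowLocalhost, boolean allowBareDomains,
               boolean allowSubDomains, boolean allowGlobDomains, boolean allowAnyName,
               boolean enforceHostnames) {
        this.allowedDomains = allowedDomains;
        this.allowLocalhost = allowLocalhost;
        this.allowBareDomains = allowBareDomains;
        this.allowSubDomains = allowSubDomains;
        this.allowGlobDomains = allowGlobDomains;
        this.allowAnyName = allowAnyName;
        this.enforceHostnames = enforceHostnames;
    }

    /** Returns true when a role with these flags would issue for the given DNS name. */
    boolean permits(String requested) {
        String name = requested.toLowerCase();
        // enforce_hostnames applies before any allow_* flag, including allow_any_name
        if (enforceHostnames && !isHostname(name)) {
            return false;
        }
        if (allowAnyName) {
            return true;
        }
        if (allowLocalhost && name.equals("localhost")) {
            return true;
        }
        for (String configured : allowedDomains) {
            String domain = configured.toLowerCase();
            if (allowGlobDomains && domain.contains("*") && globMatches(domain, name)) {
                return true;
            }
            if (allowBareDomains && name.equals(domain)) {
                return true;
            }
            // subdomains: foo.example.com and the wildcard *.example.com, never example.com itself
            if (allowSubDomains && name.endsWith("." + domain) && name.length() > domain.length() + 1) {
                return true;
            }
        }
        return false;
    }

    private static boolean isHostname(String name) {
        // a single leading wildcard label is tolerated; every remaining label must be RFC 1123
        String rest = name.startsWith("*.") ? name.substring(2) : name;
        if (rest.isEmpty() || rest.length() > 253) {
            return false;
        }
        for (String label : rest.split("\\.", -1)) {
            if (!LABEL.matcher(label).matches()) {
                return false;
            }
        }
        return true;
    }

    private static boolean globMatches(String glob, String name) {
        // '*' matches any run of characters; everything else in the pattern is literal
        String regex = "^" + Pattern.quote(glob).replace("*", "\\E.*\\Q") + "$";
        return Pattern.compile(regex).matcher(name).matches();
    }

    public static void main(String[] args) {
        Set<String> domains = Set.of("example.com", "ftp*.example.net");   // constructed sample
        // tight: subdomains of the allowed domains only, hostnames enforced, nothing else on
        NamePolicy tight = new NamePolicy(domains, false, false, true, false, false, true);
        // loose: every allow_* flag on; enforce_hostnames still rejects malformed names
        NamePolicy loose = new NamePolicy(domains, true, true, true, true, true, true);

        List<String> names = List.of("api.example.com", "*.example.com", "example.com",
                                     "evilexample.com", "ftp01.example.net", "localhost",
                                     "bad host.example.com");
        for (String n : names) {
            System.out.printf("%-24s tight=%-5b loose=%b%n", n, tight.permits(n), loose.permits(n));
        }
    }
}
```

Under the tight policy only names that are strict subdomains of example.com (including the *.example.com wildcard) get through; the apex, the look-alike evilexample.com, localhost and the glob-only name are refused. The loose policy accepts all of them because allow_any_name short-circuits every other check, which is why that flag deserves the warning in its description; the one thing it does not override is enforce_hostnames, so the name containing a space is rejected by both.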
      • allowIpSans

        public PkiRole.Request allowIpSans​(boolean allowIpSans)
        Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.
        Parameters:
        allowIpSans - whether to allow IP subject alternative names
        Returns:
        updated request
      • serverFlag

        public PkiRole.Request serverFlag​(boolean serverFlag)
        Specifies if certificates are flagged for server use. Defaults to true.
        Parameters:
        serverFlag - whether the certificates are flagged for server use
        Returns:
        updated request
      • clientFlag

        public PkiRole.Request clientFlag​(boolean clientFlag)
        Specifies if certificates are flagged for client use. Defaults to true.
        Parameters:
        clientFlag - whether the certificates are flagged for client use
        Returns:
        updated request
      • codeSigningFlag

        public PkiRole.Request codeSigningFlag​(boolean codeSigningFlag)
        Specifies if certificates are flagged for code signing use. Defaults to false.
        Parameters:
        codeSigningFlag - whether the certificates are flagged for code signing use
        Returns:
        updated request
      • emailProtectionFlag

        public PkiRole.Request emailProtectionFlag​(boolean emailProtectionFlag)
        Specifies if certificates are flagged for email protection use. Defaults to false.
        Parameters:
        emailProtectionFlag - whether the certificates are flagged for email protection use
        Returns:
        updated request
      • keyType

        public PkiRole.Request keyType​(String keyType)
        Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or when signing CSRs any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).

        Defaults to "rsa".

        Parameters:
        keyType - key type
        Returns:
        updated request
        See Also:
        PkiSecretsRx.KEY_TYPE_RSA, PkiSecretsRx.KEY_TYPE_EC
      • keyBits

        public PkiRole.Request keyBits​(int keyBits)
        Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys, e.g., 224, 256, 384 or 521.

        Defaults to 2048.

        Parameters:
        keyBits - number of bits to use
        Returns:
        updated request
      • keyUsage

        public PkiRole.Request keyUsage​(List<String> keyUsage)
        Configures the list of usages. Specifies the allowed key usage constraint on issued certificates. Valid values are the names of the Go crypto/x509 KeyUsage constants with the KeyUsage prefix dropped (e.g. DigitalSignature, KeyEncipherment, KeyAgreement). Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.

        Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"].

        Parameters:
        keyUsage - list of usages
        Returns:
        updated request
      • useCsrCommonName

        public PkiRole.Request useCsrCommonName​(boolean useCsrCommonName)
        When used with the CSR signing endpoint, the common name in the CSR is used instead of being taken from the JSON data. This does not include any requested SANs in the CSR; use useCsrSans(boolean) for that.

        Defaults to true.

        Parameters:
        useCsrCommonName - whether to use the CSR common name
        Returns:
        updated request
      • useCsrSans

        public PkiRole.Request useCsrSans​(boolean useCsrSans)
        When used with the CSR signing endpoint, the subject alternative names in the CSR are used instead of being taken from the JSON data. This does not include the common name in the CSR; use useCsrCommonName(boolean) for that.

        Defaults to true.

        Parameters:
        useCsrSans - whether to use the CSR subject alternative names
        Returns:
        updated request
      • serialNumber

        public PkiRole.Request serialNumber​(String serialNumber)
        Specifies the serialNumber attribute (OID 2.5.4.5) to set in the Subject of issued certificates, if any. This is the Subject attribute, not the certificate's own serial number, which Vault always generates at random. If you want more than one, specify additional values as alternative names using OID 2.5.4.5.
        Parameters:
        serialNumber - serial number to use
        Returns:
        updated request
      • generateLease

        public PkiRole.Request generateLease​(boolean generateLease)
        Specifies if certificates issued/signed against this role will have Vault leases attached to them. When certificates are associated with leases, they can be added to the CRL by revoking the lease (vault lease revoke <lease_id>, or vault revoke in older Vault CLIs). Revocation is also possible through the pki/revoke endpoint. When lease generation is disabled, pki/revoke is the only way to add the certificates to the CRL.

        Defaults to false.

        Parameters:
        generateLease - whether Vault leases are attached to generated certificates
        Returns:
        updated request
      • noStore

        public PkiRole.Request noStore​(boolean noStore)
        If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generateLease(boolean).

        Defaults to false.

        Parameters:
        noStore - if set to true, certificates are not stored in Vault
        Returns:
        updated request
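The flags documented above are easiest to reason about when a permissive role is placed next to a constrained one. The two requests below are an added example, not code from the Helidon project: they use only the setters on this page and assume PkiRole.Request.builder() as the entry point and the package io.helidon.integrations.vault.secrets.pki (adjust both to the Helidon version in use). The allowed domain list is configured by a setter not shown in this excerpt, so it is omitted, and submitting the request to Vault through PkiSecretsRx is left out as well.

```java
import java.time.Duration;
import java.util.List;

// package assumed; adjust to the Helidon version in use
import io.helidon.integrations.vault.secrets.pki.PkiRole;
import io.helidon.integrations.vault.secrets.pki.PkiSecretsRx;

public final class PkiRoleExamples {

    /**
     * Permissive role: long-lived certificates for any name, IP SANs without
     * checks, hostnames not enforced, and no_store so issued certificates can
     * neither be enumerated nor revoked. Handy for a lab, risky in production.
     */
    static PkiRole.Request permissiveRole() {
        return PkiRole.Request.builder()          // builder() assumed as the entry point
                .roleName("lab-any-name")
                .ttl(Duration.ofDays(365))
                .maxTtl(Duration.ofDays(730))
                .allowAnyName(true)
                .allowBareDomains(true)
                .allowIpSans(true)
                .enforceHostnames(false)
                .serverFlag(true)
                .clientFlag(true)
                .noStore(true);                   // implies generateLease(false)
    }

    /**
     * Constrained role for service TLS certificates signed from CSRs:
     * - names are strict subdomains of the role's allowed domains, apex excluded
     * - hostnames enforced, no IP or localhost names
     * - P-256 keys with DigitalSignature only (KeyEncipherment is meaningless for EC)
     * - ServerAuth EKU only; client, code-signing and email flags off
     * - CN and SANs taken from the request body rather than the CSR, so a client
     *   cannot smuggle extra names in through the CSR it submits
     * - short TTL, stored and leased, so revocation via the lease or pki/revoke works
     */
    static PkiRole.Request serviceTlsRole() {
        return PkiRole.Request.builder()
                .roleName("svc-tls")
                // allowed_domains must also be configured; its setter is not part of this excerpt
                .allowSubDomains(true)
                .allowBareDomains(false)
                .allowGlobDomains(false)
                .allowAnyName(false)
                .allowLocalhost(false)
                .allowIpSans(false)
                .enforceHostnames(true)
                .requireCn(true)
                .keyType(PkiSecretsRx.KEY_TYPE_EC)
                .keyBits(256)
                .keyUsage(List.of("DigitalSignature"))
                .addExtKeyUsage("ServerAuth")
                .serverFlag(true)
                .clientFlag(false)
                .codeSigningFlag(false)
                .emailProtectionFlag(false)
                .useCsrCommonName(false)
                .useCsrSans(false)
                .ttl(Duration.ofHours(24))
                .maxTtl(Duration.ofHours(72))
                .notBeforeDuration(Duration.ofSeconds(30))   // tolerate small clock skew
                .generateLease(true)
                .noStore(false);
    }
}
```

The constrained role trades convenience for revocability and a narrow blast radius: every certificate it issues is stored, leased and short-lived, carries exactly one EKU, and can only name hosts beneath domains the operator chose. The permissive role's noStore(true) is the setting to look for first in a review, since it silently removes the ability to revoke anything that role ever signed.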
      • requireCn

        public PkiRole.Request requireCn​(boolean requireCn)
        If set to false, makes the common name field optional while generating a certificate.

        Defaults to true.

        Parameters:
        requireCn - set to false to make common name optional
        Returns:
        updated request
      • basicConstraintsValidForNonCa

        public PkiRole.Request basicConstraintsValidForNonCa​(boolean basicConstraintsValidForNonCa)
        Mark Basic Constraints valid when issuing non-CA certificates.
        Parameters:
        basicConstraintsValidForNonCa - whether to mark Basic Constraints valid on non-CA certificates; defaults to false
        Returns:
        updated request
      • notBeforeDuration

        public PkiRole.Request notBeforeDuration​(Duration notBeforeDuration)
        Specifies the duration by which to backdate the NotBefore property.
        Parameters:
        notBeforeDuration - duration
        Returns:
        updated request
      • addAllowedUriSan

        public PkiRole.Request addAllowedUriSan​(String subjectAlternativeName)
        Adds one entry to the allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the requested values are valid URIs. The underlying Vault parameter (allowed_uri_sans) accepts a comma-delimited list or a JSON string slice; each call to this method adds one element. Values can contain glob patterns (e.g. spiffe://hostname/*).
        Parameters:
        subjectAlternativeName - san
        Returns:
        updated request
      • addAllowedOtherSan

        public PkiRole.Request addAllowedOtherSan​(String subjectAlternativeName)
        Adds one entry to the allowed custom OID/UTF8-string SANs. The underlying Vault parameter (allowed_other_sans) accepts a comma-delimited list or a JSON string slice, where each element has the same format as OpenSSL: <oid>;<type>:<value>, but the only valid type is UTF8 or UTF-8; each call to this method adds one element. The value part of an element may be a * to allow any value with that OID. Alternatively, specifying a single * will allow any other_sans input.
        Parameters:
        subjectAlternativeName - san
        Returns:
        updated request
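The <oid>;<type>:<value> element format is easy to get subtly wrong (wrong type token, value containing a colon, a lone * that opens the role to any other SAN). The class below is an added example, not Vault's or Helidon's code: it parses allowed_other_sans elements with that syntax, rejects malformed ones, and answers whether a requested other SAN would be permitted, treating a * value as a wildcard for that OID and a lone * entry as allow-all, as the description above states. The sample entries are constructed; the code uses Java records and Stream.toList(), so it needs Java 16 or later.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: parses allowed_other_sans elements of the form <oid>;<type>:<value>
 * (type must be UTF8 or UTF-8, value may be "*") and checks requests against them.
 * A lone "*" entry allows any other_sans input. This is a client-side pre-check
 * approximating the documented rules, not Vault's implementation.
 */
public final class OtherSanPolicy {
    private static final Pattern OID = Pattern.compile("[0-9]+(\\.[0-9]+)+");

    /** One parsed allowed_other_sans element. */
    record Entry(String oid, String value) {
        static Entry parse(String element) {
            int semi = element.indexOf(';');
            int colon = element.indexOf(':', semi + 1);   // first colon after the type; value may contain ':'
            if (semi < 0 || colon < 0) {
                throw new IllegalArgumentException("expected <oid>;<type>:<value>: " + element);
            }
            String oid = element.substring(0, semi);
            String type = element.substring(semi + 1, colon);
            String value = element.substring(colon + 1);
            if (!OID.matcher(oid).matches()) {
                throw new IllegalArgumentException("bad OID: " + oid);
            }
            if (!type.equalsIgnoreCase("UTF8") && !type.equalsIgnoreCase("UTF-8")) {
                throw new IllegalArgumentException("only UTF8/UTF-8 is valid, got: " + type);
            }
            if (value.isEmpty()) {
                throw new IllegalArgumentException("empty value in: " + element);
            }
            return new Entry(oid, value);
        }

        boolean permits(String requestedOid, String requestedValue) {
            return oid.equals(requestedOid) && (value.equals("*") || value.equals(requestedValue));
        }
    }

    private final boolean allowAll;
    private final List<Entry> entries;

    OtherSanPolicy(List<String> allowedOtherSans) {
        this.allowAll = allowedOtherSans.contains("*");
        this.entries = allowedOtherSans.stream()
                .filter(e -> !e.equals("*"))
                .map(Entry::parse)
                .toList();
    }

    /** Would a request for this other SAN (same element syntax) be permitted by the role? */
    boolean permits(String requestedElement) {
        Entry requested = Entry.parse(requestedElement);
        return allowAll || entries.stream().anyMatch(e -> e.permits(requested.oid(), requested.value()));
    }

    public static void main(String[] args) {
        // constructed sample: one fixed value on the Microsoft UPN OID and a wildcard on a second OID
        OtherSanPolicy policy = new OtherSanPolicy(List.of(
                "1.3.6.1.4.1.311.20.2.3;UTF8:alice@example.com",
                "1.2.3.4.5;UTF-8:*"));
        for (String req : List.of("1.3.6.1.4.1.311.20.2.3;UTF8:alice@example.com",
                                  "1.3.6.1.4.1.311.20.2.3;UTF8:bob@example.com",
                                  "1.2.3.4.5;UTF8:anything")) {
            System.out.println(req + " -> " + policy.permits(req));
        }
    }
}
```

A request for bob@example.com on the UPN OID is refused because the entry pins that OID to alice@example.com, while anything on 1.2.3.4.5 passes through the wildcard value. Running the parser over a role's configured entries before submitting them is a cheap way to catch a stray "*" that would otherwise make the role accept any other SAN a client asks for.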
      • addExtKeyUsage

        public PkiRole.Request addExtKeyUsage​(String extKeyUsage)
        Adds an allowed extended key usage constraint on issued certificates. Valid values are the names of the Go crypto/x509 ExtKeyUsage constants with the ExtKeyUsage prefix dropped (e.g. ServerAuth, ClientAuth). Values are not case-sensitive.
        Parameters:
        extKeyUsage - key usage
        Returns:
        updated request
      • addExtKeyUsageOid

        public PkiRole.Request addExtKeyUsageOid​(String extKeyUsageOid)
        Add an extended usage OID.
        Parameters:
        extKeyUsageOid - OID of an ext key usage
        Returns:
        updated request
      • addOrgUnit

        public PkiRole.Request addOrgUnit​(String orgUnit)
        Adds an OU (OrganizationalUnit) value in the subject field of issued certificates.
        Parameters:
        orgUnit - organization unit to add
        Returns:
        updated request
      • addOrg

        public PkiRole.Request addOrg​(String org)
        Adds an O (Organization) value in the subject field of issued certificates.
        Parameters:
        org - organization to add
        Returns:
        updated request
      • addCountry

        public PkiRole.Request addCountry​(String country)
        Adds the C (Country) value in the subject field of issued certificates.
        Parameters:
        country - country to add
        Returns:
        updated request
      • addLocality

        public PkiRole.Request addLocality​(String locality)
        Adds the L (Locality) value in the subject field of issued certificates.
        Parameters:
        locality - locality to add
        Returns:
        updated request
      • addProvince

        public PkiRole.Request addProvince​(String province)
        Adds an ST (Province) value in the subject field of issued certificates.
        Parameters:
        province - province to add
        Returns:
        updated request
      • addStreetAddress

        public PkiRole.Request addStreetAddress​(String streetAddress)
        Adds a Street Address value in the subject field of issued certificates.
        Parameters:
        streetAddress - street address to add
        Returns:
        updated request
      • addPostalCode

        public PkiRole.Request addPostalCode​(String postalCode)
        Adds a Postal Code value in the subject field of issued certificates.
        Parameters:
        postalCode - postal code to add
        Returns:
        updated request
      • addPolicyIdentifier

        public PkiRole.Request addPolicyIdentifier​(String policyIdentifierOid)
        Add a policy identifier OID.
        Parameters:
        policyIdentifierOid - policy identifier OID
        Returns:
        updated request
      • roleName

        public PkiRole.Request roleName​(String roleName)
        Configure role name.
        Parameters:
        roleName - name of the role
        Returns:
        updated request