Module io.helidon.integrations.vault.secrets.pki

Package io.helidon.integrations.vault.secrets.pki

Interface PkiSecretsRx

All Superinterfaces:

SecretsRx

public interface PkiSecretsRx
extends SecretsRx

API operation for Vault PKI Secrets Engine.

Field Summary

Fields

Modifier and Type	Field	Description
static Engine<PkiSecretsRx>	ENGINE	PKI secrets engine.
static String	KEY_TYPE_EC	EC (Elliptic curve) algorithm for keys.
static String	KEY_TYPE_RSA	RSA algorithm for keys.

Method Summary

Modifier and Type	Method	Description
default Single<X509Certificate>	caCertificate()	Certification authority certificate.
Single<CaCertificateGet.Response>	caCertificate(CaCertificateGet.Request request)	Certification authority certificate.
default Single<byte[]>	caCertificate(PkiFormat format)	Certification authority certificate in raw bytes.
Single<VaultOptionalResponse<CertificateGet.Response>>	certificate(CertificateGet.Request request)	Get a certificate.
default Single<Optional<X509Certificate>>	certificate(String serialNumber)	Certificate with the defined serial id.
default Single<Optional<byte[]>>	certificate(String serialNumber, PkiFormat format)	Certificate in raw bytes, currently only PkiFormat.PEM is supported.
Single<PkiRole.Response>	createOrUpdateRole(PkiRole.Request request)	This endpoint creates or updates the role definition.
default Single<X509CRL>	crl()	Certificate revocation list.
Single<CrlGet.Response>	crl(CrlGet.Request request)	Certificate revocation list.
default Single<byte[]>	crl(PkiFormat format)	Certificate revocation list in raw bytes.
Single<GenerateSelfSignedRoot.Response>	generateSelfSignedRoot(GenerateSelfSignedRoot.Request request)	Generate a self signed root certificate.
default Single<GenerateSelfSignedRoot.Response>	generateSelfSignedRoot(String commonName)	Generate a self signed root certificate.
Single<IssueCertificate.Response>	issueCertificate(IssueCertificate.Request request)	Issue a new certificate returning raw data.
Single<VaultOptionalResponse<ListSecrets.Response>>	list(ListSecrets.Request request)	List certificate serial numbers.
Single<RevokeCertificate.Response>	revokeCertificate(RevokeCertificate.Request request)	Revoke a certificate.
default Single<Instant>	revokeCertificate(String serialNumber)	Revoke a certificate by its serial number.
Single<SignCsr.Response>	signCertificateRequest(SignCsr.Request request)	This endpoint signs a new certificate based upon the provided CSR and the supplied parameters, subject to the restrictions contained in the role named in the endpoint.

Methods inherited from interface io.helidon.integrations.vault.SecretsRx

list, list

Field Detail

ENGINE

static final Engine<PkiSecretsRx> ENGINE

PKI secrets engine.

Documentation: https://www.vaultproject.io/api-docs/secret/pki

KEY_TYPE_RSA

static final String KEY_TYPE_RSA

RSA algorithm for keys.

See Also:

Constant Field Values

KEY_TYPE_EC

static final String KEY_TYPE_EC

EC (Elliptic curve) algorithm for keys.

See Also:

Constant Field Values

Method Detail

list

Single<VaultOptionalResponse<ListSecrets.Response>> list(ListSecrets.Request request)

List certificate serial numbers.

Specified by:

list in interface SecretsRx

Parameters:

request - request, path is ignored

Returns:

serial numbers of certificates

caCertificate

default Single<X509Certificate> caCertificate()

Certification authority certificate.

Returns:

certificate of the CA

caCertificate

default Single<byte[]> caCertificate(PkiFormat format)

Certification authority certificate in raw bytes.

Parameters:

format - format to use, either DER or PEM format are supported

Returns:

CA certificate bytes

caCertificate

Single<CaCertificateGet.Response> caCertificate(CaCertificateGet.Request request)

Certification authority certificate.

Parameters:

request - request with optional PkiFormat configured

Returns:

CA certificate bytes

certificate

default Single<Optional<X509Certificate>> certificate(String serialNumber)

Certificate with the defined serial id.

Parameters:

serialNumber - serial number of the certificate

Returns:

certificate, if not found, an exception is returned

certificate

default Single<Optional<byte[]>> certificate(String serialNumber,
                                             PkiFormat format)

Certificate in raw bytes, currently only PkiFormat.PEM is supported.

Parameters:

serialNumber - serial number of the certificate

format - format - must be PkiFormat.PEM

Returns:

certificate bytes in PEM format

certificate

Single<VaultOptionalResponse<CertificateGet.Response>> certificate(CertificateGet.Request request)

Get a certificate.

Parameters:

request - request with at least the serial number configured

Returns:

get certificate response

crl

default Single<X509CRL> crl()

Certificate revocation list.

Returns:

revoke list

crl

default Single<byte[]> crl(PkiFormat format)

Certificate revocation list in raw bytes.

Parameters:

format - to choose between PEM and DER encoding of the list

Returns:

CRL bytes

crl

Single<CrlGet.Response> crl(CrlGet.Request request)

Certificate revocation list.

Parameters:

request - CRL request

Returns:

CRL response

issueCertificate

Single<IssueCertificate.Response> issueCertificate(IssueCertificate.Request request)

Issue a new certificate returning raw data.

The format of data returned depends on the PkiFormat chosen:

• PkiFormat.PEM - pem bytes (e.g. -----BEGIN CERTIFICATE-----...)
• PkiFormat.PEM_BUNDLE - same as above, with certificate bundling the private key
• PkiFormat.DER - binary encoding

Parameters:

request - configuration of the new certificate

Returns:

certificate response with bytes of returned certificates

signCertificateRequest

Single<SignCsr.Response> signCertificateRequest(SignCsr.Request request)

This endpoint signs a new certificate based upon the provided CSR and the supplied parameters, subject to the restrictions contained in the role named in the endpoint.

Parameters:

request - sign CSR request

Returns:

a new certificate

revokeCertificate

default Single<Instant> revokeCertificate(String serialNumber)

Revoke a certificate by its serial number.

Parameters:

serialNumber - serial number of the certificate to revoke

Returns:

revocation instant

revokeCertificate

Single<RevokeCertificate.Response> revokeCertificate(RevokeCertificate.Request request)

Revoke a certificate.

Parameters:

request - revocation request with at least the serial number

Returns:

revoke certificate response

generateSelfSignedRoot

default Single<GenerateSelfSignedRoot.Response> generateSelfSignedRoot(String commonName)

Generate a self signed root certificate. This operations makes sense for testing. For production environments, this would most likely be initialized with an explicit key and certificate.

Parameters:

commonName - the common name (cn) of the certificate

Returns:

when request finishes

generateSelfSignedRoot

Single<GenerateSelfSignedRoot.Response> generateSelfSignedRoot(GenerateSelfSignedRoot.Request request)

Generate a self signed root certificate. This operations makes sense for testing. For production environments, this would most likely be initialized with an explicit key and certificate.

Parameters:

request - request with at least the common name

Returns:

generate self signed root response

createOrUpdateRole

Single<PkiRole.Response> createOrUpdateRole(PkiRole.Request request)

This endpoint creates or updates the role definition. Note that the PkiRole.Request.addAllowedDomain(String), PkiRole.Request.allowSubDomains(boolean), PkiRole.Request.allowGlobDomains(boolean), and PkiRole.Request.allowAnyName(boolean) are additive; between these options, and across multiple roles, nearly any issuing policy can be accommodated. PkiRole.Request.serverFlag(boolean), PkiRole.Request.clientFlag(boolean), and PkiRole.Request.codeSigningFlag(boolean) are additive as well. If a client requests a certificate that is not allowed by the CN policy in the role, the request is denied.

Parameters:

request - request modifying the role

Returns:

when request finishes