Class PkiRole.Request
java.lang.Object
io.helidon.integrations.common.rest.ApiJsonBuilder<T>
io.helidon.integrations.common.rest.ApiJsonRequest<T>
io.helidon.integrations.vault.VaultRequest<PkiRole.Request>
io.helidon.integrations.vault.secrets.pki.PkiRole.Request
- All Implemented Interfaces:
ApiRequest<PkiRole.Request>
- Enclosing class:
- PkiRole
Request object. Can be configured with additional headers, query parameters etc.
Method Summary

All methods below return PkiRole.Request (the updated request); builder() is static.

addAllowedDomain(String domain)
    Specifies the domains of the role.
addAllowedOtherSan(String subjectAlternativeName)
    Defines allowed custom OID/UTF8-string SANs.
addAllowedUriSan(String subjectAlternativeName)
    Defines allowed URI Subject Alternative Names.
addCountry(String country)
    Adds the C (Country) value in the subject field of issued certificates.
addExtKeyUsage(String extKeyUsage)
    Specifies the allowed extended key usage constraint on issued certificates.
addExtKeyUsageOid(String extKeyUsageOid)
    Add an extended usage OID.
addLocality(String locality)
    Adds the L (Locality) value in the subject field of issued certificates.
addOrg(String org)
    Adds an O (Organization) value in the subject field of issued certificates.
addOrgUnit(String orgUnit)
    Adds an OU (OrganizationalUnit) value in the subject field of issued certificates.
addPolicyIdentifier(String policyIdentifierOid)
    Add a policy identifier OID.
addPostalCode(String postalCode)
    Adds a Postal Code value in the subject field of issued certificates.
addProvince(String province)
    Adds the ST (Province) value in the subject field of issued certificates.
addStreetAddress(String streetAddress)
    Adds a Street Address value in the subject field of issued certificates.
allowAnyName(boolean allowAnyName)
    Specifies if clients can request any CN.
allowBareDomains(boolean allowBareDomains)
    Specifies if clients can request certificates matching the value of the actual domains themselves (e.g. example.com itself when allowed_domains is example.com).
allowedDomainTemplates(boolean allowDomainTemplates)
    When set, allowed_domains may contain templates, as with ACL Path Templating.
allowGlobDomains(boolean allowGlobDomains)
    Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com).
allowIpSans(boolean allowIpSans)
    Specifies if clients can request IP Subject Alternative Names.
allowLocalhost(boolean allowLocalhost)
    Specifies if clients can request certificates for localhost as one of the requested common names.
allowSubDomains(boolean allowSubDomains)
    Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options.
basicConstraintsValidForNonCa(boolean basicConstraintsValidForNonCa)
    Mark Basic Constraints valid when issuing non-CA certificates.
static PkiRole.Request builder()
    Fluent API builder for configuring a request.
clientFlag(boolean clientFlag)
    Specifies if certificates are flagged for client use.
codeSigningFlag(boolean codeSigningFlag)
    Specifies if certificates are flagged for code signing use.
emailProtectionFlag(boolean emailProtectionFlag)
    Specifies if certificates are flagged for email protection use.
enforceHostnames(boolean enforceHostnames)
    Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.
generateLease(boolean generateLease)
    Specifies if certificates issued/signed against this role will have Vault leases attached to them.
keyBits(int keyBits)
    Specifies the number of bits to use for the generated keys.
keyType(String keyType)
    Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs.
keyUsage(List<String> keyUsage)
    Configure list of usages.
maxTtl(Duration maxTtl)
    Specifies the maximum Time To Live.
noStore(boolean noStore)
    If set, certificates issued/signed against this role will not be stored in the storage backend.
notBeforeDuration(Duration notBeforeDuration)
    Specifies the duration by which to backdate the NotBefore property.
requireCn(boolean requireCn)
    If set to false, makes the common name field optional while generating a certificate.
roleName(String roleName)
    Configure role name.
serialNumber(String serialNumber)
    Specifies the Serial Number, if any.
serverFlag(boolean serverFlag)
    Specifies if certificates are flagged for server use.
ttl(Duration ttl)
    Specifies the Time To Live value.
useCsrCommonName(boolean useCsrCommonName)
    When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data.
useCsrSans(boolean useCsrSans)
    When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data.

Methods inherited from class io.helidon.integrations.vault.VaultRequest
add, addCommaDelimitedArray, addToCommaDelimitedArray, durationToTtl, preBuild

Methods inherited from class io.helidon.integrations.common.rest.ApiJsonRequest
addHeader, addQueryParam, headers, queryParams, requestId, requestId, requestMediaType, requestMediaType, responseMediaType, responseMediaType

Methods inherited from class io.helidon.integrations.common.rest.ApiJsonBuilder
add, add, add, add, add, add, addBase64, addToArray, addToArray, addToArray, addToArray, addToArray, addToArray, addToObject, addToObject, addToObject, addToObject, addToObject, emptyArray, me, postBuild, toJson

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface io.helidon.integrations.common.rest.ApiRequest
toJson
Method Details

builder
Fluent API builder for configuring a request. The request builder is passed as is, without a build method. The equivalent of a build method is ApiJsonBuilder.toJson(jakarta.json.JsonBuilderFactory), used by the RestApi.
- Returns:
  new request builder

ttl
Specifies the Time To Live value. If not set, uses the system default value or the value of maxTtl(java.time.Duration), whichever is shorter.
- Parameters:
  ttl - duration to use
- Returns:
  updated request

maxTtl
Specifies the maximum Time To Live. If not set, defaults to the system maximum lease TTL.
- Parameters:
  maxTtl - duration to use
- Returns:
  updated request

allowLocalhost
Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.
- Parameters:
  allowLocalhost - whether to allow localhost
- Returns:
  updated request

allowedDomainTemplates
When set, allowed_domains may contain templates, as with ACL Path Templating.
- Parameters:
  allowDomainTemplates - whether to allow templates in domains
- Returns:
  updated request

allowBareDomains
Specifies if clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.
- Parameters:
  allowBareDomains - whether to allow bare domains
- Returns:
  updated request

allowSubDomains
Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.
- Parameters:
  allowSubDomains - whether to allow subdomains
- Returns:
  updated request

allowGlobDomains
Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.
- Parameters:
  allowGlobDomains - whether to allow glob domains
- Returns:
  updated request

allowAnyName
Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.
- Parameters:
  allowAnyName - whether to allow any name
- Returns:
  updated request

enforceHostnames
Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.
- Parameters:
  enforceHostnames - whether to enforce hostnames
- Returns:
  updated request

allowIpSans
Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.
- Parameters:
  allowIpSans - whether to allow IP subject alternative names
- Returns:
  updated request
serverFlag
Specifies if certificates are flagged for server use. Defaults to true.
- Parameters:
  serverFlag - whether the certificates are flagged for server use
- Returns:
  updated request

clientFlag
Specifies if certificates are flagged for client use. Defaults to true.
- Parameters:
  clientFlag - whether the certificates are flagged for client use
- Returns:
  updated request

codeSigningFlag
Specifies if certificates are flagged for code signing use. Defaults to false.
- Parameters:
  codeSigningFlag - whether the certificates are flagged for code signing use
- Returns:
  updated request

emailProtectionFlag
Specifies if certificates are flagged for email protection use. Defaults to false.
- Parameters:
  emailProtectionFlag - whether the certificates are flagged for email protection use
- Returns:
  updated request

keyType
Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or when signing CSRs any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys). Defaults to "rsa".
- Parameters:
  keyType - key type
- Returns:
  updated request

keyBits
Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys, e.g., 224, 256, 384 or 521. Defaults to 2048.
- Parameters:
  keyBits - number of bits to use
- Returns:
  updated request

keyUsage
Configure list of usages. Specifies the allowed key usage constraint on issued certificates. Valid values can be found at Key Usage - simply drop the KeyUsage part of the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list. Defaults to ["DigitalSignature", "KeyAgreement", "KeyEncipherment"].
- Parameters:
  keyUsage - list of usages
- Returns:
  updated request

useCsrCommonName
When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR; use useCsrSans(boolean) for that. Defaults to true.
- Parameters:
  useCsrCommonName - whether to use the CSR common name
- Returns:
  updated request

useCsrSans
When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data. This does not include the common name in the CSR; use useCsrCommonName(boolean) for that. Defaults to true.
- Parameters:
  useCsrSans - whether to use the CSR subject alternative names
- Returns:
  updated request
serialNumber
Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names using OID 2.5.4.5.
- Parameters:
  serialNumber - serial number to use
- Returns:
  updated request

generateLease
Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke <lease_id> when certificates are associated with leases. It can also be done using the pki/revoke endpoint. However, when lease generation is disabled, invoking pki/revoke would be the only way to add the certificates to the CRL. Defaults to false.
- Parameters:
  generateLease - whether Vault leases are attached to generated certificates
- Returns:
  updated request

noStore
If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generateLease(boolean). Defaults to false.
- Parameters:
  noStore - if set to true, certificates are not stored in Vault
- Returns:
  updated request

requireCn
If set to false, makes the common name field optional while generating a certificate. Defaults to true.
- Parameters:
  requireCn - set to false to make common name optional
- Returns:
  updated request

basicConstraintsValidForNonCa
Mark Basic Constraints valid when issuing non-CA certificates.
- Parameters:
  basicConstraintsValidForNonCa - defaults to false
- Returns:
  updated builder

notBeforeDuration
Specifies the duration by which to backdate the NotBefore property.
- Parameters:
  notBeforeDuration - duration
- Returns:
  updated builder
addAllowedDomain
Specifies the domains of the role. This is used with the allowBareDomains(boolean) and allowSubDomains(boolean) options.
- Parameters:
  domain - domain
- Returns:
  updated request

addAllowedUriSan
Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/*).
- Parameters:
  subjectAlternativeName - san
- Returns:
  updated request

addAllowedOtherSan
Defines allowed custom OID/UTF8-string SANs. This can be a comma-delimited list or a JSON string slice, where each element has the same format as OpenSSL: <oid>;<type>:<value>, but the only valid type is UTF8 or UTF-8. The value part of an element may be a * to allow any value with that OID. Alternatively, specifying a single * will allow any other_sans input.
- Parameters:
  subjectAlternativeName - san
- Returns:
  updated request

addExtKeyUsage
Specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at Ext Key usage - simply drop the ExtKeyUsage part of the value. Values are not case-sensitive.
- Parameters:
  extKeyUsage - key usage
- Returns:
  updated request

addExtKeyUsageOid
Add an extended usage OID.
- Parameters:
  extKeyUsageOid - OID of an ext key usage
- Returns:
  updated request

addOrgUnit
Adds an OU (OrganizationalUnit) value in the subject field of issued certificates.
- Parameters:
  orgUnit - organization unit to add
- Returns:
  updated request

addOrg
Adds an O (Organization) value in the subject field of issued certificates.
- Parameters:
  org - organization to add
- Returns:
  updated request

addCountry
Adds the C (Country) value in the subject field of issued certificates.
- Parameters:
  country - country to add
- Returns:
  updated request

addLocality
Adds the L (Locality) value in the subject field of issued certificates.
- Parameters:
  locality - locality to add
- Returns:
  updated request

addProvince
Adds the ST (Province) value in the subject field of issued certificates.
- Parameters:
  province - province to add
- Returns:
  updated request

addStreetAddress
Adds a Street Address value in the subject field of issued certificates.
- Parameters:
  streetAddress - street address to add
- Returns:
  updated request

addPostalCode
Adds a Postal Code value in the subject field of issued certificates.
- Parameters:
  postalCode - postal code to add
- Returns:
  updated request

addPolicyIdentifier
Add a policy identifier OID.
- Parameters:
  policyIdentifierOid - policy identifier OID
- Returns:
  updated request

roleName
Configure role name.
- Parameters:
  roleName - name of the role
- Returns:
  updated request
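An added usage example, not part of the Helidon Javadoc, that builds a deliberately narrow role with the options documented above: it takes the restrictive side of each name-policy option (no bare, glob, any-name, localhost or IP names), pins the key type and size, limits the certificate to TLS server use, and keeps certificates stored so they remain enumerable and revocable. The role name and domain are constructed sample values; keyUsage accepting a List<String> and the ServerAuth spelling of the extended key usage (Vault's ext_key_usage value with the ExtKeyUsage prefix dropped) are assumptions, and submitting the request through Helidon's Vault PKI API is outside this snippet.

```java
import java.time.Duration;
import java.util.List;

import io.helidon.integrations.vault.secrets.pki.PkiRole;

/** Builds a least-privilege PKI role request for internal TLS server certificates. */
public final class HardenedPkiRoleExample {

    private HardenedPkiRoleExample() {
    }

    public static PkiRole.Request hardenedServerRole() {
        return PkiRole.Request.builder()
                .roleName("internal-web")                 // constructed sample role name
                // Name policy: only subdomains of one constructed sample domain.
                .addAllowedDomain("internal.example")
                .allowSubDomains(true)                    // foo.internal.example, *.internal.example
                .allowBareDomains(false)                  // internal.example itself is not issuable
                .allowGlobDomains(false)                  // no glob patterns in allowed_domains
                .allowAnyName(false)                      // would bypass allowed_domains entirely
                .allowLocalhost(false)                    // testing-only convenience, off in prod
                .allowIpSans(false)                       // IP SANs get no authorization check
                .enforceHostnames(true)                   // reject non-hostname CN/DNS SAN values
                // Key policy: keyBits must be changed for ec keys (default 2048 is for rsa).
                .keyType("ec")
                .keyBits(256)
                // Usage policy: server authentication only; code signing and
                // email protection stay at their default of false.
                .serverFlag(true)
                .clientFlag(false)
                .addExtKeyUsage("ServerAuth")             // assumed ext_key_usage spelling
                .keyUsage(List.of("DigitalSignature", "KeyAgreement")) // no KeyEncipherment for ec
                // Lifetime: short leaf TTL under a hard ceiling; small NotBefore backdate for clock skew.
                .ttl(Duration.ofHours(24))
                .maxTtl(Duration.ofHours(72))
                .notBeforeDuration(Duration.ofSeconds(30))
                // Keep certificates stored: noStore(true) would make them unrevocable.
                .noStore(false)
                .generateLease(false)                     // revocation via pki/revoke by serial
                .requireCn(true);
    }
}
```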