Documentation Module: backend/pki

Provides implementation for the Vault PKI Secret backend APIs

Extends

Vaulted

Methods

<inner> createCertRole( [mountName])

Creates or updates the role definition

Parameters:

Name	Type	Argument	Default	Description
`options.id`	string			role name
`options.body.ttl`	string	<optional>		Time To Live value provided as a string duration with time suffix
`options.body.max_ttl`	string	<optional>		maximum Time To Live provided as a string duration with time suffix
`options.body.allow_localhost`	string	<optional>	true	indicates clients can request certificates for localhost
`options.body.allowed_domains`	string	<optional>		Designates the domains of the role
`options.body.allow_bare_domains`	string	<optional>	false	Designates clients can request certificates matching the value of the actual domains themselves
`options.body.allow_subdomains`	string	<optional>	false	Designates clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options.
`options.body.allow_any_name`	string	<optional>	false	Designates clients can request any CN
`options.body.enforce_hostnames`	string	<optional>	true	Designates only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses
`options.body.allow_ip_sans`	string	<optional>	true	Designates clients can request IP Subject Alternative Names
`options.body.server_flag`	string	<optional>	true	Designates certificates are flagged for server use
`options.body.client_flag`	string	<optional>	true	Designates certificates are flagged for client use
`options.body.code_signing_flag`	string	<optional>	false	Designates certificates are flagged for code signing use
`options.body.email_protection_flag`	string	<optional>	false	Designates certificates are flagged for email protection use
`options.body.key_type`	string	<optional>	rsa	type of key to generate for generated private keys
`options.body.key_bits`	string	<optional>	2048	number of bits to use for the generated keys
`options.body.use_csr_common_name`	string	<optional>	false	Designates when used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> deleteCertRole( [mountName])

Deletes the role definition

Parameters:

Name	Type	Argument	Default	Description
`options.id`	string			role name
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> genIntermediatesExported( [mountName])

Generates a new private key and a CSR for signing (with private key)

Parameters:

Name	Type	Argument	Default	Description
`options.body.common_name`	string			The requested CN for the certificate
`options.body.alt_names`	string	<optional>		Requested Subject Alternative Names, in a comma-delimited list
`options.body.ip_sans`	string	<optional>		Requested IP Subject Alternative Names, in a comma-delimited list
`options.body.format`	string	<optional>	pem	Format for returned data
`options.body.key_type`	string	<optional>	rsa	Desired key type
`options.body.key_bits`	string	<optional>	2048	The number of bits to use
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> genIntermediatesInternal( [mountName])

Generates a new private key and a CSR for signing (without private key)

Parameters:

Name	Type	Argument	Default	Description
`options.body.common_name`	string			The requested CN for the certificate
`options.body.alt_names`	string	<optional>		Requested Subject Alternative Names, in a comma-delimited list
`options.body.ip_sans`	string	<optional>		Requested IP Subject Alternative Names, in a comma-delimited list
`options.body.format`	string	<optional>	pem	Format for returned data
`options.body.key_type`	string	<optional>	rsa	Desired key type
`options.body.key_bits`	string	<optional>	2048	The number of bits to use
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> genRootExported( [mountName])

Generates a new self-signed CA certificate and private key

Parameters:

Name	Type	Argument	Default	Description
`options.body.common_name`	string			The requested CN for the certificate
`options.body.alt_names`	string	<optional>		Requested Subject Alternative Names, in a comma-delimited list
`options.body.ip_sans`	string	<optional>		Requested IP Subject Alternative Names, in a comma-delimited list
`options.body.ttl`	string	<optional>		Requested Time To Live
`options.body.format`	string	<optional>	pem	Format for returned data
`options.body.key_type`	string	<optional>	rsa	Desired key type
`options.body.key_bits`	string	<optional>	2048	The number of bits to use
`options.body.max_path_length`	string	<optional>	-1	the maximum path length to encode in the generated certificate
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> genRootInternal( [mountName])

Generates a new self-signed CA certificate

Parameters:

Name	Type	Argument	Default	Description
`options.body.common_name`	string			The requested CN for the certificate
`options.body.alt_names`	string	<optional>		Requested Subject Alternative Names, in a comma-delimited list
`options.body.ip_sans`	string	<optional>		Requested IP Subject Alternative Names, in a comma-delimited list
`options.body.ttl`	string	<optional>		Requested Time To Live
`options.body.format`	string	<optional>	pem	Format for returned data
`options.body.key_type`	string	<optional>	rsa	Desired key type
`options.body.key_bits`	string	<optional>	2048	The number of bits to use
`options.body.max_path_length`	string	<optional>	-1	the maximum path length to encode in the generated certificate
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCaDer( [mountName])

Retrieves the CA certificate in raw DER-encoded form

Parameters:

Name	Type	Argument	Default	Description
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCaPem( [mountName])

Retrieves the CA certificate in PEM format

Parameters:

Name	Type	Argument	Default	Description
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCertCa( [mountName])

Retrieves CA certificate in PEM formatting in the certificate key of the JSON object

Parameters:

Name	Type	Argument	Default	Description
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCertCrl( [mountName])

Retrieves the current CRL certificate in PEM formatting in the certificate key of the JSON object

Parameters:

Name	Type	Argument	Default	Description
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCertRole( [mountName])

Queries the role definition

Parameters:

Name	Type	Argument	Default	Description
`options.id`	string			role name
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCertSerial( [mountName])

Retrieves certificate by serial number in PEM formatting in the certificate key of the JSON object

Parameters:

Name	Type	Argument	Default	Description
`options.id`	string			certificate serial number
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getConfigCrl( [mountName])

Allows getting the duration for which the generated CRL should be marked valid

Parameters:

Name	Type	Argument	Default	Description
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getConfigUrls( [mountName])

Fetch the URLs to be encoded in generated certificates

Parameters:

Name	Type	Argument	Default	Description
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCrlDer( [mountName])

Retrieves the current CRL in raw DER-encoded form

Parameters:

Name	Type	Argument	Default	Description
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCrlPem( [mountName])

Retrieves the current CRL in PEM format

Parameters:

Name	Type	Argument	Default	Description
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> getCrlRotate( [mountName])

This endpoint forces a rotation of the CRL

Parameters:

Name	Type	Argument	Default	Description
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> issueCertCredentials( [mountName])

Generates a new set of credentials (private key and certificate) based on the role named in the endpoint

Parameters:

Name	Type	Argument	Default	Description
`options.body.common_name`	string			The requested CN for the certificate
`options.body.alt_names`	string	<optional>		Requested Subject Alternative Names, in a comma-delimited list
`options.body.ip_sans`	string	<optional>		Requested IP Subject Alternative Names, in a comma-delimited list
`options.body.ttl`	string	<optional>		Requested Time To Live
`options.body.format`	string	<optional>	pem	Format for returned data
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> revokeCertCredentials( [mountName])

Revokes a certificate using its serial number

Parameters:

Name	Type	Argument	Default	Description
`options.body.serial_number`	string			serial number of the certificate to revoke
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> setConfigCa( [mountName])

Allows submitting the CA information for the backend via a PEM file containing the CA certificate and its private key, concatenated

Parameters:

Name	Type	Argument	Default	Description
`options.body.pem_bundle`	string			The key and certificate concatenated in PEM format
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> setConfigCrl( [mountName])

Allows setting the duration for which the generated CRL should be marked valid

Parameters:

Name	Type	Argument	Default	Description
`options.body.expiry`	string			The time until expiration
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> setConfigUrls( [mountName])

Allows setting the issuing certificate endpoints

Parameters:

Name	Type	Argument	Default	Description
`options.body.issuing_certificates`	string	<optional>		URL values for the Issuing Certificate field
`options.body.crl_distribution_points`	string	<optional>		URL values for the CRL Distribution Points field
`options.body.ocsp_servers`	string	<optional>		URL values for the OCSP Servers field
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> setSignedIntermediates( [mountName])

Allows submitting the signed CA certificate corresponding to a private key

Parameters:

Name	Type	Argument	Default	Description
`options.body.certificate`	string			The certificate in PEM format
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> signCertificate( [mountName])

Signs a new certificate based upon the provided CSR and the supplied parameters

Parameters:

Name	Type	Argument	Default	Description
`options.id`	string			role name
`options.body.csr`	string			The PEM-encoded CSR
`options.body.common_name`	string			The requested CN for the certificate
`options.body.alt_names`	string	<optional>		Requested Subject Alternative Names, in a comma-delimited list
`options.body.ip_sans`	string	<optional>		Requested IP Subject Alternative Names, in a comma-delimited list
`options.body.ttl`	string	<optional>		Requested Time To Live
`options.body.format`	string	<optional>	pem	Format for returned data
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> signCertificateVerbatim( [mountName])

Signs a new certificate based upon the provided CSR. Values are taken verbatim from the CSR

Parameters:

Name	Type	Argument	Default	Description
`options.body.csr`	string			The PEM-encoded CSR
`options.body.ttl`	string	<optional>		Requested Time To Live
`options.body.format`	string	<optional>	pem	Format for returned data
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise

<inner> signIntermediateWithRoot( [mountName])

Uses the configured CA certificate to issue a certificate with appropriate values for acting as an intermediate CA

Parameters:

Name	Type	Argument	Default	Description
`options.body.csr`	string			The PEM-encoded CSR
`options.body.common_name`	string			The requested CN for the certificate
`options.body.alt_names`	string	<optional>		Requested Subject Alternative Names, in a comma-delimited list
`options.body.ip_sans`	string	<optional>		Requested IP Subject Alternative Names, in a comma-delimited list
`options.body.ttl`	string	<optional>		Requested Time To Live
`options.body.format`	string	<optional>	pem	Format for returned data
`options.body.max_path_length`	string	<optional>	-1	the maximum path length to encode in the generated certificate
`options.body.use_csr_values`	string	<optional>		1) Subject information, including names and alternate names, will be preserved from the CSR rather than using the values provided in the other parameters to this path; 2) Any key usages (for instance, non-repudiation) requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; 3) Extensions requested in the CSR will be copied into the issued certificate
`options.token`	string	<optional>		the authentication token
`mountName`	string	<optional>	pki	path name the pki secret backend is mounted on

Returns:

Type: Promise