Package io.quarkus.vault

Class VaultPKISecretEngine

  • @ApplicationScoped
public class VaultPKISecretEngine
extends Object
    A service that interacts with Hashicorp's Vault PKI secret engine to issue certificates & manage certificate authorities.
    See Also:
    PKI

    • Method Detail

      • getCertificateAuthority

        public CertificateData.PEM getCertificateAuthority()
        Retrieves the engine's CA certificate (PEM encoded).
        Returns:
        Certificate authority certificate.

      • getCertificateAuthority

        public CertificateData getCertificateAuthority​(DataFormat format)
        Retrieves the engine's CA certificate.
        Parameters:
        format - Format of the returned certificate data.
        Returns:
        Certificate authority certificate.

      • configCertificateAuthority

        public void configCertificateAuthority​(String pemBundle)
        Configures the engine's CA.
        Parameters:
        pemBundle - PEM encoded bundle including the CA, with optional chain, and private key.

      • configURLs

        public void configURLs​(ConfigURLsOptions options)
        Configures engine's URLs for issuing certificates, CRL distribution points, and OCSP servers.
        Parameters:
        options - URL options.

      • readURLsConfig

        public ConfigURLsOptions readURLsConfig()
        Read engine's configured URLs for issuing certificates, CRL distribution points, and OCSP servers.
        Returns:
        URL options.

      • configCRL

        public void configCRL​(ConfigCRLOptions options)
        Configures engine's CRL.
        Parameters:
        options - CRL options.

      • readCRLConfig

        public ConfigCRLOptions readCRLConfig()
        Read engine's CRL configuration.
        Returns:
        URL options.

      • getCertificateAuthorityChain

        public CAChainData.PEM getCertificateAuthorityChain()
        Retrieves the engine's CA chain (PEM encoded).
        Returns:
        Certificate authority chain.

      • getCertificateRevocationList

        public CRLData.PEM getCertificateRevocationList()
        Retrieves the engine's CRL (PEM encoded).
        Returns:
        Certificate revocation list.

      • getCertificateRevocationList

        public CRLData getCertificateRevocationList​(DataFormat format)
        Retrieves the engine's CRL.
        Parameters:
        format - Format of the returned crl data.
        Returns:
        Certificate revocation list.

      • rotateCertificateRevocationList

        public boolean rotateCertificateRevocationList()
        Forces a rotation of the associated CRL.

      • getCertificates

        public List<String> getCertificates()
        List all issued certificate serial numbers.
        Returns:
        List of certificate serialize numbers.

      • getCertificate

        public CertificateData.PEM getCertificate​(String serial)
        Retrieve a specific certificate (PEM encoded).
        Parameters:
        serial - Serial number of certificate.
        Returns:
        Certificate or null if no certificate exists.

      • generateCertificate

        public GeneratedCertificate generateCertificate​(String role,
                                                GenerateCertificateOptions options)
        Generates a public/private key pair and certificate issued from the engine's CA using the provided options.
        Parameters:
        role - Name of role used to create certificate.
        options - Certificate generation options.
        Returns:
        Generated certificate and private key.

      • signRequest

        public SignedCertificate signRequest​(String role,
                                     String pemSigningRequest,
                                     GenerateCertificateOptions options)
        Generates a certificate issued from the engine's CA using the provided Certificate Signing Request and options.
        Parameters:
        role - Name of role used to create certificate.
        pemSigningRequest - Certificate Signing Request (PEM encoded).
        options - Certificate generation options.
        Returns:
        Generated certificate.

      • revokeCertificate

        public OffsetDateTime revokeCertificate​(String serialNumber)
        Revokes a certificate.
        Parameters:
        serialNumber - Serial number of certificate.
        Returns:
        Time of certificates revocation.

      • updateRole

        public void updateRole​(String role,
                       RoleOptions options)
        Updates, or creates, a role.
        Parameters:
        role - Name of role.
        options - Options for role.

      • getRole

        public RoleOptions getRole​(String role)
        Retrieve current options for a role.
        Parameters:
        role - Name of role.
        Returns:
        Options for the role or null if role does not exist.

      • getRoles

        public List<String> getRoles()
        Lists existing role names.
        Returns:
        List of role names.

      • deleteRole

        public void deleteRole​(String role)
        Deletes a role.
        Parameters:
        role - Name of role.

      • generateRoot

        public GeneratedRootCertificate generateRoot​(GenerateRootOptions options)
        Generates a self-signed root as the engine's CA.
        Parameters:
        options - Generation options.
        Returns:
        Generated root certificate.

      • deleteRoot

        public void deleteRoot()
        Deletes the engine's current CA.

      • signIntermediateCA

        public SignedCertificate signIntermediateCA​(String pemSigningRequest,
                                            SignIntermediateCAOptions options)
        Generates an intermediate CA certificate issued from the engine's CA using the provided Certificate Signing Request and options.
        Parameters:
        pemSigningRequest - Certificate Signing Request (PEM encoded).
        options - Signing options.
        Returns:
        Generated certificate.

      • generateIntermediateCSR

        public GeneratedIntermediateCSRResult generateIntermediateCSR​(GenerateIntermediateCSROptions options)
        Generates a Certificate Signing Request and private key for the engine's CA. Use this to generate a CSR and for the engine's CA that can be used by another CA to issue an intermediate CA certificate. After generating the intermediate CA setSignedIntermediateCA(String) must be used to set the engine's CA certificate. This will overwrite any previously existing CA private key for the engine.
        Parameters:
        options - Options for CSR generation.
        Returns:
        Generated CSR and, if key export is enabled, private key.
        See Also:
        setSignedIntermediateCA(String)

      • tidy

        public void tidy​(TidyOptions options)
        Tidy up the storage backend and/or CRL by removing certificates that have expired and are past a certain buffer period beyond their expiration time.
        Parameters:
        options - Tidy options.