ttl (string: "") – Specifies requested Time To Live. Only valid if the role allows IP SANs (which is the ip_sans (string: "") – Specifies requested IP Subject Alternative Names, Role policy, the entire request will be denied. These can be host names or email addresses; they will be parsed into their respective fields. If the CN is allowed by role policy, it will be issued. alt_names (string: "") – Specifies requested Subject Alternative Names, in a comma-delimited list. This is part of the request URL. certificate. name (string: ) – Specifies the name of the role to create the certificate against.
If you do not save the private key, you will The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store. This endpoint generates a new set of credentials (private key and certificate) based on the role named in the endpoint. One, specify alternative names in the alt_names map using OID 2.5.4.5.
Otherwise Vault will generate a random serial for you. serial_number (string: "") – Specifies the Serial Number, if any.
postal_code (string: "") – Specifies the Postal Code values in the street_address (string: "") – Specifies the Street Address values in the province (string: "") – Specifies the ST (Province) values in the subject locality (string: "") – Specifies the L (Locality) values in the subject organization (string: "") – Specifies the O (Organization) values in the country (string: "") – Specifies the C (Country) values in the subject field of the resulting CSR. ou (string: "") – Specifies the OU (OrganizationalUnit) values in the Useful if the CN is not a hostname or email address, but is instead some Not be included in DNS or Email Subject Alternate Names (as appropriate). This must be changed to a valid value if the key_type is ec, e.g., 224, 256, 384 or 521. exclude_cn_from_sans (bool: false) – If true, the given common_name will key_bits (int: 2048) – Specifies the number of bits to use. key_type (string: "rsa") – Specifies the desired key type; must be rsa, ed25519 Pkcs8 which will return the key marshalled as PEM-encoded PKCS8. PEM-encoded DER, depending on the value of format.
Defaults to der which will return either base64-encoded DER or private_key_format (string: "der") – Specifies the format for marshaling the If pem_bundle, the csr field will contain the private key This can be a comma-delimited list or a format (string: "pem") – Specifies the format for returned data. The format is the same as OpenSSL: : where the Must match values specified on the role in allowed_other_sans (see role creation for allowed_other_sans globbing rules). other_sans (string: "") – Specifies custom OID/UTF8-string SANs. uri_sans (string: "") – Specifies the requested URI Subject Alternative ip_sans (string: "") – Specifies the requested IP Subject Alternative They will be parsed into their respective fields. These can be host names or email addresses Internal the private key will not be returned and cannot be retrieved common_name (string: ) – Specifies the requested CN for the alt_names (string: "") – Specifies the requested Subject Alternative If exported, the private key will be returned in the response if type (string: ) – Specifies the type of the intermediate to create. This is mostly meant as a helper function, and not all possible parameters that can be set in a CSR are supported. This will overwrite any previously existing CA private key. If using Vault as a root, and for many other CAs, the various parameters on the final certificate are set at signing time and may or may not honor the parameters set This endpoint generates a new private key and a CSR for signing. If /pem is added to the endpoint, the CA certificate is returned in PEM format. This is a bare endpoint that does not return a standard Vault data structure and cannot be read by the Vault CLI; use /pki/cert for that. This endpoint retrieves the CA certificate in raw DER-encoded form.
Since it is possible to enable secrets engines at any location, please This documentation assumes the PKI secrets engine is enabled at the /pki path Information about the usage and operation of the PKI secrets engine, please see This is the API documentation for the Vault PKI secrets engine. PKI Secrets Engine (API)