public class RoleOptions
extends java.lang.Object
A container for options sent to and returned by role-related endpoints on the PKI backend. This class is meant for use with a builder pattern style. Example usage:
```java
final RoleOptions options = new RoleOptions()
        .allowedDomains(new ArrayList<String>(){{ add("myvault.com"); }})
        .allowSubdomains(true)
        .maxTtl("9h");
```
Constructor and Description |
---|
RoleOptions() |
Modifier and Type | Method and Description |
---|---|
RoleOptions | allowAnyName(java.lang.Boolean allowAnyName) |
RoleOptions | allowBareDomains(java.lang.Boolean allowBareDomains) |
RoleOptions | allowedDomains(java.util.List<java.lang.String> allowedDomains) |
RoleOptions | allowIpSans(java.lang.Boolean allowIpSans) |
RoleOptions | allowLocalhost(java.lang.Boolean allowLocalhost) |
RoleOptions | allowSubdomains(java.lang.Boolean allowSubdomains) |
RoleOptions | clientFlag(java.lang.Boolean clientFlag) |
RoleOptions | codeSigningFlag(java.lang.Boolean codeSigningFlag) |
RoleOptions | emailProtectionFlag(java.lang.Boolean emailProtectionFlag) |
RoleOptions | enforceHostnames(java.lang.Boolean enforceHostnames) |
java.lang.Boolean | getAllowAnyName() |
java.lang.Boolean | getAllowBareDomains() |
java.util.List<java.lang.String> | getAllowedDomains() |
java.lang.Boolean | getAllowIpSans() |
java.lang.Boolean | getAllowLocalhost() |
java.lang.Boolean | getAllowSubdomains() |
java.lang.Boolean | getClientFlag() |
java.lang.Boolean | getCodeSigningFlag() |
java.lang.Boolean | getEmailProtectionFlag() |
java.lang.Boolean | getEnforceHostnames() |
java.lang.Long | getKeyBits() |
java.lang.String | getKeyType() |
java.lang.String | getMaxTtl() |
java.lang.Boolean | getServerFlag() |
java.lang.String | getTtl() |
java.lang.Boolean | getUseCsrCommonName() |
RoleOptions | keyBits(java.lang.Long keyBits) |
RoleOptions | keyType(java.lang.String keyType) |
RoleOptions | maxTtl(java.lang.String maxTtl) |
RoleOptions | serverFlag(java.lang.Boolean serverFlag) |
RoleOptions | ttl(java.lang.String ttl) |
RoleOptions | useCsrCommonName(java.lang.Boolean useCsrCommonName) |
public RoleOptions ttl(java.lang.String ttl)
ttl
- (optional) The Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.

public RoleOptions maxTtl(java.lang.String maxTtl)
maxTtl
- (optional) The maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.

public RoleOptions allowLocalhost(java.lang.Boolean allowLocalhost)
allowLocalhost
- (optional) If set, clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely. Defaults to true.

public RoleOptions allowedDomains(java.util.List<java.lang.String> allowedDomains)
allowedDomains
- (optional) Designates the domains of the role, provided as a comma-separated list. This is used with the allow_bare_domains and allow_subdomains options. There is no default.

public RoleOptions allowBareDomains(java.lang.Boolean allowBareDomains)
allowBareDomains
- (optional) If set, clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk. Defaults to false.

public RoleOptions allowSubdomains(java.lang.Boolean allowSubdomains)
allowSubdomains
- (optional) If set, clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option. Defaults to false.

public RoleOptions allowAnyName(java.lang.Boolean allowAnyName)
allowAnyName
- (optional) If set, clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it. Defaults to false.

public RoleOptions enforceHostnames(java.lang.Boolean enforceHostnames)
enforceHostnames
- (optional) If set, only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses. Defaults to true.

public RoleOptions allowIpSans(java.lang.Boolean allowIpSans)
allowIpSans
- (optional) If set, clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses. Defaults to true.

public RoleOptions serverFlag(java.lang.Boolean serverFlag)
serverFlag
- (optional) If set, certificates are flagged for server use. Defaults to true.

public RoleOptions clientFlag(java.lang.Boolean clientFlag)
clientFlag
- (optional) If set, certificates are flagged for client use. Defaults to true.

public RoleOptions codeSigningFlag(java.lang.Boolean codeSigningFlag)
codeSigningFlag
- (optional) If set, certificates are flagged for code signing use. Defaults to false.

public RoleOptions emailProtectionFlag(java.lang.Boolean emailProtectionFlag)
emailProtectionFlag
- (optional) If set, certificates are flagged for email protection use. Defaults to false.

public RoleOptions keyType(java.lang.String keyType)
keyType
- (optional) The type of key to generate for generated private keys. Currently, rsa and ec are supported. Defaults to rsa.

public RoleOptions keyBits(java.lang.Long keyBits)
keyBits
- (optional) The number of bits to use for the generated keys. Defaults to 2048; this will need to be changed for ec keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for ec.

public RoleOptions useCsrCommonName(java.lang.Boolean useCsrCommonName)
useCsrCommonName
- (optional) If set, when used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR. Defaults to false.

public java.lang.String getTtl()
public java.lang.String getMaxTtl()
public java.lang.Boolean getAllowLocalhost()
public java.util.List<java.lang.String> getAllowedDomains()
public java.lang.Boolean getAllowBareDomains()
public java.lang.Boolean getAllowSubdomains()
public java.lang.Boolean getAllowAnyName()
public java.lang.Boolean getEnforceHostnames()
public java.lang.Boolean getAllowIpSans()
public java.lang.Boolean getServerFlag()
public java.lang.Boolean getClientFlag()
public java.lang.Boolean getCodeSigningFlag()
public java.lang.Boolean getEmailProtectionFlag()
public java.lang.String getKeyType()
public java.lang.Long getKeyBits()
public java.lang.Boolean getUseCsrCommonName()
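
Several options documented above default to permissive values when left unset (allowLocalhost, allowIpSans, serverFlag and clientFlag all default to true). The following is an added example, not part of the original Javadoc or the library: a review helper that reads a RoleOptions through its getters and reports the settings that widen what the role will issue. The class name RoleOptionsAudit, the import package, and the assumption that an unset option's getter returns null are not stated on this page.

```java
import com.bettercloud.vault.api.pki.RoleOptions; // assumed package; not stated on this page
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class RoleOptionsAudit { // hypothetical helper, not part of the library
    // Assumption: an unset option is returned as null, so the documented default applies.
    static boolean effective(Boolean value, boolean documentedDefault) {
        return value == null ? documentedDefault : value;
    }

    /** Returns one finding per setting that widens what the role will issue. */
    static List<String> audit(RoleOptions o) {
        List<String> findings = new ArrayList<>();
        if (effective(o.getAllowAnyName(), false))
            findings.add("allowAnyName: clients can request any CN");
        if (effective(o.getAllowIpSans(), true))
            findings.add("allowIpSans: IP SANs are issued with no authorization check");
        if (effective(o.getAllowLocalhost(), true))
            findings.add("allowLocalhost: localhost is accepted as a common name");
        if (effective(o.getAllowBareDomains(), false))
            findings.add("allowBareDomains: the allowed domains themselves can be requested");
        if (effective(o.getAllowSubdomains(), false))
            findings.add("allowSubdomains: includes wildcard subdomains");
        if (!effective(o.getEnforceHostnames(), true))
            findings.add("enforceHostnames: CNs and SANs are not restricted to valid host names");
        if (effective(o.getServerFlag(), true) && effective(o.getClientFlag(), true))
            findings.add("serverFlag+clientFlag: certificates are flagged for both uses");
        if (o.getMaxTtl() == null)
            findings.add("maxTtl: unset, falls back to the system maximum lease TTL");
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: only a domain is set, every other option keeps its default.
        RoleOptions loose = new RoleOptions().allowedDomains(Arrays.asList("myvault.com"));
        // Constructed sample: server-only role for subdomains with a bounded lifetime.
        RoleOptions tight = new RoleOptions()
                .allowedDomains(Arrays.asList("myvault.com"))
                .allowSubdomains(true).allowLocalhost(false).allowIpSans(false)
                .clientFlag(false).keyType("ec").keyBits(256L).maxTtl("9h");
        audit(loose).forEach(f -> System.out.println("loose: " + f));
        audit(tight).forEach(f -> System.out.println("tight: " + f));
    }
}
```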