Skip to content

Latest commit

 

History

History
804 lines (610 loc) · 27.2 KB

index.mdx

File metadata and controls

804 lines (610 loc) · 27.2 KB
Raw
layout page_title sidebar_title description
api
GlobalSign Atlas- Secrets Engines - HTTP API
Atlas
This is the API documentation for the Vault GlobalSign Atlas secrets engine.

GlobalSign Atlas Secrets Engine (API)

This is the API documentation for the Vault GlobalSign Atlas secrets engine. For general information about the usage and operation of the GlobalSign Atlas secrets engine, please see the Getting Started Guide.

This documentation assumes the Atlas secrets engine is enabled at the /atlas path in Vault. Since it is possible to enable secrets engines at any location, please update your API calls accordingly.

Overrides

During plugin mounting you can specify the following override options.

Name Type Description
OverrideSignatureAlgorithm String The Signature algorithm to have the atlas CA use for all issued certificates
OverrideSignatureHashAlgorithm String The Signature hash algorithm to have the atlas CA use for all issued certificates
OverrideDisableKeyUsageExtensions Bool Disables sending Key Usage extensions to atlas, useful for when your account has a static value on the atlas backend.

Table of Contents

Configure Atlas Authentication

This endpoint configures the Vaults connection to your GlobalSign Atlas account. It requires mTLS and API credentials provided by your account manager. These credentials will be persisted in your vault cluster so you will only need to provide them once.

Method Path
POST /atlas/config/authn

Parameters

  • api_key (string: <required>) – Your GlobalSign Atlas API Key.
  • api_secret (string: <required>) – Your GlobalSign Atlas API Secret.
  • api_cert (string: <required>) – Your GlobalSign Atlas mTLS Client Certificate, the content being PEM that has been base64 encoded.
  • api_cert_key (string: <required>) – Your GlobalSign Atlas mTLS Client Certificate's Private Key, the content being PEM that has been base64 encoded.

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/atlas/config/authn

Sample Response

You will get a HTTP 201 response with no body.

Read CA Certificate Chain

This endpoint retrieves the CA certificate chain, including the CA in PEM format. This is a bare endpoint that does not return a standard Vault data structure and cannot be read by the Vault CLI; use /atlas/cert for that.

This is an unauthenticated endpoint.

Method Path
GET /atlas/ca_chain

Sample Request

$ curl \
    http://127.0.0.1:8200/v1/atlas/ca_chain

Sample Response

<PEM-encoded certificate chain>

Read CA Certificate

This endpoint retrieves the CA certificate in raw DER-encoded form. This is a bare endpoint that does not return a standard Vault data structure and cannot be read by the Vault CLI; use /atlas/cert for that. If /pem is added to the endpoint, the CA certificate is returned in PEM format.

This is an unauthenticated endpoint.

Method Path
GET /atlas/ca(/pem)

Sample Request

$ curl \
    http://127.0.0.1:8200/v1/atlas/ca/pem

Sample Response

<binary DER-encoded certificate>

Read CA Certificate Chain

This endpoint retrieves the CA certificate chain, including the CA in PEM format. This is a bare endpoint that does not return a standard Vault data structure and cannot be read by the Vault CLI; use /atlas/cert for that.

This is an unauthenticated endpoint.

Method Path
GET /atlas/ca_chain

Sample Request

$ curl \
    http://127.0.0.1:8200/v1/atlas/ca_chain

Sample Response

<PEM-encoded certificate chain>

Read Certificate

This endpoint retrieves one of a selection of certificates. This endpoint returns the certificate in PEM formatting in the certificate key of the JSON object, which is a standard Vault response that is readable by the Vault CLI.

This is an unauthenticated endpoint.

Method Path
GET /atlas/cert/:serial

Parameters

  • serial (string: <required>) – Specifies the serial of the key to read. This is part of the request URL. Valid values for serial are:

    • <serial> for the certificate with the given serial number
    • ca for the CA certificate
    • ca_chain for the CA trust chain or a serial number in either hyphen-separated or colon-separated octal format

Sample Request

$ curl \
    http://127.0.0.1:8200/v1/atlas/cert/ca

Sample Response

{
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIGmDCCBYCgAwIBAgIHBzEB3fTzhTANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE\n..."
  }
}

List Certificates

This endpoint returns a list of the current certificates by serial number only.

Method Path
LIST /atlas/certs

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/atlas/certs

Sample Response

{
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "17:67:16:b0:b9:45:58:c0:3a:29:e3:cb:d6:98:33:7a:a6:3b:66:c1",
      "26:0f:76:93:73:cb:3f:a0:7a:ff:97:85:42:48:3a:aa:e5:96:03:21"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

Generate Certificate

This endpoint generates a new set of credentials (private key and certificate) based on the role named in the endpoint. The issuing CA certificate is returned as well, so that only the root CA need be in a client's trust store.

The private key is not stored. If you do not save the private key, you will need to request a new certificate.

Method Path
POST /atlas/issue/:name

Parameters

  • name (string: <required>) – Specifies the name of the role to create the certificate against. This is part of the request URL.

  • common_name (string: <required>) – Specifies the requested CN for the certificate. If the CN is allowed by role policy, it will be issued.

  • alt_names (string: "") – Specifies requested Subject Alternative Names, in a comma-delimited list. These can be host names or email addresses; they will be parsed into their respective fields. If any requested names do not match role policy, the entire request will be denied.

  • ip_sans (string: "") – Specifies requested IP Subject Alternative Names, in a comma-delimited list. Only valid if the role allows IP SANs (which is the default).

  • uri_sans (string: "") – Specifies the requested URI Subject Alternative Names, in a comma-delimited list.

  • other_sans (string: "") – Specifies custom OID/UTF8-string SANs. These must match values specified on the role in allowed_other_sans (see role creation for allowed_other_sans globbing rules). The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8. This can be a comma-delimited list or a JSON string slice.

  • ttl (string: "") – Specifies requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.

  • format (string: "") – Specifies the format for returned data. Can be pem, der, or pem_bundle; defaults to pem. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the private key and certificate, concatenated; if the issuing CA is not a Vault-derived self-signed root, this will be included as well.

  • private_key_format (string: "") – Specifies the format for marshaling the private key. Defaults to der which will return either base64-encoded DER or PEM-encoded DER, depending on the value of format. The other option is pkcs8 which will return the key marshalled as PEM-encoded PKCS8.

  • exclude_cn_from_sans (bool: false) – If true, the given common_name will not be included in DNS or Email Subject Alternate Names (as appropriate). Useful if the CN is not a hostname or email address, but is instead some human-readable identifier.

Sample Payload

{
  "common_name": "www.example.com"
}

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/atlas/issue/my-role

Sample Response

{
  "lease_id": "atas/issue/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
  "renewable": false,
  "lease_duration": 21600,
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
    "ca_chain": [
      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
    ],
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAnVHfwoKsUG1GDVyWB1AFroaKl2ImMBO8EnvGLRrmobIkQvh+\n...\nQN351pgTphi6nlCkGPzkDuwvtxSxiCWXQcaxrHAL7MiJpPzkIBq1\n-----END RSA PRIVATE KEY-----\n",
    "private_key_type": "rsa",
    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
  },
  "warnings": "",
  "auth": null
}

Revoke Certificate

This endpoint revokes a certificate using its serial number. This is an alternative option to the standard method of revoking using Vault lease IDs. A revocation will update your Atlas CRL.

Method Path
POST /atlas/revoke

Parameters

  • serial_number (string: <required>) – Specifies the serial number of the certificate to revoke, in hyphen-separated or colon-separated octal.

Sample Payload

{
  "serial_number": "39:dd:2e..."
}

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/atlas/revoke

Sample Response

{
  "data": {
    "revocation_time": 1433269787
  }
}

Create/Update Role

This endpoint creates or updates the role definition. Note that the allowed_domains, allow_subdomains, allow_glob_domains, and allow_any_name attributes are additive; between them nearly and across multiple roles nearly any issuing policy can be accommodated. server_flag, client_flag, and code_signing_flag are additive as well. If a client requests a certificate that is not allowed by the CN policy in the role, the request is denied.

-> NOTICE: Roles are enforced within the Vault, your Atlas Instance roles that are more permissive than your Atlas Instance may still result in certificate requests being rejected.

Method Path
POST /atlas/roles/:name

Parameters

  • name (string: <required>) – Specifies the name of the role to create. This is part of the request URL.

  • ttl (string: "") – Specifies the Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.

  • max_ttl (string: "") – Specifies the maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.

  • allow_localhost (bool: true) – Specifies if clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely.

  • allowed_domains (list: []) – Specifies the domains of the role. This is used with the allow_bare_domains and allow_subdomains options.

  • allowed_domains_template ()bool: false) – When set, allowed_domains may contain templates, as with ACL Path Templating.

  • allow_bare_domains (bool: false) – Specifies if clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk.

  • allow_subdomains (bool: false) – Specifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option.

  • allow_glob_domains (bool: false) - Allows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com). Clients will be allowed to request certificates with names matching the glob patterns.

  • allow_any_name (bool: false) – Specifies if clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it.

  • enforce_hostnames (bool: true) – Specifies if only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses.

  • allow_ip_sans (bool: true) – Specifies if clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses.

  • allowed_uri_sans (string: "") - Defines allowed URI Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid URIs. This can be a comma-delimited list or a JSON string slice. Values can contain glob patterns (e.g. spiffe://hostname/*).

  • allowed_other_sans (string: "") – Defines allowed custom OID/UTF8-string SANs. This can be a comma-delimited list or a JSON string slice, where each element has the same format as OpenSSL: <oid>;<type>:<value>, but the only valid type is UTF8 or UTF-8. The value part of an element may be a * to allow any value with that OID. Alternatively, specifying a single * will allow any other_sans input.

  • server_flag (bool: true) – Specifies if certificates are flagged for server use.

  • client_flag (bool: true) – Specifies if certificates are flagged for client use.

  • code_signing_flag (bool: false) – Specifies if certificates are flagged for code signing use.

  • email_protection_flag (bool: false) – Specifies if certificates are flagged for email protection use.

  • key_type (string: "rsa") – Specifies the type of key to generate for generated private keys and the type of key expected for submitted CSRs. Currently, rsa and ec are supported, or when signing CSRs any can be specified to allow keys of either type and with any bit size (subject to > 1024 bits for RSA keys).

  • key_bits (int: 2048) – Specifies the number of bits to use for the generated keys. This will need to be changed for ec keys, e.g., 224, 256, 384 or 521.

  • key_usage (list: ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]) – Specifies the allowed key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage - simply drop the KeyUsage part of the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.

  • ext_key_usage (list: []) – Specifies the allowed extended key usage constraint on issued certificates. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage - simply drop the ExtKeyUsage part of the value. Values are not case-sensitive. To specify no key usage constraints, set this to an empty list.

  • ext_key_usage_oids (string: "") - A comma-separated string or list of extended key usage oids.

  • use_csr_common_name (bool: true) – When used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR; use use_csr_sans for that.

  • use_csr_sans (bool: true) – When used with the CSR signing endpoint, the subject alternate names in the CSR will be used instead of taken from the JSON data. This does not include the common name in the CSR; use use_csr_common_name for that.

  • ou (string: "") – Specifies the OU (OrganizationalUnit) values in the subject field of issued certificates. This is a comma-separated string or JSON array.

  • organization (string: "") – Specifies the O (Organization) values in the subject field of issued certificates. This is a comma-separated string or JSON array.

  • country (string: "") – Specifies the C (Country) values in the subject field of issued certificates. This is a comma-separated string or JSON array.

  • locality (string: "") – Specifies the L (Locality) values in the subject field of issued certificates. This is a comma-separated string or JSON array.

  • province (string: "") – Specifies the ST (Province) values in the subject field of issued certificates. This is a comma-separated string or JSON array.

  • street_address (string: "") – Specifies the Street Address values in the subject field of issued certificates. This is a comma-separated string or JSON array.

  • postal_code (string: "") – Specifies the Postal Code values in the subject field of issued certificates. This is a comma-separated string or JSON array.

  • serial_number (string: "") – Specifies the Serial Number, if any. Otherwise Vault will generate a random serial for you. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5.

  • generate_lease (bool: false) – Specifies if certificates issued/signed against this role will have Vault leases attached to them. Certificates can be added to the CRL by vault revoke <lease_id> when certificates are associated with leases. It can also be done using the atas/revoke endpoint. However, when lease generation is disabled, invoking atas/revoke would be the only way to add the certificates to the CRL.

  • no_store (bool: false) – If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of false for generate_lease.

  • require_cn (bool: true) - If set to false, makes the common_name field optional while generating a certificate.

  • policy_identifiers (list: []) – A comma-separated string or list of policy OIDs.

  • basic_constraints_valid_for_non_ca (bool: false) - Mark Basic Constraints valid when issuing non-CA certificates.

  • not_before_duration (duration: "30s") – Specifies the duration by which to backdate the NotBefore property.

Sample Payload

{
  "allowed_domains": ["example.com"],
  "allow_subdomains": true
}

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/atlas/roles/my-role

Read Role

This endpoint queries the role definition.

Method Path
GET /atlas/roles/:name

Parameters

  • name (string: <required>) – Specifies the name of the role to read. This is part of the request URL.

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/atlas/roles/my-role

Sample Response

{
  "data": {
    "allow_any_name": false,
    "allow_ip_sans": true,
    "allow_localhost": true,
    "allow_subdomains": false,
    "allowed_domains": ["example.com", "foobar.com"],
    "allowed_uri_sans": ["example.com", "spiffe://*"],
    "allowed_other_sans": [
      "1.3.6.1.4.1.311.20.2.3;utf8:devops@example.com",
      "1.3.6.1.4.1.311.20.2.4;UTF-8:*"
    ],
    "client_flag": true,
    "code_signing_flag": false,
    "key_bits": 2048,
    "key_type": "rsa",
    "ttl": "6h",
    "max_ttl": "12h",
    "server_flag": true
  }
}

List Roles

This endpoint returns a list of available roles. Only the role names are returned, not any values.

Method Path
LIST /atlas/roles

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/atlas/roles

Sample Response

{
  "auth": null,
  "data": {
    "keys": ["dev", "prod"]
  },
  "lease_duration": 2764800,
  "lease_id": "",
  "renewable": false
}

Delete Role

This endpoint deletes the role definition. Deleting a role does not revoke certificates previously issued under this role.

Method Path
DELETE /atlas/roles/:name

Parameters

  • name (string: <required>) – Specifies the name of the role to delete. This is part of the request URL.

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/atlas/roles/my-role

Sign Certificate

This endpoint signs a new certificate based upon the provided CSR and the supplied parameters, subject to the restrictions contained in the role named in the endpoint. The issuing CA certificate is returned as well, so that only the Atlas root CA need be in a client's trust store.

Method Path
POST /atlas/sign/:name

Parameters

  • csr (string: <required>) – Specifies the PEM-encoded CSR.

  • common_name (string: <required>) – Specifies the requested CN for the certificate. If the CN is allowed by role policy, it will be issued.

  • alt_names (string: "") – Specifies the requested Subject Alternative Names, in a comma-delimited list. These can be host names or email addresses; they will be parsed into their respective fields. If any requested names do not match role policy, the entire request will be denied.

  • other_sans (string: "") – Specifies custom OID/UTF8-string SANs. These must match values specified on the role in allowed_other_sans (see role creation for allowed_other_sans globbing rules). The format is the same as OpenSSL: <oid>;<type>:<value> where the only current valid type is UTF8. This can be a comma-delimited list or a JSON string slice.

  • ip_sans (string: "") – Specifies the requested IP Subject Alternative Names, in a comma-delimited list. Only valid if the role allows IP SANs (which is the default).

  • uri_sans (string: "") – Specifies the requested URI Subject Alternative Names, in a comma-delimited list. If any requested URIs do not match role policy, the entire request will be denied.

  • ttl (string: "") – Specifies the requested Time To Live. Cannot be greater than the role's max_ttl value. If not provided, the role's ttl value will be used. Note that the role values default to system values if not explicitly set.

  • format (string: "pem") – Specifies the format for returned data. Can be pem, der, or pem_bundle. If der, the output is base64 encoded. If pem_bundle, the certificate field will contain the certificate and, if the issuing CA is not a Vault-derived self-signed root, it will be concatenated with the certificate.

  • exclude_cn_from_sans (bool: false) – If set, the given common_name will not be included in DNS or Email Subject Alternate Names (as appropriate). Useful if the CN is not a hostname or email address, but is instead some human-readable identifier.

Sample Payload

{
  "csr": "...",
  "common_name": "example.com"
}

Sample Response

{
  "lease_id": "atas/sign/test/7ad6cfa5-f04f-c62a-d477-f33210475d05",
  "renewable": false,
  "lease_duration": 21600,
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDzDCCAragAwIBAgIUOd0ukLcjH43TfTHFG9qE0FtlMVgwCwYJKoZIhvcNAQEL\n...\numkqeYeO30g1uYvDuWLXVA==\n-----END CERTIFICATE-----\n",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n",
    "ca_chain": [
      "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgIJAKM+z4MSfw2mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV\n...\nG/7g4koczXLoUM3OQXd5Aq2cs4SS1vODrYmgbioFsQ3eDHd1fg==\n-----END CERTIFICATE-----\n"
    ],
    "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
  },
  "auth": null
}

Tidy

This endpoint allows tidying up the storage backend and by removing certificates that have expired and are past a certain buffer period beyond their expiration time.

Method Path
POST /atlas/tidy

Parameters

  • tidy_cert_store (bool: false) Specifies whether to tidy up the certificate store.

  • tidy_revoked_certs (bool: false) Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed.

  • safety_buffer (string: "") Specifies A duration (given as an integer number of seconds or a string; defaults to 72h) used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep certificates from being removed from the CRL that, due to clock skew, might still be considered valid on other hosts. For a certificate to be expunged, the time must be after the expiration time of the certificate (according to the local clock) plus the duration of safety_buffer.

Sample Payload

{
  "safety_buffer": "24h"
}

Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/atlas/tidy