mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
9,692 Commits 2,843 Branches 445 Tags
Commit Graph

65 Commits

Author SHA1 Message Date
Jeff Mitchell
4e73187837 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell
41799529f7 Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4cf1508898 Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored 2015-11-19 09:51:17 -05:00
Jeff Mitchell
55fc4ba898 Implement CA cert/CSR generation. CA certs can be self-signed or 
generate an intermediate CSR, which can be signed.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4eb9cd4c28 Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell
dd8ac00daa Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell
f84c8b8681 Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470. 2015-08-27 12:24:37 -07:00
Jeff Mitchell
3da9f81bdd Merge pull request #555 from hashicorp/toggleable-hostname-enforcement 
Allow enforcement of hostnames to be toggleable for certificates.
 2015-08-21 19:23:09 -07:00
vishalnayak
41678f18ae Vault: Fix wild card paths for all backends 2015-08-21 00:56:13 -07:00
Jeff Mitchell
b8a72cfd47 Allow enforcement of hostnames to be toggleable for certificates. Fixes #451. 2015-08-20 14:33:37 -07:00
Jeff Mitchell
db1b4aadf9 Fix regexes to allow hyphens in role names, as the documentation shows 2015-07-01 20:39:18 -05:00
Jeff Mitchell
23ba605068 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert. 
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-18 15:22:58 -04:00
Jeff Mitchell
a2b3e1302a A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions 
useful for other parts of Vault (including the API) to take advantage of.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-16 13:43:12 -04:00
Jeff Mitchell
20ac7a46f7 Add acceptance tests 
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling

Also, fix a bug when trying to get code signing certificates.

Not tested:
* Revocation (I believe this is impossible with the current testing framework)

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-08 00:06:09 -04:00
Jeff Mitchell
530b67bbb9 Initial PKI backend implementation. 
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint

Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-08 00:06:09 -04:00