You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+25-16Lines changed: 25 additions & 16 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -56,11 +56,11 @@ To issue certificates, you need to first define a profile (config) for the mount
56
56
57
57
1. Define a config profile
58
58
59
-
A profile dictates the specifications of the CA a specific Vault mount will use. In the example used here, the mount path is `gcppca` with the CA of `prod-root`
59
+
A profile dictates the specifications of the CA a specific Vault mount will use. In the example used here, the mount path is `gcppca` with the CAPool of `my-pool`
60
60
61
61
```bash
62
62
vault write gcppca/config \
63
-
issuer="prod-root" \
63
+
pool="my-pool" \
64
64
location="us-central1" \
65
65
project="your-project-id"
66
66
```
@@ -81,15 +81,24 @@ Under no circumstance does this plugin retain the private key for any certificat
81
81
82
82
- The sub-path under `<mount>/issue-with-csr/` is intended for user-provided CSR
83
83
84
-
This plugin will create a certificate within GCP CA Service with a certificate `Name` using the final path parameter in the Vault resource path. For example, `gcppca/issue-with-genkey/my_tls_cert_rsa_1` will create a GCP CA Service Resource path `projects/your-project-id/locations/us-central1/certificateAuthorities/prod-root/certificates/my_tls_cert_rsa_1`. This is the actual CA Service unique name for the certificate and cannot be reused once created.
84
+
This plugin will create a certificate within GCP CA Service with a certificate `Name` using the final path parameter in the Vault resource path. For example, `gcppca/issue-with-genkey/my_tls_cert_rsa_1` will create a GCP CA Service Resource path `projects/your-project-id/locations/us-central1/caPools/my-pool/certificates/my_tls_cert_rsa_1`. This is the actual CA Service unique name for the certificate and cannot be reused once created.
85
85
86
86
Deleting the key in Vault will revoke the certificate in CA Service which also means the same name cannot be reused.
87
87
88
+
The examples below uses a default certificate authority pool with a CA. That is, you should have a set pre-generated
To generate a certificate keypair on vault, first apply a configuration that allows Vault to reference which CA to sign against
91
100
92
-
The configuration below will generate a certificate called `my_tls_cert_rsa_1` within CA Service using a GCP CA `prod-root` that was defined earlier by specifying `gcppca/config`.
101
+
The configuration below will generate a certificate called `my_tls_cert_rsa_1` within CA Service using a GCP CA `prod-root` that was defined separately.
93
102
94
103
Apply the config and acquire a `VAULT_TOKEN` based off of those policies.
The output will be Public Certificate and PrivateKey
@@ -196,6 +203,7 @@ Plugin configuration supports various options that are common and mode-specific
196
203
|:------------|-------------|
197
204
|**`validity`**|`string` validity of the issued certificate (default: `P30d`) |
198
205
|**`labels`**|`[]string` list of GCP labels to apply to the certificate (format `k1=v1,k2=v2`) |
206
+
|**`issuing_certificate_authority`**|`string` Optional. The resource ID of the CertificateAuthority that should issue the certificate. By default, the certificate will be issued from any of the active CAs in the CA Pool. |
199
207
200
208
#### Generated (/issue-with-genkey/) Options
201
209
@@ -204,7 +212,7 @@ Plugin configuration supports various options that are common and mode-specific
204
212
|**`key_type`**|`string` what type of key to generate (default: `rsa`; either `rsa` or `ecdsa`; cannot be specified if `csr` is set) |
205
213
|**`key_usage`**|`[]string` what are the `key_usage` settings (default: `[]`) |
206
214
|**`extended_key_usage`**|`[]string` what are the `extended_key_usage` settings (default: `[]`) |
207
-
|**`reusable_config`**|`string`reusable_config to use (cannot be set if `key_usage`,`extended_key_usage` is set; default `[]`) |
215
+
|**`certificate_template`**|`string`certificate_template to use (cannot be set if `key_usage`,`extended_key_usage` is set; default `[]`) |
208
216
|**`subject`**|`string` subject field value (must be in canonical format `C=,ST=,L=,O=,CN=`)|
209
217
|**`dns_san`**|`[]string` list of `dns_san` to use |
210
218
|**`email_san`**|`[]string` list of `email_san` to use |
@@ -213,6 +221,8 @@ Plugin configuration supports various options that are common and mode-specific
213
221
|**`is_ca_cert`**|`bool` whether this certificate is for a CA or not. |
214
222
|**`max_chain_length`**|`int` Maximum depth of subordinate CAs allowed under this CA for a CA certificate.|
215
223
224
+
Note, if you use `certificate_template`, specify the fully qualified name:
When a derived VAULT_TOKEN is used with `vault write gcppca/issue-with-genkey/..` operations, you must provide the _exact_ parameters defined in the policy. For example
0 commit comments