HashiCorp Vault PKI roles

PKI roles determine which HashiCorp Vault users can request user certificates. Role information appears in both the HashiCorp Vault PKI application and the HashiCorp Vault PKI secrets engine.

Via the Web SDK, the HashiCorp Vault PKI driver:

  • Helps with the creation of roles in the PKI secrets engine.
  • Ensures that roles comply with the enterprise security policy for certificates.
  • Performs role operations during daily or on-demand CA certificate validation. These role operations require a greater level of awareness than a standard certificate validation: if any one of them fails, the certificate is placed in an error state.

You can use Web SDK methods to manage HashiCorp roles. For example, POST PKI/HashiCorp/Role creates a role. The role is represented by a standard Policy folder object. The role policy constrains the properties of the end-entity certificates that the Vault PKI secrets engine can issue.

After creation in Trust Protection Foundation, the role is ready to provision to the Vault. For more information, see Creating and managing the HashiCorp PKI Vault.

WARNING!  Do not manually create role policy folders for HashiCorp Vault PKI. Instead, use POST PKI/HashiCorp/Role. This method creates and assigns special attributes that the driver requires and that cannot be created through WebAdmin or Aperture.