PUT PKI/HashiCorp/CA/{guid}

Updates the configuration for a HashiCorp Vault PKI secrets engine that is managed by Trust Protection Platform. Updates can include renewal settings for the intermediate CA certificate.

Requirements

  • Permissions:  The caller must have the Write permission to the device, HashiCorp Vault PKI application, and certificate objects.
  • Token scope:  Certificate:Manage

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

Name

Description

{guid}

In the request URL, specify the GUID of the HashiCorp application object. In Trust Protection Platform, the GUID represents the HashiCorp Vault PKI secrets engine in the Vault. To get the GUID, call GET PKI/HashiCorp/CA.

Certificate

(Optional) The attributes of the intermediate CA certificate for provisioning to the HashiCorp PKI secrets engine

  • CommonName: The Common Name (CN) attribute of Subject Distinguished Name (DN).
  • Organization: (Optional) The Organization (O) field for the certificate Subject DN.
  • OrganizationalUnits: (Optional) An array of department or divisions within the organization (OU) that are responsible for maintaining the certificate.
  • City: (Optional) The City or Locality (L) field for the certificate Subject DN.
  • State: (Optional) The State (ST) field for the certificate Subject DN.
  • Country: (Optional) The Country (C) field for the certificate Subject DN.
  • SubjectAltNames: (Optional)
    • Name: The SAN friendly name that corresponds to TypeName. For example, if a TypeName is IP, in the Name specify a valid IP address.
    • TypeName: One of the following HashiCorp SAN descriptions. DNS, RFC822, UPN, URI, IP.

CreatePKIRole

(Optional) Works in conjunction with Roles. The setting to control role creation at the PkiPath of the HashiCorp vault:

  • true: If one or more Roles is missing in the PkiPath, create them.
  • false: Default. Requires that the roles are already defined in the secrets engine. If any roles are missing, provisioning fails at Stage 800.

CreateCertificateAuthority

(Optional) The setting to control Sub CA creation:

  • true: Default. Create the HashiCorp sub CA certificate.
  • false: Require the secrets engine to have an existing CA certificate before generating a new one. If the certificate is missing, an error occurs.

CRLAddress

(Optional) The URL of the endpoint that provides a Certificate Revocation List (CRL) for the intermediate CA.

FolderDN

(Optional) The distinguished name of the Policy folder.

Installation

(Optional) Information about the vault:

  • CredentialDn: The device credential is required when the device policy does not assign a Password credential in the FolderDN.
  • Host: The HashiCorp IP address or name.

KeyAlgorithm

(Optional) Required when the HashiCorp Vault CA is responsible for generating the key pair and CSR. Use in conjunction with KeyBitSize.

  • RSA: Default. RSA key.
  • EC: ECC (Elliptic Curve Cryptography) key.

KeyBitSize

(Optional) Required when the HashiCorp Vault CA is responsible for generating the key pair and CSR. Use in conjunction with KeyAlgorithm:

  • For RSA, specify 2048 or 4096 bits.
  • For EC, specify 256, 384, or 521. Use the value that corresponds to the National Institute of Standards and Technology (NIST) curve: P256, P384, or P521.

OCSPAddress

(Optional) The URL of the Online Certificate Status Protocol (OCSP) service that provides the revocation status of certificates issued by the intermediate CA.

PkiPath

The path in the HashiCorp Vault where the PKI secrets engine is mounted. This value appears in Trust Protection Platform as the Application object name.

Roles

An array of role GUIDs. To get the GUIDs, call POST Config/FindObjectsOfClass with these parameters:

  • Class: Policy.
  • ObjectDN: The parent folder to search.
  • Recursive: 1.
  • Pattern: The role name as the pattern. For example, Pattern:*role.

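The input parameters above carry a few constraints that the server only reports at request time (KeyBitSize must match KeyAlgorithm, SubjectAltNames.TypeName must be one of the five listed values, Roles must be braced GUIDs, and the Headers section requires Content-Type and a bearer token). The following is an added example, not Venafi's or HashiCorp's own client code, that validates a request body against the rules documented on this page, assembles the PUT with the required headers without sending it, and reads the CreatePkiResponse. The base URL, token and the key-size and SAN tables are taken from this page or are constructed placeholders; the function and variable names are the example's own.

```python
"""Build, validate and interpret a PUT PKI/HashiCorp/CA/{guid} call.

Added example (not Venafi's own client code). It assumes the parameter
names and allowed values are exactly those documented for this endpoint;
the URL, token and GUID values used below are constructed placeholders.
"""
import json
import re
import urllib.request

# Allowed KeyBitSize values per KeyAlgorithm, as documented on this page.
KEY_SIZES = {"RSA": {2048, 4096}, "EC": {256, 384, 521}}
# Allowed SubjectAltNames.TypeName values, as documented on this page.
SAN_TYPES = {"DNS", "RFC822", "UPN", "URI", "IP"}
# Trust Protection Platform GUIDs appear as braced "{8-4-4-4-12}" hex strings.
GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")


def validate_body(body: dict) -> list:
    """Return a list of problems found in an update body (empty list = ok)."""
    problems = []
    alg = body.get("KeyAlgorithm")
    size = body.get("KeyBitSize")
    if alg is not None and alg not in KEY_SIZES:
        problems.append(f"KeyAlgorithm must be RSA or EC, got {alg!r}")
    if size is not None:
        # RSA is the documented default when KeyAlgorithm is omitted.
        effective_alg = alg or "RSA"
        if effective_alg in KEY_SIZES and size not in KEY_SIZES[effective_alg]:
            problems.append(f"KeyBitSize {size} is not valid for {effective_alg}")
    for san in (body.get("Certificate") or {}).get("SubjectAltNames", []):
        if san.get("TypeName") not in SAN_TYPES:
            problems.append(f"unknown SAN TypeName {san.get('TypeName')!r}")
        if not san.get("Name"):
            problems.append("SAN entry is missing Name")
    for role in body.get("Roles", []):
        if not isinstance(role, str) or not GUID_RE.match(role):
            problems.append(f"role {role!r} is not a braced GUID")
    return problems


def build_request(base_url: str, app_guid: str, token: str, body: dict) -> urllib.request.Request:
    """Assemble the PUT with the documented headers; the caller decides when to urlopen() it."""
    problems = validate_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    if not GUID_RE.match(app_guid):
        raise ValueError("application GUID must be a braced GUID (see GET PKI/HashiCorp/CA)")
    url = f"{base_url.rstrip('/')}/vedsdk/PKI/HashiCorp/CA/{app_guid}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def check_response(status: int, payload: bytes) -> str:
    """Return the Guid from a CreatePkiResponse, or raise with the server's Error text."""
    doc = json.loads(payload)
    if status != 200 or doc.get("Error"):
        raise RuntimeError(f"HTTP {status}: {doc.get('Error') or payload.decode()}")
    return doc["Guid"]


if __name__ == "__main__":
    # Constructed values: the body mirrors Example 1 on this page, plus a key
    # setting, so the validator has something to check.
    body = {
        "PkiPath": "pki-issuer",
        "KeyAlgorithm": "EC",
        "KeyBitSize": 384,
        "Roles": ["{9bdb1c2b-f472-4e15-bb88-8b3afad9990c}"],
    }
    req = build_request("https://tpp.venafi.example", "{355d7a99-3efe-496b-bec1-72f52dad9744}",
                        "4MyGeneratedBearerTknz==", body)
    print(req.get_method(), req.full_url)
    # Sending: urllib.request.urlopen(req) -> check_response(resp.status, resp.read())
```

Validating locally is worth the few lines because the HTTP 400 responses listed below do not say which parameter was rejected; a client-side check names the offending field before the call touches Trust Protection Platform.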
Returns

Response description

Name

Description

HTTP 400

For invalid requests, this method returns an error message for bad parameters, data, or syntax:

  • Can't find credential object.
  • Invalid permissions. You do not have permission to update object.
  • PKI configuration is not valid.
  • Type of Credential should be Password.

HTTP 200

For valid requests, this method returns an HTTP 200 message and the CreatePkiResponse object.

Example: Assign a different HashiCorp role

Request for Example 1

PUT https://tpp.venafi.example/vedsdk/PKI/HashiCorp/CA/{355d7a99-3efe-496b-bec1-72f52dad9744}
Authorization:Bearer 4MyGeneratedBearerTknz==
{
   "PkiPath":"pki-issuer",
   "Roles":[
      "{9bdb1c2b-f472-4e15-bb88-8b3afad9990c}"
   ]
}

Response Example 1

HTTP/1.1 200 OK
{
   "CertificateDN":null,
   "CertificateGuid":null,
   "Error":null,
   "Guid":"{a83477f6-ced1-449c-a557-31bb60331148}"
}