PUT PKI/HashiCorp/Role/{guid}

Updates Trust Protection Platform information about a HashiCorp role.

Requirements

  • Permissions: The caller must have Manage Policy permission to the Role policy object.
  • Token scope: Certificate:Manage

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

For additional information about HashiCorp roles, see https://www.vaultproject.io/api-docs/secret/pki/#createupdate-role.

Input parameters

Name

Description

{guid}

In the request URL, specify the GUID that uniquely identifies a HashiCorp role. To get the GUID, call POST Config/FindObjectsOfClass with these parameters:

  • Class:Policy.
  • ObjectDN: The parent folder to search.
  • Recursive: 1.
  • Pattern: The role name as the pattern. For example, Pattern:*role.

City

(Optional) The allowed City or Locality (L) that this role can use for CSRs.

Country

(Optional) The allowed Country (C) that this role can use for CSRs.

EnhancedKeyUsage

(Optional) An array of role capabilities:

  • client_flag: This role can generate CSRs for client certificates.
  • code_signing_flag: This role can generate CSRs for code signing certificates.
  • email_protection_flag: This role can generate CSRs for email protection certificates.
  • server_flag: This role can generate CSRs for server certificates.

KeyAlgorithm

(Optional) Required when the HashiCorp Vault CA is responsible for generating the key pair and CSR. Use in conjunction with KeyBitSize.

  • rsa: Default. RSA key.
  • ec: ECC (Elliptic Curve Cryptography) key.

KeyBitSize

(Optional) Required when the HashiCorp Vault CA is responsible for generating the key pair and CSR. Use in conjunction with KeyAlgorithm:

  • For rsa, specify 2048 or 4096 bits.
  • For ec, specify 256, 384, or 521. Use the value that corresponds to the National Institute of Standards and Technology (NIST) curve: P256, P384, or P521.

Organization

(Optional) The allowed Organization (O) that this role can use for CSRs.

OrganizationalUnits

(Optional) An array of allowed departments or divisions within the organization (OU) that this role can use for CSRs.

State

(Optional) The allowed State (ST) that this role can use to generate CSRs.

WhitelistedDomains

(Optional) This role only allows the Common Name (CN) and Domain Name System (DNS) SANs in CSRs to end with one of the domains from the array.

Returns

Response description

Name

Description

HTTP 400 on Error

Returns an Error message for bad parameters, data, or syntax.

  • Invalid permissions. You do not have permission to manage policy object.
  • Invalid permissions. You do not have Write permission to the object.

HTTP 200 on Success

For valid requests, this method returns an HTTP 200 message and the following message body:

  • Error: Null.
  • Guid: A GUID that uniquely identifies the updated role.

Example: Change the key algorithm and key bit strength for the HashiCorp role.

Request for Example

    PUT https://test.venafi.example/vedsdk/PKI/HashiCorp/Role/{1ec53de0-8773-45a5-862f-f5ea56df8be2}
    Content-Type:application/json
    Authorization:Bearer 4MyGeneratedBearerTknz==
    {
        "KeyAlgorithm":"EC",
        "KeyBitSize":"p256"
    }

Response for Example

    HTTP/1.1 200 OK
    {
         "Error": null,
         "Guid": "{1ec53de0-8773-45a5-862f-f5ea56df8be2}"
    }
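
A client-side pre-flight check for this call, as an added example that is not part of the product documentation: it checks a role-update body against the parameter values listed above and builds the PUT request without sending it. The function names, the rule that KeyAlgorithm and KeyBitSize travel together, and the "too broad" domain rule are assumptions made for this example.

```python
import json
import urllib.request
import uuid

# Allowed values, taken from the parameter descriptions on this page.
KEY_SIZES = {"rsa": {"2048", "4096"}, "ec": {"256", "384", "521"}}
EKU_FLAGS = {"client_flag", "code_signing_flag",
             "email_protection_flag", "server_flag"}

def validate_role_update(body):
    """Return a list of problems in a role-update body; empty means OK."""
    problems = []
    # Assumed rule: the two key parameters are only meaningful as a pair.
    if ("KeyAlgorithm" in body) != ("KeyBitSize" in body):
        problems.append("KeyAlgorithm and KeyBitSize must be sent together")
    elif "KeyAlgorithm" in body:
        # The page's own example sends "EC"/"p256", so compare
        # case-insensitively and accept a leading "p" on curve sizes.
        alg = str(body["KeyAlgorithm"]).lower()
        size = str(body["KeyBitSize"]).lower()
        if alg == "ec":
            size = size.lstrip("p")
        if alg not in KEY_SIZES:
            problems.append(f"unsupported KeyAlgorithm: {alg}")
        elif size not in KEY_SIZES[alg]:
            problems.append(f"KeyBitSize {size} is not valid for {alg}")
    for flag in body.get("EnhancedKeyUsage", []):
        if flag not in EKU_FLAGS:
            problems.append(f"unknown EnhancedKeyUsage flag: {flag}")
    # Assumed local policy: the role matches names by suffix, so an entry
    # with fewer than two labels (such as "com") allows almost any name.
    for domain in body.get("WhitelistedDomains", []):
        labels = domain.strip(".").split(".")
        if len(labels) < 2 or "" in labels:
            problems.append(f"WhitelistedDomains entry too broad: {domain!r}")
    return problems

def build_role_update(base_url, guid, token, body):
    """Build (but do not send) the PUT request after validating the body."""
    problems = validate_role_update(body)
    if problems:
        raise ValueError("; ".join(problems))
    role_guid = "{%s}" % uuid.UUID(guid.strip("{}"))  # rejects malformed GUIDs
    return urllib.request.Request(
        f"{base_url}/vedsdk/PKI/HashiCorp/Role/{role_guid}",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
```

Pass the returned object to urllib.request.urlopen to send it; a ValueError means the body or GUID was rejected before any network call.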