---
layout: "api"
page_title: "KMIP - Secrets Engines - HTTP API"
sidebar_title: "KMIP <sup>ENTERPRISE</sup>"
sidebar_current: "api-http-secret-kmip"
description: |-
  This is the API documentation for the Vault KMIP secrets engine.
---

# KMIP Secrets Engine (API)

This is the API documentation for the Vault KMIP secrets engine. For general
information about the usage and operation of
the KMIP secrets engine, please see [these docs](/docs/secrets/kmip/index.html).

This documentation assumes the KMIP secrets engine is enabled at the `/kmip` path
in Vault. Since it is possible to mount secrets engines at any path, please
update your API calls accordingly.

## Write Config

| Method | Path           |
|:-------|:---------------|
| `POST` | `/kmip/config` |

This endpoint configures shared information for the secrets engine. After writing
to it the KMIP engine will generate a CA and start listening for KMIP requests.
If the server was already running and any non-client settings are changed, the
server will be restarted using the new settings.

### Parameters

- `listen_addrs` (`list: ["127.0.0.1:5696"] || string`) - Address and port the
  KMIP server should listen on. Can be given as a JSON list or a
  comma-separated string list. If multiple values are given, all will be
  listened on.

- `connection_timeout` (`int: 1 || string:"1s"`) - Duration in either an integer
  number of seconds (10) or an integer time unit (10s) within which connections
  must become ready.

- `server_hostnames` (`list: ["localhost"] || string`) - Hostnames to include in
  the server's TLS certificate as SAN DNS names. The first will be used as the
  common name (CN).

- `server_ips` (`list: [] || string`) - IPs to include in the server's TLS
  certificate as SAN IP addresses. Localhost (IPv4 and IPv6) will be automatically
  included.

- `tls_ca_key_type` (`string: "ec"`) - CA key type, `rsa` or `ec`.

- `tls_ca_key_bits` (`int: 521`) - CA key bits, valid values depend on key type.

- `tls_min_version` (`string: "tls12"`) - Minimum TLS version to accept.

- `default_tls_client_key_type` (`string: "ec"`) - Client certificate key type,
  `rsa` or `ec`.

- `default_tls_client_key_bits` (`int: 521`) - Client certificate key bits, valid
  values depend on key type.

- `default_tls_client_ttl` (`int: 86400 || string:"24h"`) - Client certificate
  TTL in either an integer number of seconds (10) or an integer time unit (10s).

### Sample Payload

```json
{
  "listen_addrs": "127.0.0.1:5696,192.168.1.2:9000",
  "connection_timeout": "1s",
  "server_hostnames": "myhostname1,myhostname2",
  "server_ips": "192.168.1.2",
  "tls_ca_key_type": "ec",
  "tls_ca_key_bits": 521,
  "tls_min_version": "tls11",
  "default_tls_client_key_type": "ec",
  "default_tls_client_key_bits": 224,
  "default_tls_client_ttl": 86400
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/kmip/config
```

## Read Config

| Method | Path           |
|:-------|:---------------|
| `GET`  | `/kmip/config` |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    https://127.0.0.1:8200/v1/kmip/config
```

### Sample Response

```json
{
  "data": {
    "listen_addrs": ["127.0.0.1:5696", "192.168.1.2:9000"],
    "connection_timeout": "1s",
    "server_hostnames": ["myhostname1", "myhostname2"],
    "server_ips": ["192.168.1.2"],
    "tls_ca_key_type": "ec",
    "tls_ca_key_bits": 521,
    "tls_min_version": "tls11",
    "default_tls_client_key_type": "ec",
    "default_tls_client_key_bits": 224,
    "default_tls_client_ttl": 86400
  }
}
```

## Read CA

| Method | Path       |
|:-------|:-----------|
| `GET`  | `/kmip/ca` |

Returns the CA certificates in PEM format. Returns an error if config has never
been written.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    https://127.0.0.1:8200/v1/kmip/ca
```

### Sample Response

```json
{
  "data": {
    "ca_pem": "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUApNsRil/dzQy3XT+yjZQEpcA49kwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MzIzM1oX\nDTI5MDYyMTE4MzMwM1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAGWJGwPjGGoXivBv\nLJwR+fIG3z6Ei06bhZgTaRW/U3eA5oivxubxOVZPe1BJGWCsIVNjxMZAN4Pswki7\nAHme9bdJAUbQw33tC1iAb0wjzIpoPv1+pdSk6wYZTCKzOYWCbsTb3SOIetpk7sQw\niM17agwIRK9qGvX3Q4PBfEKEpstAjoaJo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUKMwPpRxU2Uzydv21bc8ePfUpGFEw\nHwYDVR0jBBgwFoAUwrPrJc9EsU6kTWJ5hXkJV4PEq9swCgYIKoZIzj0EAwIDgYwA\nMIGIAkIBRCarRMer42Ni/fKQBTi+uFk+2sPyCxCYDWTfMFAusC51dC2F91mUL77R\nkHxauSkh5gcZVAch/dg/L0ewP0AZUBUCQgE1VqoBN9klFky7LHfl62p6PgprH7d1\nYCvYVbWdBNnEdrL2P9aKsuCewdqycZVJLmM36cHnOAEGg1yea8soQL0Ylw==\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIICKTCCAYugAwIBAgIUOBgW1GCH+n5gC6m8Ff5jq+5DmO8wCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4MzIzM1oX\nDTI5MDYyMTE4MzMwM1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA7vkbmKJR+SVBTJjAFnma0ynTIi64doZA\n5oOXIAExvOyyI2KBNfqXxgzt/51u9vvixQf3VX/1Jph+0fkIcIYUEmIBFAH7Th1X\n0EOOdmMHfN0YkXDEUUdKIZyQxgA7o3DF+JAVg1cdBV7S8jZyXik7pL+IFnlYdfvN\nUZcArUkMfKo1cZajZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBTCs+slz0SxTqRNYnmFeQlXg8Sr2zAfBgNVHSMEGDAWgBTC\ns+slz0SxTqRNYnmFeQlXg8Sr2zAKBggqhkjOPQQDAgOBiwAwgYcCQgGjKAC371/5\npxgYdLVBmVC6Aa+oOvwGfnich2YLSLbThySED7+fXl1BY43VU703ad6M34fStf6z\nwFZvVZVK188DCQJBJcSZ7YA3PjOre+epJHtAba+1CkAdbSAeGhBDgHdIEP1/FDvx\n+U2QYeVZ7kAVnkzPxa17V0yqjxDtQDTiOw/ZV5c=\n-----END CERTIFICATE-----"
  }
}
```

## Write scope

| Method | Path                 |
|:-------|:---------------------|
| `POST` | `/kmip/scope/:scope` |

Creates a new scope with the given name.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    https://127.0.0.1:8200/v1/kmip/scope/myscope
```

## List scopes

| Method | Path          |
|:-------|:--------------|
| `LIST` | `/kmip/scope` |

List existing scopes.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    https://127.0.0.1:8200/v1/kmip/scope
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "myscope"
    ]
  }
}
```

## Delete scope

| Method   | Path                 |
|:---------|:---------------------|
| `DELETE` | `/kmip/scope/:scope` |

Delete a scope by name.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `force` (`bool: false`) - Force scope deletion. If KMIP managed objects have
  been created within the scope this param must be provided or the deletion will
  fail. This value should be supplied as a query parameter, or as an argument in
  the CLI.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    "https://127.0.0.1:8200/v1/kmip/scope/myscope?force=false"
```

## Write role

| Method | Path                            |
|:-------|:--------------------------------|
| `POST` | `/kmip/scope/:scope/role/:role` |

Creates or updates a role.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.
- `operation_none` (`bool: false`) - Remove all permissions
  from this role. May not be specified with any other
  `operation_` params.
- `operation_all` (`bool: false`) - Grant all permissions
  to this role. May not be specified with any other
  `operation_` params.
- `operation_activate` (`bool: false`) - Grant permission to use the KMIP
  `Activate` operation.
- `operation_add_attribute` (`bool: false`) - Grant permission to use the KMIP
  `Add Attribute` operation.
- `operation_create` (`bool: false`) - Grant permission to use the KMIP
  `Create` operation.
- `operation_destroy` (`bool: false`) - Grant permission to use the KMIP
  `Destroy` operation.
- `operation_discover_versions` (`bool: false`) - Grant permission to use the KMIP
  `Discover Versions` operation.
- `operation_get` (`bool: false`) - Grant permission to use the KMIP
  `Get` operation.
- `operation_get_attributes` (`bool: false`) - Grant permission to use the KMIP
  `Get Attributes` operation.
- `operation_locate` (`bool: false`) - Grant permission to use the KMIP
  `Locate` operation.
- `operation_rekey` (`bool: false`) - Grant permission to use the KMIP
  `Rekey` operation.
- `operation_revoke` (`bool: false`) - Grant permission to use the KMIP
  `Revoke` operation.

### Sample Payload

```json
{
  "operation_activate": true,
  "operation_add_attribute": true,
  "operation_create": true,
  "operation_destroy": true,
  "operation_discover_versions": true,
  "operation_get": true,
  "operation_get_attributes": true,
  "operation_locate": true,
  "operation_rekey": true,
  "operation_revoke": true
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
```

## Read role

| Method | Path                            |
|:-------|:--------------------------------|
| `GET`  | `/kmip/scope/:scope/role/:role` |

Read a role.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
```

### Sample Response

```json
{
  "data": {
    "operation_activate": true,
    "operation_add_attribute": true,
    "operation_create": true,
    "operation_destroy": true,
    "operation_discover_versions": true,
    "operation_get": true,
    "operation_get_attributes": true,
    "operation_locate": true,
    "operation_rekey": true,
    "operation_revoke": true
  }
}
```

## List roles

| Method | Path                      |
|:-------|:--------------------------|
| `LIST` | `/kmip/scope/:scope/role` |

List roles within a scope.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    https://127.0.0.1:8200/v1/kmip/scope/myscope/role
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "myrole"
    ]
  }
}
```

## Delete role

| Method   | Path                            |
|:---------|:--------------------------------|
| `DELETE` | `/kmip/scope/:scope/role/:role` |

Delete a role by name.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole
```

## Generate credential

| Method | Path                                                |
|:-------|:----------------------------------------------------|
| `POST` | `/kmip/scope/:scope/role/:role/credential/generate` |

Create a new client certificate tied to the given role and scope.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.
- `format` (`string: "pem"`) - Format to return the certificate, private key,
  and CA chain in. One of `pem`, `pem_bundle`, or `der`.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/generate
```

### Sample Response

```json
{
  "data": {
    "ca_chain": [
      "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUKOGtsdXdMjjGni52EsaMQ7ozhCEwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4NTgyMVoX\nDTI5MDYyMTE4NTg1MVowKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEATHNhNvU0GMtzl6A\nPbNaCoF0jV3z09RCfLKEqMl/MXv/AlPcfiqCQeOWBwWHv76epPWkCCo+IlNq8ldQ\neVe52p6mABMvRjE6BZ/eLea27zImI6waK7nZ2hqx0npb8ivdbwmrgp0NQnv0sJ+o\nPeLa2vh9wDK1NJebmOv0yRAbCw2CH7Rbo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQU2naFRym+xfFvZm2TNRBXNf3MJSsw\nHwYDVR0jBBgwFoAUFrA/R807R0BnIt395KzaXdP4n00wCgYIKoZIzj0EAwIDgYwA\nMIGIAkIAkb8EdHCXgPpQsKYedMz4X2j5CFSVdZTWsPVw1XuSXIsIsc6018V4z9Kp\nkPacsHZTBR636y2toqRPDG4y9MLqFFkCQgCV1jEkiNhhKc+ZWuDjerdqNvLnCbe+\n7t4fiG9zQgWwh6IxL11cNyGVz9gS9af32DtuYf0xwFLOwLgn1RadC9Pd7Q==\n-----END CERTIFICATE-----",
      "-----BEGIN CERTIFICATE-----\nMIICKTCCAYugAwIBAgIUOcs4pXlp+UgGiUKfKlcxIE/woPEwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE4NTgyMVoX\nDTI5MDYyMTE4NTg1MVowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcst7uNwu77WtLDkbz4ILYDiQ3BgS++qU\nOoNKcKyvNe8YX6PtrdQWPTaxT4MZNHZvTv+BAQTQqGLKrstpkjXPh+sBn7V4trkT\nMCtxUjIGneURUXS4IC/KJEA60P7ep7MrGnJfG/N4m+Q/a6BuxKhdEavXtepniCMz\npHw4DCpW/9m2t16jZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBQWsD9HzTtHQGci3f3krNpd0/ifTTAfBgNVHSMEGDAWgBQW\nsD9HzTtHQGci3f3krNpd0/ifTTAKBggqhkjOPQQDAgOBiwAwgYcCQR7iNoA4nBV3\ndSn8nfafklFvHZxoKR1j3nn+56z4JHD6TNr//GNqQiqnM3P//Tce+E4KzEax4xRg\nhaLURgPLNBjOAkIAqW+1/+v9D0vXOU1WPc+/oFvhSjYnr5qqcTL7by5fsmMXzAIe\nLODXiODxdppXXnMZPCPZh6MGgUwEGYeCnaXopWc=\n-----END CERTIFICATE-----"
    ],
    "certificate": "-----BEGIN CERTIFICATE-----\nMIICOzCCAZygAwIBAgIUeOkn0HAdoh31nGkVKdafpCNuhFEwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x\nOTA2MjQxOTAwMDlaFw0xOTA2MjUxOTAwMzlaMCAxDjAMBgNVBAsTBWlsVjYzMQ4w\nDAYDVQQDEwUyRnlWTjCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAA0rIy0h2DL3\nzmTXVj2v22Kz0N1EUUATlRgBj1XBsBA1Pdd7CSZoefmh/u6Z8TjtRX9Z1aj9Bb/d\nJxS3zB4mguULAF4k7bLH1gKXMVC6NYjjk3mfxH5jG4QY8S8n6uyqzNgI5KRJ2Hyj\nm8549Nvq3rvs8yOVXPSOGzkJ5KdUmSvXicMQo2cwZTAOBgNVHQ8BAf8EBAMCA6gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFEuzruLILCil5Fp32ZjE4AhD\nU268MB8GA1UdIwQYMBaAFNp2hUcpvsXxb2ZtkzUQVzX9zCUrMAoGCCqGSM49BAMC\nA4GMADCBiAJCAeeuaIsgO9ro7opzZ9y9hSHkKB5WA5Qc7ePoSiKHNNbVvIJMkjRQ\nC9YtUMQNnQ8wE6D/9xvR+9OBIi7t16iHGPGbAkIA6WIG6HHRNUXnHPIiW8iy/04O\nfVqZgJHJEeyGQbwdaehs+Z5xOz6TA4Z3uZOAMnPcb+KDwchnQ8CJnmT/KnnT5D8=\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN EC PRIVATE KEY-----\nMIHcAgEBBEIBB4xDj9SUtb6Z466lVQIf3ucy21q5S2Fp9bzTQ0Ch5Vg2+DhUZUa1\nDjKvDdICY6hLPBFAwcOUFdDXr4kH/i8wuRWgBwYFK4EEACOhgYkDgYYABAANKyMt\nIdgy985k11Y9r9tis9DdRFFAE5UYAY9VwbAQNT3XewkmaHn5of7umfE47UV/WdWo\n/QW/3ScUt8weJoLlCwBeJO2yx9YClzFQujWI45N5n8R+YxuEGPEvJ+rsqszYCOSk\nSdh8o5vOePTb6t677PMjlVz0jhs5CeSnVJkr14nDEA==\n-----END EC PRIVATE KEY-----",
    "serial_number": "728181095563584845125173905844944137943705466376"
  }
}
```

## Lookup credential

| Method | Path                                              |
|:-------|:--------------------------------------------------|
| `GET`  | `/kmip/scope/:scope/role/:role/credential/lookup` |

Read a certificate by serial number. The private key cannot be obtained except
at generation time.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.
- `serial_number` (`string: <required>`) - Serial number of certificate to look up.
- `format` (`string: "pem"`) - Format to return the certificate, private key,
  and CA chain in.
  One of `pem`, `pem_bundle`, or `der`.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request GET \
    "https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/lookup?serial_number=728181095563584845125173905844944137943705466376"
```

### Sample Response

```json
{
  "data": {
    "ca_chain": [
      "-----BEGIN CERTIFICATE-----\nMIICNzCCAZigAwIBAgIUGptwpwpVvxlx3sBniJ7TRGD9gCkwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE5MDY0N1oX\nDTI5MDYyMTE5MDcxN1owKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu\ndGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEADO48mMu5V2PTbcg\nq0JPB5ReWwnUHhfFh/+XLP8ZM112JpOFutlcUYYZ23jAlvrlYZ+m1E0ASr0592ZM\n9CwIXy3zAJChPrV3tiofhINR5PPqCF42FcfNj4l7VN/XeYMN6dslX+O4dPn/DsbH\nZi7kWr5KSOR939ULFaRMYe3l2MxaYZ2do2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD\nVR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUPP7VJOGk3qR0qKqx3TLN1R8JDiQw\nHwYDVR0jBBgwFoAUBHr+hhaorPU2jIF35DTBDhL7uWowCgYIKoZIzj0EAwIDgYwA\nMIGIAkIA7G82rqLYb6bKrQZzhpNwvVIFOSocEJrUbP0E0D8dEeOmKs43C70P5e0s\nTrrpNAMEsK6vXWtM+QcrZZp+yyM6k3QCQgG8cxFIl8tgoMKWe0+cDeOoHtczopRy\nSk+Tt7DNNP9sfYK11g7w8xzbtW4ZuZKKoYRbxN+eQHn5c+8akMSt4h71Dg==\n-----END CERTIFICATE-----",
      "-----BEGIN CERTIFICATE-----\nMIICKDCCAYugAwIBAgIUWv6jrjNbsvdX43l4s10HaJkSxOMwCgYIKoZIzj0EAwIw\nHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYyNDE5MDY0N1oX\nDTI5MDYyMTE5MDcxN1owHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb\nMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAP6C8d9ZUalKBM1NdALtEMlv+dwFnK88F\n8bp7i6hV55vER45FtKKciQwWoA91FjfWTrDYPHb1X4OPZvcjQGnIJ1AAj+BSzEWr\neJXNo46RxLLl+cndiVDqlbJlhE9qVn9ueLHhPIPNSFZneY9cTj5+EOPyKiBCo4xB\ndTtVr29lLu/JwM2jZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/\nAgEKMB0GA1UdDgQWBBQEev6GFqis9TaMgXfkNMEOEvu5ajAfBgNVHSMEGDAWgBQE\nev6GFqis9TaMgXfkNMEOEvu5ajAKBggqhkjOPQQDAgOBigAwgYYCQUlJqNoWCz4H\npjMNphxD4A8lfWtIrajGUhSxE9+JWRzoPpEJSwVobvryU2SO5u0sfqxtcmX/sBjY\n12N5QVFfqpB3AkErsjg8eMkh+OMalmWxRYtTuZt+i4DPm1CKEVIkUT8ZBXYTIl9V\nG3TG8lmby/8e+YUwJEKVvOy6tVI8ExEoVslwKw==\n-----END CERTIFICATE-----"
    ],
    "certificate": "-----BEGIN CERTIFICATE-----\nMIICOjCCAZygAwIBAgIUf4zFBobFJMkSIvM7CfceSVfYNggwCgYIKoZIzj0EAwIw\nKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x\nOTA2MjQxOTA3MTBaFw0xOTA2MjUxOTA3NDBaMCAxDjAMBgNVBAsTBW5BcUswMQ4w\nDAYDVQQDEwU0Qjd2STCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAdxHrbr/EXUz\nzWCd9HMUDus6r/3QF1Y3u9dPD2UwM76J3aICmykkm7xoYpoyg4chBEDxBWh2YkGT\na4WFMoXBa+k1AZhdvlj8tjOUlYZrTCLB9FBPCGz3JB4f5cmbG5JVsQ8qnBPiyV3e\nU21cWM6mWlhZKHWIdBU2pj+eXW78K5LMu2sWo2cwZTAOBgNVHQ8BAf8EBAMCA6gw\nEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFAT0QZOpZCTMCz7F8+BvF2xs\nZSfkMB8GA1UdIwQYMBaAFDz+1SThpN6kdKiqsd0yzdUfCQ4kMAoGCCqGSM49BAMC\nA4GLADCBhwJBPxBV4DgPi5zihRnxu7zTNeqe/xlvrEt1uTff8QtW3JsigbBDHV+A\nxBe7vc8mL8VQPG7BFKvvxuQvOAeeQ+AR8ZoCQgDtbaWgLtfbzKvwlY48e6dLeBpK\nDu1DaZq+79EON2lhWQ+ULHblJc5cK0F6Ff5OC89aDnV1TWQDHeR91mZdYiWZZQ==\n-----END CERTIFICATE-----",
    "serial_number": "728181095563584845125173905844944137943705466376"
  }
}
```

## List credential serial numbers

| Method | Path                                       |
|:-------|:-------------------------------------------|
| `LIST` | `/kmip/scope/:scope/role/:role/credential` |

List the serial numbers of
all certificates within a role.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential
```

### Sample Response

```json
{
  "data": {
    "keys": [
      "728181095563584845125173905844944137943705466376"
    ]
  }
}
```

## Revoke credential

| Method | Path                                              |
|:-------|:--------------------------------------------------|
| `POST` | `/kmip/scope/:scope/role/:role/credential/revoke` |

Delete a certificate, thereby revoking it.

### Parameters

- `scope` (`string: <required>`) - Name of scope. This is part of the request URL.
- `role` (`string: <required>`) - Name of role. This is part of the request URL.
- `serial_number` (`string: ""`) - Serial number of certificate to revoke.
  Exactly one of `serial_number` or `certificate` must be provided.
- `certificate` (`string: ""`) - Certificate to revoke, in PEM format.
  Exactly one of `serial_number` or `certificate` must be provided.

### Sample Payload

```json
{
  "serial_number": "728181095563584845125173905844944137943705466376"
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/kmip/scope/myscope/role/myrole/credential/revoke
```
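
The parameter rules given under Write Config and Write role can be checked before a payload is posted. The following is an added example, not part of the Vault documentation or code base: it lints a config payload against the documented defaults and applies the `operation_all` / `operation_none` exclusivity rule to a role payload. The function names, the `MIN_BITS` policy floor and the full list of TLS version names are assumptions of the example.

```python
# Added example. TLS_ORDER and MIN_BITS are this example's assumptions, not Vault's.
TLS_ORDER = ["tls10", "tls11", "tls12", "tls13"]
MIN_BITS = {"ec": 256, "rsa": 2048}   # example policy floor per key type
DAY = 86400                            # documented default_tls_client_ttl
UNITS = {"s": 1, "m": 60, "h": 3600}


def as_list(value):
    """Accept a JSON list or a comma-separated string, as the endpoint does."""
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def as_seconds(value):
    """Accept integer seconds or a single-unit string such as "24h"."""
    text = str(value).strip()
    if text[-1:] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def check_config(cfg):
    findings = []
    tls = cfg.get("tls_min_version", "tls12")
    if tls not in TLS_ORDER:
        findings.append(f"tls_min_version: unknown value {tls!r}")
    elif TLS_ORDER.index(tls) < TLS_ORDER.index("tls12"):
        findings.append(f"tls_min_version: {tls} is below the default tls12")
    for addr in as_list(cfg.get("listen_addrs", ["127.0.0.1:5696"])):
        if addr.rsplit(":", 1)[0] in ("", "0.0.0.0", "[::]"):
            findings.append(f"listen_addrs: {addr} listens on every interface")
    for prefix in ("tls_ca", "default_tls_client"):
        ktype = cfg.get(f"{prefix}_key_type", "ec")
        bits = int(cfg.get(f"{prefix}_key_bits", 521))
        if bits < MIN_BITS.get(ktype, 0):
            findings.append(f"{prefix}_key_bits: {bits}-bit {ktype} key is below policy")
    if as_seconds(cfg.get("default_tls_client_ttl", DAY)) > DAY:
        findings.append("default_tls_client_ttl: longer than the 24h default")
    return findings


def check_role(payload):
    """operation_all / operation_none must be the only operation_ param present."""
    ops = [k for k in payload if k.startswith("operation_")]
    findings = [f"{b}: may not be specified with other operation_ params"
                for b in ("operation_all", "operation_none")
                if b in ops and len(ops) > 1]
    if payload.get("operation_all"):
        findings.append("operation_all: grants every operation; list only those needed")
    return findings


# The Write Config sample payload from this page, used as input.
PAGE_SAMPLE_CONFIG = {
    "listen_addrs": "127.0.0.1:5696,192.168.1.2:9000", "connection_timeout": "1s",
    "server_hostnames": "myhostname1,myhostname2", "server_ips": "192.168.1.2",
    "tls_ca_key_type": "ec", "tls_ca_key_bits": 521, "tls_min_version": "tls11",
    "default_tls_client_key_type": "ec", "default_tls_client_key_bits": 224,
    "default_tls_client_ttl": 86400,
}

if __name__ == "__main__":
    for finding in check_config(PAGE_SAMPLE_CONFIG):
        print(finding)
```

Run against the sample config payload, the lint reports the `tls11` minimum version and the 224-bit client key; the sample role payload, which lists individual operations, passes `check_role` cleanly.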