Get PKI Role
const url = 'https://example.com/vault/v1/workspaces/example/engines/qibdo/certificateAuthorities/example/roles/example';const options = {method: 'GET'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url https://example.com/vault/v1/workspaces/example/engines/qibdo/certificateAuthorities/example/roles/exampleReturns a PKI role’s metadata by ID.
Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”The workspace the role belongs to.
The CA the role is attached to.
The unique identifier of the role to retrieve.
Responses
Section titled “ Responses ”OK
QibdoPkiRole resource — a per-CA, workspace-scoped role that constrains
which certificates a caller may request from IssueQibdoCertificate. A
role is the certificate-issuance contract: every issuance is checked
against four dimensions before the engine is touched:
- allowed_domains: requested common_name + SANs must match
- max_ttl: requested ttl must not exceed
- allowed_key_types: requested key algorithm must be in the set
- allowed_extended_key_usages: requested EKUs must be in the set
Roles are projected to the vault via POST /v1/
object
The unique identifier of the PKI role (UUID).
The workspace this role belongs to (UUID, weak reference to taxonomy.workspaces).
The certificate authority this role is attached to (UUID).
(CA-unique) human-readable role name. Mirrored as the role name on the vault side. 3–64 chars, lowercase letters/digits/hyphen, neither leading nor trailing hyphen.
Allowed Common Name / SAN domain patterns. Accepts bare DNS labels and
a single leading-wildcard form (*.example.com). At most 64 entries,
each at most 253 chars.
Maximum total lifetime any certificate issued under this role may hold.
Allowed crypto algorithms / key sizes. Names must match the
CryptoAlgorithm enum (e.g., RSA_2048, EC_P256, ED25519).
At most 16 entries.
Allowed Extended Key Usages.
Timestamp when the row was created (server-managed).
Timestamp when the row was last modified (server-managed).
Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.
Example
{ "allowed_extended_key_usages": [ "EXTENDED_KEY_USAGE_UNSPECIFIED" ]}default
Section titled “default ”Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
object
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
object
The type of the serialized message.
Example generated
{ "code": 1, "message": "example", "details": [ { "@type": "example" } ]}