public static final class CertificateValidationContext.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder> implements CertificateValidationContextOrBuilder

[#next-free-field: 11]
Protobuf type envoy.api.v2.auth.CertificateValidationContext

| Modifier and Type | Method and Description |
|---|---|
| CertificateValidationContext.Builder | addAllMatchSubjectAltNames(Iterable<? extends StringMatcher> values) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | addAllVerifyCertificateHash(Iterable<String> values) An optional list of hex-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | addAllVerifyCertificateSpki(Iterable<String> values) An optional list of base64-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | addAllVerifySubjectAltName(Iterable<String> values) Deprecated. |
| CertificateValidationContext.Builder | addMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | addMatchSubjectAltNames(int index, StringMatcher value) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | addMatchSubjectAltNames(StringMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | addMatchSubjectAltNames(StringMatcher value) An optional list of Subject Alternative name matchers. |
| StringMatcher.Builder | addMatchSubjectAltNamesBuilder() An optional list of Subject Alternative name matchers. |
| StringMatcher.Builder | addMatchSubjectAltNamesBuilder(int index) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value) |
| CertificateValidationContext.Builder | addVerifyCertificateHash(String value) An optional list of hex-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | addVerifyCertificateHashBytes(com.google.protobuf.ByteString value) An optional list of hex-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | addVerifyCertificateSpki(String value) An optional list of base64-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value) An optional list of base64-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | addVerifySubjectAltName(String value) Deprecated. |
| CertificateValidationContext.Builder | addVerifySubjectAltNameBytes(com.google.protobuf.ByteString value) Deprecated. |
| CertificateValidationContext | build() |
| CertificateValidationContext | buildPartial() |
| CertificateValidationContext.Builder | clear() |
| CertificateValidationContext.Builder | clearAllowExpiredCertificate() If specified, Envoy will not reject expired certificates. |
| CertificateValidationContext.Builder | clearCrl() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| CertificateValidationContext.Builder | clearField(com.google.protobuf.Descriptors.FieldDescriptor field) |
| CertificateValidationContext.Builder | clearMatchSubjectAltNames() An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof) |
| CertificateValidationContext.Builder | clearRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| CertificateValidationContext.Builder | clearRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp. |
| CertificateValidationContext.Builder | clearTrustChainVerification() Certificate trust chain verification mode. |
| CertificateValidationContext.Builder | clearTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| CertificateValidationContext.Builder | clearVerifyCertificateHash() An optional list of hex-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | clearVerifyCertificateSpki() An optional list of base64-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | clearVerifySubjectAltName() Deprecated. |
| CertificateValidationContext.Builder | clone() |
| boolean | getAllowExpiredCertificate() If specified, Envoy will not reject expired certificates. |
| DataSource | getCrl() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| DataSource.Builder | getCrlBuilder() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| DataSourceOrBuilder | getCrlOrBuilder() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| CertificateValidationContext | getDefaultInstanceForType() |
| static com.google.protobuf.Descriptors.Descriptor | getDescriptor() |
| com.google.protobuf.Descriptors.Descriptor | getDescriptorForType() |
| StringMatcher | getMatchSubjectAltNames(int index) An optional list of Subject Alternative name matchers. |
| StringMatcher.Builder | getMatchSubjectAltNamesBuilder(int index) An optional list of Subject Alternative name matchers. |
| List<StringMatcher.Builder> | getMatchSubjectAltNamesBuilderList() An optional list of Subject Alternative name matchers. |
| int | getMatchSubjectAltNamesCount() An optional list of Subject Alternative name matchers. |
| List<StringMatcher> | getMatchSubjectAltNamesList() An optional list of Subject Alternative name matchers. |
| StringMatcherOrBuilder | getMatchSubjectAltNamesOrBuilder(int index) An optional list of Subject Alternative name matchers. |
| List<? extends StringMatcherOrBuilder> | getMatchSubjectAltNamesOrBuilderList() An optional list of Subject Alternative name matchers. |
| com.google.protobuf.BoolValue | getRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| com.google.protobuf.BoolValue.Builder | getRequireOcspStapleBuilder() [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| com.google.protobuf.BoolValueOrBuilder | getRequireOcspStapleOrBuilder() [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| com.google.protobuf.BoolValue | getRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp. |
| com.google.protobuf.BoolValue.Builder | getRequireSignedCertificateTimestampBuilder() [#not-implemented-hide:] Must present signed certificate time-stamp. |
| com.google.protobuf.BoolValueOrBuilder | getRequireSignedCertificateTimestampOrBuilder() [#not-implemented-hide:] Must present signed certificate time-stamp. |
| CertificateValidationContext.TrustChainVerification | getTrustChainVerification() Certificate trust chain verification mode. |
| int | getTrustChainVerificationValue() Certificate trust chain verification mode. |
| DataSource | getTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| DataSource.Builder | getTrustedCaBuilder() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| DataSourceOrBuilder | getTrustedCaOrBuilder() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| String | getVerifyCertificateHash(int index) An optional list of hex-encoded SHA-256 hashes. |
| com.google.protobuf.ByteString | getVerifyCertificateHashBytes(int index) An optional list of hex-encoded SHA-256 hashes. |
| int | getVerifyCertificateHashCount() An optional list of hex-encoded SHA-256 hashes. |
| com.google.protobuf.ProtocolStringList | getVerifyCertificateHashList() An optional list of hex-encoded SHA-256 hashes. |
| String | getVerifyCertificateSpki(int index) An optional list of base64-encoded SHA-256 hashes. |
| com.google.protobuf.ByteString | getVerifyCertificateSpkiBytes(int index) An optional list of base64-encoded SHA-256 hashes. |
| int | getVerifyCertificateSpkiCount() An optional list of base64-encoded SHA-256 hashes. |
| com.google.protobuf.ProtocolStringList | getVerifyCertificateSpkiList() An optional list of base64-encoded SHA-256 hashes. |
| String | getVerifySubjectAltName(int index) Deprecated. |
| com.google.protobuf.ByteString | getVerifySubjectAltNameBytes(int index) Deprecated. |
| int | getVerifySubjectAltNameCount() Deprecated. |
| com.google.protobuf.ProtocolStringList | getVerifySubjectAltNameList() Deprecated. |
| boolean | hasCrl() An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| boolean | hasRequireOcspStaple() [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| boolean | hasRequireSignedCertificateTimestamp() [#not-implemented-hide:] Must present signed certificate time-stamp. |
| boolean | hasTrustedCa() TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable | internalGetFieldAccessorTable() |
| boolean | isInitialized() |
| CertificateValidationContext.Builder | mergeCrl(DataSource value) An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| CertificateValidationContext.Builder | mergeFrom(CertificateValidationContext other) |
| CertificateValidationContext.Builder | mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
| CertificateValidationContext.Builder | mergeFrom(com.google.protobuf.Message other) |
| CertificateValidationContext.Builder | mergeRequireOcspStaple(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| CertificateValidationContext.Builder | mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present signed certificate time-stamp. |
| CertificateValidationContext.Builder | mergeTrustedCa(DataSource value) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| CertificateValidationContext.Builder | mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields) |
| CertificateValidationContext.Builder | removeMatchSubjectAltNames(int index) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | setAllowExpiredCertificate(boolean value) If specified, Envoy will not reject expired certificates. |
| CertificateValidationContext.Builder | setCrl(DataSource.Builder builderForValue) An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| CertificateValidationContext.Builder | setCrl(DataSource value) An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). |
| CertificateValidationContext.Builder | setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value) |
| CertificateValidationContext.Builder | setMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | setMatchSubjectAltNames(int index, StringMatcher value) An optional list of Subject Alternative name matchers. |
| CertificateValidationContext.Builder | setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value) |
| CertificateValidationContext.Builder | setRequireOcspStaple(com.google.protobuf.BoolValue.Builder builderForValue) [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| CertificateValidationContext.Builder | setRequireOcspStaple(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
| CertificateValidationContext.Builder | setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue) [#not-implemented-hide:] Must present signed certificate time-stamp. |
| CertificateValidationContext.Builder | setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value) [#not-implemented-hide:] Must present signed certificate time-stamp. |
| CertificateValidationContext.Builder | setTrustChainVerification(CertificateValidationContext.TrustChainVerification value) Certificate trust chain verification mode. |
| CertificateValidationContext.Builder | setTrustChainVerificationValue(int value) Certificate trust chain verification mode. |
| CertificateValidationContext.Builder | setTrustedCa(DataSource.Builder builderForValue) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| CertificateValidationContext.Builder | setTrustedCa(DataSource value) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). |
| CertificateValidationContext.Builder | setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields) |
| CertificateValidationContext.Builder | setVerifyCertificateHash(int index, String value) An optional list of hex-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | setVerifyCertificateSpki(int index, String value) An optional list of base64-encoded SHA-256 hashes. |
| CertificateValidationContext.Builder | setVerifySubjectAltName(int index, String value) Deprecated. |
Methods inherited from class com.google.protobuf.GeneratedMessageV3.Builder
getAllFields, getField, getFieldBuilder, getOneofFieldDescriptor, getParentForChildren, getRepeatedField, getRepeatedFieldBuilder, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, internalGetMutableMapField, isClean, markClean, newBuilderForField, onBuilt, onChanged, setUnknownFieldsProto3

Methods inherited from class com.google.protobuf.AbstractMessage.Builder
findInitializationErrors, getInitializationErrorString, internalMergeFrom, mergeDelimitedFrom, mergeDelimitedFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, mergeFrom, newUninitializedMessageException, toString

Methods inherited from class com.google.protobuf.AbstractMessageLite.Builder
addAll, addAll, mergeFrom, newUninitializedMessageException

Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Method Detail

public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Overrides: internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder clear()
Specified by: clear in interface com.google.protobuf.Message.Builder
Specified by: clear in interface com.google.protobuf.MessageLite.Builder
Overrides: clear in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
Specified by: getDescriptorForType in interface com.google.protobuf.Message.Builder
Specified by: getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
Overrides: getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext getDefaultInstanceForType()
Specified by: getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
Specified by: getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

public CertificateValidationContext build()
Specified by: build in interface com.google.protobuf.Message.Builder
Specified by: build in interface com.google.protobuf.MessageLite.Builder

public CertificateValidationContext buildPartial()
Specified by: buildPartial in interface com.google.protobuf.Message.Builder
Specified by: buildPartial in interface com.google.protobuf.MessageLite.Builder

public CertificateValidationContext.Builder clone()
Specified by: clone in interface com.google.protobuf.Message.Builder
Specified by: clone in interface com.google.protobuf.MessageLite.Builder
Overrides: clone in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
Specified by: setField in interface com.google.protobuf.Message.Builder
Overrides: setField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
Specified by: clearField in interface com.google.protobuf.Message.Builder
Overrides: clearField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
Specified by: clearOneof in interface com.google.protobuf.Message.Builder
Overrides: clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
Specified by: setRepeatedField in interface com.google.protobuf.Message.Builder
Overrides: setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
Specified by: addRepeatedField in interface com.google.protobuf.Message.Builder
Overrides: addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.Message other)
Specified by: mergeFrom in interface com.google.protobuf.Message.Builder
Overrides: mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder mergeFrom(CertificateValidationContext other)

public final boolean isInitialized()
Specified by: isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
Overrides: isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public CertificateValidationContext.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
Specified by: mergeFrom in interface com.google.protobuf.Message.Builder
Specified by: mergeFrom in interface com.google.protobuf.MessageLite.Builder
Overrides: mergeFrom in class com.google.protobuf.AbstractMessage.Builder<CertificateValidationContext.Builder>
Throws: IOException

public boolean hasTrustedCa()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;
Specified by: hasTrustedCa in interface CertificateValidationContextOrBuilder

public DataSource getTrustedCa()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;
Specified by: getTrustedCa in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setTrustedCa(DataSource value)
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public CertificateValidationContext.Builder setTrustedCa(DataSource.Builder builderForValue)
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public CertificateValidationContext.Builder mergeTrustedCa(DataSource value)
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public CertificateValidationContext.Builder clearTrustedCa()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public DataSource.Builder getTrustedCaBuilder()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;

public DataSourceOrBuilder getTrustedCaOrBuilder()
TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (:ref:`require_client_certificate <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`, :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`, :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or :ref:`match_subject_alt_names <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also specified. It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common system CA locations.
.envoy.api.v2.core.DataSource trusted_ca = 1;
Specified by: getTrustedCaOrBuilder in interface CertificateValidationContextOrBuilder

public com.google.protobuf.ProtocolStringList getVerifyCertificateSpkiList()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey \
     | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 -binary \
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
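The openssl pipeline above is one way to obtain the pin. As an added example (not part of this Javadoc or of the Envoy project's code), the Python below performs the same computation without openssl: it walks the DER structure of a certificate to locate the SubjectPublicKeyInfo, hashes it with SHA-256 and base64-encodes the digest, which is the value `verify_certificate_spki` expects. It also derives the hex fingerprint that `verify_certificate_hash` compares against (that field is the SHA-256 of the whole DER certificate, as Envoy documents for it; this excerpt only calls it "hex-encoded SHA-256 hashes") and applies the either-list acceptance rule described in the text. The certificate it runs on is constructed inline and is not a real certificate: its key and signature bytes are dummies, which is enough because the pin depends only on the SPKI bytes. The function names (`extract_spki_der`, `spki_pin`, `cert_fingerprint_hex`, `pin_accepted`, `build_constructed_cert`) are this example's own.

```python
"""Envoy-style certificate pins from a DER certificate, without openssl.

Added example; not Envoy project code. The sample certificate is constructed
inline with dummy key and signature bytes, so its printed pins are illustrative.
"""
import base64
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end).

    Rejects forms an X.509 certificate never uses (multi-byte tags, indefinite
    lengths) and anything running past the buffer, so truncated input raises.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte DER tags are not used in X.509")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER: value extends past end of buffer")
    return tag, pos, pos + length


def _elements(buf: bytes, start: int, end: int):
    """Yield (tag, element_start, value_start, value_end) for each TLV in a constructed type."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def extract_spki_der(cert_der: bytes) -> bytes:
    """Return the full DER SubjectPublicKeyInfo TLV from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, vstart, vend = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, _, tbs_start, tbs_end = next(_elements(cert_der, vstart, vend))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(_elements(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:  # [0] EXPLICIT version; absent in v1 certificates
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("tbsCertificate has too few fields")
    spki_tag, spki_start, _, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki_start:spki_end]


def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(DER SPKI)): the verify_certificate_spki value, as the openssl pipeline produces."""
    return base64.b64encode(hashlib.sha256(extract_spki_der(cert_der)).digest()).decode("ascii")


def cert_fingerprint_hex(cert_der: bytes) -> str:
    """hex(SHA-256(DER certificate)): the verify_certificate_hash value, lower-case without colons."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_accepted(cert_der: bytes, spki_pins, hash_pins) -> bool:
    """Pinning step only: with both lists configured, a match in either list accepts the certificate.

    Trust-chain, SAN and expiry checks are separate. Hex pins are normalised so
    'AB:CD:..' (openssl -fingerprint style) and 'abcd..' compare equal.
    """
    if not spki_pins and not hash_pins:
        return True  # both lists are optional; nothing configured means nothing to pin
    if spki_pin(cert_der) in set(spki_pins):
        return True
    return cert_fingerprint_hex(cert_der) in {h.replace(":", "").lower() for h in hash_pins}


def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to construct the sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_constructed_cert(serial: int = 1, version: int = 3):
    """Constructed sample shaped like an X.509 certificate; key and signature are dummy bytes.

    Returns (certificate_der, spki_der). Every serial reuses the same dummy SPKI,
    mimicking a certificate renewed on the same private key.
    """
    rsa_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))   # rsaEncryption
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" + bytes(range(1, 65))))                   # dummy key bits
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"example-client"))))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs_body = _tlv(0x02, bytes([serial])) + sig_alg + name + validity + name + spki
    if version == 3:
        tbs_body = _tlv(0xA0, _tlv(0x02, b"\x02")) + tbs_body
    cert = _tlv(0x30, _tlv(0x30, tbs_body) + sig_alg + _tlv(0x03, b"\x00" + bytes(32)))  # dummy signature
    return cert, spki


if __name__ == "__main__":
    cert, _ = build_constructed_cert()
    print("verify_certificate_spki value:", spki_pin(cert))
    print("verify_certificate_hash value:", cert_fingerprint_hex(cert))
```

Two certificates built with different serials but the same SPKI yield the same `spki_pin` and different `cert_fingerprint_hex`, which is the renewal property the attention note gives as the reason to prefer `verify_certificate_spki`. On a real certificate, `spki_pin` returns the same string as the openssl pipeline above.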
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
Specified by: getVerifyCertificateSpkiList in interface CertificateValidationContextOrBuilder

public int getVerifyCertificateSpkiCount()
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash

   $ openssl x509 -in path/to/client.crt -noout -pubkey \
     | openssl pkey -pubin -outform DER \
     | openssl dgst -sha256 -binary \
     | openssl enc -base64
   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }
Specified by: getVerifyCertificateSpkiCount in interface CertificateValidationContextOrBuilder

public String getVerifyCertificateSpki(int index)
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
can be generated with the following command:
.. code-block:: bash
$ openssl x509 -in path/to/client.crt -noout -pubkey
| openssl pkey -pubin -outform DER
| openssl dgst -sha256 -binary
| openssl enc -base64
NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching value from either of the lists will result in the certificate being accepted.
.. attention::
This option is preferred over :ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
because SPKI is tied to a private key, so it doesn't change when the certificate
is renewed using the same private key.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by: getVerifyCertificateSpki in interface CertificateValidationContextOrBuilder

public com.google.protobuf.ByteString getVerifyCertificateSpkiBytes(int index)

An optional list of base64-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateSpkiCount() above.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

Specified by: getVerifyCertificateSpkiBytes in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setVerifyCertificateSpki(int index, String value)

An optional list of base64-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateSpkiCount() above.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder addVerifyCertificateSpki(String value)

An optional list of base64-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateSpkiCount() above.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder addAllVerifyCertificateSpki(Iterable<String> values)

An optional list of base64-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateSpkiCount() above.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder clearVerifyCertificateSpki()

An optional list of base64-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateSpkiCount() above.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder addVerifyCertificateSpkiBytes(com.google.protobuf.ByteString value)

An optional list of base64-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateSpkiCount() above.
repeated string verify_certificate_spki = 3 [(.validate.rules) = { ... }

public com.google.protobuf.ProtocolStringList getVerifyCertificateHashList()

An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the
SHA-256 of the DER-encoded presented certificate matches one of the specified values.

A hex-encoded SHA-256 of the certificate can be generated with the following command:

.. code-block:: bash

    $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
    df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
can be generated with the following command:

.. code-block:: bash

    $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
    DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

Both of those formats are acceptable.

When both:
:ref:`verify_certificate_hash
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
:ref:`verify_certificate_spki
<envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
a hash matching a value from either list will result in the certificate being accepted.
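The two pin formats documented above (verify_certificate_spki and verify_certificate_hash), computed and checked in code. This is an added example, not Envoy's code or part of this Java package: a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate so that the base64 SHA-256 SPKI pin (what the openssl x509 | pkey | dgst | enc pipeline prints) and the hex SHA-256 certificate hash (plain or colon-separated) can be derived and compared the way the field documentation describes, with a match in either list accepting the certificate. The sample certificate is constructed inline around a made-up EC point, is unsigned, and exists only to exercise the parser; every function and constant name here is this example's own.

```python
import base64
import hashlib
# Illustrative code, not Envoy's: a minimal DER walker plus the two pin formats
# CertificateValidationContext accepts (verify_certificate_spki, verify_certificate_hash).

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length; long form when content >= 0x80 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content

def _der_read(buf: bytes, off: int):
    """Return (tag, value_start, value_end) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, pos = first, off + 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        pos = off + 2 + nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length

def der_children(tlv: bytes) -> list:
    """Split a constructed DER element into (tag, raw_child_tlv) pairs."""
    _, off, end = _der_read(tlv, 0)
    children = []
    while off < end:
        tag, _, child_end = _der_read(tlv, off)
        children.append((tag, tlv[off:child_end]))
        off = child_end
    return children

def extract_spki(cert_der: bytes) -> bytes:
    """Return the full DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tbs = der_children(cert_der)[0][1]          # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:          # explicit [0] version present (v2/v3)
        fields = fields[1:]
    tag, spki = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki

def spki_pin(cert_der: bytes) -> str:
    """verify_certificate_spki format: base64(SHA-256(DER SPKI)), the HPKP pin that the
    documented openssl x509 | pkey | dgst | enc pipeline prints."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def cert_hash_hex(cert_der: bytes) -> str:
    """verify_certificate_hash format: lowercase hex SHA-256 of the DER certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize_hash(value: str) -> str:
    """Accept both documented spellings: plain hex and the colon-separated fingerprint."""
    return value.strip().replace(":", "").lower()

def matches_pins(cert_der: bytes, verify_certificate_hash=(), verify_certificate_spki=()) -> bool:
    """Pin check as documented: a match in either list accepts the certificate. With both
    lists empty there is no pin to enforce and the check passes (trusted_ca etc. are separate)."""
    if not verify_certificate_hash and not verify_certificate_spki:
        return True
    if cert_hash_hex(cert_der) in {normalize_hash(h) for h in verify_certificate_hash}:
        return True
    return spki_pin(cert_der) in {p.strip() for p in verify_certificate_spki}

# Constructed sample input: an unsigned, v3-shaped certificate around a made-up P-256
# point. Not a real certificate or key; it exists only to exercise the code above.
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")        # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")         # 1.2.840.10045.3.1.7
OID_ECDSA_WITH_SHA256 = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2
_FAKE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))   # 0x04 || X || Y
SAMPLE_SPKI_DER = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, OID_EC_PUBLIC_KEY)
                                        + der_tlv(0x06, OID_PRIME256V1))
                          + der_tlv(0x03, b"\x00" + _FAKE_POINT))  # BIT STRING, 0 unused bits

def build_sample_cert(serial: bytes = b"\x01") -> bytes:
    """Wrap SAMPLE_SPKI_DER in a certificate skeleton; a new serial models a renewal."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_ECDSA_WITH_SHA256))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] EXPLICIT version v3
                  + der_tlv(0x02, serial)                        # serialNumber
                  + alg                                          # signature algorithm
                  + der_tlv(0x30, b"")                           # issuer (empty placeholder Name)
                  + validity
                  + der_tlv(0x30, b"")                           # subject (empty placeholder Name)
                  + SAMPLE_SPKI_DER)
    fake_signature = der_tlv(0x03, b"\x00" + bytes(8))           # placeholder, not a real signature
    return der_tlv(0x30, tbs + alg + fake_signature)

SAMPLE_CERT_DER = build_sample_cert()

if __name__ == "__main__":
    renewed = build_sample_cert(serial=b"\x02")                  # same key, new serial
    print("verify_certificate_spki:", spki_pin(SAMPLE_CERT_DER))
    print("verify_certificate_hash:", cert_hash_hex(SAMPLE_CERT_DER))
    print("SPKI pin unchanged after renewal:", spki_pin(renewed) == spki_pin(SAMPLE_CERT_DER))
    print("cert hash unchanged after renewal:", cert_hash_hex(renewed) == cert_hash_hex(SAMPLE_CERT_DER))
```

Rebuilding the sample with a different serial number but the same SPKI shows the attention note in practice: the SPKI pin is unchanged while the certificate hash changes, which is why pinning the SPKI survives a renewal with the same key while a verify_certificate_hash entry has to be rotated with every reissued certificate.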
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by: getVerifyCertificateHashList in interface CertificateValidationContextOrBuilder

public int getVerifyCertificateHashCount()

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by: getVerifyCertificateHashCount in interface CertificateValidationContextOrBuilder

public String getVerifyCertificateHash(int index)

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by: getVerifyCertificateHash in interface CertificateValidationContextOrBuilder

public com.google.protobuf.ByteString getVerifyCertificateHashBytes(int index)

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

Specified by: getVerifyCertificateHashBytes in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setVerifyCertificateHash(int index, String value)

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder addVerifyCertificateHash(String value)

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder addAllVerifyCertificateHash(Iterable<String> values)

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder clearVerifyCertificateHash()

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder addVerifyCertificateHashBytes(com.google.protobuf.ByteString value)

An optional list of hex-encoded SHA-256 hashes; see the field documentation under getVerifyCertificateHashList() above.
repeated string verify_certificate_hash = 2 [(.validate.rules) = { ... }

@Deprecated
public com.google.protobuf.ProtocolStringList getVerifySubjectAltNameList()

An optional list of Subject Alternative Names. If specified, Envoy will verify that the
Subject Alternative Name of the presented certificate matches one of the specified values.

.. attention::

    Subject Alternative Names are easily spoofable and verifying only them is insecure,
    therefore this option must be used together with :ref:`trusted_ca
    <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated string verify_subject_alt_name = 4 [deprecated = true];

Specified by: getVerifySubjectAltNameList in interface CertificateValidationContextOrBuilder

@Deprecated
public int getVerifySubjectAltNameCount()

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

Specified by: getVerifySubjectAltNameCount in interface CertificateValidationContextOrBuilder

@Deprecated
public String getVerifySubjectAltName(int index)

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

Specified by: getVerifySubjectAltName in interface CertificateValidationContextOrBuilder

@Deprecated
public com.google.protobuf.ByteString getVerifySubjectAltNameBytes(int index)

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

Specified by: getVerifySubjectAltNameBytes in interface CertificateValidationContextOrBuilder

@Deprecated
public CertificateValidationContext.Builder setVerifySubjectAltName(int index, String value)

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

@Deprecated
public CertificateValidationContext.Builder addVerifySubjectAltName(String value)

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

@Deprecated
public CertificateValidationContext.Builder addAllVerifySubjectAltName(Iterable<String> values)

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

@Deprecated
public CertificateValidationContext.Builder clearVerifySubjectAltName()

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

@Deprecated
public CertificateValidationContext.Builder addVerifySubjectAltNameBytes(com.google.protobuf.ByteString value)

An optional list of Subject Alternative Names; see the field documentation under getVerifySubjectAltNameList() above.
repeated string verify_subject_alt_name = 4 [deprecated = true];

public List<StringMatcher> getMatchSubjectAltNamesList()

An optional list of Subject Alternative name matchers. Envoy will verify that the
Subject Alternative Name of the presented certificate matches one of the specified matchers.

When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
For example, if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
it should be configured as shown below.

.. code-block:: yaml

    match_subject_alt_names:
      exact: "api.example.com"

.. attention::

    Subject Alternative Names are easily spoofable and verifying only them is insecure,
    therefore this option must be used together with :ref:`trusted_ca
    <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
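A model of the SAN decision described above, and of the attention note that both this field and the deprecated verify_subject_alt_name field carry, as an added example that is not Envoy's code. san_matches() applies a list of one-key dicts in the shape of envoy.type.matcher.StringMatcher (exact, prefix, suffix, regex) to a certificate's SAN list. Two points are this example's own assumptions rather than verified Envoy behaviour: an exact matcher is taken to be satisfied by a wildcard SAN that covers exactly one extra leftmost label (so "*.example.com" satisfies exact "api.example.com" but not "deep.api.example.com"), and regex matchers use Python's re module rather than Envoy's engine. config_problems() and peer_allowed() are hypothetical helpers that enforce the note: SAN matchers configured without trusted_ca are rejected, and with trusted_ca the chain check has to pass before any SAN is consulted. The SAN values and CA path used are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Illustrative model, not Envoy's code. Matchers are one-key dicts shaped like
# envoy.type.matcher.StringMatcher: {"exact": ...}, {"prefix": ...}, {"suffix": ...}, {"regex": ...}.
SUPPORTED_MATCHERS = {"exact", "prefix", "suffix", "regex"}

def dns_name_matches(san: str, name: str) -> bool:
    """Exact-matcher comparison of one DNS SAN against a configured name.

    Assumption of this example (not a verified Envoy rule): a wildcard SAN
    "*.example.com" covers exactly one extra leftmost label, so it satisfies
    exact "api.example.com" but not "deep.api.example.com" or "example.com".
    DNS names compare case-insensitively and a trailing dot is ignored."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san == name:
        return True
    if san.startswith("*."):
        head, _, tail = name.partition(".")
        return bool(head) and tail == san[2:]
    return False

def san_matches(cert_sans: Iterable[str], matchers: Iterable[Dict[str, str]]) -> bool:
    """True if any presented SAN satisfies any configured matcher (the documented
    'matches one of the specified matchers' rule)."""
    matchers = list(matchers)
    for san in cert_sans:
        for matcher in matchers:
            (kind, pattern), = matcher.items()
            if kind == "exact" and dns_name_matches(san, pattern):
                return True
            if kind == "prefix" and san.startswith(pattern):
                return True
            if kind == "suffix" and san.endswith(pattern):
                return True
            if kind == "regex" and re.fullmatch(pattern, san):  # Python re, not Envoy's engine
                return True
    return False

def config_problems(trusted_ca: Optional[str], match_subject_alt_names: List[Dict[str, str]]) -> List[str]:
    """Hypothetical lint for a CertificateValidationContext, enforcing the docs'
    attention note: a SAN is asserted by whoever issued the certificate, so matching
    it only means something once the chain has been verified against trusted_ca."""
    problems = []
    if match_subject_alt_names and not trusted_ca:
        problems.append("match_subject_alt_names is set but trusted_ca is not; "
                        "SAN matching alone does not authenticate the peer")
    for matcher in match_subject_alt_names:
        if len(matcher) != 1 or next(iter(matcher)) not in SUPPORTED_MATCHERS:
            problems.append(f"unsupported StringMatcher: {matcher!r}")
    return problems

def peer_allowed(trusted_ca: Optional[str], matchers: List[Dict[str, str]],
                 chain_verified: bool, cert_sans: List[str]) -> bool:
    """Combine the pieces: refuse a misconfigured context outright, require the chain
    check to have passed when trusted_ca is configured, then apply the SAN matchers."""
    if config_problems(trusted_ca, matchers):
        return False
    if trusted_ca and not chain_verified:
        return False
    return san_matches(cert_sans, matchers) if matchers else True

if __name__ == "__main__":
    # Constructed sample: a client certificate carrying a wildcard DNS SAN and a URI SAN.
    sans = ["*.example.com", "spiffe://example.org/ns/prod/sa/api"]
    print(san_matches(sans, [{"exact": "api.example.com"}]))        # True
    print(san_matches(sans, [{"exact": "deep.api.example.com"}]))   # False
    print(config_problems(None, [{"exact": "api.example.com"}]))    # one problem reported
```

The check in config_problems() is the kind of thing to run over generated xDS before it ships: a validation context that names SAN matchers but no trusted_ca still parses, and nothing at the protobuf level stops it.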
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

Specified by: getMatchSubjectAltNamesList in interface CertificateValidationContextOrBuilder

public int getMatchSubjectAltNamesCount()

An optional list of Subject Alternative name matchers; see the field documentation under getMatchSubjectAltNamesList() above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

Specified by: getMatchSubjectAltNamesCount in interface CertificateValidationContextOrBuilder

public StringMatcher getMatchSubjectAltNames(int index)

An optional list of Subject Alternative name matchers; see the field documentation under getMatchSubjectAltNamesList() above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

Specified by: getMatchSubjectAltNames in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher value)

An optional list of Subject Alternative name matchers; see the field documentation under getMatchSubjectAltNamesList() above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder setMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)

An optional list of Subject Alternative name matchers; see the field documentation under getMatchSubjectAltNamesList() above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher value)

An optional list of Subject Alternative name matchers; see the field documentation under getMatchSubjectAltNamesList() above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher value)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder addMatchSubjectAltNames(StringMatcher.Builder builderForValue)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder addMatchSubjectAltNames(int index, StringMatcher.Builder builderForValue)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder addAllMatchSubjectAltNames(Iterable<? extends StringMatcher> values)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder clearMatchSubjectAltNames()
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public CertificateValidationContext.Builder removeMatchSubjectAltNames(int index)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public StringMatcher.Builder getMatchSubjectAltNamesBuilder(int index)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public StringMatcherOrBuilder getMatchSubjectAltNamesOrBuilder(int index)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
Specified by: getMatchSubjectAltNamesOrBuilder in interface CertificateValidationContextOrBuilder

public List<? extends StringMatcherOrBuilder> getMatchSubjectAltNamesOrBuilderList()
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;
Specified by: getMatchSubjectAltNamesOrBuilderList in interface CertificateValidationContextOrBuilder

public StringMatcher.Builder addMatchSubjectAltNamesBuilder()
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public StringMatcher.Builder addMatchSubjectAltNamesBuilder(int index)
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public List<StringMatcher.Builder> getMatchSubjectAltNamesBuilderList()
An optional list of Subject Alternative name matchers; the field description is given under setMatchSubjectAltNames(int, StringMatcher) above.
repeated .envoy.type.matcher.StringMatcher match_subject_alt_names = 9;

public boolean hasRequireOcspStaple()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;
Specified by: hasRequireOcspStaple in interface CertificateValidationContextOrBuilder

public com.google.protobuf.BoolValue getRequireOcspStaple()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;
Specified by: getRequireOcspStaple in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setRequireOcspStaple(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public CertificateValidationContext.Builder setRequireOcspStaple(com.google.protobuf.BoolValue.Builder builderForValue)
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public CertificateValidationContext.Builder mergeRequireOcspStaple(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public CertificateValidationContext.Builder clearRequireOcspStaple()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public com.google.protobuf.BoolValue.Builder getRequireOcspStapleBuilder()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;

public com.google.protobuf.BoolValueOrBuilder getRequireOcspStapleOrBuilder()
[#not-implemented-hide:] Must present a signed time-stamped OCSP response.
.google.protobuf.BoolValue require_ocsp_staple = 5;
Specified by: getRequireOcspStapleOrBuilder in interface CertificateValidationContextOrBuilder

public boolean hasRequireSignedCertificateTimestamp()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
Specified by: hasRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder

public com.google.protobuf.BoolValue getRequireSignedCertificateTimestamp()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
Specified by: getRequireSignedCertificateTimestamp in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public CertificateValidationContext.Builder setRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue.Builder builderForValue)
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public CertificateValidationContext.Builder mergeRequireSignedCertificateTimestamp(com.google.protobuf.BoolValue value)
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public CertificateValidationContext.Builder clearRequireSignedCertificateTimestamp()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public com.google.protobuf.BoolValue.Builder getRequireSignedCertificateTimestampBuilder()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

public com.google.protobuf.BoolValueOrBuilder getRequireSignedCertificateTimestampOrBuilder()
[#not-implemented-hide:] Must present signed certificate time-stamp.
.google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
Specified by: getRequireSignedCertificateTimestampOrBuilder in interface CertificateValidationContextOrBuilder

public boolean hasCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;
Specified by: hasCrl in interface CertificateValidationContextOrBuilder

public DataSource getCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;
Specified by: getCrl in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setCrl(DataSource value)
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;

public CertificateValidationContext.Builder setCrl(DataSource.Builder builderForValue)
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;

public CertificateValidationContext.Builder mergeCrl(DataSource value)
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;

public CertificateValidationContext.Builder clearCrl()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;

public DataSource.Builder getCrlBuilder()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;

public DataSourceOrBuilder getCrlOrBuilder()
An optional `certificate revocation list <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
.envoy.api.v2.core.DataSource crl = 7;
Specified by: getCrlOrBuilder in interface CertificateValidationContextOrBuilder

public boolean getAllowExpiredCertificate()
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
Specified by: getAllowExpiredCertificate in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setAllowExpiredCertificate(boolean value)
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;

public CertificateValidationContext.Builder clearAllowExpiredCertificate()
If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;

public int getTrustChainVerificationValue()
Certificate trust chain verification mode.
.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
Specified by: getTrustChainVerificationValue in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setTrustChainVerificationValue(int value)
Certificate trust chain verification mode.
.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }

public CertificateValidationContext.TrustChainVerification getTrustChainVerification()
Certificate trust chain verification mode.
.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }
Specified by: getTrustChainVerification in interface CertificateValidationContextOrBuilder

public CertificateValidationContext.Builder setTrustChainVerification(CertificateValidationContext.TrustChainVerification value)
Certificate trust chain verification mode.
.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }

public CertificateValidationContext.Builder clearTrustChainVerification()
Certificate trust chain verification mode.
.envoy.api.v2.auth.CertificateValidationContext.TrustChainVerification trust_chain_verification = 10 [(.validate.rules) = { ... }

public final CertificateValidationContext.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
Specified by: setUnknownFields in interface com.google.protobuf.Message.Builder
Overrides: setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

public final CertificateValidationContext.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
Specified by: mergeUnknownFields in interface com.google.protobuf.Message.Builder
Overrides: mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<CertificateValidationContext.Builder>

Copyright © 2018–2021 The Envoy Project. All rights reserved.