otdfctl policy kas-registry create
create - Create a Key Access Server registration
Synopsis
otdfctl policy kas-registry create [flags]
Description
Public keys for a KAS can be stored in one of two forms, remote or cached, using the JSON structures described below.
Remote
The value passed to the --public-key-remote flag is the hosted location from which the public key for the registered KAS can be retrieved; it is stored under the remote key, for example https://kas.io/public_key
Cached
    {
      cached: {
        // One or more known public keys for the KAS
        keys: [
          {
            // x509 ASN.1 content in PEM envelope, usually
            pem: '<your PEM certificate>',
            // key identifier
            kid: '<your key id>',
            // key algorithm (see table below)
            alg: 1,
          },
        ],
      },
    }
The JSON value passed to the --public-keys flag stores the set of public keys for the KAS.
- The "pem" value should contain the entire certificate, e.g.
  -----BEGIN CERTIFICATE-----\nMIIB...5Q=\n-----END CERTIFICATE-----\n
- The "kid" value is a named key identifier, which is useful for key rotations.
- The "alg" value specifies the key algorithm:

    Key Algorithm | alg Value
    --------------|----------
    rsa:2048      | 1
    ec:secp256r1  | 5
Local
Deprecated.
For more information about registration of Key Access Servers, see the manual for kas-registry.
Options
-u, --uri <uri> - URI of the Key Access Server (required: true)
-c, --public-keys <public-keys> - One or more public keys saved for the KAS (required: false)
-r, --public-key-remote <public-key-remote> - Remote URI where the public key can be retrieved for the KAS (required: false)
-l, --label <label> - Optional metadata 'labels' in the format: key=value (required: false)
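The cached structure in the Description section and the flags listed under Options are easy to get subtly wrong by hand: a PEM that is missing its END line, a body that was truncated when pasted, a duplicated kid, or an alg value that is not in the table. The following is an added example, not part of otdfctl or of this manual page: a small Python helper that builds the --public-keys JSON from the page's structure, checks each pem is a complete envelope whose base64 body decodes to one well-formed DER SEQUENCE, maps the page's algorithm names to the alg numbers in the table, and assembles the argv for the command. The sample "certificate" is constructed here as a minimal DER SEQUENCE (not a real X.509 certificate) so the checks run offline; the rule that exactly one of --public-keys / --public-key-remote is given is an assumption drawn from the "either remote or cached" wording, not something the page states.

```python
"""Build and sanity-check the JSON for `otdfctl policy kas-registry create --public-keys`.

Added example; not otdfctl's own code. Mirrors the cached structure and the
alg table from the manual page. The DER check only validates the outer TLV
envelope; it does not parse or verify the certificate contents.
"""
import base64
import json
import re
import shlex
from typing import Optional

# "alg" values from the table on the manual page (only these two are listed).
KAS_KEY_ALG = {"rsa:2048": 1, "ec:secp256r1": 5}

_PEM_RE = re.compile(
    r"^-----BEGIN CERTIFICATE-----\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+)"
    r"-----END CERTIFICATE-----\r?\n?$"
)


def _der_length(buf: bytes) -> tuple:
    """Return (header_len, content_len) of the outer DER TLV in buf."""
    if len(buf) < 2 or buf[0] != 0x30:  # 0x30 = SEQUENCE tag
        raise ValueError("DER does not start with a SEQUENCE")
    first = buf[1]
    if first < 0x80:  # short-form length
        return 2, first
    n = first & 0x7F  # long-form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")


def check_pem_certificate(pem: str) -> int:
    """Verify the full PEM envelope and that the body is exactly one DER SEQUENCE.

    Returns the decoded DER length in bytes; raises ValueError otherwise.
    """
    m = _PEM_RE.match(pem)
    if not m:
        raise ValueError("pem must be the entire certificate, BEGIN line through END line")
    body = m.group("body").replace("\r", "").replace("\n", "")
    der = base64.b64decode(body, validate=True)
    hdr, content = _der_length(der)
    if hdr + content != len(der):
        raise ValueError("DER length does not match body size (truncated or extra data)")
    return len(der)


def build_cached_public_keys(keys: list) -> str:
    """keys: [{"pem": <PEM cert>, "kid": <key id>, "alg": "rsa:2048" | "ec:secp256r1"}, ...]

    Returns the compact JSON string to pass to --public-keys.
    """
    if not keys:
        raise ValueError("cached needs at least one key")
    out, seen = [], set()
    for k in keys:
        kid = k.get("kid", "")
        if not kid or kid in seen:  # kids must be present and unique for rotation to work
            raise ValueError(f"kid must be present and unique, got {kid!r}")
        seen.add(kid)
        if k["alg"] not in KAS_KEY_ALG:
            raise ValueError(f"unsupported alg {k['alg']!r}; known: {sorted(KAS_KEY_ALG)}")
        check_pem_certificate(k["pem"])
        out.append({"pem": k["pem"], "kid": kid, "alg": KAS_KEY_ALG[k["alg"]]})
    return json.dumps({"cached": {"keys": out}}, separators=(",", ":"))


def kas_registry_create_argv(uri: str, public_keys_json: Optional[str] = None,
                             public_key_remote: Optional[str] = None) -> list:
    """argv for `otdfctl policy kas-registry create` using the flags on the page.

    Assumption (not stated on the page): exactly one of cached / remote is given.
    """
    if (public_keys_json is None) == (public_key_remote is None):
        raise ValueError("supply exactly one of --public-keys or --public-key-remote")
    argv = ["otdfctl", "policy", "kas-registry", "create", "--uri", uri]
    if public_keys_json is not None:
        argv += ["--public-keys", public_keys_json]
    else:
        argv += ["--public-key-remote", public_key_remote]
    return argv


# Constructed sample: NOT a real certificate. A minimal DER SEQUENCE { INTEGER 5 }
# wrapped in a certificate PEM envelope, enough to exercise the envelope checks.
_FAKE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(_FAKE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pk = build_cached_public_keys([
        {"pem": SAMPLE_PEM, "kid": "r1", "alg": "rsa:2048"},
        {"pem": SAMPLE_PEM, "kid": "e1", "alg": "ec:secp256r1"},  # second key staged for rotation
    ])
    print(shlex.join(kas_registry_create_argv("https://kas.example.com", public_keys_json=pk)))
```

Replace SAMPLE_PEM with the real certificate PEM of each KAS key; the envelope check will then also catch a pasted certificate that lost its trailing bytes, because the DER length in the header no longer matches the body.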
Aliases
c, add, new