otdfctl policy kas-registry create

create - Create a Key Access Server registration

Synopsis

otdfctl policy kas-registry create [flags]

Description

Public keys can be stored as either remote or cached under the following JSON structure.

Remote

The value passed to the --public-key-remote flag is the hosted location from which the public key of the registered KAS can be retrieved; it is stored under the remote key, for example https://kas.io/public_key

Cached

{
  "cached": {
    // One or more known public keys for the KAS
    "keys": [
      {
        // x509 ASN.1 content in a PEM envelope, usually a certificate
        "pem": "<your PEM certificate>",
        // key identifier
        "kid": "<your key id>",
        // key algorithm (see table below)
        "alg": 1
      }
    ]
  }
}

The JSON value passed to the --public-keys flag stores the set of public keys for the KAS.

  1. The "pem" value should contain the entire certificate, including the envelope lines and newlines, e.g. -----BEGIN CERTIFICATE-----\nMIIB...5Q=\n-----END CERTIFICATE-----\n.

  2. The "kid" value is a named key identifier, which is useful for key rotations.

  3. The "alg" specifies the key algorithm:

Key Algorithm      alg Value
rsa:2048           1
ec:secp256r1       5
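As an added example (not part of the otdfctl documentation or code base), the helper below builds the cached --public-keys JSON from PEM text, a kid and an algorithm name using the table above, and checks a candidate document for the mistakes this page warns about: a truncated PEM envelope, a missing or duplicate kid, and an alg value outside the table. The PEM placeholder it uses is constructed and not a real certificate.

```python
import json

# alg values from the key-algorithm table on this page.
ALG_VALUES = {"rsa:2048": 1, "ec:secp256r1": 5}
VALID_ALGS = set(ALG_VALUES.values())

# Constructed placeholder, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...5Q=\n-----END CERTIFICATE-----\n"


def build_public_keys(entries):
    """Return the JSON string for --public-keys.

    entries: list of (pem_text, kid, algorithm_name) tuples, where
    algorithm_name is a key of ALG_VALUES (e.g. "rsa:2048").
    """
    keys = [{"pem": pem, "kid": kid, "alg": ALG_VALUES[alg]} for pem, kid, alg in entries]
    return json.dumps({"cached": {"keys": keys}})


def validate_public_keys(doc):
    """Return a list of problems found in a --public-keys JSON string (empty if OK)."""
    try:
        parsed = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    keys = parsed.get("cached", {}).get("keys") if isinstance(parsed, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["expected a non-empty cached.keys list"]
    problems, seen_kids = [], set()
    for i, key in enumerate(keys):
        if not isinstance(key, dict):
            problems.append(f"keys[{i}] is not an object")
            continue
        pem = key.get("pem", "")
        # The whole envelope must be present, not just the base64 body.
        if not (pem.startswith("-----BEGIN CERTIFICATE-----")
                and pem.rstrip().endswith("-----END CERTIFICATE-----")):
            problems.append(f"keys[{i}].pem is not a complete PEM certificate envelope")
        kid = key.get("kid")
        if not kid:
            problems.append(f"keys[{i}].kid is missing or empty")
        elif kid in seen_kids:
            problems.append(f"keys[{i}].kid duplicates an earlier kid; rotation needs distinct ids")
        seen_kids.add(kid)
        if key.get("alg") not in VALID_ALGS:
            problems.append(f"keys[{i}].alg must be one of {sorted(VALID_ALGS)}")
    return problems


if __name__ == "__main__":
    # Print a document suitable for: otdfctl policy kas-registry create -u <uri> -c "$(python3 this.py)"
    print(build_public_keys([(SAMPLE_PEM, "rsa-2024", "rsa:2048")]))
```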

Local

Deprecated.

For more information about registration of Key Access Servers, see the manual for kas-registry.

Options

-u, --uri <uri>
URI of the Key Access Server (required: true)
-c, --public-keys <public-keys>
One or more public keys saved for the KAS (required: false)
-r, --public-key-remote <public-key-remote>
Remote URI where the public key can be retrieved for the KAS (required: false)
-l, --label <label>
Optional metadata 'labels' in the format: key=value (required: false)

Aliases

c, add, new