Well, not quite PKI Made Easy, but definitely a bit more fun!
I’ve done all this work on OSX, but I believe the Linux setup should be very similar.
Vault 0.3 was the version used.
Containerize all the things
Last week I was tinkering with Docker and wanted to get Hashicorp Vault running on a container, this was mainly a plan to trick myself into learning more about Vault.
The Docker stuff went pretty well and you have available a public container to prove it, check it out at:
hashicorp-vault on a container
Regarding the plan, it worked flawlessly and I’ve got really interested in the application.
So, what’s Vault?
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Vault presents a unified API to access multiple backends: HSMs, AWS IAM, SQL databases, raw key/value, and more. (source)
I’m not going into depth about how the application works and all the features it provides, firstly because I just started playing with it and secondly the documentation does a very good job on that.
Instead I’ll talk about what I’ve learned regarding the PKI backend configuration and usage.
These are the points I’ll cover:
- Install Vault
- Configure Vault
- Generate a Root Certification Authority (CA) and Intermediate CA
- Create a PKI backend
- Configure the PKI backend
- Issue a couple of server certificates
- Issue a Certificate Revocation List (CRL) on Vault
- Revoke a certificate
- Vault using TLS
Create the following
Create and run the following setup script on the same path as the vault.conf file:
You now should have a running instance of Vault using the
Vault is protected by M-of-N so you’ll need to run the unseal command 3 times using a different key each time to open it.
The M of N feature provides a means by which organizations employing cryptographic modules for sensitive operations can enforce multi-person control over access to the cryptographic module. (source)
Export the Root Token
This will authenticate your vault client against the Vault server.
Check the current mount points
Mount the PKI backend
Get your hands on a CA certificate
You’ll need a CA for the next steps. Don’t have one?
Here you go (thank me later):
You should never use a Root CA to issue client/server certificates, if it’s compromised you’re screwed! Instead, generate an intermediate CA and if that one it’s compromised just revoke it and issue a new one, keeping the Root CA offline.
With your certificates generated, now build a certificate bundle with the Intermediate CA certificate and Intermediate CA key.
Configure the PKI backend
localhost.certs into a separated key and certificate files:
sheep.certs into a separated key and certificate files:
Test the CRL
This shouldn’t return any revoked certificates yet.
Revoking a certicate
To revoke a certificate you first need its Serial Number.
Test the CRL
You should see the revoked Serial Number.
Vault with TLS
This bit took me quite a while to figure out.
The documentation doesn’t mention how to do it. The Vault server doesn’t send the Intermediate CA certificate with the leaf certificate to the vault client, this way you can’t just trust the Root CA, you’ll need to trust the Intermediate one…
I even tried providing a ca_bundle with the Root CA certificate in it, but no luck. Then there was was the issue of finding out how to provide a truststore to the vault client…
Uncomment the lines
tls_*_file and comment out
If it doesn’t give you a TLS error, you’re golden! You can check the certificate the server is using and the chain if he sends it, with:
That’s it, that’s all
This blog post only scratches the surface of what Vault is capable of. I’m currently looking into High Availability and there’s still many other backends to try out, but I hope I’ve piqued your curiosity.
Big thanks to Hashicorp for releasing such amazing open source products.