PKI infrastructure using Hashicorp Vault

So today we will quickly go through setting up vault as our PKI backend. Capabilities of vault are much more to what is shown here as we are just touching several out of many more options from Hashicorp Vault.

Idea here will be to create root CA and then intermediate CA to provide our users/servers with certificates based on our needs. Since I already have been playing a bit with vault I prepared myself quick script. But before we go there we have a list of pre requisites need for all of this to work:

Vault server
exported VAULT_ADDR and VAULT_TOKEN
vault cli
httpie (https://github.com/jkbrzt/httpie)
jq (https://stedolan.github.io/jq/)

Building quickly vault server when you have a docker engine is easy as running

docker run -d --name vault -P --cap-add IPC_LOCK rafpe/docker-vault:latest server -dev-listen-address=0.0.0.0:8200 -dev

1	docker run -d --name vault -P --cap-add IPC_LOCK rafpe/docker-vault:latest server -dev-listen-address=0.0.0.0:8200 -dev

which will bring up our container. From there we need to grab token ID which we will use later for calls to our servers.

Export the values

export VAULT_ADDR="http://my-server-address:my-port"
export VAULT_TOKEN="my-token"

1 2	export VAULT_ADDR="http://my-server-address:my-port" export VAULT_TOKEN="my-token"

Once done you can grab my init script below

Be sure to modify URL for your vault server and off you go 🙂

To create certificate you need to create a role and then make a request for issuing one

vault write rafpe_intermediate/roles/rafpe-engineer lease_max="336h" lease="336h" key_type="rsa" key_bits="2048" allow_any_name=true

vault write rafpe_intermediate/issue/rafpe-engineer common_name="ninja.rafpe.engineer:rafpe" ttl=720h format=pem

vault write rafpe_intermediate/roles/rafpe-engineer lease_max="336h" lease="336h" key_type="rsa" key_bits="2048" allow_any_name=true

vault write rafpe_intermediate/issue/rafpe-engineer common_name="ninja.rafpe.engineer:rafpe" ttl=720h format=pem

This will get you started. And in one of next posts we will use this infra for our HAproxy

PKI infrastructure using Hashicorp Vault

Like this:

Related

rafpe

Posts by rafpe

openSSL pb7 certificate : unable to load certificate

Vi – remove all comments

Mysql – calculate InnoDB buffer pool

Serverless Okta JWT as AWS API Gateway Authorizer

Golang app to authenticate with AWS Cognito Pool

Comments by rafpe

.Net core JWT authentication using AWS Cognito User Pool

Gitlab – custom pre-receive hook

.Net core JWT authentication using AWS Cognito User Pool

.Net core JWT authentication using AWS Cognito User Pool

.Net core JWT authentication using AWS Cognito User Pool

Leave a Reply Cancel reply

PKI infrastructure using Hashicorp Vault

Share this:

Like this:

Related

PCEngines – APU Board and nct5104d gpio driver

Letsencrypt – simple renew in bash

rafpe

Posts by rafpe

openSSL pb7 certificate : unable to load certificate

Vi – remove all comments

Mysql – calculate InnoDB buffer pool

Serverless Okta JWT as AWS API Gateway Authorizer

Golang app to authenticate with AWS Cognito Pool

Comments by rafpe

.Net core JWT authentication using AWS Cognito User Pool

Gitlab – custom pre-receive hook

.Net core JWT authentication using AWS Cognito User Pool

.Net core JWT authentication using AWS Cognito User Pool

.Net core JWT authentication using AWS Cognito User Pool

Leave a Reply Cancel reply