Hashicorp Vault
Install Vault
$ sudo apt update && sudo apt install gpg
(This step only installs gpg, which is needed to verify the signing key of the HashiCorp apt repository; the remaining repository setup and Vault package install steps are not reproduced in these notes.)
config.hcl
ui = true
# Recommended when using Raft integrated storage (it mmaps its data files);
# disable swap on the host instead of relying on mlock.
disable_mlock = true
storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  # Lab only: a plaintext API bound to every interface. Tokens and the private
  # keys the PKI engine returns would cross the network unencrypted; set
  # tls_cert_file / tls_key_file and tls_disable = false before exposing this
  # beyond localhost.
  tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
Export both variables so the vault and terraform CLIs (child processes of your shell) can see them; VAULT_TOKEN is a token with rights to manage the PKI mounts, for example the root token from initializing this lab server:
$ export VAULT_ADDR=http://127.0.0.1:8200
$ export VAULT_TOKEN=<token>
Requirements

Certstrap
$ git clone https://github.com/square/certstrap
$ cd certstrap
$ go build

Terraform
$ sudo apt-get install terraform
💡 To use certstrap, change into the certstrap directory you just built and invoke it as ./certstrap; the commands below assume that working directory.
./certstrap init \
--organization "Test" \
--organizational-unit "Test Org" \
--country "US" \
--province "MD" \
--locality "Bethesda" \
--common-name "Testing Root" \
--path-length 2
Output:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Created out/Testing_Root.key (encrypted by passphrase)
Created out/Testing_Root.crt
Created out/Testing_Root.crl
Inspect the offline Root CA certificate with openssl to confirm it carries the subject given to certstrap init and that it is self-signed (subject and issuer identical):
Output:
subject= /C=US/ST=MD/L=Bethesda/O=Test/OU=Test Org/CN=Testing Root
issuer= /C=US/ST=MD/L=Bethesda/O=Test/OU=Test Org/CN=Testing Root
locals {
  default_3y_in_sec   = 94608000
  default_1y_in_sec   = 31536000
  default_10hr_in_sec = 36000   # referenced by the ICA2 mount's default lease TTL
  default_1hr_in_sec  = 3600
}
Create the test_org_ica1.tf file, which enables and configures the PKI secrets engine.
1. test_org_ica1.tf contains the code needed to enable a new PKI endpoint for ICA1 in Vault and to generate a Certificate Signing Request (CSR). The CSR will be signed by the offline Root CA in the next step.
2. Initialize Terraform (this downloads the required providers and initializes the backend), then apply:
$ terraform init
$ terraform apply
When prompted, enter yes to accept the plan and proceed with the Vault configuration.
vault_mount.test_org_v1_ica1_v1: Creating...
vault_mount.test_org_v1_ica1_v1: Creation complete after 0s [id=test-org/v1/ica1/v1]
vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica1_v1: Creating...
vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica1_v1: Creation complete after 0s [id=test-org/v1/ica1/v1/intermediate/g
Create a new csr folder.
$ mkdir csr
Get the ICA1 CSR from the Terraform state file and save it as csr/Test_Org_v1_ICA1_v1.csr, the path the certstrap sign command expects. The CSR is public data, but treat the state file itself as sensitive: it records everything the Vault provider created.
./certstrap sign \
--expires "3 year" \
--csr csr/Test_Org_v1_ICA1_v1.csr \
--cert out/Intermediate_CA1_v1.crt \
--intermediate \
--CA "Testing Root" \
"Intermediate CA1 v1" \
--path-length 2
Output:
Enter passphrase for CA key (empty for no passphrase):
Building intermediate
Created out/Intermediate_CA1_v1.crt from out/Intermediate_CA1_v1.csr signed by out/Testing_Root.key
Create the cacerts folder to store the CA chain files that will be set on the PKI endpoints in Vault.
$ mkdir cacerts
Append the offline Root CA certificate to the end of the ICA1 certificate to create the CA chain file under the cacerts folder (ICA1 first, root last). You will use this file to set the signed ICA1 certificate in Vault.
Update the Terraform code to set the signed cert for ICA1 in Vault, using the Vault provider's set-signed resource against the mount created above:
resource "vault_pki_secret_backend_intermediate_set_signed" "test_org_v1_ica1_v1" {
  backend     = vault_mount.test_org_v1_ica1_v1.path
  certificate = file("${path.module}/cacerts/test_org_v1_ica1_v1.crt")
}
$ terraform apply
Verify the ICA1 certificate and the chain that Vault now serves. These two endpoints are unauthenticated by design (they return only public material), so no token header is needed:
$ curl -s $VAULT_ADDR/v1/test-org/v1/ica1/v1/ca/pem | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
$ curl -s $VAULT_ADDR/v1/test-org/v1/ica1/v1/ca_chain | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
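The chain-building step (ICA1 certificate with the offline root appended) and the openssl inspection of Vault's /ca/pem and /ca_chain endpoints, reproduced as an added example that is not part of the original notes. It stands in for certstrap and Vault with plain openssl so it runs offline: it builds the same three-tier hierarchy (offline root, ICA1, a clientAuth leaf shaped like the certificate printed later in these notes), writes the bundle in the notes' order, counts its certificates with the same crl2pkcs7 trick, and then verifies the leaf the way a relying party would, including the two failure modes a practitioner should expect: a leaf presented with only the root and no intermediate, and a clientAuth-only certificate offered for server use. The working directory, key sizes, lifetimes and the pathlen:1 on ICA1 are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the same three-tier
# hierarchy (offline root -> ICA1 -> client leaf) with plain openssl in place
# of certstrap and Vault, write the chain bundle in the notes' order, verify it.
# Working directory, key sizes, lifetimes and pathlen:1 on ICA1 are assumed.
set -eu

# One openssl config for every request; -subj on the command line sets the DN.
write_pki_config() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE,pathlen:2
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ica]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Offline root (certstrap init), ICA1 CSR signed by the root (certstrap sign),
# and a client leaf signed by ICA1 (what a Vault role would issue).
make_test_pki() {
    dir=$1
    write_pki_config "$dir"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -config "$dir/pki.cnf" -extensions v3_root \
        -subj "/C=US/ST=MD/L=Bethesda/O=Test/OU=Test Org/CN=Testing Root" \
        -keyout "$dir/Testing_Root.key" -out "$dir/Testing_Root.crt" 2>/dev/null
    # In the real flow Vault generates this key pair and CSR and the private
    # key never leaves Vault; openssl stands in for it here.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
        -subj "/O=Test/OU=Test Org/CN=Intermediate CA1 v1" \
        -keyout "$dir/ica1.key" -out "$dir/Test_Org_v1_ICA1_v1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1095 -in "$dir/Test_Org_v1_ICA1_v1.csr" \
        -CA "$dir/Testing_Root.crt" -CAkey "$dir/Testing_Root.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_ica \
        -out "$dir/Intermediate_CA1_v1.crt" 2>/dev/null
    # Client cert shaped like the one printed in the notes (digitalSignature,
    # clientAuth); -days 1 is the shortest lifetime this interface accepts.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
        -subj "/C=US/ST=MD/L=Bethesda/CN=1.test.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/Intermediate_CA1_v1.crt" -CAkey "$dir/ica1.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_leaf -out "$dir/leaf.crt" 2>/dev/null
    # The bundle the notes hand to Vault: ICA1 first, offline root appended last.
    cat "$dir/Intermediate_CA1_v1.crt" "$dir/Testing_Root.crt" \
        > "$dir/test_org_v1_ica1_v1.crt"
}

# List every certificate in a PEM bundle the way the notes inspect Vault's
# /ca/pem and /ca_chain endpoints, and print how many were found.
count_chain_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | grep -c '^subject'
}

# Verify like a relying party. Returns 0 only if ICA1 chains to the root, the
# leaf chains through ICA1 (also with the bundle as trust store), the leaf is
# accepted for client auth but refused for server auth, and the leaf is NOT
# accepted against the root alone (a client given only the root, no chain).
verify_chain() {
    dir=$1
    root=$dir/Testing_Root.crt
    ica=$dir/Intermediate_CA1_v1.crt
    leaf=$dir/leaf.crt
    openssl verify -CAfile "$root" "$ica" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$root" -untrusted "$ica" "$leaf" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/test_org_v1_ica1_v1.crt" "$leaf" >/dev/null 2>&1 || return 1
    openssl verify -purpose sslclient -CAfile "$root" -untrusted "$ica" "$leaf" \
        >/dev/null 2>&1 || return 1
    if openssl verify -purpose sslserver -CAfile "$root" -untrusted "$ica" "$leaf" \
        >/dev/null 2>&1; then
        return 1    # a clientAuth-only cert must not pass as a server cert
    fi
    if openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1; then
        return 1    # missing intermediate must be an error, not a silent pass
    fi
    return 0
}

# Stand-alone run: build the lab PKI in a temp directory and report.
WORK=$(mktemp -d)
make_test_pki "$WORK"
if verify_chain "$WORK"; then
    echo "chain OK: $(count_chain_certs "$WORK/test_org_v1_ica1_v1.crt") certs in $WORK/test_org_v1_ica1_v1.crt"
else
    echo "chain verification FAILED in $WORK" >&2
    exit 1
fi
```

The bundle verifies the leaf as a trust store only because the root sits inside it. If a client uses the /ca_chain response as its CA file it is trusting a root by virtue of Vault having served it; distribute the offline root out of band and pass the bundle as -untrusted (or equivalent) instead.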
Apply Terraform changes for ICA2.
$ terraform apply
Verify that the Terraform output shows the new ICA2 certificate being set, then verify the ICA2 certificate in Vault:
$ curl -s $VAULT_ADDR/v1/test-org/v1/ica2/v1/ca/pem | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
$ curl -s $VAULT_ADDR/v1/test-org/v1/ica2/v1/ca_chain | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
$ curl -s $VAULT_ADDR/v1/test-org/v1/ica2/v1/ca/pem | openssl x509 -in /dev/stdin -noout -text | grep "X509v3 extensions" -A 13
$ terraform apply
Output example:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7f:79:7f:87:92:26:81:37:1c:64:de:40:14:44:19:5d:b3:e6:64:16
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MD, L=Bethesda, O=test, OU=test org, CN=Intermediate CA2 v1.1
Validity
Not Before: Sep 25 23:26:16 2021 GMT
Not After : Sep 26 00:26:45 2021 GMT
Subject: C=US, ST=MD, L=Bethesda, CN=1.test.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c2:9b:7c:91:55:da:70:5e:72:5e:3c:aa:20:9f:
2d:c7:3c:ed:4f:5e:a7:cf:50:3b:0b:e4:4f:df:69:
34:1a:40:0d:bf:1a:6c:53:1f:f2:0d:3a:4a:83:3f:
47:16:8e:88:4c:a9:bc:be:20:22:04:c0:9b:76:52:
b1:96:a8:8e:0f:4e:36:b8:aa:4f:da:3b:1b:3b:64:
34:c6:c8:e5:c2:2a:da:a1:e4:3c:0d:13:f3:e5:8c:
a4:b1:d5:37:11:d0:99:70:b0:37:5a:f1:4a:e9:5a:
e3:09:ba:db:d9:ee:59:a3:94:ee:b4:97:85:3b:a4:
0a:0d:31:c9:91:09:7e:66:de:01:10:fd:1e:dd:89:
b9:65:e9:9d:c6:aa:c6:11:b8:c4:eb:06:e6:c3:ac:
6c:b4:1b:65:e9:29:bb:c7:26:84:fb:52:0e:07:bd:
da:c2:37:5d:d2:21:4c:a9:7f:51:c4:61:03:bc:06:
a8:9e:18:0c:2b:8b:7b:9a:0d:30:d0:7e:2e:14:72:
6b:0b:55:c3:68:51:6c:3b:9d:87:46:0a:3d:7b:77:
a9:48:06:96:ed:af:2d:25:f4:28:eb:5b:13:ac:61:
22:8a:c8:a7:99:eb:d1:1c:41:3d:4b:e6:2e:16:f3:
56:7e:b6:38:ac:07:b1:66:4c:5f:f2:65:2c:36:1b:
91:1d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Key Identifier:
1B:A5:58:99:2E:0E:42:48:B3:8F:C4:D4:6D:E5:91:C2:5B:48:13:57
X509v3 Authority Key Identifier:
keyid:7A:AF:49:89:C6:BC:F1:5D:F4:A9:3A:79:66:CD:CA:E4:36:7E:78:64
End
ICA2 PKI mount (Terraform; the path matches the test-org/v1/ica2/v1 endpoint queried above):
resource "vault_mount" "test_org_v1_ica2_v1" {
  path                      = "test-org/v1/ica2/v1"
  type                      = "pki"
  description               = "PKI engine hosting intermediate CA2 v1 for cyberlab local"
  default_lease_ttl_seconds = local.default_10hr_in_sec
  max_lease_ttl_seconds     = local.default_1y_in_sec
}