crisidev / vault-ca

Licence: GPL-3.0 license
Set of scripts to create your own CA using hashicorp Vault


Vault CA


Set of tools to create your own CA and manage certificates using HashiCorp Vault.

Install

apt-get install libffi-dev libssl-dev
pip install vault-ca

Documentation

https://vault-ca.readthedocs.io/en/latest/index.html

How to

Initialize the Vault

Vault has to be initialized without TLS first and switched over afterwards: the CA that will issue Vault's own certificate does not exist yet. Once Vault is initialized and the CA is configured, fetch-ssl-cert can retrieve Vault's own certificate/key pair and TLS can be switched on.

The transcript below uses the Vault 0.7 CLI (vault init, vault unseal); on current releases the same steps are vault operator init and vault operator unseal. The unseal keys and root token it prints are throwaway values from a test instance. Treat real ones as master secrets; the root token in particular is what the whole CA setup below runs with.

Inside the example folder you can find two Vault server configurations for this purpose: vault.hcl.init (plain HTTP, used for the bootstrap) and vault.hcl.ssl (TLS, used once the CA exists).

❯❯❯ ~ vault server -config example/vault.hcl.init

❯❯❯ ~ export VAULT_ADDR="http://127.0.0.1:8200"

❯❯❯ ~ vault init
Unseal Key 1: SmMc4xXT2oq6d7uJSnMMnuRKLh7EighJUeH4Kh/28naG
Unseal Key 2: ovsPuWWd8dWVBqb+TPtqqQRjGPBNCor3rp1QLYYnhNZJ
Unseal Key 3: XuASk26YBqQo9+cvi17Me5o7PWsQwVlL2hM8G1bjOyIs
Unseal Key 4: NwhxHrkByuVfP4GURwDc/tZ1qPP6bVsmP2hUIQj+nvBN
Unseal Key 5: 0Kfq2jVlE2Db8Nj5mIXVhQTRONYz/0qZ1zm1BObUO4nx
Initial Root Token: 087efd94-3680-0ff4-25b7-a92177cd3c46

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.

Vault does not store the master key. Without at least 3 keys,
your vault will remain permanently sealed.

❯❯❯ ~ vault unseal SmMc4xXT2oq6d7uJSnMMnuRKLh7EighJUeH4Kh/28naG
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1
Unseal Nonce: 4ba54ac9-d60b-4078-05da-285ef05bf303
❯❯❯ ~ vault unseal ovsPuWWd8dWVBqb+TPtqqQRjGPBNCor3rp1QLYYnhNZJ
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 2
Unseal Nonce: 4ba54ac9-d60b-4078-05da-285ef05bf303
❯❯❯ ~ vault unseal XuASk26YBqQo9+cvi17Me5o7PWsQwVlL2hM8G1bjOyIs
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:

❯❯❯ ~ vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
Version: 0.7.2
Cluster Name: test-cluster
Cluster ID: 8f948916-8a3d-b220-f0b4-7c5bb74dc5a6

High-Availability Enabled: false

Initialize certificate authority

After initializing and unsealing the Vault, you need to create the certificate authority.

One of the scripts installed by vault-ca, create-vault-ca, does that for you. As the transcript below shows, it mounts a PKI backend at pki/<domain>, tunes the mount's maximum TTL, generates the root certificate, writes the issuing role (cert) and its policy, and creates the services and users token roles together with one token for each.

Default parameters:

  • The script creates a certificate authority valid for 5 years.
  • Certificates have a maximum TTL of 5 years and a default one of 30 days.
  • Authorization tokens have a maximum TTL of 5 years and a default one of 1 year.

All the parameters above can be configured through command line arguments. See create-vault-ca --help for details.

NOTE: set the --vault-token option to the Initial Root Token printed by vault init above.

❯❯❯ ~ create-vault-ca --domain=test.org --component=test --vault-addr="http://127.0.0.1:8200" --vault-token=087efd94-3680-0ff4-25b7-a92177cd3c46
Are you sure this script have not been already run on this vault? It can break / override configs [y|N] y
Successfully mounted 'pki' at 'pki/test.org'!
Successfully tuned mount 'pki/test.org'!
Key          	Value
---          	-----
certificate  	-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
expiration   	1652462700
issuing_ca   	-----BEGIN CERTIFICATE-----
MIIC9jCCAd6gAwIBAgIUKybrEs7kUvRSgepQuImxonoznCwwDQYJKoZIhvcNAQEL
BQAwEzERMA8GA1UEAxMIdGVzdC5vcmcwHhcNMTcwNTE0MTcyNDMwWhcNMjIwNTEz
MTcyNTAwWjATMREwDwYDVQQDEwh0ZXN0Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALeVV8zUKwhYJz0eVg+6rWfCPz+GdxxIXeiChULAU+zHWvDf
Jxye9JrcTdc/XUI0ZSw33F2JEjLkDasdchfL4ESRbUTdnJj1kYW6KEF9X3rhL/AM
hdX+EqUQ9yvXRlvcSyGObVD7ayRUcG2IDpCLRuFW5bkw+MxvSjyzIf6+W3bs5DVz
mFKqRv5Y3ycsuzc8CiDjxj/1LZWvBfqUFf8jePO0bzL3kw7uViZA4fJ23wPLqTyq
IRX52ODZFC3SeyF600lerCLGY4Bgol8YtZwjsx+MxpPnszlkitxT2wjAghfPTV0W
8BebQi4D+CN4A4C6joyGZrdagzsUF3LoeGoDFh8CAwEAAaNCMEAwDgYDVR0PAQH/
BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHovOm1ZHkAsmCGKn+u3
QmlCrriZMA0GCSqGSIb3DQEBCwUAA4IBAQBgDE//Tktbe16VSSrqP8MNYGtMG+jZ
PV2Ao7FCrgSPwjBQHPXR1fh+g4MMG4S9iI8QtXIz49/ZYXfXPU6LPq8W/zrIlf/g
7PODdOo/w7LA7CBHG6ceQtRXHuaMJvJ8EybTQ4vc7LK2FMdEZbBQQkQfnCunR8bz
oACVTooX2DkSPHCM24XSBsmMsHxImEYrjzsr0RyU+R9Tq+rdhjoEyUzQxklIecTq
8D1yfIrgIfYfT1qf6n2bEb+xIfk47v8yXlIUS3KLDadUtqybHIzsbSKEwiQse7rF
AOoUPGoZMSJAr52y0SW2QE8mJoGyX0HeqeX2ocrKw3WvwXF1oHpOB6Au
-----END CERTIFICATE-----
serial_number	2b:26:eb:12:ce:e4:52:f4:52:81:ea:50:b8:89:b1:a2:7a:33:9c:2c

Success! Data written to: pki/test.org/roles/cert
Policy 'pki/test.org/cert' written.
Success! Data written to: auth/token/roles/services
Success! Data written to: auth/token/roles/users

Generating services token (REMEMBER TO SAVE IT)
Key            	Value
---            	-----
token          	9a6b0ee1-c159-3710-dc3f-7641a5ef9222
token_accessor 	3730bbec-d8ae-eac0-cc26-c4fb6efa3e0a
token_duration 	8760h0m0s
token_renewable	true
token_policies 	[default pki/test.org/cert]

Have you saved the services token above? [y|N] y

Generating users token (REMEMBER TO SAVE IT)
Key            	Value
---            	-----
token          	3f2ebc35-1793-dc9e-f8da-f6dd6d081ca2
token_accessor 	7fcf4113-4918-54a1-d24c-8533b3b10e53
token_duration 	8760h0m0s
token_renewable	true
token_policies 	[default pki/test.org/cert]

Have you saved the users token above? [y|N] y

To boostrap the CA use "fetch-ssl-cert -c test -n <common_name> -t <services_token> -b -o <output_dir>"
To create / renew a certificate use "fetch-ssl-cert -c test -n <common_name> -t <services_token> -o <output_dir>"

From now on, you can use one of the two tokens created during the CA setup:

  • services: used by automated services to fetch certificate/key pairs.
  • users: used by humans to fetch certificate/key pairs.

Both tokens carry only the default and pki/test.org/cert policies, i.e. the right to call the issue endpoint of the cert role, but that is enough to obtain a certificate for any name the role allows, and they stay valid for a year (token_duration 8760h) and are renewable. Store them like a CA signing credential and, if one leaks, revoke it by its accessor (that is what the token_accessor above is for).
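What create-vault-ca does in the transcript above, expressed as the Vault API calls behind it. This is an added example, not the project's own code: the endpoint paths are Vault's documented sys/PKI/token API, while the policy body, the field values and the send(method, path, payload) transport are assumptions made for the example. The fake transport at the bottom lets it run offline; http_sender is the live one.

```python
"""Bootstrap a Vault PKI mount the way create-vault-ca does in the transcript above.

Added example, not vault-ca's own code. Request paths are Vault's documented
sys/PKI/token API (sys/policy is the 0.7-era name; newer releases also take
sys/policies/acl). The policy text, the field choices and the
send(method, path, payload) -> dict transport are assumptions for this example.
"""
import json
import urllib.request

HOURS_PER_YEAR = 8760


def ttl_hours(years):
    """Vault durations as hour strings: 5 years -> '43800h'."""
    return f"{years * HOURS_PER_YEAR}h"


def issue_policy(domain):
    """Least privilege for certificate consumers: the services/users tokens may
    only call the issue endpoint of the cert role, nothing else on the mount."""
    return (f'path "pki/{domain}/issue/cert" {{\n'
            f'  capabilities = ["create", "update"]\n'
            f'}}\n')


def bootstrap_plan(domain, ca_years=5, cert_max_years=5, cert_default_ttl="720h",
                   token_max_years=5):
    """Ordered (method, path, payload) calls that create the CA.

    Order matters: Vault caps every certificate TTL at the mount's max_lease_ttl,
    so the mount is tuned before the root is generated; a 5-year root asked of an
    untuned mount would silently come back shortened to the default maximum.
    """
    mount = f"pki/{domain}"
    policy = f"{mount}/cert"
    token_role = {"allowed_policies": policy, "renewable": True,
                  "explicit_max_ttl": ttl_hours(token_max_years)}
    return [
        ("POST", f"sys/mounts/{mount}", {"type": "pki"}),
        ("POST", f"sys/mounts/{mount}/tune",
         {"max_lease_ttl": ttl_hours(max(ca_years, cert_max_years))}),
        ("POST", f"{mount}/root/generate/internal",
         {"common_name": domain, "ttl": ttl_hours(ca_years)}),
        ("POST", f"{mount}/roles/cert",
         {"allowed_domains": domain, "allow_subdomains": True, "allow_ip_sans": True,
          "max_ttl": ttl_hours(cert_max_years), "ttl": cert_default_ttl}),
        ("PUT", f"sys/policy/{policy}", {"rules": issue_policy(domain)}),
        ("POST", "auth/token/roles/services", dict(token_role)),
        ("POST", "auth/token/roles/users", dict(token_role)),
    ]


def create_token(send, role, ttl="8760h"):
    """Mint a token from a token role (what the transcript prints as services/users)."""
    auth = send("POST", f"auth/token/create/{role}", {"ttl": ttl})["auth"]
    return {"token": auth["client_token"], "accessor": auth["accessor"],
            "policies": auth.get("policies", [])}


def http_sender(vault_addr, token):
    """Live transport: JSON over urllib with the X-Vault-Token header. Over https
    urllib's default context checks the server against the system trust store,
    which is why the CA gets installed with update-ca-certificates later on."""
    def send(method, path, payload):
        req = urllib.request.Request(
            f"{vault_addr.rstrip('/')}/v1/{path}", method=method,
            data=json.dumps(payload).encode(),
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}  # writes answer 204, no body
    return send


def fake_sender(log):
    """Offline stand-in for Vault: records every call, answers with canned auth."""
    def send(method, path, payload):
        log.append((method, path, payload))
        return {"auth": {"client_token": "fake-token", "accessor": "fake-accessor",
                         "policies": ["default", "pki/test.org/cert"]}}
    return send


def demo(domain="test.org"):
    """Run the full bootstrap against the fake transport and report what was sent."""
    log = []
    send = fake_sender(log)
    for method, path, payload in bootstrap_plan(domain):
        send(method, path, payload)
    services = create_token(send, "services")
    return {"calls": [path for _, path, _ in log], "services": services}


if __name__ == "__main__":
    for method, path, payload in bootstrap_plan("test.org"):
        print(method, path, json.dumps(payload))
```

Against a real server you would pass http_sender("http://127.0.0.1:8200", root_token) instead of the fake one, using the root token only for this bootstrap. The two things worth taking from the plan are the tune-before-generate ordering (the "Successfully tuned mount" line in the transcript is not cosmetic) and the policy: the tokens handed to services and people can issue certificates and nothing more.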

Secure Vault with TLS

Once the CA is set up, Vault itself needs its own certificate/key pair, and the CA certificate needs to be downloaded and installed into the system trust store.

This assumes a Debian-based system where update-ca-certificates is available.

NOTE: from now on the token used is services from above.

❯❯❯ fetch-ssl-cert -c test -n vault.test.org -d test.org -i 127.0.0.1 -t 9a6b0ee1-c159-3710-dc3f-7641a5ef9222 -b -A http://127.0.0.1:8200 -D
2017-05-14 18:52:58,443 __init__.py:44 DEBUG:vault address is `http://127.0.0.1:8200`
2017-05-14 18:52:58,443 __init__.py:174 DEBUG:request url is `http://127.0.0.1:8200/v1/pki/test.org/issue/cert`
2017-05-14 18:52:58,443 __init__.py:131 DEBUG:requesting new cert / key part for CA domain: `test.org`, component: `test`, common_name: `vault.test.org`, ip_sans: `127.0.0.1`, alt_names: `None`, ttl: `8760h`
2017-05-14 18:52:58,450 connectionpool.py:207 DEBUG:Starting new HTTP connection (1): 127.0.0.1
2017-05-14 18:52:58,590 connectionpool.py:395 DEBUG:http://127.0.0.1:8200 "PUT /v1/pki/test.org/issue/cert HTTP/1.1" 200 None
2017-05-14 18:52:58,591 __init__.py:59 DEBUG:directory `/usr/local/share/ca-certificates/test.org` already exists, skipping creation
2017-05-14 18:52:58,591 __init__.py:106 DEBUG:writing certificate for vault.test.org on /usr/local/share/ca-certificates/test.org/test-vault.test.org.pem
2017-05-14 18:52:58,591 __init__.py:109 DEBUG:writing private key for vault.test.org on /usr/local/share/ca-certificates/test.org/test-vault.test.org.key
2017-05-14 18:52:58,591 __init__.py:114 DEBUG:writing CA on /usr/local/share/ca-certificates/test.org/test.crt

Now that the certificate/key pair and the CA are saved on disk, the system certificate authorities need to be updated. update-ca-certificates only picks up *.crt files under /usr/local/share/ca-certificates, so only test.crt (the CA) is added to the trust store, which is why the output below reports exactly one certificate added; the leaf .pem and the private .key written next to it are ignored by it. That directory is normally world-readable, so check that the .key file is readable only by the user Vault runs as.

❯❯❯ update-ca-certificates --fresh
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

Stop Vault and restart it using the TLS configuration from the example directory, then repeat the unseal process.

❯❯❯ vault server -config example/vault.hcl.ssl

Vault now serves its API over TLS with a certificate issued by its own CA, and any client that trusts the system store (including fetch-ssl-cert pointed at an https address) will verify it. The root token used for the bootstrap is still valid at this point; once the services and users tokens are saved, either revoke it or keep it under the same protection as the unseal keys, since it can read and rewrite everything configured above.

NOTE: remember to register a local DNS entry for vault.test.org (the common name of the certificate issued above), or pass the Vault address explicitly with the -A command line option.

Fetch certificate/key pair

Let's fetch a certificate/key pair for a test domain.

fetch-ssl-cert -c test -n test.test.org -d test.org -t 9a6b0ee1-c159-3710-dc3f-7641a5ef9222 -A https://127.0.0.1:8200 -D
2017-05-14 18:52:58,443 __init__.py:44 DEBUG:vault address is `https://127.0.0.1:8200`
2017-05-14 18:52:58,443 __init__.py:174 DEBUG:request url is `https://127.0.0.1:8200/v1/pki/test.org/issue/cert`
2017-05-14 18:52:58,443 __init__.py:131 DEBUG:requesting new cert / key part for CA domain: `test.org`, component: `test`, common_name: `test.test.org`, ip_sans: `None`, alt_names: `None`, ttl: `8760h`
2017-05-14 18:52:58,450 connectionpool.py:207 DEBUG:Starting new HTTPS connection (1): 127.0.0.1
2017-05-14 18:52:58,590 connectionpool.py:395 DEBUG:https://127.0.0.1:8200 "PUT /v1/pki/test.org/issue/cert HTTP/1.1" 200 None
2017-05-14 18:52:58,591 __init__.py:59 DEBUG:directory `/usr/local/share/ca-certificates/test.org` already exists, skipping creation
2017-05-14 18:52:58,591 __init__.py:106 DEBUG:writing certificate for test.test.org on /usr/local/share/ca-certificates/test.org/test-test.test.org.pem
2017-05-14 18:52:58,591 __init__.py:109 DEBUG:writing private key for test.test.org on /usr/local/share/ca-certificates/test.org/test-test.test.org.key
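The client side of the two fetch-ssl-cert runs above (the bootstrap run with -b and the plain fetch), as an added example that is not the project's code. It builds the issue request the debug log shows (PUT /v1/pki/<domain>/issue/cert with common_name, ttl and the optional ip_sans/alt_names), checks the reply before writing anything, and lays the files out as the log does, with the private key created mode 0600 and written atomically. The send(method, path, payload) transport, the constructed reply and all helper names are assumptions; the CA expiration value it rejects is the one create-vault-ca printed above.

```python
"""Client side of fetch-ssl-cert: ask the PKI role for a bundle and store it.

Added example, not vault-ca's own code. The file layout mirrors the debug log
above (<base>/<domain>/<component>-<cn>.pem and .key, plus <component>.crt when
the CA is bootstrapped with -b). The send(method, path, payload) -> dict
transport, the constructed response and the helper names are assumptions.
"""
import os
import tempfile
import time

KEY_LABELS = ("RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY")


def issue_payload(common_name, ttl="8760h", ip_sans=(), alt_names=()):
    """Body for PUT /v1/pki/<domain>/issue/cert; Vault takes SANs comma-separated."""
    body = {"common_name": common_name, "ttl": ttl}
    if ip_sans:
        body["ip_sans"] = ",".join(ip_sans)
    if alt_names:
        body["alt_names"] = ",".join(alt_names)
    return body


def is_pem(text, labels):
    """True when text is a single PEM block whose BEGIN/END label is in labels."""
    lines = text.strip().splitlines()
    return len(lines) >= 3 and any(
        lines[0] == f"-----BEGIN {l}-----" and lines[-1] == f"-----END {l}-----"
        for l in labels)


def check_issue_response(data, now=None):
    """Refuse a malformed or already-expired bundle before anything touches disk."""
    for key in ("certificate", "private_key", "issuing_ca", "expiration"):
        if key not in data:
            raise ValueError(f"issue response missing {key}")
    for key in ("certificate", "issuing_ca"):
        if not is_pem(data[key], ("CERTIFICATE",)):
            raise ValueError(f"{key} is not a PEM certificate")
    if not is_pem(data["private_key"], KEY_LABELS):
        raise ValueError("private_key is not a PEM key")
    if data["expiration"] <= (time.time() if now is None else now):
        raise ValueError("certificate already expired")


def write_atomic(path, content, mode):
    """Temp file in the target dir, chmod, rename: no half-written key, never world-readable."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        os.fchmod(fd, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def store_bundle(base, domain, component, common_name, data, bootstrap=False):
    """Lay the files out as fetch-ssl-cert does; only the key is mode 0600."""
    outdir = os.path.join(base, domain)
    os.makedirs(outdir, mode=0o755, exist_ok=True)
    prefix = os.path.join(outdir, f"{component}-{common_name}")
    write_atomic(prefix + ".pem", data["certificate"], 0o644)
    write_atomic(prefix + ".key", data["private_key"], 0o600)
    written = {"cert": prefix + ".pem", "key": prefix + ".key"}
    if bootstrap:  # the .crt is the one file update-ca-certificates picks up
        written["ca"] = os.path.join(outdir, f"{component}.crt")
        write_atomic(written["ca"], data["issuing_ca"], 0o644)
    return written


def fetch_cert(send, domain, component, common_name, base, bootstrap=False, **opts):
    reply = send("PUT", f"pki/{domain}/issue/cert", issue_payload(common_name, **opts))
    check_issue_response(reply["data"])
    return store_bundle(base, domain, component, common_name, reply["data"], bootstrap)


def constructed_response(now):
    """Stand-in for Vault's reply; bodies are constructed placeholders, not key material."""
    def pem(label):
        return f"-----BEGIN {label}-----\nY29uc3RydWN0ZWQ=\n-----END {label}-----\n"
    return {"data": {"certificate": pem("CERTIFICATE"), "issuing_ca": pem("CERTIFICATE"),
                     "private_key": pem("RSA PRIVATE KEY"),
                     "expiration": int(now) + 8760 * 3600}}


def demo():
    """Fetch vault.test.org's bundle into a temp dir and exercise the guard rails."""
    sent = []

    def send(method, path, payload):
        sent.append((method, path, payload))
        return constructed_response(time.time())

    files = fetch_cert(send, "test.org", "test", "vault.test.org", tempfile.mkdtemp(),
                       bootstrap=True, ip_sans=["127.0.0.1"])
    modes = {k: os.stat(p).st_mode & 0o777 for k, p in files.items()}
    # A reply whose expiration is the 1652462700 printed by create-vault-ca above,
    # i.e. long past: it must be rejected instead of being written out.
    stale = constructed_response(1652462700 - 8760 * 3600)["data"]
    try:
        check_issue_response(stale)
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {"request": sent[0], "files": files, "modes": modes,
            "expired_rejected": expired_rejected}
```

Run demo() to see the request that went out, the three paths written and their modes. Two details matter in practice: the key file is created 0600 inside the world-readable CA directory before any bytes land in it, and a reply is validated (PEM envelopes, expiration) before it replaces the previous certificate, so a broken renewal cannot clobber a working one.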