GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → T-Systems-MMS → vault-ocsp

T-Systems-MMS / vault-ocsp

Licence: other
OCSP responder for Hashicorp Vault PKI

Programming Languages

go
31211 projects - #10 most used programming language

Labels

vaultpkiocsp

Projects that are alternatives of or similar to vault-ocsp

apple-ocsp-noiser
Privacy-Preserving Noise Machine for Apple Developer ID OCSP
Stars: ✭ 31 (-26.19%)
Mutual labels:  pki, ocsp
certgrinder
Certgrinder is a client/server system for getting LetsEncrypt certificates for your infrastructure. ACME challenges are handled by the Certgrinder server, making it possible to get certificates in highly isolated environments, since only an SSH connection to the Certgrinder server is needed.
Stars: ✭ 24 (-42.86%)
Mutual labels:  pki, ocsp
Vault Openvpn
Small wrapper utility to manage OpenVPN configuration combined with a Vault PKI
Stars: ✭ 112 (+166.67%)
Mutual labels:  vault, pki
certctl
A command line tool able to request certificate generation from Vault to write certificate files to the local filesystem.
Stars: ✭ 13 (-69.05%)
Mutual labels:  vault, pki
kubernetes-vault-example
Placeholder for training material related to TA usage of Vault for securing Kubernetes apps.
Stars: ✭ 16 (-61.9%)
Mutual labels:  vault
pico
A Git-driven task runner built to facilitate GitOps and Infrastructure-as-Code while securely passing secrets to tasks.
Stars: ✭ 51 (+21.43%)
Mutual labels:  vault
smtpdane
SMTP DANE testing tool
Stars: ✭ 15 (-64.29%)
Mutual labels:  ocsp
vault-creds
Sidecar container for requesting dynamic Vault database secrets
Stars: ✭ 85 (+102.38%)
Mutual labels:  vault
vault4s
Vault Client Library For Scala
Stars: ✭ 15 (-64.29%)
Mutual labels:  vault
k8s-vault-webhook
A k8s vault webhook is a Kubernetes webhook that can inject secrets into Kubernetes resources by connecting to multiple secret managers
Stars: ✭ 107 (+154.76%)
Mutual labels:  vault
ocaml-x509
X509 (RFC5280) handling in OCaml
Stars: ✭ 40 (-4.76%)
Mutual labels:  pki
tls-ca-manage
Multi-level Certificate Authority Management tool, front-end tool to OpenSSL, written in bash shell.
Stars: ✭ 19 (-54.76%)
Mutual labels:  ocsp
vault-token-helper-osx-keychain
An example @hashicorp Vault token helper for Mac OS X Keychain.
Stars: ✭ 64 (+52.38%)
Mutual labels:  vault
argocd-vault-plugin
An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
Stars: ✭ 404 (+861.9%)
Mutual labels:  vault
virgil-sdk-net
Virgil Core SDK allows developers to get up and running with Virgil Cards Service API quickly and add end-to-end security to their new or existing digital solutions to become HIPAA and GDPR compliant and more.
Stars: ✭ 16 (-61.9%)
Mutual labels:  pki
docker vault
Docker + Consul + Vault
Stars: ✭ 34 (-19.05%)
Mutual labels:  vault
breakglass
A command line tool to provide login credentials from Hashicorp Vault
Stars: ✭ 33 (-21.43%)
Mutual labels:  vault
s3backup
No more custom backup scripts please ...
Stars: ✭ 20 (-52.38%)
Mutual labels:  vault
vim-hcl
Syntax highlighting for HashiCorp Configuration Language (HCL)
Stars: ✭ 83 (+97.62%)
Mutual labels:  vault
super-duper-vault-train
🚄▼▼▼▼▼▼
Stars: ✭ 19 (-54.76%)
Mutual labels:  vault
View All Similar Projects ➔

Vault OCSP

Vault OCSP provides OCSP support for Hashicorp Vault PKI backends it uses Vault to retrieve a CA certificate at startup and the cert/{serial} API to fetch the revocation status of certificates. Responses for revoked certificates are cached in memory.

Vault OCSP is based on Hashicorp's Vault API and OCSP code from Cloudflare's PKI and TLS toolkit.

License

Vault OCSP is licensed under the Mozilla Public License 2.0.

The file vendor/github.com/cloudflare/cfssl/ocsp/responder.go is copied from Cloudflare's cfssl repository and is licensed under cfssl's BSD 2-clause "Simplified" License

Building Vault OCSP

git clone https://github.com/T-Systems-MMS/vault-ocsp.git
cd vault-ocsp
go get
go build -o vault-ocsp

Running Vault OCSP

Vault OCSP is helpful:

./vault-ocsp -help
Usage of ./vault-ocsp:
  -pkimount string
        vault PKI mount to use (default "pki")
  -responderCert string
        OCSP responder signing certificate file
  -responderKey string
        OCSP responder signing private key file
  -serverAddr string
        Server IP and Port to use (default ":8080")

Vault OCSP supports the same environment variables as the Vault command line interface. You will probably need to set VAULT_ADDR, VAULT_CACERT and VAULT_TOKEN to use it.

The command line arguments -responderCert and -responderKey are mandatory and should point to a PEM encoded X.509 certificate file and a corresponding PEM and PKCS#1 encoded RSA private key file.

The key can be generated using openssl rsa and the certificate should be signed by a CA that is trusted by the OCSP clients that will query the Vault OCSP instance.

Make Vault OCSP known to Vault

You can use the /pki/config/urls API to define Vault OCSP as OCSP responder. You should use an OCSP URL that will be reachable from your OCSP clients. If you want to make the OCSP responder available via https itself you will need a reverse proxy like nginx or Apache httpd in front of Vault OCSP.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].