Public Key Infrastructure, normally understood as a TLS CA and mechanisms related to issuing, signing, validating new certificates.
Can be done with vault using PKI engine mount.
Main components include:
A certificate consists of:
For example, with Vault and intermidiate CA configured, Terraform code for requesting a certificate would look like this:
resource "vault_pki_secret_backend_cert" "example-dot-com" {
issuer_ref = vault_pki_secret_backend_issuer.intermediate.issuer_ref
backend = vault_pki_secret_backend_role.intermediate_role.backend
name = vault_pki_secret_backend_role.intermediate_role.name
common_name = "test.example.com"
ttl = 3600
revoke = true
}A certificate is created after a Certificate Signing Request (CSR) is
fulfilled. CSR are submitted as .csr files.
.key - private keys for certs.crt - certificates.req - signing requests.inline - contain full certificate chain and can be
easily distributed.pem - Privacy Enchanced Mail, more
broad file extensions used for storing, among other things,
certificatesOn cli level, you can use easy-rsa or
openssl for more imperative approaches. Steps and
comparison:
easyrsa:
# dir init
easyrsa init-pki
# config
cat << END > vars
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "State"
set_var EASYRSA_REQ_CITY "City"
set_var EASYRSA_REQ_ORG "Your Organization"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "Your Organizational Unit"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
END
# gen CA
easyrsa build-caopenssl:
# gen key
openssl genrsa -aes256 -out CA.key 2048
# gen CA from key
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1024 -out myCA.crteasyrsa:
# gen CSR
easyrsa gen-req server nopass
# sign CSR
easyrsa sign-req server serveropenssl:
# gen key
openssl genrsa -out my-server.key 2048
# gen CSR
openssl req -new -key my-server.key -out my-server.csr
# gen CNF
echo "subjectAltName = DNS:yourdomain.local" > extfile.cnf
# sign CSR
openssl x509 -req -in my-server.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
-out my-server.crt -days 365 -extfile extfile.cnfopenssl:
# inspect cert
openssl x509 -in my-server.crt -text -noout
# verify against CA
openssl verify -CAfile myCA.crt my-server.crtnatsDon't forget to specify IP:127.0.0.1 SAN when creating
server certificate.
nats-server --tls --tlscert pki/issued/server.crt --tlskey pki/private/server.key \
--tlsverify --tlscacert pki/ca.crt &
nats server check connection --tlscert=pki/issued/client.crt \
--tlskey=pki/private/client.key --tlsca=pki/ca.crt
nats pub hello world --tlscert=pki/issued/client.crt \
--tlskey=pki/private/client.key --tlsca=pki/ca.crtYou can automate certificate generations with ansible's
community.crypto.x509_certificate.
- name: Generate a Self Signed OpenSSL certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
privatekey_path: /etc/ssl/private/ansible.com.pem
csr_path: /etc/ssl/csr/ansible.com.csr
provider: selfsigned
- name: Generate an OpenSSL certificate signed with your own CA certificate
community.crypto.x509_certificate:
path: /etc/ssl/crt/ansible.com.crt
csr_path: /etc/ssl/csr/ansible.com.csr
ownca_path: /etc/ssl/crt/ansible_CA.crt
ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem
provider: ownca