Use case: External CA, signed certificate #898
Comments
|
Hi @strarsis ,
The PKI backend is a secret backend designed for generation -- e.g. acting as a CA. It does not store certificates other than those that it has generated, and that is partially convenience and partially so it can build CRLs. Vault generally is designed for inter-organizational use with a common authn/authz paradigm. It is well suited for organizations that need TLS internally and either have no issue with or specifically want to control their own root certificate, and that want automated ways to issue tens or thousands or hundreds of thousands of certificates for their own purposes. Let's Encrypt is also a CA, but it's designed for very different use-cases (the public Internet) with very different authn/authz paradigms. As to your use-cases:
Vault doesn't offer this kind of key generation right now, although it may in the future. The
This could be stored in the
I don't think Vault will ever support this. Vault is designed to manage secrets; CSRs are not secrets, and accepting CSRs to then send to external CAs imposes a number of possible outcomes and error conditions that would need to be handled.
This can already be handled in the
For an externally-generated certificate stored in Vault, this is not possible. For a certificate generated within Vault, the expiration is returned along with the certificate, and can be used in alerting.
A server with appropriate permissions could retrieve any stored value in Vault, including a stored certificate.
This will not be supported, for the same reason that sending CSRs to external CAs will not be supported. |
|
Additional discussion here: https://groups.google.com/forum/#!forum/vault-tool |
Some thoughts are LE and possible use of vault in that process,
Pardon the partial confusion in the text.
The setup is a reverse HTTP proxy/LB with HTTP2/HTTPS support + SSL/TLS termination,
hence requiring signed certificate to work properly.
I try to figure out how vault can be used/fit in to improve security and maintainability.
With the existing vault PKI secret backend it seems that vault not only stores but also generates/transforms secrets, like signing certificates with the stored CA private key.
Now with certificates signed by external CAs:
The private key is generated on demand on the server and should ideally never leave the system.
Only its CSR leaves the system for signing the private key by an external CA (e.g. Let's Encrypt).
*Though for auditing it may be acceptable/useful re-using the same private key for new certificates.
Also the CSR can be stored for easier revocation/auditing.
One reason where it could make sense storing the signed ready to be used certificate in vault
would be the rate limit (Let's Encrypt) or cost (non-free CA solutions) of signing new private keys where they hadn't actually expired yet.
However, when the private key or signed certificate leaves the server anyway (to vault),
one could argue that vault could also handle the CSR to a third party CA, and revoking stored certs?
Would this unnecessarily expose vault to more public networks?
Additionally, those signed certificates will have a limited life period, vault could watch + act about it, like automatically renewing or sending a warning to audit that TLS/SSL cannot work anymore (and its associated services) because the certificate is now invalid.
There are non-ACME supporting CAs that require UI login/interaction and CAs like Let's Encrypt that require proof by currently serving a validation file by HTTP from the domain(s) the certificate should be used for.
Possible uses for vault:
What shouldn't be actually the responsibility of vault?
The text was updated successfully, but these errors were encountered: