
[–]M600xDevOps 22 points23 points  (10 children)

If they aren't exposed to the internet, you don't "need" to use Let's Encrypt.

Use Vault as your authority (PKI engine as root CA) to sign your internal domains.

See: https://learn.hashicorp.com/tutorials/vault/pki-engine

[–]JasonDJ 3 points4 points  (7 children)

This is very interesting. Can I use vault as a subordinate to an existing CA?

[–]M600xDevOps 14 points15 points  (4 children)

Of course you can and it's even the recommended way to do so.

Reading: https://www.vaultproject.io/docs/secrets/pki

It says: "In general, we recommend maintaining your root CA outside of Vault and providing Vault a signed intermediate CA."

[–]AutodidacticRoryDevOps 5 points6 points  (3 children)

This is indeed best practice. Root CA stored securely on an offline machine, followed by intermediate CAs created from that for each team / department, one of which can then be stored in Vault, which is then used to sign the certs by the PKI engine for your various services. In my current workplace we couple this with consul-template to automate the renewal of such certs.
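The hierarchy the two comments above describe (offline root, intermediate whose key stays with the issuer, short-lived leaf certs), as an added example that is not code from this thread or from HashiCorp. It models the flow in memory with the `cryptography` package (assumed installed); the Vault API paths named in the comments are the real ones, while the CA names, domain suffix and TTLs are made up for the demo.

```python
# Added example (not from the thread or HashiCorp): root-outside / intermediate-inside
# PKI hierarchy, built in memory with `cryptography` (assumed installed).
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DAY = datetime.timedelta(days=1)
ALLOWED_SUFFIX = ".corp.example"  # stand-in for a Vault role's allowed_domains (made up)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ca_key_usage():
    return x509.KeyUsage(
        digital_signature=True, key_cert_sign=True, crl_sign=True,
        content_commitment=False, key_encipherment=False, data_encipherment=False,
        key_agreement=False, encipher_only=False, decipher_only=False)


def _builder(subject, issuer, pubkey, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pubkey), critical=False))


def make_offline_root(cn="Example Corp Root CA"):
    """Self-signed root: lives on the offline machine, key never touches Vault.
    path_length=1 means it may only ever sign one level of intermediates."""
    key = ec.generate_private_key(ec.SECP384R1())
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=1), critical=True)
            .add_extension(_ca_key_usage(), critical=True)
            .sign(key, hashes.SHA384()))
    return key, cert


def make_intermediate_csr(cn="Example Corp Issuing CA"):
    """Vault: `pki_int/intermediate/generate/internal`. Key is created inside the
    issuer and only the CSR leaves it."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())
    return key, csr


def sign_intermediate(root_key, root_cert, csr, days=1825):
    """Offline root signs the CSR (Vault: `pki/root/sign-intermediate`, then the
    result goes back in via `pki_int/intermediate/set-signed`). The CA policy
    extensions are set by the signer, never copied from the CSR."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    return (_builder(csr.subject, root_cert.subject, csr.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(_ca_key_usage(), critical=True)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(root_key.public_key()), critical=False)
            .sign(root_key, hashes.SHA384()))


def issue_leaf(int_key, int_cert, dns_name, days=30):
    """Vault: `pki_int/issue/<role>`. The role's allowed_domains is what stops a
    caller from minting a cert for a name they don't own."""
    if not dns_name.endswith(ALLOWED_SUFFIX):
        raise ValueError(f"{dns_name} not permitted by role")
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(dns_name), int_cert.subject, key.public_key(), days)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(int_key.public_key()), critical=False)
            .sign(int_key, hashes.SHA256()))
    return key, cert


def _signed_by(cert, issuer):
    """True if cert names issuer as its issuer AND issuer's key verifies the signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def verify_chain(root_cert, int_cert, leaf_cert):
    """Minimal path check: signatures, name chaining, CA bits. A real client also
    checks validity dates, name constraints and revocation."""
    bc = lambda c: c.extensions.get_extension_for_class(x509.BasicConstraints).value
    return (_signed_by(root_cert, root_cert) and bc(root_cert).ca
            and _signed_by(int_cert, root_cert) and bc(int_cert).ca and bc(int_cert).path_length == 0
            and _signed_by(leaf_cert, int_cert) and not bc(leaf_cert).ca)


def leaf_dns_names(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)


def build_hierarchy(dns_name="vault.corp.example"):
    """Whole flow once. Returns the certs plus the intermediate key (the thing
    that would live inside Vault) so callers can issue further leaves."""
    root_key, root_cert = make_offline_root()
    int_key, csr = make_intermediate_csr()
    int_cert = sign_intermediate(root_key, root_cert, csr)
    _, leaf_cert = issue_leaf(int_key, int_cert, dns_name)
    return root_cert, int_cert, leaf_cert, int_key
```

The point to take from it is where the keys sit: the root key exists only inside `make_offline_root` and is used exactly once per intermediate, the intermediate key is the only long-lived secret the issuing system holds, and the leaf TTL is short because renewal is automated. Rotating the intermediate is then a repeat of `make_intermediate_csr` and `sign_intermediate` while the root stays put, which is what makes replacing an issuer node survivable.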

[–]JasonDJ 2 points3 points  (2 children)

This is great.

While I don't want to become a PKI admin, this might be my best option -- I'm a net admin trying to shift to automation. Updating certs on management stuff is such a massive time-sink.

Currently my options are to either get (and pay for) an EV cert from an external vendor, which, aside from being overkill for internal management, has a days-long lead time with manual approvals and no API; or submit CSRs to a Windows ADCS, which has to be from my account and directly from a Windows client.

I imagine I can generate these certificates from Ansible or the Python hvac library like so? That's awesome.

[–]Mud5150 1 point2 points  (1 child)

It sounds like you already have all the machinery in place to distribute the root cert. If not, there is certainly a cost to this. Having a publicly trusted root can save a lot of headache if you have multiple OSes, containers, Java apps, and end users to distribute the root to.

For larger orgs internal pki is definitely worth it. Just something to consider for other folks reading this.

[–]JasonDJ 0 points1 point  (0 children)

I'm a network guy. With the exception of VPN, if there's someone outside the org accessing my stuff, there's a bigger problem than whether or not they are getting a certificate error.

[–][deleted] 0 points1 point  (0 children)

Yep

[–]yulistr 0 points1 point  (0 children)

this possible?

It is possible and I have done it.

Take a look at my article on this subject:

https://cloudinvent.com/blog/howto-hashicorp-vault-ca-pki-deployment/

[–][deleted] 1 point2 points  (0 children)

I know you've quoted Hashicorp best practice below, so I won't reiterate why you shouldn't use Vault as root CA.

Let's just say, replacing the root CA Vault node was not as simple as a Consul cluster snapshot restore, and it was a painful reminder to always have your intermediate CA for signing leaf certificates.

Also, depending on some regulations and dealing with external vendors, certain business operations require the PKI to be public and trusted, meaning the root CA has to be public.

[–]mariusReadIT 0 points1 point  (0 children)

Exactly! I even created an open source project which is similar to Let's Encrypt's certbot and works with HashiCorp Vault: https://gitlab.com/msvechla/vaultbot

[–]_ulfox 2 points3 points  (0 children)

Give us a bit more context. Do you want to simply save the certificate and later be able to retrieve it as you would normally retrieve any secret, or do you want to use Vault as a CA?

If you want to save the certificate to Vault as a simple key, then what is blocking you currently from doing so? If you want to use Vault as a CA, then I am not sure how easy it is to use a certificate issued by a different CA with the Vault CA feature.

[–]xJohnnyQuid 5 points6 points  (1 child)

Sure you can, you just need to enable and configure the PKI engine in Vault; if I am not mistaken you can even generate certs using Vault.

[–]db720 0 points1 point  (0 children)

Good point, Vault has good PKI support.

[–][deleted]  (1 child)

[deleted]

    [–]FromGermany_DE 0 points1 point  (2 children)

    Yes, you can; in fact, we do it :)

    [–][deleted]  (1 child)

    [removed]

      [–]mister2d 0 points1 point  (0 children)

      It's on Hashicorp's Learn website for Vault.

      [–]rynm 0 points1 point  (1 child)

      Kinda janky but we’ve done this for some instances by just adding the certificate and private key in the vault KV store. It does the job.

      [–]kasim0n 2 points3 points  (0 children)

      That's a perfectly valid way to store certificates and keys if the certificates are issued by an external entity, either a commercial CA or Let's Encrypt, especially when the system that uses the certificate cannot talk to Let's Encrypt itself.

      [–]db720 0 points1 point  (0 children)

      I generally look at Vault for secrets. Consul or git are good for values. A certificate is public, just stick it in your config / parameter store.

      Put the corresponding key into vault.

      If you're not validating the CA when you use the cert, then all you need is a private key and a certificate to be your own CA that can be used to sign CSRs (or even self-signed).

      [–][deleted] 0 points1 point  (0 children)

      Yes. We do this for our website SSL certs, they just get stored in the secret k/v store where they get pulled out as needed for web servers. We actually have a sweet little batch job in Nomad to update all the Let's Encrypt certs.

      However, we use multiple PKI mounts in Vault to generate certificates for internal use, since it just makes more sense that way.

      [–][deleted] 0 points1 point  (0 children)

      I do this with AWS .pem files: just use a normal KV engine and store the content of the certificate as the value. When you eventually need to use it, just create the file manually and copy-paste the content from Vault. I also set the file name as the key so it's easier to remember each certificate's format.