Vault as a CA for ECS Containers Using Terraform (Part 1)
In this post I'll show some examples of how to leverage HashiCorp Vault as a CA. Note that this part is boring and about 80% copy/paste from a cuddletech blog post.
Prerequisites
A Vault server
A Vault CLI whose version matches the server
Create the Root cert/key
(This is actually mostly a clone from here, but I want to make sure it never disappears.)
Note: you should not let the Vault server generate the root CA; generate it yourself and import it. Keeping the root key off the server means a compromise of Vault exposes only the intermediate, which the root can then revoke and re-sign. I just haven't figured out how to do that yet. I will update this post when I get around to it. More info on that here.
Mount the PKI backend for the root
$ vault mount -path=cuddletech -description="Cuddletech Root CA" -max-lease-ttl=87600h pki
Successfully mounted 'pki' at 'cuddletech'!
$ vault mounts
Path         Type       Default TTL  Max TTL    Description
cubbyhole/   cubbyhole  n/a          n/a        per-token private secret storage
cuddletech/  pki        system       315360000  Cuddletech Root CA
secret/      generic    system       system     generic secret storage
sys/         system     n/a          n/a        system endpoints used for control, policy and debugging
Cut and paste that CSR into a new file, cuddletech_ops.csr. We go through a file because the CSR has to leave the intermediate's backend (cuddletech_ops) to be signed by the root's backend (cuddletech), and the signed certificate then has to come back in.
Now that we have a certificate signed by the Root CA, cut and paste it into a file named cuddletech_ops.crt and import it into the Intermediate CA backend:
$ vault write cuddletech_ops/intermediate/set-signed \
> certificate=@cuddletech_ops.crt
Success! Data written to: cuddletech_ops/intermediate/set-signed
Let's verify:
$ curl -s https://localhost:8200/v1/cuddletech_ops/ca/pem | openssl x509 -text | head -20
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:12:53:41:be:18:98:2c:a1:51:4a:f8:f0:bd:b4:a3:44:7e:74:59
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Cuddletech Root CA
        Validity
            Not Before: Jul  9 09:23:39 2016 GMT
            Not After : Jul  9 09:24:09 2017 GMT
        Subject: CN=Cuddletech Ops Intermediate CA
        ...
Two things to check in that output: the Issuer is the root's CN (so the cross-backend signing worked), and the intermediate's Not After is only a year out, so it will need re-signing by the root well before then. The last thing we need to do is set the CA and CRL URLs. These get embedded in every certificate the intermediate issues (as the Authority Information Access and CRL Distribution Points extensions), so the address must be one that whatever validates those certificates can actually reach:
$ vault write cuddletech_ops/config/urls \
> issuing_certificates="https://10.0.0.22:8200/v1/cuddletech_ops/ca" \
> crl_distribution_points="https://10.0.0.22:8200/v1/cuddletech_ops/crl"
Success! Data written to: cuddletech_ops/config/urls
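The whole procedure rebuilt offline, as an added example (this is not code from the original post or from cuddletech): the same root-to-intermediate handoff done with openssl, which produces exactly the kind of root key and certificate the note above says should be generated outside Vault, followed by the checks worth running after set-signed. The working directory, the file names and the leaf name app.ecs.example are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the cuddletech
# post it follows. Rebuilds the same two-tier hierarchy offline with openssl
# (self-signed root -> intermediate -> leaf) using the file handoff the post
# describes (CSR out, signed cert back in), then checks the chain the way a
# client would. Working directory, file names and the leaf CN are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROOT_CN="Cuddletech Root CA"
INT_CN="Cuddletech Ops Intermediate CA"
LEAF_CN="app.ecs.example"   # hypothetical container certificate name

# Extension profiles. A CA cert needs CA:TRUE plus keyCertSign/cRLSign;
# pathlen:0 on the intermediate stops it from minting further sub-CAs.
write_ext_files() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' >"$WORK/root.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' >"$WORK/int.ext"
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'authorityKeyIdentifier=keyid' >"$WORK/leaf.ext"
}

# Key + CSR for a name. The CSR is the artifact that crosses between
# backends in the post (cuddletech_ops.csr).
new_csr() {  # $1 = file basename, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_hierarchy() {
  write_ext_files
  # Offline root, self-signed. root.key + root.crt is the material the
  # post's note wants generated outside Vault and imported into it.
  new_csr root "$ROOT_CN"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate: CSR out, signed by the root, signed cert back (set-signed).
  new_csr int "$INT_CN"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/int.ext" \
    -out "$WORK/int.crt" 2>/dev/null
  # Leaf issued by the intermediate, as the pki backend would do for a container.
  new_csr leaf "$LEAF_CN"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# The check to run after set-signed: the intermediate's issuer must be the root.
intermediate_issuer_ok() {
  openssl x509 -in "$WORK/int.crt" -noout -issuer | grep -q "$ROOT_CN"
}

# The intermediate must be a CA, and constrained so it cannot issue sub-CAs.
intermediate_is_constrained_ca() {
  openssl x509 -in "$WORK/int.crt" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

# Full-chain validation trusting only the root, with the intermediate supplied
# as an untrusted (hence signature-checked) link, which is what a client does.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/int.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# cuddletech_ops/ca/pem serves only the intermediate. Trusting just that does
# not validate a leaf: openssl wants a self-signed anchor unless -partial_chain.
leaf_verifies_with_intermediate_only() {
  openssl verify -CAfile "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

build_hierarchy
verify_chain || { echo "chain verification FAILED" >&2; exit 1; }
intermediate_issuer_ok || { echo "intermediate not issued by $ROOT_CN" >&2; exit 1; }
echo "chain OK: $LEAF_CN -> $INT_CN -> $ROOT_CN (files in $WORK)"
```

Run it with sh; it prints where the files ended up. Concatenating root.key and root.crt gives the PEM bundle that the pki backend's config/ca endpoint accepts for an imported root. The last function is the caveat to carry into Part 2: the ca/pem endpoint of cuddletech_ops returns only the intermediate, so anything that validates container certificates needs the root in its trust store as well, or must explicitly accept partial chains.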