I am currently familiarizing myself with Vault. Certificates are later generated or signed there by several intermediate CAs.
To monitor the expiry date, I am currently calling up the serial numbers of all certificates (/v1/pki/certs), reading them out in a loop (/v1/pki/cert/ff-ff-ff…), converting the X509 to text with the help of openssl and then looking for "Not After".
Is there an easier way?
And: How can I monitor the expiry date of the intermediate certificate?
I can see: Telegraf monitoring is interesting. With us, it is difficult to monitor the services of (internal) customers. Hence my approach to monitor the expiry date in vault myself - because I can be sure that these, and only these, certificates are productive somewhere and have to be replaced if necessary.
This has been resolved for the server certificates, but not yet for the intermediate certificates.
echo -e $(curl --request GET --insecure https://vault.local/v1/pki/cert/ff-ff-ff-ff..... | jq .data.certificate | sed -e 's/^"//' -e 's/"$//') | openssl x509 -text -noout | grep "Not After" | sed s/"Not After : "// | date -f - +%s
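An added example, not taken from any post in this thread, that does the same walk as the one-liner above as a small POSIX shell script: it lists every serial under the mount, fetches each certificate with jq -r (which writes the PEM with real newlines), reads the expiry with openssl x509 -enddate, and finally checks the mount's own CA certificate, which Vault serves from the same cert endpoint under the special serial "ca"; that is how the intermediate can be watched alongside the leaf certificates it issued. It assumes VAULT_ADDR and VAULT_TOKEN are exported, a mount named pki, and GNU date; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes VAULT_ADDR and VAULT_TOKEN are
# exported, the PKI mount is called "pki", and GNU date is available.
# Helper names (seconds_until_expiry etc.) are my own, not Vault's.

# Read a PEM certificate on stdin and print the seconds until its notAfter.
# A negative result means the certificate has already expired.
seconds_until_expiry() {
    not_after=$(openssl x509 -noout -enddate | sed 's/^notAfter=//')
    expiry=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( expiry - now ))
}

# Same, in whole days (truncated toward zero).
days_until_expiry() {
    secs=$(seconds_until_expiry)
    echo $(( secs / 86400 ))
}

# Fetch one certificate from the mount by serial and print its remaining days.
# jq -r emits the PEM with real newlines, so no echo -e / sed dance is needed.
vault_cert_days_left() {
    curl -sS -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/pki/cert/$1" \
        | jq -r .data.certificate \
        | days_until_expiry
}

# Walk every issued certificate (LIST /v1/pki/certs) and, last, the mount's
# own CA certificate, which Vault serves under the special serial "ca".
# Prints "<serial> <days>" and flags anything below the threshold (days).
check_mount() {
    threshold=${1:-30}
    serials=$(curl -sS -X LIST -H "X-Vault-Token: $VAULT_TOKEN" \
                   "$VAULT_ADDR/v1/pki/certs" | jq -r '.data.keys[]')
    for serial in $serials ca; do
        days=$(vault_cert_days_left "$serial")
        if [ "$days" -lt "$threshold" ]; then
            printf 'WARN %s expires in %d days\n' "$serial" "$days"
        else
            printf 'ok   %s expires in %d days\n' "$serial" "$days"
        fi
    done
}
```

Source the file and call check_mount 30 to get one line per certificate with a WARN prefix for anything closer than 30 days to expiry; because the CA serial is checked through the same mount, the intermediate shows up in the same list as the certificates it signed.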
Ah, I see. That method should work for all certificates stored in Vault, though, shouldn’t it? Is it maybe a path issue you’re facing? For example, I can’t check my intermediate CA’s certificate on the same path that I use to check all the certificates that it signs: all those certificates are at:
name_pki_int/cert/ff-ff...
While my intermediate CA’s certificate, which was signed by my root CA, is at:
Actually, I think you’ve almost got it there; to confirm, what’s sent to stdout when you take off that last command? So, the output of your jq command?
Oh dear, was it really that easy? The -r switch does everything I need. So far I had used a complicated echo -e and sed -e 's/^"//' -e 's/"$//' but forgot this. With jq -r it's a lot easier … I'm one step further!