Monitoring (intermediate) cert expiry date

MichaelRenner · November 24, 2020, 11:46am

Moin,

I am currently familiarizing myself with Vault. Certificates are later generated or signed there by several intermediate CAs.

To monitor the expiry date, I am currently calling up the serial numbers of all certificates (/ v1 / pki / certs), reading them out in a loop ( /v1/pki/cert/ff-ff-ff…), converting the X509 to text with the help of openssl and then looking for “NotAfter”.
Is there an easier way?
And: How can I monitor the expiry date of the intermediate certificate?

Grateful for any advice

jlj7 · November 24, 2020, 12:26pm

I’m also curious about this. Because I’m already using Telegraf as part of my telemetry monitoring of Vault and Consul, I’m thinking about going down this route: https://www.influxdata.com/blog/monitoring-tls-certificates-with-telegraf/

MichaelRenner · November 24, 2020, 2:42pm

Moin, thanks for your answer.

I can see: Telegraf monitoring is interesting. With us, it is difficult to monitor the services of (internal) customers. Hence my approach to monitor the expiry date in vault myself - because I can be sure that these, and only these, certificates are productive somewhere and have to be replaced if necessary.

This has been resolved for the server certificates, but not yet for the intermediate certificates

https://learn.hashicorp.com does not help with such questions

jlj7 · November 24, 2020, 3:11pm

Ah, I see. That method should work for all certificates stored in Vault, though, shouldn’t it? Is it maybe a path issue you’re facing? For example, I can’t check my intermediate CA’s certificate on the same path that I use to check all the certificates that it signs: all those certificates are at:

name_pki_int/cert/ff-ff...

While my intermediate CA’s certificate, which was signed by my root CA, is at:

name_pki/cert/ff-ff...

ENDS

MichaelRenner · November 24, 2020, 4:35pm

Bummer, I get an error back.
According to https://learn.hashicorp.com/tutorials/vault/pki-engine?in=vault/secrets-management I generated a Root CA and an Intermediate CA (Step 1-4 and Step 1-5).
Now I should have an example.com CA and it’s intermediate.
It is possible to list it:

[root@vault ~]# curl --header "X-Vault-Token: s.****************" --request LIST --cacert /opt/vault/tls/vault_ca.pem https://vault.org:8200/v1/pki_int/certs | jq  
{
  "request_id": "a49b5e20-84ee-d84f-bd49-ee71e0a783b1",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "55-04-3a-61-dd-9a-96-b5-57-48-44-86-39-84-5a-cf-01-b5-a7-1a",
      "5f-d5-b4-8d-a8-2e-cd-b3-e7-e7-24-b7-7b-5e-61-52-8c-b6-c0-1e"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

But when I try to read is it is something different:
[root@vault ~]# curl --header “X-Vault-Token: s.*******” --request GET --cacert /opt/vault/tls/vault_ca.pem https://vault.org:8200/v1/pki_int/cert/5f-d5-b4-8d-a8-2e-cd-b3-e7-e7-24-b7-7b-5e-61-52-8c-b6-c0-1e | jq .data.certificate | openssl x509 -text -noout

unable to load certificate
139621279737744:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

I am sure to signed the request. I am in a lost.

jlj7 · November 24, 2020, 5:04pm

Actually, I think you’ve almost got it there; to confirm, what’s sent to stdout when you take off that last command? So, the output of your jq command?

Isn’t it something like this?

"-----BEGIN CERTIFICATE-----\nMIID3DCCAsSgAwIBAgIUMSYCe/Wf/kxog7fWqwYKcIgHJ/UwDQYJKoZIhvcNAQEL\nBQAwGzEZMBcGA1UEAwwQdW53aW5fcGtpLWNhLWludDAeFw0yMDExMjAxNTQ1NDBa\nFw0yMTAyMTgxNTQ2MTBaMBwxGjAYBgNVBAMTEXZhdWx0LmRjLTEuY29uc3Vs...r\nmMsApgnCJ7E/JkvUWmnLE6tE/eJG5Ai0YRUiYKE1QOxZcsPWQ2dk/vDYu+GyuN/e\nyWXT7W8j+8/QW8V1pIQ91qwDZx6x/7OMWwe4UoWatMM=\n-----END CERTIFICATE-----"

And so it’ll work if you use the raw (-r) flag, won’t it? As in:

... | jq -r .data.certificate | openssl...

Or maybe I’m missing something.

MichaelRenner · November 25, 2020, 12:38pm

Oh dear, was it really that easy? The -r switch does everything I need. So far I had used a complicated echo -e and sed -e ‘s / ^ "//’ -e ‘s /" $ //’ - but forgot this. With jq -r it’s a lot easier … I’m one step further!