PKI Secrets Engine for IoT certificates

roy · May 15, 2020, 6:47pm

I am able to start single pod deployment on Kubernetes and after PKI Secrets Engine initialization I was able to generate certificates & revoke it.

But I didn’t get how can I

appreciate any help on this

nhw76 · May 16, 2020, 2:57pm

Your CRL will contain your List of Revoked Certificates, I suppose?

If you have a certificate saved as a file, you can use openssl to get the serial number.

e.g. openssl x509 -serial -noout < my-cert.pem

roy · June 11, 2020, 8:48pm

What’s command I need to use to get list of revoked certificate ?

nhw76 · June 11, 2020, 9:00pm

roy · June 23, 2020, 7:29pm

Following returns binary DER-encoded CRL
curl http://127.0.0.1:8200/v1/pki/crl/pemcurl

How do I get serial no from binary DER-encoded CRL ?

http api gives me

/ # curl
–header “X-Vault-Token: s.rfvtgb6XV0nzn57uVRTsip3H2G”
http://127.0.0.1:8200/v1/pki/crl/rotate

{“errors”:[“permission denied”]}

Topic		Replies	Views
HCSEC-2021-09 - Vault’s PKI Engine CRL May Exclude Revoked But Unexpired Certificates After Tidy Security security-vault	0	8469	April 21, 2021
Revoke certificate via cli Vault	1	2037	April 22, 2022
Submit a CSR and ask Vault PKI to use that CSR To generate a Certificate Vault	1	1300	August 10, 2022
PKI tidy didn't remove revoked certificates Vault	8	2942	April 21, 2022
Moving pki engine to another vault cluster Vault	5	1634	October 18, 2021