I am new to vault, so need direction.
generate-certificate
I have current code that has vault create a cert, which returns a privateKey, which is stored in memory and used to sign JWTs. If the app goes down, the privateKey is lost, etc. The documentation says that vault doesn’t store privateKeys so don’t lose it. I was wondering if I should just turn around and store the returned privateKey back into vault, but I would need a security review on that one before I did it.
Comparing this to azure key vault(AKV). I can have azure sign a hash for me and use that to build my signed jwt, or pull the privateKeys from AKV and sign myself.
Is there a similar service/plugin that hashi vault provides?
From the docs:
The private key is not stored. If you do not save the private key, you will need to request a new certificate.
Certs should be short lived and cheap - so it is recommended to not store but just ask Vault to make you another one if your app restarts/etc.
Thanks Mike,
One of the issues I have is that this newly created cert/privatekey is used to sign a JWT. I also create a JWKS discovery document that downstream clients call to get the public keys.
The problem here is the following;
- The clients may not have the latest JWKs in their cache to validate an incoming JWT.
- Even if they have it, the client clock skew usually is set to 5 minutes. So, if I sign a JWT as soon as I create a cert, it may fail validation because the client’s clock is a bit ahead of the signers.
I usually prefer to have had my JWKs in my discovery document available to clients for more than 5 minutes before I start signing with it. Usually, days if I am talking about an OIDC IDP.
I would like to be able to create a couple of overlapping certs, and then have Vault do the signing where I tell it what cert should be used.
If vault had a signing plugin I would use it, as I can get a list of all cert serialNumbers and pick the one I want to be used, but that would require someone to have stored the privateKey.