I would like to ask if my use case fits vaults functionality.
Use case 1
I have an nginx web server and I would like to store my SSL domain certificates in Vault. The idea is to take the files from Vault through an Ansible script and put them in the nginx ssl folder. I know Vault can act as a cert manager, but in this case I need to use the certificates provided.
Use case 2
Same issue, storing SSL certificates to be used by nginx, but in this case the certificates do not leave Vault and nginx uses them from there instead of them being files in the filesystem.
Would either use case 1 or 2 be possible? Which secret engine would be suitable for this?
Number 1 is definitely possible. Just store the cert inside the kv secret store and then pull it out using Ansible as needed.
Number 2 would require some sort of plugin for nginx or other adjustment to read the cert directly out of Vault. I don’t know if such a thing exists or is even possible.
There will always be a “secret” in a file. You get to pick the file, that’s it.
The certificate is public. The server hands it to anybody that connects to it, so put it wherever you want. The important part is the private key that goes with the certificate. Let’s concentrate on the private key.
Say a plug-in existed that allowed storing the private key in Vault with TLS in mind. It would work in one of two ways:
1. Vault hands off the private key when nginx starts (what the kv store actually does)
2. nginx asks Vault to do the cryptographic operations required for TLS to work (what a plugin would do)
Both options require nginx to have valid credentials in Vault, like an AppRole secret_id. You’ve done nothing but pick a different file to put your secret in. If you are worried an attacker can read the private key, you are now worried they can read the secret_id that provides the private key. No security gain, just added mere minutes to your hacker’s plan.
Option 2 - setting aside the huge latency and performance issue it brings - would allow the private key to never leave Vault. But you would still need credentials to ask Vault to perform the operations. If you absolutely must keep the private key outside your server’s filesystem, you can use a Hardware Security Module (HSM) optimized for that purpose. They are really expensive and hard to manage and usually not worth it in a risk reduction scenario.
The best solution for this is to use short lived certificates issued by Vault. You still need credentials to get them, but at least you get to control and audit what the certificate is used for.
Hi, thank you both for your answers.
It is still not clear to me how the private key will be stored since it needs to have a “specific format” which I don’t think the kv secret engine supports?
The format of your value doesn’t matter. You can always encode it as text and store it. That said, a PEM file is text and can be easily stored as such. CRT files can be uuencoded and stored.
vault kv put secret/my-app private-key=$(openssl base64 -A -in key.der)
More work than a double base64 encode of the PEM format, but we found that it was easier than parsing a text format. Besides, the libraries we used support DER natively.
If required, here is how we get the key back from Vault in PEM format:
vault kv get -field private-key secret/my-app | openssl base64 -d -A | openssl rsa -inform DER
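For use case 1 (Ansible pulls the files out of the kv store and drops them in the nginx ssl folder), here is an added example play; it is not from this thread or from any of the posters. It assumes KV v2 at mount `secret`, path `my-app`, with the PEM text stored in the fields `certificate` and `private-key`, an AppRole whose role_id/secret_id are in the control node's environment, the Vault address shown, and `example.com` as the file name.

```yaml
# Added example, not from this thread. Assumes KV v2 at mount "secret", path
# "my-app", with PEM text in fields "certificate" and "private-key".
- name: Deploy TLS material for nginx from Vault
  hosts: webservers
  become: true
  vars:
    vault_url: "https://vault.example.internal:8200"  # assumed address
    nginx_ssl_dir: /etc/nginx/ssl
  tasks:
    - name: Read certificate and key from Vault (runs on the control node)
      community.hashi_vault.vault_kv2_get:
        url: "{{ vault_url }}"
        engine_mount_point: secret
        path: my-app
        auth_method: approle
        role_id: "{{ lookup('ansible.builtin.env', 'VAULT_ROLE_ID') }}"
        secret_id: "{{ lookup('ansible.builtin.env', 'VAULT_SECRET_ID') }}"
      register: tls
      delegate_to: localhost
      become: false
      no_log: true  # keep the key material out of the Ansible log
    - name: Ensure the nginx ssl directory exists
      ansible.builtin.file:
        path: "{{ nginx_ssl_dir }}"
        state: directory
        mode: "0755"
    - name: Write the certificate (public, world-readable is fine)
      ansible.builtin.copy:
        content: "{{ tls.secret['certificate'] }}"
        dest: "{{ nginx_ssl_dir }}/example.com.crt"
        mode: "0644"
      notify: reload nginx
    - name: Write the private key, readable by root only
      ansible.builtin.copy:
        content: "{{ tls.secret['private-key'] }}"
        dest: "{{ nginx_ssl_dir }}/example.com.key"
        owner: root
        group: root
        mode: "0600"
      no_log: true
      notify: reload nginx
  handlers:
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

The Vault lookup is delegated to the control node so the AppRole credentials never land on the web server, and `no_log` stops the key from being echoed in the play output.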