I’m new to Vault but have done extensive work on other PKI systems. I’m not finding a lot of good documentation and examples on the following. Hope someone can point me to some gem in the midst of the noise.
I have the PKI engine running, working very well to generate certs, and it is enabled to require a Vault certificate to authenticate, at least via vault:8200. I want to mix token and cert auth to different paths within the PKI engine.
I’m trying to make sense of the other objects/config/policies needed and a better understanding through example how they tie together. Here’s the scenario.
A client already having a certificate with a specific EKU OID should be allowed to connect via cert auth to retrieve a token. Your OID will permit a cert req for a cert with specific attributes.
After obtaining a token it then connects to a prescribed PKI path to send a cert req and obtain a certificate stamped with a specific OID. I do not want the private key to be created or sent by Vault.
Here's what I have so far, but after combing through old and new documentation and Google I haven't found anything complete and cohesive.
vault write /auth/cert/certs/ name=IoTs certificate=@vaultsubca.crt required_extensions=1.3.6.1.4.1.XXXXX.50.1 display_name=IoTs
curl --header "X-Vault-Token: 30WbXXXXXXXXXXXXL7dz" https://vault.myexample.com:8200/v1/auth/cert/certs/IoTs | json_pp
{
   "auth" : null,
   "data" : {
      "allowed_names" : ,
      "allowed_organizational_units" : ,
      "allowed_common_names" : ,
      "display_name" : "IoTs",
      "allowed_dns_sans" : ,
      "policies" : ,
      "certificate" : "-----BEGIN CERTIFICATE-----\nMIIEUzCCAzugAwIBAgIRALs1/+2S0d7k+9D7QrcVTZEwDQYJKKfNVva3M92HIjVU\nH82ahBh+lA==\n-----END CERTIFICATE-----",
      "max_ttl" : 0,
      "allowed_email_sans" : ,
      "ttl" : 0,
      "period" : 0,
      "allowed_uri_sans" : ,
      "required_extensions" : [
         "1.3.6.1.4.1.XXXXX.50.1"
      ]
   },
   "lease_id" : "",
   "wrap_info" : null,
   "request_id" : "a71cdf61-2a8d-90f6-5c47-xxxxxxxxxxxxx",
   "lease_duration" : 0,
   "warnings" : null,
   "renewable" : false
}
vault login method=cert client-cert=bhorsemen.crt client-key=bhorsemen.key
Token (will be hidden):
Error authenticating: a token must be passed to auth, please view the help for more information
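As an added example (not from the original post or from Vault's own docs), here is one way to tie the objects in the scenario together with the Vault CLI: a policy that only allows CSR signing, a cert-auth role bound to that policy, a sign-only PKI role, and the device-side enrolment where the key is generated locally. The policy and role names, the `pki/` mount and the `iot.myexample.com` domain are assumptions; the OID stays the post's placeholder.

```shell
#!/bin/sh
# Added example, not the poster's code. Assumes: PKI engine at pki/, cert auth at auth/cert/,
# the sub-CA that issued the device certs in vaultsubca.crt, and a placeholder OID.
set -eu

DEVICE_OID="1.3.6.1.4.1.XXXXX.50.1"   # placeholder, redacted in the post
AUTH_ROLE="IoTs"                      # cert-auth role from the post
PKI_ROLE="iot-devices"                # assumed PKI role name
POLICY="iot-sign"                     # assumed policy name

# Least privilege: a token obtained through cert auth may only submit a CSR
# to the one sign endpoint; it cannot reach pki/issue (Vault-generated keys).
policy_hcl() {
  cat <<EOF
path "pki/sign/${PKI_ROLE}" {
  capabilities = ["update"]
}
EOF
}

# Operator side: create the policy, the cert-auth role and the PKI role.
setup() {
  policy_hcl | vault policy write "$POLICY" -
  # Cert-auth role: accept only certs chaining to the sub-CA that carry a custom
  # extension with DEVICE_OID (any value), and bind the token to POLICY.
  vault write "auth/cert/certs/${AUTH_ROLE}" display_name="$AUTH_ROLE" \
    certificate=@vaultsubca.crt \
    required_extensions="${DEVICE_OID}:*" \
    policies="$POLICY" ttl=10m
  # PKI role: restrict names, stamp the EKU OID, accept any CSR key type.
  vault write "pki/roles/${PKI_ROLE}" \
    allowed_domains="iot.myexample.com" allow_subdomains=true allow_any_name=false \
    ext_key_usage_oids="$DEVICE_OID" key_type=any ttl=720h
}

# Device side: the private key never leaves the device; Vault only sees the CSR.
enroll() {
  openssl req -new -newkey rsa:2048 -nodes -keyout device.key -out device.csr \
    -subj "/CN=dev01.iot.myexample.com"
  # -method and -client-cert/-client-key are flags, name=... is the role selector.
  TOKEN=$(vault login -method=cert -client-cert=bhorsemen.crt \
    -client-key=bhorsemen.key -field=token name="$AUTH_ROLE")
  VAULT_TOKEN="$TOKEN" vault write -field=certificate \
    "pki/sign/${PKI_ROLE}" csr=@device.csr > device.crt
}

# Run with "sh enroll.sh run" against a live Vault; functions only are defined otherwise.
if [ "${1:-}" = "run" ]; then setup; enroll; fi
```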