Right now, if I want to use a TLS certificate to authenticate to Vault, I need to have a file with the certificate, and a file with the private key, on my client’s filesystem.
On Windows, I’m able to use the OS to store certificates and private keys securely. I know on MacOS there’s the Keychain, and I presume Linux has one or more similar systems.
I asked support, and they said there isn’t currently a way to do this. Does anyone know of any workarounds or other ways to use an OS-installed cert on Windows?
I have not found any workaround to having the files local – in our app we moved secret0 to a JKS store … it isn't any better, but better than just a cert and key lying around on the filesystem.
A JKS is just a file lying around on the filesystem…
If this is your workstation, have you tried protecting your pvt key with a passphrase when you generated it? Then it will ask for a passphrase to unlock the key every time it needs access to it.
Unfortunately that won’t work for this, this is a shared certificate for a service, not a human’s individual certificate.
Give read-only permission to the service and audit it; the expensive option is a hardware device. Bear in mind that in all OSes, compromising the user password will allow retrieving the pvt key, even on Windows when it is set to not export (which most don't do); there are options where they were able to retrieve the pvt key.
I’m afraid that I don’t understand what actionable advice you’re giving here for my question.
You need to make the private key readable only by the service account.
Yes, using filesystem permissions, I will/would do that if there weren’t a way to do what I’m asking about, of course.
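The filesystem-permissions fallback discussed above, as an added example that is not part of the thread: it strips inherited ACEs from the Vault client key file, leaves Administrators (for rotation) and a single service account (Read only), then verifies no other principal still has an Allow entry. The key path and service account name are placeholders.

```powershell
# Added example (not from the thread): lock a Vault client TLS private key file
# down to one service account and verify the result. Placeholders below.
param(
    [string]$KeyPath = 'C:\vault\client\vault-client.key',   # placeholder path
    [string]$ServiceAccount = 'DOMAIN\svc-vault-client'      # placeholder account
)

function Protect-PrivateKeyFile {
    param([string]$Path, [string]$Account)

    # Pass 1: stop inheriting from the parent folder and persist, so the
    # inherited entries are really gone before we rebuild the explicit ones.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: drop any remaining explicit entries, then add exactly two.
    $acl = Get-Acl -Path $Path
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))   # needed to rotate the key
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Read', 'Allow')))                          # the service: read only
    Set-Acl -Path $Path -AclObject $acl
}

function Test-PrivateKeyFile {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $allowed = @('BUILTIN\Administrators', $Account)
    # Any Allow ACE for another principal means the lockdown did not take.
    $extra = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value
    })
    return ($extra.Count -eq 0 -and -not $acl.AreAccessRulesProtected -eq $false)
}

Protect-PrivateKeyFile -Path $KeyPath -Account $ServiceAccount
if (Test-PrivateKeyFile -Path $KeyPath -Account $ServiceAccount) {
    Write-Output "OK: $KeyPath readable only by $ServiceAccount (plus Administrators)"
} else {
    Write-Warning "Unexpected ACEs remain on $KeyPath; inspect with Get-Acl"
}
```

Run it from an elevated prompt; the check function can also be scheduled on its own to detect drift in the key file's ACL.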