New x509 command #74

Closed
jhunt opened this issue Mar 10, 2017 · 0 comments
jhunt commented Mar 10, 2017

Build a new command set, safe x509, for dealing with x509 PKI certificate stuff, without being constrained by the limitations of the pki backend in Vault.

This new command should allow us to issue new certificate authorities, storing the certificate and key somewhere under secret/, and also use those CAs (identified by path) to sign other certificates and store them under other arbitrary paths under secret/.

We should allow the special cases of self-signed certificates and intermediary CAs.

The point of this new command is to expose as much raw functionality as possible for setting up complicated PKI implementations. In part, this replaces safe {pki,cert,ca-pem,crl-pem,revoke}. A future command will be introduced to provide a more simplified interaction for zone-based authority domains like those found in Cloud Foundry. That command will use backend logic that we build out for the x509 command (but not call front-end commands directly).

Example invocations:

```shell
# Issue a simple self-signed certificate
safe x509 issue secret/my/cert --name www.example.com

# Put some alias (Domain and IP SANs) in the self-signed cert
safe x509 issue secret/my/cert --name www.example.com --name example.com

# Create a Certificate Authority
safe x509 issue --ca secret/my/ca --ttl 10y

# Issue a 2-year certificate, signed by the CA we just created
safe x509 issue secret/my/cert --signed-by secret/my/ca --ttl 2y --name mail.example.com

# Revoke a certificate
safe x509 revoke secret/my/cert --signed-by secret/my/ca
```

For certificate authorities, the following attributes should be set on the CA path:

  • certificate - PEM-encoded X.509 certificate
  • key - PEM-encoded RSA secret key (un-encrypted)
  • serial - Certificate serial number for this CA (used internally by safe x509)
  • crl - PEM-encoded Certificate Revocation List for this CA

For non-CA certificates, the following attributes should be set on the certificate path:

  • certificate - PEM-encoded X.509 certificate
  • key - PEM-encoded RSA secret key (un-encrypted)
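
A sketch of the backend logic described above, added here as an example in Go and not safe's own code: an in-memory Store (a name chosen here) stands in for the secret/ paths, and Issue (also a name chosen here) covers self-signed certificates, root and intermediate CAs, and CA-signed leaves while maintaining the CA's serial attribute; CRL handling is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"strconv"
	"time"
)

// Store stands in for the secret/ tree: path -> attribute -> value (constructed, in-memory).
type Store map[string]map[string]string

func derOf(pemText string) []byte { // DER of a PEM attribute; nil (rejected by the x509 parsers) if absent
	if b, _ := pem.Decode([]byte(pemText)); b != nil {
		return b.Bytes
	}
	return nil
}

// Issue stores "certificate" and "key" at path (plus "serial" and "crl" for a CA). Empty signedBy means
// self-signed (a root CA when isCA); otherwise the CA at signedBy signs it and its serial counter advances.
func (s Store) Issue(path string, names []string, isCA bool, signedBy string, ttl time.Duration) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: names[0]}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // leaf certificate: every --name becomes a DNS SAN
		tmpl.DNSNames, tmpl.ExtKeyUsage = names, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parent, signer := tmpl, key // self-signed unless a CA path was given
	if signedBy != "" {
		if parent, err = x509.ParseCertificate(derOf(s[signedBy]["certificate"])); err != nil { return err }
		if signer, err = x509.ParsePKCS1PrivateKey(derOf(s[signedBy]["key"])); err != nil { return err }
		n, _ := strconv.ParseInt(s[signedBy]["serial"], 10, 64) // next serial this CA hands out
		tmpl.SerialNumber, s[signedBy]["serial"] = big.NewInt(n), strconv.FormatInt(n+1, 10)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return err }
	s[path] = map[string]string{
		"certificate": string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		"key":         string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}))}
	if isCA { s[path]["serial"], s[path]["crl"] = "2", "" } // serial 1 is a self-signed CA's own
	return nil
}
```

Chain validation over the stored PEMs (x509.VerifyOptions with the certificate at the CA path as the root and any intermediate CA paths as intermediates) is the check to run after issuing, and a missing CA path surfaces as a parse error rather than a panic.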
@jhunt jhunt self-assigned this Mar 10, 2017
jhunt added a commit that referenced this issue Mar 14, 2017
The `safe x509` command (and all of its sub-commands) now allow flexible
creation, verification, and revocation of x.509 (TLS/SSL) certificates.
This new set of commands supports arbitrarily-deep certificate
authorities, painless self-signed certificates, and more.

In time, this will replace the `pki`, `cert`, `revoke`, `crl-pem` and
`ca-pem` commands as we move away from the Vault `pki/` backend.

Fixes #74.
@jhunt jhunt closed this as completed in #77 Mar 15, 2017