This plugin is mostly a fork of the builtin Vault PKI plugin.
It provides additional format options when attempting to issue a certificate.
| Argument | Value |
|---|---|
format |
In addition to the builtin formats, provides a jks option |
password |
When requesting a jks keystore, the password to encrypt the private key with |
When creating a role for issuing certificates, the backend will allow key_bits=1024.
Vault itself prohibits this for good reason, however there are use cases for embedded devices that further encrypt their traffic via other means.
Ensure go on your system, then retrieve the source:
$> go get github.com/tinyzimmer/vault-plugin-java-pkiFirst configure a plugin_directory in vault:
# config.hcl
plugin_directory = "/tmp/vault-plugins"Once vault is started with the above configuration, you can proceed to build and register the plugin. If you use the Makefile, ensure the requirements found below.
The Makefile is not required, and you can run the steps in the build target manually with any other arguments you need.
If you are running vault on Linux:
$> cd "$GOPATH/src/github.com/tinyzimmer/vault-plugin-java-pki"
$> make build_plugin
$> cp bin/vault-plugin-java-pki /tmp/vault-plugins/
$> SHASUM=$(shasum -a 256 /tmp/vault-plugins/vault-plugin-java-pki | cut -d ' ' -f1)
$> vault write sys/plugins/catalog/java-pki \
sha_256="${SHASUM}" \
command=vault-plugin-java-pkiIf you are running vault on macOS or Windows, you will need to compile the plugin for those platforms instead. The Makefile assumes you are compiling for Linux.
Finally enable the plugin with:
$> vault secrets enable -path=pki_java java-pkijqkeytoolgodocker-compose
The helper scripts in the Makefile and test_vault automate the compilation, loading of the plugin, and PKI initialization against a local vault server running in docker.
To only start the vault server:
$> make test_vaultTo compile the plugin, load it into vault, and test a full PKI chain:
$> make testacc