HashiCorp Vault PKI secret engine demo

Captions
Hi, this is Kapil. I work at HashiCorp, and today in this demonstration we are going to look at the PKI secret engine in HashiCorp Vault. As you can see, I've also shared the code in this GitHub repository, so if you want to do it on your own on your laptop, or on any other host which is Docker enabled, you can try it out yourself.

The setup looks like this: I run Vault within a Docker container in dev mode on my laptop, and then I enable the PKI secret engine to configure the root CA. If you have your own root CA you do not need to do that, but for a demonstration in a dev environment I think it is very helpful to just use Vault as the root CA. Then I'm going to enable another PKI secret engine which is going to act as the intermediate CA, and I'm going to use the common name example.com. Once I have the intermediate CA, I'm going to send a certificate signing request to the root CA, and once this request is signed I'm going to set up the intermediate CA with the new certificate received from the root CA.

Once I have this environment set up, I'm going to create a new policy and a new role in Vault so that I can generate new certificates using the intermediate CA PKI secret engine. We are going to create one for the common name test.example.com, which I'm going to use for my nginx server. I'm going to configure the nginx server, set up the private key, the issuing CA and the certificate that we get from the intermediate CA, and once done we can test it out by connecting to the nginx server using the browser. So it's pretty simple. We're also going to look at some features like audit logging, and also how you can revoke certificates, tidy the certificates and things like that. Let's jump right into it.

As in my previous demos, I have written some scripts to enable you, and myself as well, to repeat this demonstration one step after the other. So as the first step I'm going to start Vault. This is not the Enterprise version but the open-source version of Vault, and the PKI secret engine is available in the open-source version itself, so we do not need the Enterprise version for this demonstration. Let's start Vault. So Vault is already running in dev mode, as you can see, as a Docker container; pretty straightforward, not too much explaining required here.

What I do next is enable audit logging on Vault, and I'm enabling two audit logs. One is to file, and the path is audit/vault_audit.log, and the other one is also file, but I am logging raw details in this log so that we can actually see the real values, the secret values, so that we can test it out and understand what the log is containing and whether everything is working properly.

As a next step I am going to set up Vault as the root CA. So let's see how we do that. You can see I'm enabling the PKI secret engine on the pki path itself. I'm giving some maximum lease time-to-live value for all the certificates that will be generated under this particular PKI secret engine. Then I'm generating the root CA using the pki/root/generate/internal path, or API, giving a common name and time-to-live, and I'm storing the output in the pki CA root JSON file. Once done, I'm extracting the certificate out into the ca.pem file. This is important because later we are going to use this and upload it into my keychain on my MacBook so that we can trust the certificate, and then the browser will also trust it. And then lastly we are just publishing the URLs for this particular root CA. So let me run this command to generate the root CA. You can see all the commands were successfully executed, I had this new certificate generated, and I have a certificate and an issuing CA, which are both the same in this case because this is the root CA, and I've extracted the certificate out into a separate file to use later. Now we have the root CA set up in our Vault instance. Next I'm going to set up the intermediate CA. Let's clear this out.

You can see I'm enabling the PKI secret engine for the intermediate CA now at this path, pki_int. Once done, I'm again setting up a default max TTL. Now this is the important part: I am using pki_int/intermediate/generate/internal and setting it up as the intermediate certificate authority, and I'm extracting the CSR out of the output. So the output contains the certificate signing request, and I am taking it out so that I can send it to my root CA for signing. The certificate signing request is then sent to my PKI root, the root CA that we created earlier, and I'm using the pki/root/sign-intermediate API call, or path, to get the certificate signed by the root CA. So you can see I'm sending the CSR, and as an output I'm getting back the intermediate certificate, which is here. Now at the end of this I can send this certificate back to my intermediate CA, and then my setup is complete. If you do not use Vault as the root CA, you are going to send the CSR to the root CA; as a result from the CSR you will get the certificate, which you are going to put back into Vault using this command, pki_int/intermediate/set-signed. So the signed certificate needs to go back to the Vault intermediate CA. Once done, again we are just publishing the URLs and then we are done. So let's execute these commands to set up our intermediate CA. We can see everything ran successfully: I have the certificate signing request here, I have the intermediate certificate here, and that's it. We do not need to do anything else; we are set up with the intermediate CA as well.

Now that we have completed these steps, the next step we need to take is to create a role so that we can consume this intermediate CA. So I'm going to do just that; it's a very simple command here. Now I have created a role which is actually going to be used by a user to create certificates, or request certificates, from this intermediate CA.

The next step I'm going to do is set up a policy. At the end I'm going to create a user, and I want to provide this user with a policy with the minimal possible permissions and rights to generate certificates from the intermediate CA. So before I generate it I would like to show you how this policy looks. You can see I'm giving it the right to create and update on the pki_int path, which is our intermediate CA; it is able to list the certificates, revoke the certificates, and it is also able to read the root certificate. So these are some of the policy parameters I'm providing. Let's run this policy creation; we're just creating the policy right now with this command, and the policy is created.

As a next step I'm going to create a username and password to access Vault. You can use any kind of authentication mechanism: you can use a cloud authentication mechanism like AWS IAM roles, or you can use Azure Active Directory, you can also use Active Directory, Kerberos, whatever is required in your environment. But for this demonstration purpose I am just using username and password. You can of course also use AppRole if you want to automate the pulling and pushing of certificates. So let's create this user, and we are going to, of course, give this user this policy that we created, so 07. The user is created, the Vault username is kapil, and I have the user ready.

Now that we have the user ready, we can sign in, or log in, as this user, and then we are able to generate certificates as that user. You can see I'm logging in as that user that I created earlier; I get a token back, and then I'm using that token basically to create these requests to generate a certificate. This is the first request I am using to generate a certificate using the intermediate CA, and you can see this is the role I created earlier, and I am putting this created certificate for test.example.com inside this file. We will look at it. Then the most important values that we need out of this certificate are the private key, the certificate itself and the issuing CA, which we are going to extract and make ready for our nginx server later. So let's run these commands, and we can look at the certificate as well. You can see the test.example.com certificate was created; it has the private key, it has the issuing CA and also the certificate that we need, and I have extracted all the values needed for my web server: first of all the key, and then the certificate and the issuing CA within one file, which will be consumed by the nginx server.

Now that I have a certificate ready, I wanted to show you as well that I can create multiple certificates, not just one, and this is just a sample where I'm creating five certificates. So if I run this command I will generate multiple certificates, and this can all be automated and programmed; you can easily generate certificates, and this particular user can only generate certificates with this particular intermediate CA and nothing else in the Vault environment.

Moving on, let's now start our nginx server. You can see this is also running in a Docker container, but I'm providing two volumes, one with the certificate paths and one with the configuration for this nginx container, and I'm also enabling port 443 because we are going to use HTTPS, of course, in this case. You can see my configuration: I have set up the server and enabled 443 as SSL, and also named the server and provided the paths to the certificate and the key that we just generated, and these are available here. So let's start the nginx server. nginx is now started, and now we can go to our browser and check it out.

If I come here and I go to test.example.com, you can see that I'm able to reach this nginx server, but my certificate is not trusted, and it is the certificate that we use, test.example.com. Now if we want to enable the trust for our browser, we should add the certificate to our machine, and we can do that by adding the certificate to my keychain. This is the ca.pem that was created for the root certificate, so if we trust the root certificate we can make this happen. We have added this certificate, but of course it is not trusted yet, and if we start trusting it we should be able to... So now you can see there is no warning, and we are able to see that we have the example.com intermediate authority and the example.com root certificate authority, which are being used for this nginx deployment.

What else do I have in this demo for you? I also wanted to quickly go over some of the other commands, like listing of certificates. You can list certificates with this command easily; let's see what the output is. You can see all the keys, all the identifiers, are listed. What else can we do? We can also read one of the certificates. I copied over all these keys to this file, and as part of "read certificate" I'm just reading the first one, so you can read a certificate as well using the APIs or using the Vault command line, and you can see it is not revoked. Then I can also revoke a certificate, so I'm going to revoke the certificate, this one. You can see with the pki_int/revoke command, providing the serial number, I get it revoked also easily, and then you can see that it is revoked because we read it again. Lastly, you can also delete a certificate; for that we have the command called tidy, and it will clean up all the revoked certificates in the background. So if we run this command you can see that the operation has been started and will continue to run in the background.

So that's all I had. What did we do today in this demo? We created a root CA with Vault, we configured our intermediate CA, and then we used the certificate signing request and got that signed by the root CA. Once we did that we had the intermediate CA enabled, we created a new certificate, provided it to our nginx server, and also trusted that certificate on our machine, and we were able to consume that certificate, or look at that certificate, from our browser itself. We also saw some of the other commands like listing, reading, revoking and tidying of certificates. I hope you enjoyed this video. Thank you so much for watching. Until next time, bye.
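The chain the demo walks through (root CA in Vault, intermediate CSR signed by the root and set back, least-privilege policy and userpass user, key plus cert-and-issuing-CA bundle for nginx), written out as an added shell example; it is not the author's repository scripts. It assumes a dev-mode Vault with VAULT_ADDR and VAULT_TOKEN exported and jq on the PATH; the mount paths, role name, user name, password and TTLs are placeholders chosen for the example.

```shell
# Added example (not the author's scripts). Replays the demo's PKI chain with the
# vault CLI. Assumes VAULT_ADDR/VAULT_TOKEN point at a dev-mode Vault and jq is
# installed; mount paths, role, user, password and TTLs are placeholders.
# Run the whole chain with: sh pki_demo.sh run
set -eu
ROOT=pki; INT=pki_int; ROLE=example-dot-com; CN=test.example.com

setup_root_ca() {                       # Vault itself is the root CA (dev only)
  vault secrets enable -path="$ROOT" pki
  vault secrets tune -max-lease-ttl=87600h "$ROOT"
  vault write -field=certificate "$ROOT/root/generate/internal" \
    common_name="example.com Root CA" ttl=87600h > ca.pem   # import into the OS trust store
  vault write "$ROOT/config/urls" issuing_certificates="$VAULT_ADDR/v1/$ROOT/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/$ROOT/crl"
}
setup_intermediate_ca() {               # CSR out of pki_int, signed by pki, set back
  vault secrets enable -path="$INT" pki
  vault secrets tune -max-lease-ttl=43800h "$INT"
  vault write -field=csr "$INT/intermediate/generate/internal" \
    common_name="example.com Intermediate Authority" > pki_int.csr
  vault write -field=certificate "$ROOT/root/sign-intermediate" \
    csr=@pki_int.csr format=pem_bundle ttl=43800h > intermediate.pem
  vault write "$INT/intermediate/set-signed" certificate=@intermediate.pem
  vault write "$INT/config/urls" issuing_certificates="$VAULT_ADDR/v1/$INT/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/$INT/crl"
}
issuer_policy() {                       # least privilege for the certificate consumer
  cat <<EOF
path "$INT/issue/$ROLE" { capabilities = ["create", "update"] }
path "$INT/certs"       { capabilities = ["list"] }
path "$INT/revoke"      { capabilities = ["create", "update"] }
path "$ROOT/cert/ca"    { capabilities = ["read"] }
EOF
}
setup_role_and_user() {                 # role limits CNs to *.example.com
  vault write "$INT/roles/$ROLE" allowed_domains=example.com allow_subdomains=true max_ttl=720h
  issuer_policy | vault policy write pki-issuer -
  vault auth enable userpass
  vault write auth/userpass/users/demo password=change-me policies=pki-issuer
}
issue_for_nginx() {                     # key file plus cert+issuing-CA bundle for nginx
  vault write -format=json "$INT/issue/$ROLE" common_name="$CN" ttl=24h > issue.json
  jq -r '.data.private_key' issue.json > "$CN.key"
  jq -r '.data.certificate, .data.issuing_ca' issue.json > "$CN.bundle.pem"
}
if [ "${1:-}" = run ]; then setup_root_ca; setup_intermediate_ca; setup_role_and_user; issue_for_nginx; fi
```

Point nginx's ssl_certificate at the bundle file and ssl_certificate_key at the key file; the browser then only needs ca.pem trusted.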
Info
Channel: Kapil Arora
Views: 3,136
Keywords: hashicorp vault, PKI, x.509, devsecops, security, automation
Id: 4cEWxROsgW4
Length: 16min 20sec (980 seconds)
Published: Wed May 13 2020