Hashicorp Vault PKI Secrets Engine Demo for Certificate Management

Captions
Hi everyone, this is Sam Gabriel, and in today's video we're going to discuss public key infrastructure with Vault. We're going to talk about certificate management: how to create a root CA in Vault, how to create an intermediate CA, also in Vault, and how to generate leaf certificates. We're going to discuss how to put the root CA and intermediate CA inside of the Windows certificate store, to be able to access the server that you want to access without getting that screen that tells you "hey, we don't trust the certificate," and so on. So we'll dive into all of that. Let's get started.

All right, so on the screen here are the demo steps that we're going to go through. We've got eight steps here; I'll walk through them really quickly so you know what we're doing as we go.

The first step is to run Terraform. We're going to use the Terraform Vault provider. That's one of my favorite providers, because I can control everything in Vault using it, I have it well documented, and I can destroy everything I've done, no problem, and start over. Here we're going to do two things: we're going to create the root CA and the intermediate CA using Vault's PKI secrets engine, so we're going to mount two PKI secrets paths.

In the second step we're going to generate leaf certificates, and I'll show you how easy it is to generate a certificate with the different parameters you'd like to have, like the common name, the SAN, the TTL or expiry time for the certificate, and so on.

Step three: we're going to go and actually add this certificate to Grafana. I use Grafana at home for monitoring different things; I have humidity and temperature sensors in my kids' rooms, and I've been using it with just the HTTP protocol, but I thought, for this demo, maybe we'll add HTTPS and make it secure. So we're going to do that. I have Grafana running in Docker, so we're going to have to restart the Docker container to pick up the certs.

Then in step four we're going to check in Chrome, and you'll notice that the Chrome browser will not trust the certificate at this point. The reason for that is that it doesn't know our root and intermediate CAs; it doesn't know that Vault is behind that. So what we're going to do in step five is add the root and intermediate CA that we created in Vault, those certs, to the Windows certificate store. Then Chrome will look there and it will trust our certificate, and that's what we're going to verify in step six.

In step seven we're going to revoke that certificate, and once again we'll check in Chrome, and we'll find that Chrome will actually be okay; it will still trust that certificate. I did a little bit of research, and apparently Chrome doesn't check the CRL, or certificate revocation list, whereas if we use Microsoft Edge, it will go ahead and check the CRL published through the Vault endpoint, and it will give you a notification saying "hey, we can't take you to the site because the certificate is revoked." So we're going to go through all of these steps in more detail and I'll explain everything along the way, but this is a highlight of what we're going to do today. So let's get started.

Okay, so let's go ahead and run a terraform apply. Just to show you what's inside this repo, let's close this for a second. Basically what we have here is some shell scripts and some Terraform configuration: I've got a main Terraform configuration file, a variables file, an output, a root CA file that's going to get generated, and an intermediate CA file. I'll explain all that, but let's go ahead and run through the entire demo first, and then we'll go back and take a look at what's going on here. So let's do a terraform apply, and that should show us exactly what is going to get created; it runs a terraform plan in the beginning as usual, and then we're going to approve it and see what happens.

Actually, while that runs, why don't we go ahead and take a look at Vault. As you can see here in Vault, I only have an internal KV store, I have a transit engine running, I have a database engine running for MongoDB, but I don't have PKI running at all. We're going to get to that in just a minute once Terraform runs. If we look back here in Visual Studio Code, you see that everything is ready to go; there are 16 changes that will get created. So let's go ahead and say yes, and that should only take about 30 seconds or so to run, so I'm not going to stop the recording. While this runs you can see that it's creating a role, it's creating the actual certs themselves for the CAs, the root CA and the intermediate CA, and it's already done.

So let's go back and take a look here. I'll come back to the Secrets tab, and you can see the PKI root CA mount is here at this path, and the PKI intermediate CA is at the pki-int-ca path. If we go inside any one of those, you can see that we created some roles, and there's the certificate for the intermediate CA itself, and some configuration. Here's the configuration; you can take a look and see exactly what happened here. One thing worth noting is the URLs, the endpoints that got generated. In this case I have an issuing certificates endpoint and the CRL, which stands for certificate replication list, URL, which is very important because this is where Microsoft Edge is going to check to see if the server we're trying to access has a certificate that's valid and it's not in the revocation list; it hasn't been replicated or revoked.

Okay, so let's go back and check what the next step is. We ran Terraform, we created the secrets engine; now let's generate a leaf certificate. I'll show you how easy it is; I have a script here to do that really quickly. Let's grab the information we have here. As you can see, I will generate this command, or rather this command is really what generates the certificate, but I'm going to run this script directly and I'll explain exactly what it does in just a second. So let's run this create server certs... oh, I forgot to specify, so I actually should run this one. One second here. Okay, so the arguments I'm giving it are the name of the certificate (just the name, and it's going to create a folder with the certificate), the common name that's going to be used, in this case docker01.home, and the IP SANs. This is the actual IP of the server that's running Grafana, so I can do two things: I can either access the Grafana site straight from the fully qualified domain name or using the IP address, so they're both in the certificate.

All right, so what happened here? If we just refresh this, you can see the output folder. I'm not checking this into git, so you're not going to see that in the git repo, but it will get generated if you run Terraform and if you run this script to create the server certs. What happened here is, when we ran Terraform, two things happened: the root CA folder got created, and in the root CA folder I have my private key and I have my certificate, and I also have a key bundle. In the intermediate CA folder I have the intermediate cert .pem, so the actual certificate itself sits here. I also have my leaf certificate under this grafana folder that just got created, and what will happen next is I'm going to take this and put it inside of Grafana, so Grafana can pull it when we start Grafana.

All right, so let's go ahead and do that, and let's go back to my README file. Okay, so I have the command here ready to go, which will basically scp my certs that got created into my server. This should get generated here, so if I go back and take a look and just bring this over here, there we go. Let's clear this out. Now we have this certs folder, which has all the certificates that are needed by the Grafana site. So let's restart Docker: docker restart, and my container here is epc, so let's go ahead and restart this.

Okay, let's move this out of the way for now, and if we go back to our next step, let's go ahead and check and see what happened in our browser. Remember we're doing https docker01.home and I'm listening on port 3000, and as expected you get this "your connection is not private" message, because the certificate authority is invalid. If you look at the certificate path, docker01.home is right here and there's no chain of trust. Basically what Chrome is saying is "I don't trust this certificate because I don't know who issued it; this CA, or certificate authority, that issued it is not in my root store," which is where it trusts the different CAs. Typically, because this is Vault that created it, and it's not part of the Windows operating system, which comes pre-packaged with the different certificate authorities, we're going to have to go and do this manually. The way you do this is you go here and search for "certificate", "manage computer certificates". This is it in the Control Panel, and every operating system will be different, but this is the way it works here in Windows 10.

As you can see, we're in the store right now, so two things we're going to do. We're going to add, in the Trusted Root Certificate folder, under Certificates (these are all the root CAs that Windows understands, and Chrome also taps into this store to check), our certificate, the root CA from Vault, and then the intermediate CA will be added here as well. To do that, let's go back; I have a shell command that will convert. This shell script is basically going to convert .pem to .crt, which is going to be used by the Windows store. If we go back and take a look at our output now, make sure we refresh again, we created the same certificates, the intermediate CA certificate and also the root CA certificate, but in the .crt format. So now, as I mentioned, we go here and then we just say Action, All Tasks, Import. We're going to import this and find it: it's in output, root CA, so that's the right one, and Next, Next, Finish, and that should be done. Next we're going to do the same thing for the intermediate CA: Action, Import, Next, let's find this in output under intermediate CA, and here's the cert, let's go ahead and import it. All right, that is done. So now we have the home intermediate certificate right here that was issued from Vault, and as you can see, also at the bottom here you'll find the home root CA as well, from Vault. We'll take a deeper look at the content of those certificates in just a little bit.

Okay, so that is great. Let's close that for now, and let's go back here and see if that made a difference. All right, let's make sure that we do this again. Okay, so this is a little bit tricky; sometimes it works, and sometimes I found that I had to restart the entire desktop, so I had to restart Windows. Some documentation tells you just to restart Chrome, but for some reason it's not picking it up. What we can do, actually, to double check, before I have to stop the recording and restart the computer, is try this with Microsoft Edge. Let's see if it works: https docker... this is what I'm looking for, and this one actually works. As you can see, we're confirming that the certificate is good to go; we're not getting an error. So it's just a matter of getting Chrome to work. Let's try one more time here; if not, we'll continue with Microsoft Edge, it's not a big deal. Let's try maybe an incognito window and try this again, and there you go, the incognito window works.

You see the certificate now is valid, and if you click on the certificate you can see the details about it. It's issued to docker01.home, the home intermediate certificate is the issuer, and it's valid for a year; that was all specified, the TTL is what we specified for how long it's valid for. In here you'll see all the details. The serial number is very important to keep track of, because that's what we're going to use to revoke the certificate. You can see the issuer, as we saw before, more information about the issuer, valid from, valid to, the subject, the public key, and if I go down a little bit more, the authority information access: this is the URL we saw earlier inside of Vault for the issuer. Then the subject alternative name, or SAN: you see docker01.home is the DNS name that I used for the common name for the cert, and then the IP address that I used as well. What that's telling you is basically you can use this IP to log in as well; I'll do this in a second. You can also see this, which is important, the CRL distribution point, and that's what we specified with the role when we were creating the intermediate CA. This is where Microsoft Edge is going to check to see if the certificate that we're trying to use is revoked or not. And that's pretty much it.

Now this is key to see: as we saw before, we only saw docker01.home, but now, since we've imported the root CA and the intermediate CA, we see the entire chain of trust. We see that this certificate was issued by the home intermediate certificate, which was then issued by the home root CA, and if you click on any one of those you can verify the certificate for each one of those CAs as well. So the home intermediate CA was issued by the home root CA, issued to the home intermediate certificate or CA, and it's valid for five years; this is also configurable. The details: the serial number, if we need to revoke it, and everything else, the CRL as well; in this case the CRL is the PKI root path. And then the path here is that the home intermediate certificate was created by the home root. Once again you can view the home root; in this case the root certificate is always self-signed, right, you have to start somewhere, so it's signing itself: issued to home root, issued by home root. Once again you can go ahead and take a look at the details here, but that's pretty much what you would expect. The other piece here is the SAN, so if I were to go and do this, port 3000, and of course I didn't specify https, so let's do that, you see it's also valid because we included the IP SAN in there. Okay, excellent, so this is all working great.

Now let's go back to our demo list and see where we're at. Okay, so we are at step number six; we showed that now we're trusting the certificate, everything is good. Let's go ahead and revoke this certificate and see what happens. All right, so I had to stop the video because I revoked the certificate but I had some issues with the Windows machine being able to identify that this certificate is no longer valid, so I recreated a new certificate and I figured out what the issue is, and I'll talk to that in just a second.

So how are we going to revoke this certificate? You go to your Vault UI (you could do this also through the CLI). Through the UI you go to the pki-int-ca, and this is the actual CA that issued that leaf certificate. Here are the certificates that we have, and the initial certificate was the c723 that I revoked earlier, but for now you can see that I also revoked the other one, the recent one that I created when I stopped the video. Basically what you do is you go over here and you can just go like that and click Revoke; that's just going to revoke the certificate. There's another way of doing it; you'll see it in the README section of this repo, it shows you how to do that through the CLI: vault write pki revoke, and you always need to be able to get the serial number to do that. That serial number you can get directly from the folder where you stored the certificate, or you can easily do it from, like, if I want to see this Vault certificate, you can go in here, and if you go to Details you'll find the serial number right here, so you can copy that and go ahead and revoke it through the CLI or through the API.

Okay, now that we've revoked this certificate, I want to show you what needed to happen for Windows to recognize that it was actually revoked, and there are a couple of commands that you need to run. You open a command prompt in administrator mode, and first you want to check the cache; there's something called the CRL cache, and in the cache here you can see the URL for where Vault is storing the CRLs, the certificate revocation list. The actual command that you need to run is this command here, so let me just cls here so you can see it a bit better; I also have this in the README so you can check it out. You issue this command, and then you have to close all the web browsers that are using it, to make sure that it picks up that it got revoked.

Now let's go back to our Grafana site again, and I think I called it https docker01.home, and now if you go there you're going to see "your connection is not private, network error, certificate revoked." So now the certificate is revoked; you can't continue at this point because it's unsafe, this has been revoked, it's no longer secure. And that's it, that's pretty much it. That shows how, through Vault, you can just easily revoke this if you don't need that certificate anymore, or maybe you made a mistake when you issued it, or for any reason that you might have. Now, I mentioned earlier that Edge recognizes the revoked cert and Chrome doesn't; this was a mistake on my part. You have to run those two commands, and then Chrome will actually see that as well, and it will give you the error for the certificate being revoked.

Okay, so what I want to do now is walk you quickly through the actual Terraform config to give you an overview of how this all works. Really quickly, the variables file: this is where I define the domain. This repo is actually created by... I need to give some credit here; if I go to the top here you can see it's Steve Dylan. He put together this GitHub repo, and it's great because, as I mentioned in the beginning of the video, it allows you to use Terraform with the Vault provider to configure all of this. I didn't find a lot of material out there talking about that, especially for PKI, but he did a great job here, and you can see what's inside with all the different things that he's doing with Terraform. There is also a Medium guide here that you can follow, and it talks about all that; sorry, the Medium guide is right here, and here's his GitHub repo as well.

So let's take a look here at what we're doing. You can create client certificates and server certificates; for the purpose of this demo we only did server certificates, but obviously you can use Vault's PKI for mutual TLS, and that's actually what it's intended for, to be honest, not necessarily for websites, but you can use it for that as well. Here in the variables section I define the domain that I'm going to use, which is home, and anything that I'm going to issue is going to be under this domain; the docker01.home was issued under this specific domain.

Let's take a look at the main file, and it's very simple. As usual with Terraform 0.13, the recommendation is to always have a terraform stanza with the required providers in it, and always pin the version of the provider you're using; here's the Vault provider for Terraform. Then you have a provider stanza. I'm exporting the environment variables to connect to Vault, and that is stored in an env vars shell script; I have a sample of it here. This is what I'm running: you put your Vault token, you put your Vault address, run this first, and then you can run your terraform plan and apply.

Here you can see the role that we're creating for the server certs, and this is important; you have to do this, and there are a lot of options in here, so make sure that you choose the options that you need. For example, you can allow subdomains to be created under that home domain that I just mentioned, and allow IP SANs as well. You can specify the OU, the organization, the country, the locality, the maximum TTL, and the TTL. no_store: this tripped me up. If you have it set as true, it's not going to store the certificates in Vault. The default is false, but if you set it to true, then you won't see the certs I just showed you, so you can't revoke it from the UI; it's not actually going to be stored at all, so even through the CLI you won't be able to revoke those certificates. It's intended for very short-lived certificates that maybe are not very sensitive and are going to expire anyway, right, so that's the intention, and the reason for that is from a performance perspective: it's highly performant, you're not storing the certs anymore inside of Vault. All right, excellent. The other role here is for the client cert, exactly the same as the server cert. So that's it for the main Terraform file.

Then we have two files, the root CA and the intermediate CA, so let's take a look briefly at both. In the root CA we have a vault mount, so that's where we're mounting the PKI for the root CA, and this is the path we specified and saw inside of the Vault UI. Then you can see the config URLs, the one for the issuing certificates and the CRL distribution points; that's where we were able to see where the certificate revocation list is at. That actually reminds me, we can do a quick test here and come back in just a second. If we go back to Configuration here and see the actual config that we have, you'll see the CRL under URLs, the actual distribution point for the CRL. If I copy that and paste it in a new tab (I've downloaded it a number of times), once it comes down you'll see the certification list information, and right away you'll see the serial numbers of the certificates that were revoked, so the cc723 and the latest one that I recreated, the c76e, as well. That's just a quick hint that you can actually get this through the API, or put it in a browser and download the CRL.

All right, let's get back to looking through the config. Now this option here is commented out, but basically the way this works is, if you're going to use Vault as the root CA and you don't want to expose the private key in any way, you can do that, and the private key will get stored in Vault. But as you see here in the comment, the CA infrastructure is now tied to Vault and pretty much the server you created the CA on. In this case I'm commenting this out because I want to get the private key for the root CA. Again, you don't have to do that, but keep in mind that it is possible. So here we're creating the private key, as you can see, and we're storing the private key in the output file. I think I mentioned or showed this before: the output folder has a few things here. This is grafana, there is the root CA, and in here you're going to find the key; this is what it's referencing. So the private key got created and put here for you. Once again, this is all local; I'm not pushing this to git, and neither should you. It's setting the file permissions as well. Here it's creating a self-signed certificate; remember we have to self-sign the root CA, so this is what it's doing. Then here are the local files: writing the CA cert, so the CA cert right here is written here, then this one is the bundle, the CA bundle that you see right here, and finally, what is this doing, it's configuring the backend CA. Okay, this is the PEM bundle. So what it's doing is, the root cert that we just created, we store it now in the mount itself, so once you've created the certificate you have to pass it back to Vault to be stored in the PKI root CA path. Excellent, so that's the root CA.

Now we have a root CA in place; let's take a look at the final file here, the intermediate CA. Once again very similar: we have a mount, this time we gave it a different name, pki-int-ca, then you have the same thing, the paths for the issuing certificates and the CRL, and here you've got the certificate request, so creating a CSR, certificate signing request. Step two, now we've got to get the root CA to sign the CSR, so this is the stanza to do that, and once again we're saving the public part of the certificate in a local file. As you can see, the file is going to be under int-ca, and where's that, it's right over here, the int-ca cert.pem. Step three, now the CSR is processed, we have a signed certificate, and once again you have to put it back into Vault, so this is where we're mounting it again.

So that's it. I mean, the configuration you do once; that's the beauty of it. You run this Terraform once, and from then on it becomes like a factory; it's creating certificates at will. Once you're done with this, all you have to do is go here to this shell script that I created, or modified I should say, Steve Dylan is the one who initially created it, and there you can specify, as you're running the command, the different variables that I have here: the certificate name, which will create the actual folder here, which is grafana, and give some names to the certificate, then you have your common name, then you have your IP SANs, and then a time to live, in this case I have it for a year, but of course you can modify that. All it's doing here is creating the certificates, the .pem files, for you, so you can see all of these get created, and the main vault command here is this. This is what you use to issue a certificate, so once again this can be done through the CLI, as you see here, or through an API command, and this is the factory really; you can keep creating at will. It's very simple, it's an API call, can you imagine, it's just an API call and you're getting a certificate with the private key, with everything that you need to put this in your application. In my case I put it into Grafana; Grafana is able to read it, I specified it in the grafana.ini file, and it's good to go. You can do this for multiple servers, web servers, and it's very, very easy, and it really simplifies the whole process of PKI and certificate management, which can be quite a hassle.

So with that I believe we covered pretty much everything. The output file just outputs a few things; you can take a look at it and add your own for convenience. Basically this concludes this video. I think it's a bit long, but it actually walked you through the entire process of creating a PKI secrets engine inside of Vault and how to create certificates at will, and shows you how easy it is to just issue those certificates straight from the API without having to go through the manual process of creating a CSR, a certificate signing request, and going through the whole hassle of this, which, speaking to many sysadmins, is not an easy job, especially since you do this once every, I don't know, two or three years; some others have the expiry date in the five to ten years range, which is definitely not recommended from a security practice standpoint. So hopefully this video has been helpful, and I'll catch you in the next one.
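As an added example that is not part of the video or of Steve Dylan's repo, this shell script rebuilds the demo's chain with plain openssl (a self-signed root CA, an intermediate signed by it, and a leaf for docker01.home with DNS and IP SANs) and runs the same checks the video walks through: no trust without the root, trust once the root is known, and a CRL check that only fails after the leaf is revoked by its serial. The CN values, the IP address and the CRL URL are constructed placeholders, and it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the video or Steve Dylan's repo): rebuild the demo's
# chain with plain openssl and run the same checks offline. All names, the IP
# and the CRL URL are constructed placeholders. Needs OpenSSL 1.1.1 or newer.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal CA config. `openssl ca` keeps an index of issued certs (the local
# stand-in for Vault's cert store) and builds the CRL from that index.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = int_ca
[ int_ca ]
dir              = ./int
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/int.crt
private_key      = $dir/int.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = any_pol
x509_extensions  = leaf_ext
[ any_pol ]
commonName       = supplied
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ int_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage         = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:docker01.home,IP:192.168.1.50
crlDistributionPoints = URI:http://vault.example:8200/v1/pki-int-ca/crl
[ req ]
distinguished_name = dn
[ dn ]
EOF

build_pki() {
  mkdir -p int/newcerts; : > int/index.txt; echo 1000 > int/serial; echo 1000 > int/crlnumber
  # 1. self-signed root CA (the demo's root PKI mount)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ca.cnf \
    -extensions root_ext -subj "/CN=home root ca" -keyout root.key -out root.crt 2>/dev/null
  # 2. intermediate CA: CSR, then signed by the root (the intermediate file's steps 1-3)
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=home intermediate ca" -keyout int/int.key -out int.csr 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -extensions int_ext -out int/int.crt 2>/dev/null
  # 3. leaf for docker01.home, issued by the intermediate with the DNS and IP SANs
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=docker01.home" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out int.crl 2>/dev/null   # initial, empty CRL
}
# Chain check with only the intermediate known: Chrome before the root was imported.
chain_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted int/int.crt "$1" >/dev/null 2>&1
}
# Chain check with the root trusted: after importing it into the Windows store.
chain_ok() { openssl verify -CAfile root.crt -untrusted int/int.crt "$1" >/dev/null 2>&1; }
# Same, but also consult the intermediate's CRL, which is what Edge did in the demo.
not_revoked() {
  openssl verify -crl_check -CRLfile int.crl -CAfile root.crt -untrusted int/int.crt "$1" \
    >/dev/null 2>&1
}
leaf_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
crl_lists() { openssl crl -in int.crl -noout -text | grep -q "Serial Number: $1"; }
# Revoke (openssl ca finds the serial in its index) and republish the CRL.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke "$1" -crl_reason superseded 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out int.crl 2>/dev/null
}

build_pki
SERIAL="$(leaf_serial leaf.crt)"
echo "leaf serial (needed for revocation): $SERIAL"
chain_without_root leaf.crt || echo "root CA not trusted: chain of trust incomplete"
chain_ok leaf.crt && echo "root CA trusted: chain OK"
not_revoked leaf.crt && echo "CRL check before revocation: not revoked"
revoke_leaf leaf.crt
not_revoked leaf.crt || echo "CRL check after revocation: REVOKED"
crl_lists "$SERIAL" && echo "CRL now lists serial $SERIAL"
```

Note that chain_ok still passes after revocation; only the CRL-aware check fails, which is the gap between a browser that checks the CRL and one that does not.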
Info
Channel: TeKanAid
Views: 3,361
Keywords: Hashicorp Vault PKI Secrets Engine, vault terraform provider pki, Vault PKI secrets engine, hashicorp vault pki demo, hashicorp vault pki engine, hashicorp Vault public key infrastructure, Certificate Management with HashiCorp Vault, hashicorp vault pki tutorial, hashicorp vault tutorial, hashicorp vault pki, public key infrastructure, hashicorp vault demo, public key infrastructure tutorial, hashicorp vault, Certificate management windows 10, Vault secrets management
Id: ZWaKF-UXtx8
Length: 36min 58sec (2218 seconds)
Published: Mon Oct 19 2020