How To Setup Hashicorp Vault: Creating PKI And Enabling Cert Auth

Captions
Hi, I'm John with Bitsized Tech. Today we're going to go over creating certificates in Vault using the secrets engine. You can use Vault for storage and management of certificates. We're also going to set up Vault as a certificate authority so we can use those certificates for authentication with Vault. I prefer this method over token auth; it's a little bit easier to manage and a little bit more secure, in my personal opinion. We will also touch a little bit on policy, so actually restricting access based on auth method. We'll go into that a little bit today; we'll touch on more of that in other tutorials, but that's what we're going to cover. Thanks for joining me and seeing the rest of the video.

[Several days later]

All right, thanks for joining me, we're back and we're going to go ahead and get started. So what we're going to do first is log into our Vault server. I've already done this in both my CLI and in the browser, as you can see. We're going to start by creating some new secrets. These secrets we're going to lock down the access to, so that only a person using certificate authentication can actually access them. So first we're going to enable a new engine: we're going to go to KV pair, next, and then we're actually going to start with version two. Actually, let me go back, I didn't change the name of it, so we're going to disable that. We are going to leave it at version two though. That was weird, the UI wouldn't let me pull it away. So we'll say bstv2 is our path and we'll leave that. Now for this we're going to create a secret, so let's just say that this one is "can we access" and then "yes we can", or actually let's just say "secret". Save that. Great, so we're going to save that as our first pass. We're going to go back and do a v1 as well, so let's go back to Secrets, Enable Engine, KV, say bstv1 this time, and change that to v1. It wouldn't let me there for some reason. We're going to say "secret" again, and this time we're going to do, let's see, "can we access", we'll say "no we can't". Save. Great, so that's going to get those saved; we'll just need those for later.

And this is where we're going to actually start enabling PKI to get that process up. To do that we're going to start by saying `vault secrets` (helps if I type "vault" right), we'll say `enable pki`. Interesting. Oh, that's because I seem to have disconnected. Helps if I do that. Clear. Now we'll say `vault secrets enable pki`. Cannot validate... I think our Vault address dropped off for some reason. I added it to the .bashrc but it looks like it didn't save. Interesting, it's actually not in there. So just do that again: `export VAULT_ADDR=https://vault.bitsized.tech`. Connection refused, so, oh, forgot the port. There we go. All right, so did a little troubleshooting. I'm going to keep that in: if you run into that issue it's because your session dropped the address. I can try this again by saying .bashrc, and then I need to move the quotes. Okay, that's not safe. So we've enabled PKI. Now we're going to say `vault secrets tune`, so we're going to set this secret a max lease time to live. I believe this is 30 days. Okay. Oh, did I? Now I can do that command. Troubleshooting, the other thing if you have to do that. All right, we'll say that. Great, that's now tuned, so these will last a maximum of 30 days. Now we need to actually write to that path: `-field=certificate pki/root/generate/internal`, and then we're going to say `issuing_certificates=` this actual Vault address; we need to specify that path. Let's see, sorry, just making sure I spelled that right. I didn't. This will all be copy and paste for you on my Git repository, so this will be easier. And then we'll say, oh, I think that wasn't supposed to be in there: `https://vault.bitsized.tech/.../pki/crl`. Oh, actually I think you do need the slash in there. We'll see. Great, so we have that certificate in there.

That's the root certificate, so this is the root one for you to use as a certificate authority. So that's our first one. Now we're going to enable another path: `vault secrets enable -path=pki_int pki`. So we're making a path within that path. We're going to tune the secrets here: `tune -max-lease-ttl=`, that's what we're tuning that one. Yep, worked. Great. Now we're going to generate an intermediate certificate and then save that to the certificate authority: `write -format=json pki_int/intermediate/generate/internal`. I spelled "format" wrong, I keep doing that where I hit the E after "format", don't know why. Okay, great. Then we'll say `common_name=`, and this is just going to be your actual domain, so mine's bitsized.tech, and then we'll say "Intermediate Authority". Great. And then one more line, we're going to pipe that to `jq` for our CSR and then append that to pki_intermediate.csr. Can't spell today. Still don't see it. Oh, I forgot to install jq. Since the last couple of videos I've spun up a new Vault, I've also moved it from one AWS environment to another, and I've gotten this laptop, so if you're wondering why this is a little bit different than previously, that's why. So I'm going to clear that out. Now we'll do that. Great, that ran. So if I `ll` I can see that file was created. Sweet. Now we're going to sign the intermediate with the root certificate: `vault write -format=json` (didn't add any that time) `pki/root/sign-intermediate`, and then we'll say `csr=`, also if I can spell "csr", and then we're going to say `format=pem_bundle` and `ttl=43800h`, and we're going to pipe that to `jq -r .data.certificate` and then we're going to add that to intermediate.cert.pem. Great, so once we're signed, if we do a `cat` on intermediate.cert.pem we can see it there. We want to import that back into Vault.

So to do that we're going to do `vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem`. Great, now we've signed that back. Now what we're going to do is create a role in that domain to be able to generate other certificates for that subdomain. This allows us to actually generate things and give permissions, so we're going to assign that role to any command when we're doing it. So `vault write pki_int/roles/vault.bit`, so, oh, I forgot, this does not actually need to be that, so we're going to change it around. This is actually how we're going to name the role, so I want to make it very specific. Say `allowed_domains=bitsized.tech`, and then we'll want to allow subdomains: `allow_subdomains=true`, so that's just a boolean, and we're going to say `max_ttl=`, we'll say 720 hours. Actually, that's 30 days; the other ones are months. I don't know why I was thinking that that was shorter. Good math. Great, we've now written that. Next we're going to generate the certificates. We're going to do `vault write pki_int/issue/vault-bitsized-tech`, and you can do this for your domain; this is clearly meant for mine, my naming convention, so feel free to use your domain, these are just stand-ins for this tutorial. `vault.bitsized.tech`. All right, that looks correct, and issue. Great, this has now generated the certificates. So we actually want to copy all that. I should have just piped it out to an actual file but I didn't, so let's copy. I'll just open a text editor for now, I'll say new document, paste that in there. Okay, we're going to have to create a couple of files, so `sudo vim`. I'm going to create three: one's going to be the CA, one's going to be the issuing CA, or actually four files: the private key and the CA chain. So we need all four of those. So to do that, `sudo vim`, and we're going to start with vault_ca.pem. Actually you don't need to sudo; you're creating the files, you don't have to sudo them. And then we're going to use that one. I started with the CA itself, so the certificate, so we want to grab all of that. Come on. Oh, this will just be easier: copy, paste, write, escape, write, quit. Okay, we're going to do the issuing CA now: vault_issuing_ca, insert mode. That one was a lot smoother for whatever reason; won't question it. Escape, write, quit. Great. And then we're going to say vault_priv_key.pem, insert mode. You don't want to share these with anybody, obviously; I'm doing it for this tutorial but I will be deleting them afterwards. Right, let's make sure that guy's got a space at the beginning, make sure you don't have any, just in case. Write, quit, save. All right, and then finally we're going to do the whole issuing CA, or the whole CA chain I mean: vault_ca_chain.pem, and this guy, insert mode. Okay. Write, quit. Great, those are all saved now.

So we have those saved; we're going to enable cert auth and we're going to attach a policy. So we'll start with `vault write pki_int/roles/vault-cert`, then we're going to say `allow_any_name=true`. So we're creating a role for the cert authentication itself and creating a place to store them. So, true, `max_ttl=720h`, `generate_lease=true`. Okay, now we're going to actually have to create a policy, so to do that we're going to `sudo vim vault-cert.hcl`. Now I have one that will be in the GitHub repo, and let's see, template, there we go, this guy. Why? No. You should know to open VS Code. We're going to open it in VS Code, so I'm going to copy-paste all of this. Now something you'll need to note is in this file you see these paths at the bottom. So if you remember we have two paths, so we're going to say bstv1, anything within this path, so you'll need to update these. We'll have the capabilities of reading and listing. Whenever you actually do it you have a couple of options: you can read, you can list, you can create and you can delete. All this can be found in the policy rules; we'll go through that a little bit more, but essentially what we're saying here is we can both read and list them. Those are two different things: you can see all the secrets if you have the list ability, but you can't read them, so that's why we have both. Now for v2 paths, when you're adding it to the policy, because of the API everything's always stored in data, so really what you need to do is say anything in bstv2; if you do the plus sign, that just says anything in the next directory, and then after that you want to add like "secret", or the exact path. You could put in "data" literally there, but a plus sign is also a good stand-in, so this way you can actually read those in the v2 as well. So that should be everything we need to update in this file. We're going to write, quit that. Now we're going to write that policy for that role, vault-cert: so, vault-cert, vault-cert.hcl. Great, that's now the policy.

Finally we're going to write and sign the current certificates to be usable for authentication. So we're going to import them; it'll modify them and then you'll be able to use them for authentication after that, because they'll actually get signed. So to do so it's going to be a pretty long command: `vault write -format=json pki_int/issue/`. The reason I'm doing JSON as a format is I'm using jq, so that's why I'm exporting into jq and then rewriting into those certs. That's why I'm using format JSON; you can do it another way, this is just the easiest I find, to have it in a JSON format. `pki_int/issue/vault-cert common_name=`, and we'll say these are the Vault certs. We're going to `tee` that; I'm going to say `jq -r .data.certificate`, make sure I spelled it right, and I'm going to go to vault_ca.pem. Then we're going to say jq, we're doing this for all of them, so we need it for the issuing, the certificate and the private key, those are the specific ones we need: `.data.ca`, and you can see why I named them the way I did, because it's easier to tell in the line. Finally `jq -r .data.private_key`, we're sending that to vault_priv_key.pem. Okay.

[Three hours later]

All right, I'm back. Did some troubleshooting; had a problem with the role, also had a problem with some parts in the role policy, so I've updated that. So the template is different: in the role it wasn't allowing the subdomains or any, the "any domain", for the vault-cert role, so I fixed that. We're now back, so there's a bit of a jump cut; took me a little while. So that is now done, so we can enable by doing `vault auth enable cert`. That is now allowed, so we're going to do `vault write auth/cert/vault-cert`, say `display_name=`, vault_ca.pem, the client key equals vault_priv_key.pem, then we're going to say `certificate=@`. Unsupported path, oh, cert, certs, there's another part in that path there: "certs", not "carts". Spelling today is killing me. Unable to... I misspelled a part, "certificate". I think I know why, I had it in testing. Anyway, we're going to jump cut again.

[A few moments later]

Okay, so for some reason, even though I was doing the command line, my policy wasn't applying. Don't know why; it is now applying to the correct authentication method, so I've fixed that. I'll make sure to go through and update the documentation to make sure that works. But you can see I'm now getting that secret. If I go through and update the policy, we're going to remove that path, save it. I should actually, I was testing that one there, we'll save. Now if I try and get, we'll get that 403 error again, which is what we should have got the first time, so technically that was working. And then we'll do v2/data/secret: "no value found". Here's what I found, okay, Google, thanks. Obviously v2, let's check our secrets. Ah, I know what it is, it should be, oh no, it should be "secret". Oh, you don't need it, derp. Okay, so it automatically injects it when you do it in the command line. So this is what we did want: "yes we can" get it. So that works; we've verified it works. I will make sure to update the documentation. If you have problems where you're getting that 403 error, you can go into the UI like I did and double-check, because in the CLI it was telling me something different. If you go to edit certificate, you want to check tokens, because every time you log in you technically get a token even if it's through a certificate, and check your generated token's policies and make sure that vault-cert is added. That's what I made sure of; it should have been added in the command line, it should have because I designated policies, I'll make sure that it's there. So yeah, that's what we want, it works. We're going to do some policy work and some other things next time; we'll dive a little bit further into that. We'll also add some more authentication methods, so there's more to come. Sorry it took so long, I've been working on certifications and other things, but hopefully that was helpful and I'll see you in the next video, guys.
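The procedure from the captions, collected into one script. This is an added example, not code from the video or its GitHub repository. It assumes `vault` and `jq` are on PATH and that VAULT_ADDR and VAULT_TOKEN are exported (a dropped VAULT_ADDR is what produced the "connection refused" in the video). DOMAIN, the kv mount names, the role name and the TTL values are placeholders chosen here, not values from the video; the 87600h root and 43800h intermediate lifetimes are assumptions. One deliberate difference from the video: the cert-auth entry trusts the intermediate's issuing CA and pins the allowed common name, instead of registering the single leaf certificate file.

```shell
#!/usr/bin/env bash
# Added example (not the video's repo code). Assumes vault and jq on PATH and
# VAULT_ADDR / VAULT_TOKEN exported. DOMAIN, mounts, role name and TTLs are placeholders.
set -eu

DOMAIN="${DOMAIN:-example.com}"            # stand-in for the video's bitsized.tech
KV_V1="${KV_V1:-bstv1}"
KV_V2="${KV_V2:-bstv2}"
ROLE="vault-cert"                          # PKI role, cert-auth entry and policy share this name

# The policy discussed in the video. KV v1 paths are granted directly; KV v2 paths carry an
# extra API segment (data/ for read, metadata/ for list), so the "+" wildcard covers both in
# one rule. Kept as a pure text function so the policy can be checked without a server.
render_policy() {
  v1="$1"; v2="$2"
  cat <<EOF
path "${v1}/*" {
  capabilities = ["read", "list"]
}
path "${v2}/+/secret" {
  capabilities = ["read", "list"]
}
EOF
}

# The two kv mounts and the sample secrets the policy is later tested against.
setup_kv() {
  vault secrets enable -path="$KV_V1" -version=1 kv
  vault secrets enable -path="$KV_V2" -version=2 kv
  vault kv put "$KV_V1/secret" can_we_access="no we can't"
  vault kv put "$KV_V2/secret" can_we_access="yes we can"
}

# Root CA in the pki mount, with the issuing-certificate and CRL URLs pointing back at Vault.
setup_root_ca() {
  vault secrets enable pki
  vault secrets tune -max-lease-ttl=87600h pki
  vault write -field=certificate pki/root/generate/internal \
    common_name="$DOMAIN" ttl=87600h > root_ca.pem
  vault write pki/config/urls \
    issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
}

# Intermediate CA in pki_int: CSR generated in Vault, signed by the root, imported back.
# JSON goes to files first so a failed vault call cannot leave an empty PEM behind.
setup_intermediate_ca() {
  vault secrets enable -path=pki_int pki
  vault secrets tune -max-lease-ttl=43800h pki_int
  vault write -format=json pki_int/intermediate/generate/internal \
    common_name="$DOMAIN Intermediate Authority" > csr.json
  jq -r '.data.csr' csr.json > pki_intermediate.csr
  vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
    format=pem_bundle ttl=43800h > signed.json
  jq -r '.data.certificate' signed.json > intermediate.cert.pem
  vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
  # Issuing role limited to the domain and its subdomains; 720h is the 30 days from the video.
  vault write "pki_int/roles/$ROLE" allowed_domains="$DOMAIN" allow_subdomains=true \
    max_ttl=720h generate_lease=true
}

# Issue the client certificate once and split the JSON into the files cert auth needs,
# instead of copying each block from the terminal into an editor.
issue_client_cert() {
  vault write -format=json "pki_int/issue/$ROLE" common_name="vault.$DOMAIN" ttl=720h > issued.json
  jq -r '.data.certificate' issued.json > vault_cert.pem
  jq -r '.data.issuing_ca'  issued.json > vault_issuing_ca.pem
  jq -r '.data.private_key' issued.json > vault_priv_key.pem   # never share or commit this file
  jq -r '.data.ca_chain[]'  issued.json > vault_ca_chain.pem
  rm issued.json
}

# Cert auth: trust the intermediate and pin the CN, so only certificates this CA issued for
# that name map to the policy. Note the path is auth/cert/certs/<name>, the part missed in the video.
enable_cert_auth() {
  render_policy "$KV_V1" "$KV_V2" > "$ROLE.hcl"
  vault policy write "$ROLE" "$ROLE.hcl"
  vault auth enable cert
  vault write "auth/cert/certs/$ROLE" display_name="$ROLE" \
    certificate=@vault_issuing_ca.pem allowed_common_names="vault.$DOMAIN" \
    token_policies="$ROLE" token_ttl=720h
}

# The check from the end of the video: log in with the cert, confirm the token actually
# carries the policy (the 403 case), then read the v2 secret (the CLI adds data/ itself) and the v1 one.
verify_login() {
  vault login -method=cert -client-cert=vault_cert.pem -client-key=vault_priv_key.pem \
    name="$ROLE" >/dev/null
  vault token lookup -format=json | jq -e --arg p "$ROLE" '.data.policies | index($p)' >/dev/null
  vault kv get "$KV_V2/secret"
  vault kv get "$KV_V1/secret"
}

if [ "${1:-}" = "run" ]; then
  setup_kv; setup_root_ca; setup_intermediate_ca; issue_client_cert; enable_cert_auth; verify_login
fi
```

Run it as `bash setup-cert-auth.sh run` against a server you are logged into with a root or equivalently privileged token. The `+` in `bstv2/+/secret` is what makes one rule serve both capabilities: `vault kv get` reads `bstv2/data/secret` while `vault kv list` reads `bstv2/metadata/`, so writing `data/secret` literally would grant read but not list. If `verify_login` fails at the `jq -e` step, the token was issued without the policy, which is the same symptom the video works around in the UI.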
Info
Channel: bitsized tech
Views: 1,434
Keywords: hashicorp, vault, hashicorp vault, linux, secrets, secret management, accessing secrets, api, vault api, tech, tutorial, devops, sre, backend, computers, cli, vault cli, hashicorp vault cli, consul, development stack, hcl, terraform, nomad, secret manager, technology, saas, security, IT, cloud, packer, Vault, HashiCorp Vault, HashiCorp, secrets management, Dynamic Secrets, Data Encryption, IT security
Id: _Nqx0guy5RY
Length: 32min 18sec (1938 seconds)
Published: Mon Apr 05 2021