Using HashiCorp Vault as an intermediate CA

HashiCorp Vault's PKI secrets engine provides a simple X.509 certificate API that automates issuance. This post walks through configuring that API, creating an intermediate CA inside Vault, and getting it signed by Active Directory Certificate Services (AD CS).

Prerequisites:

Certificates are usually valid for months or years, but Vault's default maximum TTL is only 32 days (768h), and the PKI engine caps certificate lifetimes at its mount's maximum TTL. Raise the server-wide ceiling first by adding the following to Vault's configuration file (87660h is ten years):

max_lease_ttl = "87660h"

Then restart the Vault server for the setting to take effect.

Configuring the CA

Next, initialize the CA. Log in to Vault first; nothing special here:

export VAULT_ADDR=https://vault.example.com
vault login

Enable a new PKI secrets engine at its own path, raise that mount's max TTL, and have Vault generate the intermediate's key pair and CSR. With the internal type the private key is created and kept inside Vault and is never returned, so the only output is the CSR; -field=csr prints just that field, which we redirect into a file. A CSR carries no validity period, so the intermediate's lifetime is decided later by the AD CS template that signs it, not by anything in this request.

vault secrets enable -path=test-ca pki
vault secrets tune -max-lease-ttl=87660h test-ca
vault write -field=csr test-ca/intermediate/generate/internal - <<EOF > subca.req
{
    "common_name": "DO_NOT_TRUST Vault Test Intermediate CA for example.com",
    "alt_names": "vault.example.com",
    "format": "pem",
    "key_type": "rsa",
    "key_bits": 2048,
    "ou": [
        "CN=vault.example.com,DC=corp,DC=contoso,DC=com"
    ],
    "organization": [
        "example.com, LLC."
    ],
    "country": [
        "US"
    ],
    "locality": [
        "Cupertino"
    ],
    "province": [
        "California"
    ],
    "street_address": [
        "1 Infinite Loop"
    ],
    "postal_code": [
        "95014"
    ]
}
EOF

Copy subca.req to the AD CS CA that will sign it (the root CA here) and submit it there, requesting the Subordinate Certification Authority template (template name SubCA):

certreq -submit -attrib "CertificateTemplate:SubCA" subca.req

Pick the CA in the dialog and click OK; certreq prints a Request ID. If the request lands in Pending Requests instead of being issued immediately, open certsrv.msc, find it there, right-click it and choose All Tasks > Issue. Then retrieve the signed certificate with that Request ID (2 in this example):

certreq -retrieve 2 subca.cer

Pick the CA again and confirm; certreq writes subca.cer (omit the file name and it prompts for a location instead). If you exported the certificate from certsrv.msc as binary DER rather than through certreq, convert it to PEM first:

openssl x509 -inform der -in dump_cert.der -out subca.cer

Back in Vault, import the signed certificate. Append the issuing chain (the AD CS root, plus any CA between it and ours) to subca.cer after our own certificate: Vault stores those extra certificates as the ca_chain that issue and sign responses return, so clients receive a complete chain:

vault write test-ca/intermediate/set-signed certificate=@subca.cer
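Before handing the file to set-signed it is worth checking that what came back from AD CS is a CA certificate for the key Vault generated, that it chains to the root you expect, and that the PEM bundle is in the right order. The script below is an added example, not code from the original post or from Vault. It assumes openssl on the PATH and the file names subca.req (the CSR), subca.cer (the AD CS output, DER or PEM), rootca.pem (the AD CS root certificate in PEM) and chain.pem (the bundle it writes); all of these names are assumptions. It refuses to write a bundle if the public key differs from the CSR's, if basicConstraints lacks CA:TRUE, or if the certificate does not verify against the root.

```sh
#!/bin/sh
# Added example, not part of the original post or of Vault: sanity-check the
# certificate AD CS returned before 'vault write test-ca/intermediate/set-signed'.
# Assumed file names: subca.req subca.cer rootca.pem chain.pem
set -u

# certreq may write Base64 (PEM) or binary DER; normalise to PEM.
to_pem() {
    openssl x509 -inform der -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform pem -in "$1" -out "$2"
}

# check_signed_intermediate CSR SIGNED_CERT ROOT_PEM OUT_BUNDLE
# Returns 0 and writes OUT_BUNDLE (our certificate first, then the root) on success.
check_signed_intermediate() {
    csr=$1 signed=$2 root=$3 out=$4
    tmp=$(mktemp) || return 1

    if ! to_pem "$signed" "$tmp"; then
        echo "cannot parse $signed as DER or PEM" >&2; rm -f "$tmp"; return 1
    fi

    # 1. Same key as the CSR: otherwise set-signed fails, or you are about to
    #    import a certificate that was issued for somebody else's key.
    csr_key=$(openssl req -in "$csr" -noout -pubkey)
    cert_key=$(openssl x509 -in "$tmp" -noout -pubkey)
    if [ "$csr_key" != "$cert_key" ]; then
        echo "public key in $signed does not match $csr" >&2; rm -f "$tmp"; return 1
    fi

    # 2. AD CS must have applied the SubCA template: without CA:TRUE in
    #    basicConstraints nothing this mount issues will validate anywhere.
    if ! openssl x509 -in "$tmp" -noout -text | grep -q 'CA:TRUE'; then
        echo "$signed is not a CA certificate (no CA:TRUE)" >&2; rm -f "$tmp"; return 1
    fi

    # 3. It must chain to the root we expect, not to some other CA.
    if ! openssl verify -CAfile "$root" "$tmp" >/dev/null 2>&1; then
        echo "$signed does not verify against $root" >&2; rm -f "$tmp"; return 1
    fi

    # Bundle order matters: our intermediate first, then its issuer(s), which
    # Vault stores as ca_chain and hands out with every issued certificate.
    cat "$tmp" "$root" > "$out"
    rm -f "$tmp"
    echo "ok: wrote $out"
}

# Stand-alone use:
#   check_signed_intermediate subca.req subca.cer rootca.pem chain.pem &&
#       vault write test-ca/intermediate/set-signed certificate=@chain.pem
```

If your AD CS hierarchy has its own intermediates between the root and ours, put those in rootca.pem as well (issuer order, root last) so they end up in the bundle too.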

Now set the URLs that will be embedded in every certificate this mount issues. issuing_certificates becomes the Authority Information Access caIssuers URL, which clients follow to fetch the certificate of the CA that issued the leaf; that is our intermediate, which Vault serves unauthenticated in DER form at /v1/test-ca/ca, so point it there rather than at the root. crl_distribution_points is Vault's own CRL for this mount (/v1/test-ca/crl, also unauthenticated). Both must be reachable by every relying party without a Vault token, and the CRL URL has to keep working for as long as any issued certificate is valid:

vault write test-ca/config/urls - <<EOF
{
    "issuing_certificates": [
        "https://vault.example.com/v1/test-ca/ca"
    ],
    "crl_distribution_points": [
        "https://vault.example.com/v1/test-ca/crl"
    ],
    "ocsp_servers": []
}
EOF

Add a role. This is where the issuance policy lives, and Vault enforces every setting at issue time: allowed_domains together with allow_subdomains restricts names to hosts under corp.example.com (the bare domain itself, glob patterns, IP SANs, localhost and arbitrary names are all switched off, and enforce_hostnames rejects anything that is not a valid hostname); key_type and key_bits fix the key the client must use; key_usage, the *_flag fields and ext_key_usage_oids decide which usages the certificate carries; ttl and max_ttl bound its lifetime. Leave no_store at false so that every issued certificate is recorded and can be revoked. The private-enterprise OIDs below are placeholders, so substitute your organisation's own arc. Note that max_ttl, and any ttl a client asks for, must fit within the intermediate's own remaining validity, which the AD CS SubCA template decided; Vault refuses to issue a certificate that would outlive its issuer unless the role's leaf_not_after_behavior is changed to truncate:

vault write test-ca/roles/test-role - <<EOF
{
    "ttl": "8760h",
    "max_ttl": "26280h",
    "allow_localhost": false,
    "allowed_domains": [
        "corp.example.com"
    ],
    "allow_bare_domains": false,
    "allow_subdomains": true,
    "allow_glob_domains": false,
    "allow_any_name": false,
    "enforce_hostnames": true,
    "allow_ip_sans": false,
    "allowed_uri_sans": "",
    "allowed_other_sans": "",
    "server_flag": true,
    "client_flag": true,
    "code_signing_flag": false,
    "email_protection_flag": true,
    "key_type": "rsa",
    "key_bits": 4096,
    "key_usage": [
        "DigitalSignature",
        "KeyAgreement",
        "KeyEncipherment"
    ],
    "ext_key_usage": [],
    "ext_key_usage_oids": [
        "1.3.6.1.4.1.1145141919810.1.1.1"
    ],
    "use_csr_common_name": true,
    "use_csr_sans": true,
    "ou": [],
    "organization": [],
    "country": [],
    "locality": [],
    "province": [],
    "street_address": [],
    "postal_code": [],
    "generate_lease": false,
    "no_store": false,
    "require_cn": true,
    "policy_identifiers": [
        "1.3.6.1.4.1.1145141919810.5.1.3"
    ],
    "basic_constraints_valid_for_non_ca": true,
    "not_before_duration": "30s"
}
EOF

Issuing certificates

Now we can issue certificates. The path is the mount we created (test-ca), not Vault's default pki mount. Add -format=json to get the response as JSON, which is easier to split into files:

vault write test-ca/issue/test-role common_name=test-website.corp.example.com

The response holds the leaf in certificate, the key in private_key, the intermediate in issuing_ca and the full chain in ca_chain. Vault does not keep the private key, so this response is the only time it is ever returned; store it straight away. To import the certificate into Windows, bundle the key, the leaf and the chain into a PKCS#12 file with OpenSSL (save the three fields as private_key.pem, certificate.pem and ca_chain.pem first):

openssl pkcs12 -export -out cert.p12 -inkey private_key.pem -in certificate.pem -certfile ca_chain.pem

Enter the export password twice and you have a .p12 that Windows can import. If you built it with OpenSSL 3 and Windows rejects it with a wrong-password error, add -legacy: OpenSSL 3 defaults to AES with PBKDF2 for PKCS#12, which older Windows releases cannot read.
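The issuance flow end to end, as an added example that is not part of the original post or of Vault: it issues from the role, splits the JSON response into files, checks that the leaf really verifies against the ca_chain Vault returned (which is only complete if set-signed was given the whole chain), and only then builds the PKCS#12. It assumes vault, jq and openssl on the PATH, VAULT_ADDR and a token already set, the AD CS root in rootca.pem, and the mount and role names from this post; the function names and the file naming (HOST.crt, HOST.key, HOST.chain.pem, HOST.p12) are the example's own.

```sh
#!/bin/sh
# Added example, not from the original post or from Vault: issue a certificate
# from the role, split Vault's JSON response into files, verify the chain and
# package key + certificate + chain as PKCS#12 for Windows.
# Assumptions: vault, jq, openssl on PATH; VAULT_ADDR and token set; AD CS root
# in rootca.pem. Set PKCS12_LEGACY=1 to add -legacy (OpenSSL 3 only).
set -u
umask 077   # everything written here contains or accompanies a private key

# split_issue_response RESPONSE.json PREFIX
# Vault's issue response: certificate (leaf), private_key, issuing_ca, ca_chain
# (list: our intermediate first, then the issuers imported via set-signed).
split_issue_response() {
    json=$1 prefix=$2
    jq -r '.data.certificate' "$json" > "$prefix.crt"
    jq -r '.data.private_key' "$json" > "$prefix.key"
    jq -r '.data.ca_chain[]'  "$json" > "$prefix.chain.pem"
}

# build_p12 PREFIX ROOT_PEM PASSWORD OUT.p12
# Refuses to package a leaf that does not verify against the chain we ship:
# a broken ca_chain is easier to spot here than in a Windows import dialog.
build_p12() {
    prefix=$1 root=$2 password=$3 out=$4
    openssl verify -CAfile "$root" -untrusted "$prefix.chain.pem" "$prefix.crt" >/dev/null || return 1
    openssl pkcs12 -export -out "$out" \
        -inkey "$prefix.key" -in "$prefix.crt" -certfile "$prefix.chain.pem" \
        -passout "pass:$password" ${PKCS12_LEGACY:+-legacy}
}

# issue_for_windows HOST PASSWORD: the whole flow for one host.
issue_for_windows() {
    host=$1 password=$2
    vault write -format=json test-ca/issue/test-role common_name="$host" > "$host.json" || return 1
    split_issue_response "$host.json" "$host"
    rm -f "$host.json"          # the private key is in HOST.key now; keep one copy only
    build_p12 "$host" rootca.pem "$password" "$host.p12"
}

# Stand-alone use:
#   issue_for_windows test-website.corp.example.com 'export-password'
```

The verify step is the useful part: if set-signed was given only the intermediate, ca_chain will be missing the root, the check fails, and you find out before anything is imported anywhere.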
