forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
backport of commit 262b043 (hashicorp#19842)
Co-authored-by: Kit Haines <khaines@mit.edu>
- Loading branch information
1 parent
defccc0
commit a91293c
Showing
6 changed files
with
385 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| --- | ||
| layout: docs | ||
| page_title: pki issue - Command | ||
| description: |- | ||
| The "pki issue" command issues a new intermediate ("issuer") certificate, | ||
| using a parent certificate in vault. | ||
| --- | ||
|
|
||
| # pki issue | ||
|
|
||
| This command creates a intermediate certificate authority certificate signed by | ||
| the `<parent>` in the `<child_mount>`, using the options to determine the fields | ||
| on that certificate. | ||
|
|
||
| ## Usage | ||
|
|
||
| Usage: `vault pki issue [flags] <parent> <child_mount> [options]` | ||
|
|
||
| - `[flags]` are optional arguments described below | ||
|
|
||
| - `<parent>` is the fully qualified path of the Certificate Authority in vault | ||
| which will issue the new intermediate certificate. | ||
|
|
||
| - `<child_mount>` is the path of the mount in vault where the new issuer is saved. | ||
|
|
||
| - `[options]` are the superset of the k=v options passed to generate-intermediate-csr | ||
| and sign-intermediate commands. At least one option must be set. | ||
| See [below](/vault/docs/commands/pki/issue#options). | ||
|
|
||
| ### Flags | ||
|
|
||
| - `-type` `(string: "internal")` - This determines the type of key use for the | ||
| newly created certificate. Valid types are `"existing"` - where we link to | ||
| a key already present in the vault-backend to be used (and expect option | ||
| arguments `"key_ref"`) - `"internal"` - to generate a new key for this | ||
| certificate - or `"kms"` - to link to an external key. Exported keys are not | ||
| available through this API. | ||
|
|
||
| - `-issuer_name` `(string: "")` - If present, the newly created issuer will be | ||
| given this name. | ||
|
|
||
| ### Options | ||
|
|
||
| Other than `type` (which is passed as a flag, see above), this command accepts | ||
| all options provided to the | ||
| [Generate CSR](/vault/api-docs/secret/pki#generate-intermediate-csr) and | ||
| [Sign Intermediate](/vault/api-docs/secret/pki#sign-intermediate) endpoints. | ||
|
|
||
| ### Accessed APIs | ||
|
|
||
| Note that the vault user running this command will need to have access to the | ||
| following API endpoints, each representing a step in the process: | ||
|
|
||
| - `READ /:parent` - used to check validity | ||
| - `WRITE /:child_mount/intermediate/generate/:type` - used to generate the csr | ||
| - `WRITE /:parent/sign-intermediate` - used to sign the csr | ||
| - `WRITE /:child_mount/issuers/import/cert` - used to import the new issuer, | ||
| and the issuer chain | ||
| - `UPDATE /:child_mount/issuer/:issuer_refs` - used to both name the new | ||
| issuer, and also set the name of the parent in the issuer chain | ||
| - `READ /:child_mount/issuer/:new_issuer_ref` - used to verify completion, | ||
| generate the output | ||
|
|
||
| ## Examples | ||
|
|
||
| ```shell-session | ||
| $ vault pki issue -issuer_name="FirstDepartment" /pki_root/issuer/default /pki_int/ common_name="first-department.example.com" | ||
| Key Value | ||
| --- ----- | ||
| ca_chain [-----BEGIN CERTIFICATE----- | ||
| MIIDsDCCApigAwIBAgIULEPuHTW7UDtAQg+qcc18osNWgZIwDQYJKoZIhvcNAQEL... | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| --- | ||
| layout: docs | ||
| page_title: pki list-intermediates - Command | ||
| description: |- | ||
| The "pki list-intermediates" command searches a mount, or set of mounts for | ||
| child certificates. | ||
| --- | ||
|
|
||
| # pki list-intermediates | ||
|
|
||
| This command determines which of a list of certificates were issued by a given | ||
| parent certificate. | ||
|
|
||
| ## Usage | ||
|
|
||
| Usage: `vault pki list-intermediates [flags] <parent> [child] [child] [child...` | ||
|
|
||
| Lists the set of intermediate CAs issued by this parent issuer. | ||
|
|
||
| - `[flags]` listed below determine the type of match required between the `<parent>` | ||
| and each potential child, and the type of output | ||
|
|
||
| - `<parent>` is the certificate that might be the issuer which everything is | ||
| verified against. | ||
|
|
||
| - `[child]` is an optional path to a certificate to be compared to the `<parent>`, | ||
| or pki mounts to look for certificates on. If `[child]` is omitted entirely, the | ||
| list will be constructed from all accessible pki mounts. | ||
|
|
||
| This returns a list of issuing certificates and whether they are a match. | ||
| By default, the type of match required is whether the `<parent>` has the | ||
| expected subject, [authority/subject key id match](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1), and could have (directly) signed this issuer. | ||
| The match criteria can be updated by changed the corresponding flag. | ||
|
|
||
| ### Flags | ||
|
|
||
| - `-use_names` `(bool: "false")` - this determines how issuers are referred to | ||
| in the output, whether by issuer_id (the default), or by their name, or status | ||
| as default issuer (when use_names is true) | ||
|
|
||
| The following flags determine what sorts of relationship between the parent and | ||
| potential child issuers are considered a match. | ||
|
|
||
| - `-subject_match` `(bool: "true")` - determines whether the subject of the | ||
| parent-issuer must match the issuer of the potential child for this to be | ||
| considered a match | ||
|
|
||
| - `-key_id_match` `(bool: "true")` - determines whether the identifier of the | ||
| parent-issuer must match the IUI of the potential child for this to be | ||
| considered a match | ||
|
|
||
| - `-direct_verify` `(bool: "true")` - determines whether it is required for this | ||
| to be a match that someone trusting the parent certificate would trust the | ||
| potential-child certificate (without any more information) | ||
|
|
||
| - `-indirect-sign` `(bool: "true")` - determines whether it is required for this | ||
| to be a match that if someone trusted the first certificate, they would trust | ||
| the potential-child certificate (using the certificate chains available) | ||
|
|
||
| - `-path_contains` `(bool: "false")` - determines whether it is required for | ||
| this to be a match for the ca_chain of the potential child certificate to | ||
| contain the parent certificate | ||
|
|
||
| ### Accessed APIs | ||
|
|
||
| Note that the vault user running this command will need to have access to the | ||
| following API endpoints, each representing a step in the process: | ||
|
|
||
| - `READ /:parent` | ||
| - `LIST /sys/mounts` - when no `[child]` argument is provided, this is used to | ||
| find a list of pki mounts | ||
| - `LIST /:child_mount/issuers/` - when no `[child]` argument is provided, or the | ||
| `[child]` argument is a mount rather than an issuer, this is used to find a list | ||
| of pki issuers on the mount | ||
| - `READ /:child` - each potential child issuer is read for comparison against | ||
| the parent | ||
|
|
||
| ## Examples | ||
|
|
||
| ```shell-session | ||
| $ vault pki list-intermediates /pki_root/issuer/default | ||
| intermediate match? | ||
| ------------ ------ | ||
| pki_int_2/issuer/d4404ccc-3ad4-83a9-f5df-398637654b3b true | ||
| pki_int_2/issuer/db0b0a6c-6641-ac15-363a-4e5261315581 true | ||
| pki_root/issuer/9464c4fe-e8a6-d96a-0566-021575e7382c true | ||
| pki_int/issuer/2f958ec5-1838-336e-331b-07032379b958 true | ||
| pki_int/issuer/b8cc0b41-e0e9-1a92-12c4-6849c9d6f837 true | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| --- | ||
| layout: docs | ||
| page_title: pki reissue - Command | ||
| description: |- | ||
| The "pki reissue" command issues a new intermediate ("issuer") certificate, | ||
| using an existing certificate in vault as a template, and using a parent | ||
| certificate in vault to issue the new certificate. | ||
| --- | ||
|
|
||
| # pki reissue | ||
|
|
||
| Frequently, a reissued CA certificate is to be very similar to another. | ||
| This command enables reissuing a CA, using an existing issuer within | ||
| Vault as a template, but allowing modifications to the desired attributes. | ||
|
|
||
| ## Usage | ||
|
|
||
| Usage: `vault pki reissue [flags] <parent> <template> <child_mount> [options]` | ||
|
|
||
| - `[flags]` are optional arguments described below. | ||
|
|
||
| - `<parent>` is the fully qualified path of the Certificate Authority in vault | ||
| which will issue the new intermediate certificate. | ||
|
|
||
| - `<template>` is the fully qualified path of an intermediate certificate in vault | ||
| which will be used to populate certificate fields not overridden by `[options]`. | ||
|
|
||
| ~> **Note**: not all possible certificate fields are supported by Vault, and | ||
| this template reader covers only those vault generates as a best effort. If | ||
| unknown fields are set, such as when an external CA was imported into Vault, | ||
| there may not be a warning that those are missing from the new issuer. | ||
|
|
||
| - `<child_mount>` is the path of the mount in vault where the new issuer is saved. | ||
|
|
||
| - `[options]` are the superset of the k=v options passed to generate/intermediate | ||
| and sign-intermediate commands. See [below](/vault/docs/commands/pki/reissue#options). | ||
|
|
||
| The output of this command when it is successful is to read the resulting new | ||
| issuer entry. | ||
|
|
||
| ### Flags | ||
|
|
||
| - `-type` `(string: "internal")` - This determines the type of key use for the | ||
| newly created certificate. Valid types are `"existing"` - where we link to | ||
| a key already present in the vault-backend to be used - `"internal"` - to | ||
| generate a new key for this certificate - or `"kms"` - to link to an external | ||
| key. Exported keys are not available through this API. | ||
|
|
||
| ~> **Note**: It is only possible to generate a new certificate with an existing | ||
| key that exists in the same mount where that key-material exists. This | ||
| command is expected to fail should the template exist on a different mount, | ||
| `existing` is the selected type, and no `key_ref` for a key in the new issuer | ||
| mount is provided. | ||
|
|
||
| - `-issuer_name` `(string: "")` - If present, the newly created issuer will be | ||
| given this name. | ||
|
|
||
| ### Options | ||
|
|
||
| Other than `type` (which is passed as a flag, see above), this command accepts | ||
| all options provided to the | ||
| [Generate CSR](/vault/api-docs/secret/pki#generate-intermediate-csr) and | ||
| [Sign Intermediate](/vault/api-docs/secret/pki#sign-intermediate) endpoints. | ||
|
|
||
| ### Accessed APIs | ||
|
|
||
| Note that the vault user running this command will need to have access to the | ||
| following API endpoints, each representing a step in the process: | ||
|
|
||
| - `READ /:parent` - used to check validity | ||
| - `READ /:template` - used to generate the options for the new certificate | ||
| - `WRITE /:child_mount/intermediate/generate/:type` - used to generate the csr | ||
| - `WRITE /:parent/sign-intermediate` - used to sign the csr | ||
| - `WRITE /:child_mount/issuers/import/cert` - used to import the new issuer, | ||
| and the issuer chain | ||
| - `UPDATE /:child_mount/issuer/:issuer_refs` - used to both name the new | ||
| issuer, and also set the name of the parent in the issuer chain | ||
| - `READ /:child_mount/issuer/:new_issuer_ref` - used to verify completion, | ||
| generate the output | ||
|
|
||
| ## Examples | ||
|
|
||
| ```shell-session | ||
| $ vault pki reissue -issuer_name="SecondDepartment" /pki_root/issuer/default /pki_int/issuer/FirstDepartment /pki_int_2/ common_name="second-department.example.com" | ||
| Key Value | ||
| --- ----- | ||
| ca_chain [-----BEGIN CERTIFICATE----- | ||
| MIID0DCCArigAwIBAgIUdfRe05B5eRXsg3pvsJ/g94eYuWkwDQYJKoZIhvcNAQEL``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| --- | ||
| layout: docs | ||
| page_title: pki verify-sign - Command | ||
| description: |- | ||
| The "pki verify-sign" command verifies the relationship between two issuer | ||
| certificates in vault | ||
| --- | ||
|
|
||
| # pki verify-sign | ||
|
|
||
| This command verifies whether the listed issuer has signed the listed issued | ||
| certificate. | ||
|
|
||
| This command returns five fields of information: | ||
|
|
||
| - `signature_match`: was the key of the issuer used to sign the issued. | ||
|
|
||
| - `path_match`: the possible issuer appears in the valid certificate chain | ||
| of the issued. | ||
|
|
||
| - `key_id_match`: does the [key id](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1) | ||
| of the issuer match the key_id of the subject. | ||
|
|
||
| - `subject_match`: does the subject name of the issuer match the issuer | ||
| subject of the issued. | ||
|
|
||
| - `trust_match`: if someone trusted the parent issuer, is the chain | ||
| provided sufficient to trust the child issued. | ||
|
|
||
| ## Usage | ||
|
|
||
| Usage: `vault pki verify-sign <parent> <child>` | ||
|
|
||
| - `<parent>` is the fully name-spaced path to the issuer certificate which will be | ||
| used to verify the `<child>` certificate | ||
|
|
||
| - `<child>` is the fully name-spaced path to the potential child-certificate to be | ||
| verified | ||
|
|
||
| A fully namespaced path looks like, for instance, 'ns1/mount1/issuer/issuerName/json'. | ||
|
|
||
| ## Example | ||
|
|
||
| ```shell-session | ||
| $ vault pki verify-sign pki_root/issuer/root pki_int/issuer/FirstDepartment | ||
| issuer:pki_root/issuer/root | ||
| issued:pki_int/issuer/FirstDepartment | ||
| field value | ||
| ----- ----- | ||
| subject_match true | ||
| path_match true | ||
| trust_match true | ||
| key_id_match true | ||
| signature_match true | ||
| ``` |
Oops, something went wrong.