How To Set Up the HashiCorp Vault PKI Backend
And use Vault to provide its own SSL certificates
Background:
Vault is a service for safely storing and generating secrets such as API keys, passwords, or certificates.
Clients communicate with Vault via an HTTP API that can be secured with SSL.
The PKI secrets backend allows Vault to work as a certificate issuing authority.
From https://www.vaultproject.io/docs/secrets/pki/index.html
The PKI secrets engine generates dynamic X.509 certificates. With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete.
In this write up, we use the PKI secrets backend to issue and manage Vault's own SSL certificates.
The basic steps are:
Configure Vault for SSL using snakeoil certificates
Configure a root CA and intermediate CA
Sign the intermediate CA with the root CA
Create a role for Vault
Issue SSL certificates for Vault
Create a cron.monthly script to renew certificates
Set up the SSL cert path and copy the snakeoil certs
mkdir -p /etc/vault/ssl/
cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/vault/ssl/vault.pem
cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/vault/ssl/vault.key
chown vault:vault -R /etc/vault
Enable SSL in Vault config /etc/vault/vault.hcl
We're using Consul as the backend here.
backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
  scheme  = "http"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/ssl/vault.pem"
  tls_key_file  = "/etc/vault/ssl/vault.key"
}
Enable the PKI backend
#!/bin/bash
export VAULT_TOKEN="paste-in-your-vault-token-here"
# We're disabling SSL host verification to get started (the snakeoil cert is self-signed).
export VAULT_SKIP_VERIFY=1
export VAULT_ADDR='https://127.0.0.1:8200'
# create pki secrets backend
vault secrets enable pki
# -max-lease-ttl=87600h = 10 years
vault secrets tune -max-lease-ttl=87600h pki
Generate the root CA internally
# Root CA, -max-lease-ttl=87600h = 10 years
vault write pki/root/generate/internal \
  common_name="example.net" \
  ttl=87600h \
  key_bits=4096 \
  exclude_cn_from_sans=true
Alternatively, load a pre-generated root CA certificate and key:
vault write pki/config/ca \
  pem_bundle="$(cat root-ca.key root-ca.crt)"
Configure URLs
vault write pki/config/urls \
  issuing_certificates="https://127.0.0.1:8200/v1/pki/ca" \
  crl_distribution_points="https://127.0.0.1:8200/v1/pki/crl"
Create the intermediate CA
# -max-lease-ttl=26280h = 3 years
vault secrets enable -path=example \
  -description="Intermediate CA" \
  -max-lease-ttl=26280h pki
# the mount is at "example", so its URLs are configured under that path
vault write example/config/urls \
  issuing_certificates="https://127.0.0.1:8200/v1/example/ca" \
  crl_distribution_points="https://127.0.0.1:8200/v1/example/crl"
Generate a CSR for the intermediate
curl -X POST "$VAULT_ADDR/v1/example/intermediate/generate/exported" \
  -H "Content-Type: application/json" \
  -H "X-Vault-Token:$VAULT_TOKEN" \
  -d '{
    "common_name": "Intermediate CA",
    "ttl": "26280h",
    "key_bits": 2048,
    "exclude_cn_from_sans": true
  }' > intermediate.json
jq -r .data.csr intermediate.json > intermediate.csr
jq -r .data.private_key intermediate.json > intermediate.key
# wrap the CSR in the JSON body that root/sign-intermediate expects
jq -n --arg csr "$(cat intermediate.csr)" \
  '{common_name: "Intermediate CA", ttl: "26280h", csr: $csr}' > intermediate_csr.json
Sign the intermediate
curl -X POST "$VAULT_ADDR/v1/pki/root/sign-intermediate" \
  -H "Content-Type: application/json" \
  -H "X-Vault-Token:$VAULT_TOKEN" \
  -d @intermediate_csr.json > signed_intermediate.json
jq -r .data.certificate signed_intermediate.json > intermediate.cert
Set the signed cert for the intermediate
vault write example/intermediate/set-signed certificate=@intermediate.cert
Create a role for Vault SSL
vault write example/roles/vault \
  allow_any_name=true \
  max_ttl=1440h   # 60 days, we should rotate every 30.
Issue the certificate
Put this in a script in cron.monthly on the Vault server(s):
#!/bin/bash
VAULT_TOKEN="paste-in-your-vault-token-here"
VAULT_ADDR='https://127.0.0.1:8200'
# the response contains the private key, so write it straight to the key file
# and discard tee's stdout rather than letting cron mail it around
curl -sS -X POST "$VAULT_ADDR/v1/example/issue/vault" \
  -H "Content-Type: application/json" \
  -H "X-Vault-Token: $VAULT_TOKEN" \
  -d '{
    "common_name": "vault.service.consul",
    "alt_names": "active.vault.service.consul,*.vault.service.consul,localhost",
    "ip_sans": "127.0.0.1"
  }' \
  | tee >(jq -r .data.certificate > /etc/vault/ssl/vault.pem) \
        >(jq -r .data.private_key > /etc/vault/ssl/vault.key) > /dev/null
# reload vault to re-read the certificates (match the process name exactly,
# so we don't pick up grep or some other process with "vault" in its arguments)
pkill -HUP -x vault
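As an added example (my own code, not the post's cron script), here is the same renewal written so that the key is never written with a loose mode or half-written when Vault reloads, and so that it only renews when the certificate is actually close to expiry rather than unconditionally every month. Since the role above uses allow_any_name=true, whoever holds the token in this script can request a certificate for any name, so the token's policy should be scoped to example/issue/vault only and the token kept out of the script. Assumptions not on the page: the token is read from VAULT_TOKEN or from /etc/vault/renew-token (assumed path, mode 0600); the CA certificate has been exported to /etc/vault/ssl/ca.pem (assumed path, VAULT_CACERT overrides it) so the call is verified instead of using VAULT_SKIP_VERIFY; the last NotAfter is remembered in /etc/vault/ssl/expiration (assumed state file); and Vault's issue response carries the certificate's NotAfter as data.expiration.

```python
"""Renew Vault's own TLS certificate from the example/issue/vault role and install it safely.
Added example, not the post's script; see the lead-in for the assumed paths."""
import json
import os
import signal
import ssl
import stat
import subprocess
import tempfile
import time
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")
CA_FILE = os.environ.get("VAULT_CACERT", "/etc/vault/ssl/ca.pem")  # assumed path
TOKEN_FILE = "/etc/vault/renew-token"                                # assumed path
SSL_DIR = "/etc/vault/ssl"
STATE_FILE = os.path.join(SSL_DIR, "expiration")                     # assumed state file
RENEW_WITHIN = 30 * 24 * 3600  # renew when fewer than 30 days remain (role max_ttl is 60)


def issue_request_body():
    """Same common name and SANs as the post's script."""
    return {
        "common_name": "vault.service.consul",
        "alt_names": "active.vault.service.consul,*.vault.service.consul,localhost",
        "ip_sans": "127.0.0.1",
    }


def read_token():
    token = os.environ.get("VAULT_TOKEN")
    if not token:
        with open(TOKEN_FILE) as f:
            token = f.read().strip()
    return token


def issue_certificate(token, addr=VAULT_ADDR):
    """POST example/issue/vault, verifying Vault's TLS against our own CA (not run offline)."""
    req = urllib.request.Request(
        f"{addr}/v1/example/issue/vault",
        data=json.dumps(issue_request_body()).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=CA_FILE)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def needs_renewal(expiration, now=None, threshold=RENEW_WITHIN):
    """True when a certificate expiring at `expiration` (unix time) has < threshold seconds left."""
    now = time.time() if now is None else now
    return expiration - now < threshold


def atomic_write(path, content, mode):
    """Write a temp file beside the target, set its mode, then rename over the target,
    so Vault never reads a half-written file and the key is never world-readable."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def install_bundle(response, ssl_dir=SSL_DIR):
    """Write vault.pem (leaf + chain) and vault.key from an issue response; return expiration."""
    data = response["data"]
    chain = data.get("ca_chain") or [data["issuing_ca"]]
    pem = "\n".join([data["certificate"].strip()] + [c.strip() for c in chain]) + "\n"
    atomic_write(os.path.join(ssl_dir, "vault.pem"), pem, 0o644)
    atomic_write(os.path.join(ssl_dir, "vault.key"), data["private_key"].strip() + "\n", 0o600)
    return data.get("expiration")


def current_expiration(state_file=STATE_FILE):
    """NotAfter of the installed cert as recorded last time; 0 (due now) if unknown."""
    try:
        with open(state_file) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 0


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def reload_vault():
    """SIGHUP makes Vault re-read its listener certificates, as in the post."""
    pids = subprocess.run(["pidof", "vault"], capture_output=True, text=True).stdout.split()
    for pid in pids:
        os.kill(int(pid), signal.SIGHUP)


if __name__ == "__main__":
    if not needs_renewal(current_expiration()):
        raise SystemExit(0)
    exp = install_bundle(issue_certificate(read_token()))
    if exp:
        atomic_write(STATE_FILE, f"{exp}\n", 0o644)
    reload_vault()
```

With the state file in place the script can run daily from cron instead of monthly and still only touch Vault when the 30-day threshold is crossed; if the state file is missing it simply renews.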
OpenVPN with Google Authenticator on Ubuntu 16.04
Install OpenVPN, Easy-RSA, and Google Authenticator
sudo apt-get update -yy && sudo apt-get install -yy openvpn easy-rsa libpam-google-authenticator
Digital Ocean has a pretty good how-to for setting up OpenVPN and Easy-RSA. This is what I used as a starting point for my own server. I won’t repeat their work here. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
Create the file /etc/pam.d/openvpn and paste in the following:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
auth required pam_google_authenticator.so nullok
The bracketed account lines are jumps: if pam_unix knows the account, the next two modules (winbind and deny) are skipped and pam_permit accepts it; if only pam_winbind knows it, pam_deny is skipped; if neither does, pam_deny rejects the login. The auth line then requires a Google Authenticator code; nullok lets a user who has no ~/.google_authenticator file yet log in without one.
Edit /etc/openvpn/server.conf and append these lines to the bottom. reneg-sec 0 turns off the periodic TLS renegotiation, which would otherwise re-run PAM authentication and prompt the user for a fresh one-time code every hour.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
reneg-sec 0
I have expanded quite a bit on the make_config.sh script provided by Digital Ocean. You can get it at this Gist, along with the client configuration template used by the script.
https://gist.github.com/spiralsyzygy/a494631a4611e0d997d795185678541e
The script requires a configured MTA (Mail Transport Agent), e.g. apt-get install mailutils.
Install it at /etc/openvpn/client-configs/
Run it with the Unix username as the first argument and their email address as the second, e.g.
./make_config.sh foo [email protected]
The user will be emailed a URL to a QR code for linking Google Authenticator to their OpenVPN account, as well as the location where they can SCP a tarball of their openvpn client config and certs.
Having users kick off the process by sending their SSH public key, and having them scp their OpenVPN config, provides a reasonably safe path for the VPN key exchange.
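To make clear what the pam_google_authenticator.so line above actually checks when a client connects, here is an added example (my own code, not the post's or the Gist's) that verifies a code the way the module does: it reads the base32 secret and options from a ~/.google_authenticator file, computes the RFC 6238 time-based one-time password, accepts codes from the neighbouring 30-second steps per WINDOW_SIZE, and refuses a counter that was already used, which is what DISALLOW_REUSE means. The file contents are a constructed sample whose secret is the RFC 6238 test key, so the codes can be checked against the published test vectors.

```python
"""What pam_google_authenticator verifies: TOTP (RFC 6238) over the base32 secret in
~/.google_authenticator. Added example, not the post's or the Gist's code."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # Google Authenticator's time step

# Constructed sample of a ~/.google_authenticator file: the first line is the base32
# secret, lines starting with '"' are options, the remaining lines are scratch codes.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_secret_file(text):
    """Return (secret bytes, options dict, list of scratch codes)."""
    lines = [line for line in text.splitlines() if line.strip()]
    b32 = lines[0].strip().upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding if it was stripped
    secret = base64.b32decode(b32)
    options, scratch = {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()
            options[parts[0]] = parts[1:]
        else:
            scratch.append(line.strip())
    return secret, options, scratch


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, int(now) // step)


class Verifier:
    """Accepts the code for the current step plus or minus `window` steps and, like
    DISALLOW_REUSE, rejects any counter that already authenticated once."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window
        self.used = set()

    def verify(self, code, now):
        counter = int(now) // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used:
                    return False  # replayed code: same counter seen before
                self.used.add(c)
                return True
        return False


def verifier_from_file(text):
    """Build a Verifier from file contents; WINDOW_SIZE n means n codes, i.e. +/-(n-1)/2 steps."""
    secret, options, _ = parse_secret_file(text)
    size = int(options.get("WINDOW_SIZE", ["3"])[0])
    return Verifier(secret, window=(size - 1) // 2)
```

The same replay check is why the module rewrites the secret file after each successful login, and why reneg-sec 0 matters: a renegotiation that re-submitted the cached code would be refused as a reuse even inside the time window.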