Still learning to use Vault, I want to experiment accessing the Vault using a client certificate instead of a regular token. This proved to be not-so-easy for reasons I hadn’t foreseen…

Step 1 - generate a certificate

This is well-documented on the Internet, with one caveat: many how-to’s don’t let you protect your key with a passphrase. I think you should. And this exactly turned out to be the unforeseen reason this whole thing was harder than expected…!

For documentation reasons, I will add my own method.

First create a config file to facilitate experimentation; please change the values in the [ dn ] section and eg. call the file cert.conf:

[ req ]
default_bits = 2048
prompt = no
encrypt_key = yes
default_md = sha256
distinguished_name = dn

[ dn ]
C = Country Name (2 letter code)
ST= State or Province Name (full name)
L = Locality Name (eg, city)
O = Personal
0.CN= Your Name

Now generate a key and certificate with passphrase using this config file (I will use th3p@ss as the passphrase throughout this text):

openssl req -config cert.conf -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 14

The certificate will only be valid for 14 days - plenty of time to experiment :-) You can now verify the certificate:

$ openssl x509 -in cert.pem -noout -text
        Version: 1 (0x0)
        Serial Number: 11244389068616569346 (0x9c0c1848572d1202)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, ST=Vlaams-Brabant, L=Rotselaar, O=Personal/, CN=Jo Vandeginste
            Not Before: Jul 20 13:07:24 2016 GMT
            Not After : Aug  3 13:07:24 2016 GMT
        Subject: C=BE, ST=Vlaams-Brabant, L=Rotselaar, O=Personal/, CN=Jo Vandeginste
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Step 2 - connect to the Vault server

Now try to contact your Vault server with it:

$ curl --cert cert.pem --key key.pem
curl: (35) error reading X.509 key or certificate file: Decryption has failed.

What? So this I spent a long time figuring out, until the answer became obvious: the key is encrypted (passphrase), but curl doesn’t prompt for the passphrase. After some digging around, I found out that you need to put the passphrase together with the cert.pem:

$ curl --cert cert.pem:th3p@ss --key key.pem

Okay, better now! (Not really, since I see my passphrase clear text on the command line… There are ways around this but I still feel dirty now!)

Sadly, the vault binary does not (yet) support encrypted keys:

$ VAULT_ADDR= vault auth -method=cert -client-cert=cert.pem -client-key=key.pem
Error initializing client to auth: crypto/tls: failed to parse private key

I found no solution, so for the binary to work we need an unencrypted key. We can decrypt our current key:

$ openssl rsa -in key.pem -out key.insecure.pem
Enter pass phrase for key.pem:
writing RSA key

With this insecure key, both curl and vault will work:

$ curl --cert cert.pem --key key.insecure.pem
$ VAULT_ADDR= vault auth -method=cert -client-cert=cert.pem -client-key=key.insecure.pem
Error making API request.

Code: 400\. Errors:

* invalid certificate or no client certificate supplied

Okay, it doesn’t actually work, since the Vault server doesn’t know my certificate yet. This is the next step.

Step 3 - uploading your client certificate

This was surprisingly easy with sufficient documentation on Vault’s site. You do obviosly need a token with sufficient rights to perform these changes. I’m working on an experimental setup, so I have the root token my-token at hand…

First make sure the cert backend is enabled, then upload your new certificate (and grant it the root policy for testing):

$ VAULT_TOKEN=my-token VAULT_ADDR= vault auth-enable cert # this may fail if it was already enabled
Successfully enabled 'cert' at 'cert'!
$ VAULT_TOKEN=my-token VAULT_ADDR= vault write auth/cert/certs/ display_name="Your Name" policies=root certificate=@cert.pem ttl=3600
Success! Data written to: auth/cert/certs/

Verify the content of the auth/cert:

$ VAULT_TOKEN=my-token VAULT_ADDR= vault read auth/cert/certs/
Key             Value
---             -----
certificate     -----BEGIN CERTIFICATE-----
display_name    Your Name
policies        root
ttl             3600

Step 4 - use your certificate

Now the real test :-) We can use our client certificate now to generate tokens to actually do something on the Vault. So step 1 is generating a token:

$ VAULT_ADDR= vault auth -method=cert -client-cert=cert.pem -client-key=key.insecure.pem
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: 52xxxx8e-xxxx-e22b-xxxx-e326xxxx0b7b
token_duration: 3599
token_policies: [root]

So now I have a Vault token 52xxxx8e-xxxx-e22b-xxxx-e326xxxx0b7b, which I can use for 1 hour to do anything root can (that was the policy I assigned to my certificate). Let’s do some basic stuff! First I exported VAULT_TOKEN and VAULT_ADDR for the sake of brevity.

Look at the information about the token itself:

$ vault token-lookup
Key                     Value
---                     -----
accessor                98xxxx5d-xxxx-3906-xxxx-fcebxxxx8e58
creation_time           1469021773
creation_ttl            3600
display_name            cert-Your Name
explicit_max_ttl        0
id                      52xxxx8e-xxxx-e22b-xxxx-e326xxxx0b7b
meta                    map[authority_key_id: common_name:Your Name subject_key_id:]
num_uses                0
orphan                  true
path                    auth/cert/login
policies                [root]
renewable               true
ttl                     3468

Let’s do some Vaulty actions with the token:

$ vault list /secret/                 # List the currently existing keys at /secret/
$ vault read /secret/test             # Read pre-existing data that I put there earlier
Key                     Value
---                     -----
refresh_interval        2592000
a                       b
c                       4
$ vault write /secret/test d=5        # Overwrite the pre-existing data
Success! Data written to: secret/test
$ vault read /secret/test             # Yup, it's gone now!
Key                     Value
---                     -----
refresh_interval        2592000
d                       5

Now we wait for the rest of the hour to pass and verify our token has expired:

$ vault token-lookup
error looking up token: Error making API request.

Code: 400\. Errors:

* permission denied

You can get a new token any time with the auth command, until your certificate expires (hopefully not after it expires, but I haven’t tried it)