How do I retrieve my certificate information from the vault


paul.car...@gmail.com

Jan 31, 2017, 10:30:35 AM
to Vault
Hi

I'm just starting with vault and have managed to create a CA and server certificate but can't figure out how to retrieve the server certificate and key?

I did...

export pki_backend=appliance
export endpoint=http://127.0.0.1:8200
export addr="-address=$endpoint"
# unseal and auth
vault mount $addr -path $pki_backend -description="Appliance Root CA" -max-lease-ttl=87600h pki
vault mounts $addr

vault write $addr $pki_backend/root/generate/internal common_name="Appliance CA" ttl=87600h key_bits=4096 exclude_cn_from_sans=true
curl -s http://localhost:8200/v1/$pki_backend/ca/pem | openssl x509 -text
# I see my CA cert
vault write $addr $pki_backend/roles/node-mgr key_bits=2048 max_ttl=8760h allow_any_name=true
vault write $addr $pki_backend/issue/node-mgr common_name="node01.cplm" ip_sans="10.11.12.101" ttl=720h format=pem
# This returns my cert and key

However

curl -s -H "X-Vault-Token:$VAULT_TOKEN" http://localhost:8200/v1/$pki_backend/certs/pem

returns...

{"errors":["1 error occurred:\n\n* unsupported path"]}

Thanks

Vishal Nayak

Jan 31, 2017, 12:09:13 PM
to vault...@googlegroups.com
Hi Paul,

You are seeing that error because the backend does not expose an API
endpoint for `appliance/certs/pem`. Certificates issued can be listed
by their serial numbers using LIST operation on `appliance/certs/` and
the individual certificates can then be fetched via GET on
`appliance/cert/<serial>`.

Regards,
Vishal

--
vn
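The two endpoints Vishal names, as an added example that is not code from the thread or from Vault itself: LIST `<mount>/certs` for the serials, then GET `<mount>/cert/<serial>` for each PEM, with a check that the certificate that comes back actually carries the serial that was requested (a minimal DER walk, standard library only). Assumptions not stated on the page: `VAULT_ADDR` and `VAULT_TOKEN` come from the environment, the mount is `appliance` as in Paul's setup, and the `SAMPLE_DER` / `make_fake_request` data are constructed so the file runs offline.

```python
import base64
import json
import os
import urllib.request


def vault_request(method, path, addr=None, token=None):
    """Real transport: one Vault API call, decoded JSON body ({} on an empty body)."""
    addr = addr or os.environ["VAULT_ADDR"]      # assumed to be set, e.g. http://127.0.0.1:8200
    token = token or os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(f"{addr}/v1/{path}", method=method,
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def list_serials(mount, request=vault_request):
    """LIST <mount>/certs: issued serials are returned under data.keys."""
    return request("LIST", f"{mount}/certs")["data"]["keys"]


def fetch_certificate(mount, serial, request=vault_request):
    """GET <mount>/cert/<serial>: the PEM is under data.certificate (never the key)."""
    return request("GET", f"{mount}/cert/{serial}")["data"]["certificate"]


def pem_to_der(pem):
    body = [line for line in pem.strip().splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(body))


def _tlv(buf, pos):
    """Minimal DER reader: (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_serial_hex(der):
    """Serial of a DER X.509 cert in Vault's colon-separated lowercase hex form."""
    _, tbs, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, first, _ = _tlv(der, tbs)            # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, first)      # [0] EXPLICIT version, or the serial on v1 certs
    if tag == 0xA0:
        tag, start, end = _tlv(der, end)    # serialNumber INTEGER follows the version
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    raw = der[start:end].lstrip(b"\x00")    # DER pads positive ints with 0x00; Vault's hex does not
    return ":".join(f"{b:02x}" for b in raw)


def serial_matches(pem, serial):
    """True if the PEM's embedded serial equals the one used in the request path."""
    return der_serial_hex(pem_to_der(pem)) == serial.lower().replace("-", ":")


def fetch_and_check(mount, serial, request=vault_request):
    """Fetch by serial and refuse a certificate whose own serial does not match."""
    pem = fetch_certificate(mount, serial, request)
    if not serial_matches(pem, serial):
        raise ValueError(f"asked for {serial}, got a certificate with a different serial")
    return pem


# --- constructed sample data for offline runs (not real Vault output) ---
# Minimal DER skeleton: Certificate{ tbsCertificate{ [0]{INTEGER 2}, INTEGER 0x01a3ff } }.
SAMPLE_DER = bytes.fromhex("300c300aa003020102020301a3ff")
SAMPLE_SERIAL = "01:a3:ff"


def make_fake_request(serial_to_der):
    """A request() stand-in that answers like the two PKI endpoints used above."""
    def fake(method, path):
        if method == "LIST" and path.endswith("/certs"):
            return {"data": {"keys": list(serial_to_der)}}
        if method == "GET" and "/cert/" in path:
            b64 = base64.b64encode(serial_to_der[path.rsplit("/", 1)[1]]).decode()
            pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
                b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----"
            return {"data": {"certificate": pem}}
        return {"errors": ["unsupported path"]}   # what Paul saw for certs/pem
    return fake


if __name__ == "__main__":
    req = make_fake_request({SAMPLE_SERIAL: SAMPLE_DER})   # swap for vault_request live
    for s in list_serials("appliance", req):
        fetch_and_check("appliance", s, req)
        print(s, "ok")
```

Against a live server, drop the `request=` argument so `vault_request` is used; `cert/<serial>` is the read path (singular) and `certs` the list path (plural), which is exactly the distinction the `certs/pem` error is pointing at.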

paul.car...@gmail.com

Jan 31, 2017, 1:26:14 PM
to Vault
Vishal

Thanks, that got me the cert, what about the private key?

Jeff Mitchell

Jan 31, 2017, 2:10:28 PM
to vault...@googlegroups.com
Hi Paul,

I'm a bit confused:

vault write $addr $pki_backend/issue/node-mgr
common_name="node01.cplm" ip_sans="10.11.12.101" ttl=720h format=pem
# This returns my cert and key

So you already have the key...?

Best,
Jeff

paul.car...@gmail.com

Feb 1, 2017, 2:28:00 AM
to Vault
Jeff

Yes, but I was assuming it was stored in the vault and could be retrieved later?

paul.car...@gmail.com

Feb 1, 2017, 2:57:15 AM
to Vault
Jeff

My bad, just found this in docs...

The private key is not stored. If you do not save the private key, you will need to request a new certificate.

makes sense when you think about it!
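Because the key exists only in the `issue` response, the moment to keep it is when that response arrives. As an added example, not code from the thread or from Vault: take the JSON returned by `<mount>/issue/<role>` and write certificate, issuing CA and private key to separate files, the key created with mode 0600 and `O_EXCL` so an existing file is never silently overwritten. Assumptions not on the page: the response fields `data.certificate`, `data.private_key`, `data.issuing_ca` are the ones the PKI issue API returns, the output file names are my own, and `SAMPLE_RESPONSE` is constructed with placeholder PEM bodies.

```python
import json
import os
import stat
import tempfile

# Issue-response field -> (file name, final file mode). Names are assumed, not Vault's.
OUTPUTS = {
    "certificate": ("node01.cplm.crt", 0o644),
    "issuing_ca":  ("node01.cplm.ca.crt", 0o644),
    "private_key": ("node01.cplm.key", 0o600),
}


def write_new_file(path, text, mode):
    """Create the file with its final mode from the first byte; refuse to clobber."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(text if text.endswith("\n") else text + "\n")


def save_issue_response(resp, out_dir):
    """Persist every PEM part of an issue response; return {field: path}."""
    data = resp["data"]
    missing = [k for k in OUTPUTS if k not in data]
    if missing:                                 # write nothing rather than a partial set
        raise KeyError(f"issue response lacks {missing}")
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    written = {}
    for field, (name, mode) in OUTPUTS.items():
        path = os.path.join(out_dir, name)
        write_new_file(path, data[field], mode)
        written[field] = path
    return written


def key_permissions_ok(path):
    """True if the key file grants nothing to group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample: the issue API's field names with placeholder PEM bodies.
SAMPLE_RESPONSE = json.loads("""{
  "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER-CA\\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nPLACEHOLDER-KEY\\n-----END RSA PRIVATE KEY-----",
    "private_key_type": "rsa",
    "serial_number": "00:placeholder:serial"
  }
}""")


def demo_save(resp=SAMPLE_RESPONSE):
    """Save into a fresh temp dir; report key permissions and that a re-save is refused."""
    out_dir = tempfile.mkdtemp(prefix="vault-pki-")
    paths = save_issue_response(resp, out_dir)
    try:
        save_issue_response(resp, out_dir)      # same dir again: O_EXCL must refuse
        clobber_refused = False
    except FileExistsError:
        clobber_refused = True
    return paths, key_permissions_ok(paths["private_key"]), clobber_refused


def missing_field_is_refused(resp):
    """True if a response without a private_key is rejected before anything is written."""
    try:
        save_issue_response(resp, tempfile.mkdtemp(prefix="vault-pki-"))
        return False
    except KeyError:
        return True


if __name__ == "__main__":
    paths, perms_ok, refused = demo_save()
    for field, p in paths.items():
        print(field, p, oct(stat.S_IMODE(os.stat(p).st_mode)))
    print("key perms ok:", perms_ok, "| re-save refused:", refused)
```

In real use, pipe the `vault write -format=json ... issue/node-mgr ...` output (or the raw API response) into `save_issue_response`; a response that lacks the key field, which is what a later `cert/<serial>` read looks like, is rejected rather than producing a certificate with no key beside it.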