Storing certificates as secret


Nils Hjelte
Jun 5, 2015, 7:54:03 AM
to vault...@googlegroups.com
What is the recommended usage pattern for storing certificates in vault? It is not a certificate that I want to use to authenticate against vault, it is a certificate I want to use in my deployment pipeline, to automatically provision the production certificates.

I tried something like

vault write secret/certs/my.domain.com/site.crt value=$(cat site.crt)

but vault does not seem to like multiline values. Is this a bad strategy for deploying SSL certificates?

// Nils

Nils Hjelte
Jun 5, 2015, 8:02:33 AM
to vault...@googlegroups.com
Maybe it is better to do something like this: https://www.calazan.com/how-to-deploy-encrypted-copies-of-your-ssl-keys-and-other-files-with-ansible-and-openssl/

In the section "What about files that get copied to the server such as private keys for SSL certificates?" they describe how to encrypt the raw key file, and store the encryption key in the vault, rather than the entire certificate-file.



--
You received this message because you are subscribed to a topic in the Google Groups "Vault" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/vault-tool/CEC1LmlRplI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to vault-tool+...@googlegroups.com.
To post to this group, send email to vault...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/77940e82-dc42-41b8-9f45-2493b899d500%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Armon Dadgar
Jun 6, 2015, 1:57:07 PM
to vault...@googlegroups.com, Nils Hjelte
Hey Nils,

This should work, but you may want to try wrapping the value in quotes to keep it from getting splatted.
If this fails, you may want to try base64 encoding the value.

Hope that helps!

Best Regards,
Armon Dadgar

Jeff Mitchell
Jun 6, 2015, 5:47:11 PM
to Nils Hjelte, vault...@googlegroups.com

Use Vault to provision the production certificates!

See https://github.com/hashicorp/vault/pull/310 and https://gist.github.com/jefferai/e2bebc3bb97fed521666

--Jeff


Sheldon Hearn
Jun 29, 2015, 11:11:52 AM
to vault...@googlegroups.com
You can take the value from stdin or files:

cat site.crt | vault write secret/certs/my.domain.com/site.crt value=-

vault write secret/certs/my.domain.com/site.crt value=@site.crt


As an aside, note that Vault might be overkill if you only want to distribute public certificates; it's the keys that are sensitive. Well it's the keys that should be: I'd try hard to avoid putting sensitive information in certificates, unencrypted.
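An added illustration (not from any of the posters) of the splatting Armon mentions and of the quoting and base64 workarounds, using a constructed PEM-shaped sample and a stand-in for `vault write`, so it runs without Vault installed:

```shell
#!/bin/sh
# Added example: why `value=$(cat site.crt)` breaks and how quoting or
# base64 keeps a multi-line PEM intact. No Vault binary is needed.

# Constructed stand-in for site.crt: PEM-shaped text, not a real certificate.
sample_pem() {
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' \
    'MIIBszCCAVmgAwIBAgIQUJLRUVaamFrZXNhbXBsZQ==' \
    'c2FtcGxlIGJvZHkgbGluZSB0d28=' \
    '-----END CERTIFICATE-----'
}

# Stand-in for `vault write`: report how many arguments actually arrived.
fake_vault_write() { echo "$#"; }

# Unquoted $(...) is word-split on spaces and newlines, so the CLI receives
# several stray arguments instead of one value= pair (here: 6).
unquoted_argc() { fake_vault_write value=$(sample_pem); }

# Quoting the substitution hands the whole PEM over as a single argument (1).
quoted_argc() { fake_vault_write "value=$(sample_pem)"; }

# Base64 without line wrapping gives one whitespace-free token that survives
# any shell or transport; decode it again on the way out of Vault.
pem_to_b64() { sample_pem | base64 | tr -d '\n'; }
b64_roundtrip_ok() {
  [ "$(pem_to_b64 | base64 -d)" = "$(sample_pem)" ] && echo yes || echo no
}
```

Sheldon's `value=-` and `value=@site.crt` forms give the same single-argument guarantee without relying on shell quoting at all.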