PKI engine - deleting revoked certs


Marko Božiković

Jul 9, 2018, 11:07:21 AM7/9/18
to Vault
Hi all,

I've started playing with PKI and successfully imported an internal intermediate cert to use for issuing certificates, but I don't know how to remove revoked certificates (revoked using vault write pki/revoke serial_number=xxxxx).

Thank you,
Marko

Jeff Mitchell

Jul 10, 2018, 11:22:05 AM7/10/18
to Vault
Hi Marko,

See https://www.vaultproject.io/api/secret/pki/index.html#tidy -- make sure you flip tidy_cert_store to true.

Best,
Jeff

Marko Božiković

Jul 10, 2018, 11:27:39 AM7/10/18
to vault...@googlegroups.com
On 10/07/2018 16:21, Jeff Mitchell wrote:
Hi Marko,

See https://www.vaultproject.io/api/secret/pki/index.html#tidy -- make sure you flip tidy_cert_store to true.

Hi,

I did this (several times :-):

vault write ca/tidy tidy_cert_store=true tidy_revocation_list=true safety_buffer='1'

(my PKI is mounted under ca/ path)

After that, vault list ca/certs still shows the certs, and when I fetch them using vault read ca/cert/<serial_number>, all of them have revocation_time != 0.

The server uses filesystem storage, and both server and client are 0.10.3.

Kind regards,
-- 
Marko Bozikovic
Senior Developer
Symplectic
Email: bo...@symplectic.co.uk

Jeff Mitchell

Jul 12, 2018, 10:29:37 AM7/12/18
to Vault
Hi,

Please file a github issue -- if you can provide a reproduction script that would be great too!

Best,
Jeff


Jeff Mitchell

Jul 12, 2018, 4:33:48 PM7/12/18
to Vault
It's possible this is you, but this seems like your issue: https://github.com/hashicorp/vault/pull/4916

Best,
Jeff

Marko Božiković

Aug 28, 2018, 9:47:50 AM8/28/18
to vault...@googlegroups.com
Hi,

Sorry for the late reply, I was away...

The linked issue is for adding a parameter to the "tidy" resource to clean up manually revoked certificates (the thing I've been testing).

I have installed Vault 0.10.4 and can't seem to make this work. I may be missing the point here, but the behaviour is confusing. To replicate, I've followed Setup/Usage steps from the Vault guide here: https://www.vaultproject.io/docs/secrets/pki/index.html

Steps to reproduce:

vault secrets enable pki

vault secrets tune -max-lease-ttl=8760h pki

vault write pki/root/generate/internal \
    common_name=my-website.com \
    ttl=8760h

vault write pki/config/urls \
    issuing_certificates="https://my-vault.internal:8200/v1/pki/ca" \
    crl_distribution_points="https://my-vault.internal/v1/pki/crl"

vault write pki/roles/my-role \
    allowed_domains=my-website.com \
    allow_subdomains=true \
    max_ttl=72h

vault write pki/issue/my-role \
    common_name=www.my-website.com

The generated certificate's serial number in my case was:

72:03:d3:b5:fb:d9:8d:3a:b2:b1:af:1f:9a:51:3b:ea:01:e3:6a:ff

Running
vault list pki/certs

returns
Keys
----
3f-52-9e-c4-3c-3d-ef-9a-9b-64-5e-99-af-0d-cc-ed-8a-14-35-cd
72-03-d3-b5-fb-d9-8d-3a-b2-b1-af-1f-9a-51-3b-ea-01-e3-6a-ff

3f-52-.... is the auto-generated root cert.

Running
vault read pki/cert/72-03-d3-b5-fb-d9-8d-3a-b2-b1-af-1f-9a-51-3b-ea-01-e3-6a-ff

returns the certificate data, with revocation_time 0

If I examine CRL using
curl --header "X-Vault-Token: $token" https://my-vault.internal:8200/v1/pki/crl/pem > crl.pem
openssl crl -inform PEM -in crl.pem  -text

I see there are no revoked certificates.

Now, running
vault write pki/revoke serial_number='72-03-d3-b5-fb-d9-8d-3a-b2-b1-af-1f-9a-51-3b-ea-01-e3-6a-ff'

returns
Key                        Value
---                        -----
revocation_time            1535463416
revocation_time_rfc3339    2018-08-28T13:36:56.256644972Z

And running
vault read pki/cert/72-03-d3-b5-fb-d9-8d-3a-b2-b1-af-1f-9a-51-3b-ea-01-e3-6a-ff

returns certificate data, this time with revocation_time set to 1535463416

If I use curl and openssl again to examine CRL, I can see the certificate in the revoked certificates list.

After this, I would expect that tidying up the storage would delete the certificate. So, I run:
vault write pki/tidy safety_buffer=1 tidy_cert_store=true tidy_revocation_list=true tidy_revoked_certs=true

with a successful output:
Success! Data written to: pki/tidy

If I examine CRL yet again, there are no revoked certificates. However, running
vault list pki/certs

I still get the certificate listed:
Keys
----
3f-52-9e-c4-3c-3d-ef-9a-9b-64-5e-99-af-0d-cc-ed-8a-14-35-cd
72-03-d3-b5-fb-d9-8d-3a-b2-b1-af-1f-9a-51-3b-ea-01-e3-6a-ff

If I run
vault read pki/cert/72-03-d3-b5-fb-d9-8d-3a-b2-b1-af-1f-9a-51-3b-ea-01-e3-6a-ff

I get the certificate data, with revocation_time set to 0 again.


Am I misunderstanding how Vault handles revoked/expired certificates here or not using Vault commands correctly?

Thank you,
Marko


Jeff Mitchell

Aug 30, 2018, 1:12:14 PM8/30/18
to Vault
Hi Marko,

The reason for this behavior is that currently tidy considers the two halves of things (cert store tidying and revoked list tidying) independently. So cert store tidying, which handles tidying the actual cert entries that can be looked up, looks at the safety buffer compared to the cert entry's NotAfter value. However, the revoked cert tidying looks at the entry put into the revoked list and removes that entry under two conditions: one is if tidy_revoked_certs is true, and the other is if we're safety_buffer past the NotAfter value. What's not really visible to you is that these are actually independent entries.

I agree that this is confusing. I'll put a change in for 0.11.1 that removes an entry from the cert store as well if it has been revoked and tidy_revoked_certs is set to true.

Best,
Jeff

Jeff Mitchell

Aug 30, 2018, 1:39:37 PM8/30/18
to Vault

Marko Božiković

Aug 31, 2018, 3:34:17 AM8/31/18
to vault...@googlegroups.com
Hi Jeff,

Thank you very much for the explanation!

One thing, though: you said that when tidy_revoked_certs is true, the tidy operation compares the safety buffer to the cert's NotAfter value. Shouldn't it compare the safety buffer to revocation_time when it's != 0?

Kind regards,
Marko


Stephen Prater

Feb 21, 2019, 6:19:24 PM2/21/19
to Vault
I know that I'm sort of necro-threading this - but I have the same problem.

I created a bunch of certificates that I don't need.  Nobody is using them so just forgetting they ever existed is not a problem.

They have all been revoked, but `vault tidy` won't remove them because they don't expire until next year some time.

Is there a better option than individually deleting them from the backend?  (Dynamo in this case.)

tobt...@gmail.com

Feb 22, 2019, 12:44:02 PM2/22/19
to Vault
Hello Stephen,

deleting a revoked certificate before its end of life has been reached would UNREVOKE this certificate. This is usually not what anyone would want.
If you revoke a certificate, its serial number is added to the certificate revocation list (CRL). Systems which check this CRL will then reject any certificate which is on the list, even if it's still within its validity period.
If you would now delete such a revoked certificate, it would disappear from the CRL and systems would then suddenly accept it again.

As far as I know there is no way to delete non-expired certificates via the Vault API, you'd have to file a feature request for that. I'm not a Vault developer, but I believe this feature has not been added yet for security reasons:
1. Deleting revoked certificates which have not expired yet would unrevoke them
2. The log or database of a Certificate Authority should be audit proof. That means it should not be possible for a user to issue a certificate and delete this certificate from the CA inventory afterwards, so that he ends up with a valid certificate that no one knows of. Other CA software will not let you delete arbitrary certificates from their inventory either. Of course if you have raw access to the storage you can wreak havoc there in any possible way.
3. Vault is a secret engine, it builds on the idea of short-lived secrets which are continuously refreshed. This is also and especially true for its pki backend, because other than OCSP-Must-Staple (which is not yet production ready) there's no reliable way to revoke a certificate within its validity period. And if your certificates are only valid a few days or weeks there's no point in deleting them before expiration.

Jeff Mitchell

Feb 22, 2019, 3:26:30 PM2/22/19
to Vault
Hi,

It uses the certificate's NotAfter. The reason is that if you tidy the revoked value while the certificate is still technically valid (from a pure time-based perspective), and thus remove it from the CRL, then the certificate is effectively unrevoked now. So we have to do it after the certificate itself is expired as well.

Best,
Jeff
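The two independent tidy halves Jeff described on Aug 30, and the NotAfter rule he gives in this reply, as an added Go model written for this thread (not Vault's own code; the type names, the short serial and the 72h/36-minute timings are constructed assumptions). It also carries the variant Marko asked about, comparing the revoked list against revocation_time, so the unrevoke effect can be observed directly.

```go
package main

import "time"

// Hypothetical model (not Vault's code) of the two independent halves of tidy
// described in the thread: the cert store behind `vault list pki/certs`, and
// the revoked list the CRL is built from. Serials and times are constructed.
type Cert struct {
	NotAfter       time.Time
	RevocationTime time.Time // zero value means not revoked
}

type PKI struct {
	CertStore   map[string]Cert // serial -> issued cert entry
	RevokedList map[string]Cert // serial -> separate revoked entry
}

func NewPKI() *PKI { return &PKI{CertStore: map[string]Cert{}, RevokedList: map[string]Cert{}} }
func (p *PKI) Issue(serial string, notAfter time.Time) { p.CertStore[serial] = Cert{NotAfter: notAfter} }
// Revoke updates the cert entry and adds a revoked-list entry, as pki/revoke does.
func (p *PKI) Revoke(serial string, now time.Time) {
	c := p.CertStore[serial]
	c.RevocationTime = now
	p.CertStore[serial] = c
	p.RevokedList[serial] = c
}
// OnCRL: would a relying party checking the CRL still reject this serial?
func (p *PKI) OnCRL(serial string) bool { _, ok := p.RevokedList[serial]; return ok }
// Listed: would `vault list pki/certs` still show this serial?
func (p *PKI) Listed(serial string) bool { _, ok := p.CertStore[serial]; return ok }
// Tidy removes an entry only once now is past NotAfter+safetyBuffer (Jeff's rule); useRevocationTime
// instead compares the revoked list against RevocationTime, the variant Marko asked about (unrevokes).
func (p *PKI) Tidy(now time.Time, safetyBuffer time.Duration, tidyCertStore, tidyRevokedCerts, useRevocationTime bool) {
	past := func(t time.Time) bool { return now.After(t.Add(safetyBuffer)) }
	for serial, c := range p.CertStore {
		if tidyCertStore && past(c.NotAfter) {
			delete(p.CertStore, serial)
		}
	}
	for serial, c := range p.RevokedList {
		basis := c.NotAfter
		if useRevocationTime {
			basis = c.RevocationTime
		}
		if tidyRevokedCerts && past(basis) {
			delete(p.RevokedList, serial) // the serial leaves the next CRL
		}
	}
}
```

With the NotAfter rule a revoked 72h leaf tidied an hour after revocation stays both listed and on the CRL until its expiry plus the buffer; with the revocation_time variant the same tidy drops it from the CRL while the certificate is still valid.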