Vault PKI Certificates


Debashish Modak

Apr 6, 2018, 12:55:20 PM
to Vault

I am new to Vault, so this question might be vague/silly.


I have an AWS Windows instance and I am running Qualys scan on it. Now the certificate used for RDP is a self-signed one and Qualys reports vulnerabilities:

(Please install a server certificate signed by a trusted third-party Certificate Authority.)


One solution is to generate a CSR, submit to a CA and wait for the verification and signing process to complete.

But this is not practical as I need to automate this scan feature and make sure no vulnerabilities pop up.


Hence Vault.

I am hoping using Vault's PKI solution this issue can be resolved.

I have executed the following commands as per the documentation:


vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"
vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h
vault write pki/issue/example-dot-com common_name=blah.example.com


After execution of the last command, terminal shows 3 certificates:

1. The certificate itself

2. Issuing CA

3. Private Key


Now how do I proceed in terms of using this certificate for RDP?


Things I have tried:

I copied the certificate to a file certificate.crt and the private key to a file privateKey.key

After that I used openssl to convert them into a .pfx file and imported the .pfx file into the mmc console under Personal Certificates.


OpenSSL> pkcs12 -export -out C:\Users\Administrator\Downloads\certificate.pfx -inkey C:\Users\Administrator\Downloads\privateKey.key -in C:\Users\Administrator\Downloads\certificate.crt


To point Windows RDP to use this certificate:

PS C:\Users\Administrator> wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<Thumbprint of certificate>"


However, this does not seem to be working.

When I am trying to RDP to the instance, it shows the following errors:

A revocation check could not be performed for the certificate

The certificate or associated chain is invalid (Code 0x10000)

Jeff Mitchell

Apr 6, 2018, 1:12:39 PM
to Vault
Hi Debashish,

Unfortunately I know very little about how RDP uses certificates, but a post on a forum that is relaying hearsay from another forum says that RDP may require an OCSP responder, not CRLs. Vault does not support OCSP currently. That said, an (old) blog from Microsoft (https://cloudblogs.microsoft.com/enterprisemobility/2011/04/11/how-to-enable-certificate-revocation-checking-on-a-remote-desktop-gateway-client/) doesn't necessarily seem to agree.

I'd make sure at a minimum that the CRL endpoint you configured is working -- you should be able to hit it with curl and get back a reply.

Best,
Jeff
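The check Jeff suggests (is the configured CRL endpoint actually answering?) plus the Windows-side view of the same question, as an added example that is not part of his reply. It assumes the CRL URL from the original post's `pki/config/urls` call and the leaf certificate saved at `C:\vault\certificate.crt`. `certutil -urlfetch -verify` makes Windows build the chain and fetch the CRL from the certificate's CDP exactly as the RDP client does, so its output pins down which of the two reported errors is the root cause: an unreachable CDP, an expired CRL, or a chain that cannot be built because the issuing CA is not trusted. The `Select-String` patterns are just filters for the relevant lines of certutil's output, not an exhaustive list of its messages.

```powershell
# Added example (not from the original thread). Assumed values: the CRL URL configured
# in Vault in the first post, and the Vault-issued leaf cert saved to disk.
$ErrorActionPreference = 'Stop'
$crlUrl  = 'http://vault.example.com:8200/v1/pki/crl'
$leafCrt = 'C:\vault\certificate.crt'
$crlFile = Join-Path $env:TEMP 'vault.crl'

# 1. Plain reachability: the CDP must answer over HTTP from the machine doing the check.
#    Vault serves the CRL unauthenticated at <mount>/crl, DER-encoded by default.
$resp = Invoke-WebRequest -Uri $crlUrl -OutFile $crlFile -PassThru -UseBasicParsing
'CRL fetch: HTTP {0}, {1} bytes' -f $resp.StatusCode, (Get-Item $crlFile).Length

# 2. Is it a parsable CRL, and is it still valid? Windows also rejects a CRL whose
#    NextUpdate has passed, which produces the same "revocation check could not be
#    performed" error as an unreachable endpoint.
certutil -dump $crlFile | Select-String -Pattern 'Issuer', 'ThisUpdate', 'NextUpdate'

# 3. Drop any cached copy so the next step really goes to the network, then let
#    Windows build the chain and fetch revocation data the way the RDP client would.
certutil -urlcache * delete | Out-Null
$verify = certutil -f -urlfetch -verify $leafCrt
$verify | Select-String -Pattern 'Revocation', 'CRL', 'untrusted', 'ERROR', 'Cert is'

# 4. Summarise: "passed" appears in certutil's output only when the chain built and
#    the revocation check succeeded end to end.
if ($verify -match 'revocation check passed') {
    'Chain and revocation check OK; the RDP error is not coming from the CRL.'
} else {
    'Chain or revocation check failed; see the filtered certutil lines above.'
}
```

Run this on the RDP *client* as well as on the server: the client is the side that performs the revocation check when it validates the listener's certificate, so a CDP that is reachable from inside the VPC but not from the workstation still yields the error in the original post.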

To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/b4b9820a-23ab-4f12-a5ab-3acfb54e646a%40googlegroups.com.

d.gavr...@gmail.com

Nov 7, 2018, 8:13:13 AM
to Vault
Hi, did you manage to get this working? I am working on a similar solution. I think it's your Windows config. It's not true that you *need* OCSP for RDP w/certs to work. I managed to get it to work without OCSP by just using local certificates in local client stores. The downside is obviously the clients don't check for revocation until the cert expires. So, if you need the client to always check whether it's a valid certificate, then you need OCSP.