I am new to Vault, so this question might be vague/silly.
I have an AWS Windows instance and I am running a Qualys scan on it. Now the certificate used for RDP is a self-signed one, and Qualys reports vulnerabilities:
(Please install a server certificate signed by a trusted third-party Certificate Authority.)
One solution is to generate a CSR, submit to a CA and wait for the verification and signing process to complete.
But this is not practical as I need to automate this scan feature and make sure no vulnerabilities pop up.
Hence Vault.
I am hoping using Vault's PKI solution this issue can be resolved.
I have executed following commands as per documentation:
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
vault write pki/config/urls issuing_certificates="http://vault.example.com:8200/v1/pki/ca" crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"
vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h
vault write pki/issue/example-dot-com common_name=blah.example.com
After execution of the last command, terminal shows 3 certificates:
1. The certificate itself
2. Issuing CA
3. Private Key
Now how do I proceed in terms of using this certificate for RDP?
Things I have tried:
I copied the certificate to a file certificate.crt and the private key to a file privateKey.key.
After that, I used openssl to convert them into a .pfx file and imported the .pfx file into the mmc console under Personal Certificates.
OpenSSL> pkcs12 -export -out C:\Users\Administrator\Downloads\certificate.pfx -inkey C:\Users\Administrator\Downloads\privateKey.key -in C:\Users\Administrator\Downloads\certificate.crt
To point Windows RDP to use this certificate:
PS C:\Users\Administrator> wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<Thumbprint of certificate>"
However, this does not seem to be working.
When I am trying to RDP to the instance, it shows the following errors:
A revocation check could not be performed for the certificate
The certificate or associated chain is invalid (Code 0x10000)
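As an added example (not part of the original post, and not Vault's or HashiCorp's own code): the two errors quoted above are what mstsc reports when the client does not trust the issuing CA and cannot fetch the CRL URL from pki/config/urls, so this PowerShell sequence trusts the Vault issuing CA on the host, imports the PFX, validates the chain and CRL fetch locally, then binds the RDP-Tcp listener. The file paths and the name blah.example.com come from the post; the issuing_ca.crt file name and the PFX password prompt are assumptions.

```powershell
# Added example: install a Vault-issued RDP certificate with its chain on Windows.
# Run in an elevated PowerShell session. Paths below follow the original post;
# issuing_ca.crt (the "Issuing CA" PEM printed by `vault write pki/issue/...`)
# and the PFX password prompt are assumptions.
$leafPfx   = 'C:\Users\Administrator\Downloads\certificate.pfx'
$leafCrt   = 'C:\Users\Administrator\Downloads\certificate.crt'
$issuingCa = 'C:\Users\Administrator\Downloads\issuing_ca.crt'   # assumed file name
$rdpName   = 'blah.example.com'                                   # common_name used at issue time
$pfxPass   = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Trust the Vault issuing CA on this machine. The RDP *client* needs the same
#    CA in its Trusted Root store, otherwise it keeps reporting an invalid chain.
Import-Certificate -FilePath $issuingCa -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Import the leaf certificate and private key into the machine Personal store.
$cert = Import-PfxCertificate -FilePath $leafPfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass

# 3. Validate chain, Server Authentication EKU and DNS name locally before
#    touching the listener; a failure here is the same failure mstsc shows.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $rdpName -ErrorAction SilentlyContinue)) {
    throw "Certificate for $rdpName does not validate on this host; fix CA trust first."
}

# 4. Revocation: the leaf carries the crl_distribution_points URL configured in
#    pki/config/urls. certutil tries to download it; if that host name does not
#    resolve from the client, mstsc reports that the revocation check failed.
certutil -verify -urlfetch $leafCrt | Select-String -Pattern 'CRL', 'Revocation'

# 5. Bind the RDP-Tcp listener to the certificate (same setting the wmic call
#    changes, via the CIM cmdlets).
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$ts | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# The Remote Desktop service runs as NETWORK SERVICE and must be able to read the
# private key; if the listener still falls back to the self-signed certificate,
# grant Read on the key (certlm.msc > Personal > right-click > Manage Private Keys).
"RDP-Tcp now uses thumbprint $($cert.Thumbprint)"
```

Restart the TermService service (or reboot) after changing the listener, and note that Qualys will only stop flagging the certificate once the scanner itself trusts the Vault CA.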