Vault as PKI as trusted root using external Root cert


Atul Chaudhari

Jun 25, 2020, 11:34:47 PM
to Vault
Hello,

Is it possible to set up a private-network PKI server using Vault (or any other PKI server), such that I import a verified root cert or an intermediate cert into Vault, and when I create new PKI certs for internal sub-domains, these are acknowledged as certs from a trusted CA?

--
Regards.

Karsten Heymann

Jun 26, 2020, 12:18:33 AM
to vault...@googlegroups.com
Hi Atul,

I think that's not possible. If an official CA signed a certificate with CA permissions for you, you would be able to sign certificates for *any* domain with it. What you have to do is to create a separate internal CA and install that on your clients.

Regards
Karsten

--
In the coming weeks, inbound messages to this group will be disabled, and it will be used for outbound announcements only. To prepare for this switch, please direct questions and conversations to our primary medium to communicate with practitioners: https://discuss.hashicorp.com/c/vault/30. We look forward to collaborating with you there!
 
GitHub Issues: https://github.com/hashicorp/vault/issues
 
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/5217c3ce-872e-4ac1-b5ac-4fbdfeaa880do%40googlegroups.com.

Miroslav Kalina

Jun 26, 2020, 1:42:54 AM
to vault...@googlegroups.com
Hello guys,

There is an X.509 extension designed to limit the usability of an intermediate CA, but it has some issues, and official CAs probably won't issue you such an intermediate CA.

See https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only

Best regards
Miroslav

-- 
Miroslav Kalina
Systems development specialist

mirosla...@livesport.eu
+420 773 071 848

Livesport s.r.o.
Aspira Business Centre
Bucharova 2928/14a, 158 00 Praha 5
www.livesport.eu

Atul Chaudhari

Jun 29, 2020, 2:29:39 PM
to Vault
How to create an Intermediate CA?


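The procedure behind the thread so far, as an added example that is not part of the thread and not Vault's own tooling: the separate internal CA Karsten recommends, built as a two-tier hierarchy with plain OpenSSL, with the intermediate carrying the X.509 Name Constraints extension Miroslav refers to (RFC 5280 section 4.2.1.10). The intermediate will happily sign a certificate for a host outside corp.example; it is the relying party running `openssl verify` that rejects it. All names, directories, key sizes and validity periods are illustrative assumptions.

```shell
# Added example: two-tier private PKI with a name-constrained intermediate,
# using only the openssl CLI. Not code from the thread or from Vault.
set -eu

# Minimal request config shared by every `openssl req` call. The subject is
# always passed with -subj; [dn] exists only because req insists on a
# distinguished_name section. [ca] holds the extensions for the self-signed root.
write_req_cnf() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Creates the root and the name-constrained issuing (intermediate) CA in $1.
build_ca_hierarchy() {
  dir="$1"
  mkdir -p "$dir"
  write_req_cnf "$dir"

  # Self-signed root. In production its key stays offline or in an HSM.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/req.cnf" -extensions ca \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

  # Intermediate CSR. The CA flags and the constraint are decided by the
  # signer (below), never by whoever submits the CSR.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "/CN=Example Issuing CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null

  # pathlen:0       -> this CA may only issue end-entity certificates.
  # nameConstraints -> every certificate below it may only carry DNS names
  #                    under corp.example. Only the DNS name type is
  #                    constrained here; IP, email and URI SANs would need
  #                    their own permitted/excluded entries to be limited.
  cat > "$dir/int.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
nameConstraints = critical, permitted;DNS:corp.example
EOF
  openssl x509 -req -sha256 -days 1825 -in "$dir/int.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/int.ext" -out "$dir/int.crt" 2>/dev/null
}

# Issues a TLS server certificate for hostname $2 from the intermediate in $1.
# Note that openssl x509 does NOT refuse names outside the constraint here.
issue_server_cert() {
  dir="$1"; host="$2"
  cat > "$dir/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
    -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 90 -in "$dir/$host.csr" \
    -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Exit status 0 only if root -> intermediate -> leaf validates, which for
# OpenSSL includes enforcing the intermediate's name constraints.
verify_server_cert() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/$2.crt" >/dev/null 2>&1
}

WORK=$(mktemp -d)
build_ca_hierarchy "$WORK"
issue_server_cert "$WORK" app1.corp.example   # inside the permitted subtree
issue_server_cert "$WORK" www.victim.example  # signed anyway, rejected on verify
for h in app1.corp.example www.victim.example; do
  if verify_server_cert "$WORK" "$h"; then
    echo "$h: chain OK"
  else
    echo "$h: rejected (permitted subtree violation)"
  fi
done
```

The constraint is enforced by whoever validates the chain, not by the signer: a client whose TLS stack does not implement the extension will accept www.victim.example, which is the practical weakness behind the link Miroslav posted. In Vault the same hierarchy is built with `pki/root/generate/internal`, `pki_int/intermediate/generate/internal`, `pki/root/sign-intermediate` and `pki_int/intermediate/set-signed`; when an external CA is meant to sign the intermediate CSR, it is that CA, not Vault, that decides whether a nameConstraints extension goes into the certificate.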

Jeff LOMBARDO

Jun 30, 2020, 10:57:14 AM
to vault...@googlegroups.com
Hello,

You can use a public CA to sign the subCA certificate of your Vault instance, which you then use to generate internal certificates. This is possible if your subCA CSR requests the Digital Signature key usage and the Root CA accepts the request. Usually it costs more at the public certificate authority.

There is no way of truly restricting FQDN and domain for which you can or cannot sign certificates at the Root CA side. It is the Domain Owner that must handle that through DNS CAA declaration (https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization) or certificate pinning.

This behavior is widely used by all security products that do MitM in order to perform Deep Packet Inspection. The only requirement is to have your own SubCA in the client TrustStore.

Coming back to Vault, you can limit/restrict the type of domain for which a certificate is issued with the Role configuration (whether you allow localhost, restrict the domain to specific values, allow subdomains, enforce hostname verification, etc.).

Jeff
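The role restrictions Jeff describes, written out as an added example that is not from his post: the request body for `vault write pki_int/roles/corp-servers @role.json` on a PKI mount that holds the intermediate. The mount name `pki_int`, the role name and the domain corp.example are assumptions; the parameter names are Vault PKI role parameters.

```json
{
  "allowed_domains": ["corp.example"],
  "allow_subdomains": true,
  "allow_bare_domains": false,
  "allow_glob_domains": false,
  "allow_any_name": false,
  "allow_localhost": false,
  "allow_ip_sans": false,
  "enforce_hostnames": true,
  "server_flag": true,
  "client_flag": false,
  "max_ttl": "720h"
}
```

The settings that reopen the hole are `allow_any_name: true`, `allow_glob_domains: true` with a `*` entry in `allowed_domains`, `allow_localhost: true` and `enforce_hostnames: false`; each of them lets a caller obtain a certificate for a name the role was meant to exclude. Unlike a Name Constraints extension, which is checked by the client validating the chain, these checks are enforced only by Vault at issuance time, so they protect nothing if the intermediate key is copied out of Vault or if a caller holds a policy that grants `sign-verbatim` or write access to the mount's roles.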
