vault-pki: Random new user questions. (certificate display, default TTLs, multiple SANS, keystores)


Dan Bryan

Mar 8, 2019, 3:56:20 PM
to Vault
Hello,

We recently just stood up a Vault CA, and primarily use the web UI to issue. There are a few common tasks that I am finding to be tedious, and I was wondering if there is an easier way to accomplish them.

1.) When choosing an active certificate to revoke, I have to go to the server that has the cert, inspect the cert, copy the serial number, find the matching serial number on the certificates page, then click revoke. Ideally I would like to be able to search the UI for the common name, or search by issue date.
2.) On my intermediate CA, I have a webserver role with a TTL of 1 year, and Max TTL of 2 years. When I issue a cert via clicking the role in the UI, I still have to set the TTL to 365 days every time, otherwise it defaults to 30 days. Where is this 30 days coming from? Why is it not using the TTL value in the role?
3.) When trying to add multiple SANs to a certificate it only adds the first one. In the SANs field I type 'san1.domain.com san2.domain.com san3.domain.com', but only san1.domain.com shows in the issued certificate.
4.) Can Vault-pki create keystores? Currently I take the cert, key and chains and create PFX and JKS manually; is there any automated way to get Vault to return the keystore / password?

Love the tool so far and looking forward to understanding it better,

Thanks!

--Dan

Jeff Mitchell

Mar 12, 2019, 10:46:56 AM
to Vault
Hi Dan,

> 1.) When choosing an active certificate to revoke, I have to go to the server that has the cert, inspect the cert, copy the serial number, find the matching serial number on the certificates page, then click revoke. Ideally I would like to be able to search the UI for the common name, or search by issue date.

Not currently.

> 2.) On my intermediate CA, I have a webserver role with a TTL of 1 year, and Max TTL of 2 years. When I issue a cert via clicking the role in the UI, I still have to set the TTL to 365 days every time, otherwise it defaults to 30 days. Where is this 30 days coming from? Why is it not using the TTL value in the role?

See https://www.vaultproject.io/docs/concepts/tokens.html#token-time-to-live-periodic-tokens-and-explicit-max-ttls
-- we probably need to move or add some color in the PKI docs to make
it clear it applies to leased items too. We don't issue leases for PKI
certs (by default) anymore but we still honor system and mount
settings, so you should check that.

> 3.) When trying to add multiple SANs to a certificate it only adds the first one. In the SANs field I type 'san1.domain.com san2.domain.com san3.domain.com', but only san1.domain.com shows in the issued certificate.

I'm not sure about the web UI field here, but try using commas, not spaces.

> 4.) Can Vault-pki create keystores? Currently I take the cert, key and chains and create PFX and JKS manually; is there any automated way to get Vault to return the keystore / password?

Not currently.

Best,
Jeff
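Putting the answers to 2 and 3 together, here is an added CLI example (not from the thread, Vault's docs, or the Vault project) that shows the mount's TTL cap, issues a cert with comma-separated alt_names and an explicit ttl, and builds the PFX and JKS locally since Vault does not return keystores. The mount name pki_int, the role webserver and the hostnames are assumptions; it needs vault, jq, openssl and keytool on the path and VAULT_ADDR/VAULT_TOKEN set.

```shell
#!/usr/bin/env bash
# Example workflow (assumed mount "pki_int", role "webserver"): issue a cert
# with several SANs and an explicit TTL, then package it as PFX and JKS.
set -eu

# Vault's alt_names parameter is a comma-separated list; turn the
# space-separated form from the question into that shape.
join_sans() {
  local IFS=','
  echo "$*"
}

# The UI takes the TTL in days; the CLI wants a duration such as 8760h.
days_to_ttl() {
  echo "$(( $1 * 24 ))h"
}

# The mount's max_lease_ttl caps whatever the role asks for, so print it.
show_mount_ttls() {
  vault read -format=json "sys/mounts/$1/tune" \
    | jq '.data | {default_lease_ttl, max_lease_ttl}'
}

issue_and_package() {
  local mount=$1 role=$2 cn=$3 days=$4; shift 4
  local out="${cn}.json"
  vault write -format=json "${mount}/issue/${role}" \
    common_name="$cn" \
    alt_names="$(join_sans "$@")" \
    ttl="$(days_to_ttl "$days")" > "$out"
  jq -r '.data.certificate' "$out" > "${cn}.crt"
  jq -r '.data.private_key' "$out" > "${cn}.key"
  jq -r '.data.ca_chain[]' "$out" > "${cn}-chain.crt"
  chmod 600 "${cn}.key" "$out"
  # Vault returns no keystore password, so one is generated locally.
  local pass; pass=$(openssl rand -base64 24)
  openssl pkcs12 -export -inkey "${cn}.key" -in "${cn}.crt" \
    -certfile "${cn}-chain.crt" -name "$cn" -out "${cn}.pfx" -passout "pass:${pass}"
  keytool -importkeystore -srckeystore "${cn}.pfx" -srcstoretype PKCS12 \
    -srcstorepass "$pass" -destkeystore "${cn}.jks" -deststoretype JKS \
    -deststorepass "$pass" -noprompt
  echo "keystore password: $pass"
}

# Only talk to Vault when explicitly asked, so the helpers can be sourced safely.
if [ "${1:-}" = "--run" ]; then
  show_mount_ttls pki_int
  issue_and_package pki_int webserver web01.domain.com 365 \
    san1.domain.com san2.domain.com san3.domain.com
fi
```

Run it as `./issue.sh --run`; the keystore password is printed once and is not stored anywhere by Vault.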