PKI secrets - how to determine remaining TTL of a certificate


daniel stark

May 28, 2017, 6:34:01 AM
to Vault
Hello,

I'm trying to create a relatively short lived certificate. I would like to know when it's about to expire, but I'm having problems seeing the TTL remaining before the certificate expires.

I've created a role and certificate in the following way:
vault write pki/roles/example-dot-com \
   allowed_domains="example.com" \
   allow_subdomains="true" max_ttl="2h"
vault write pki/issue/example-dot-com common_name=blah.example.com

When I read the secret, I see a revocation_time of 0.

vault read pki/cert/43:4b:93:e0:c7:5e:d4:85:74:c7:b8:44:b9:b2:16:46:6e:04:4f:ca
Key             Value
---             -----
certificate     -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
revocation_time 0

I also can request my list of certificates, with a lease_duration of 0 (not sure what this means here but I'm looking for certificate-specific TTL anyway).

{"request_id":"606726c7-0edb-2fc9-14aa-f071e523c854","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["03:ad:a2:1e:e3:8d:5a:53:03:37:98:50:4a:09:76:f8:db:ce:94:da","0c:7f:37:f3:39:9b:ee:04:33:b2:d9:b4:97:d8:b3:a4:8f:28:17:82","20:aa:6b:16:ab:c6:8a:20:11:fe:a1:6a:25:36:06:ad:28:36:b5:94","22:68:e4:da:98:8d:8e:0a:0a:70:b8:39:00:54:14:be:00:e8:44:1a","22:bd:8e:39:2b:b1:28:23:29:61:56:a2:bd:d6:da:dc:bc:70:60:c1","2b:03:2e:65:fe:ae:cb:9a:55:ef:fa:cd:52:54:3e:d1:3d:2e:95:c3","2b:4e:dc:e3:11:78:ad:2f:2b:f0:8e:e4:8c:0c:bd:35:ac:42:8e:02","3b:ac:d3:c3:ed:ef:04:ab:27:94:dc:18:86:bb:46:bc:13:c7:a1:26","43:4b:93:e0:c7:5e:d4:85:74:c7:b8:44:b9:b2:16:46:6e:04:4f:ca","4f:64:2d:ac:09:f0:ab:44:26:df:08:c5:79:47:a8:6f:53:ac:68:e0","58:a9:fd:63:78:53:e9:40:72:aa:98:fa:e4:21:52:fb:d0:41:cc:5e"]},"wrap_info":null,"warnings":null,"auth":null}

I know my TTL is being respected, because I see them expiring on my Vault server.

2017/05/26 22:55:39.003970 [INFO ] expire: revoked lease: lease_id=pki/issue/example-dot-com/92f61792-bda0-b411-23c2-be83a8d9d7d9

This is probably such a noob question, but I can't seem to figure it out. I'm probably mixing my terms up. Thanks in advance!

Brian Lalor

May 28, 2017, 7:09:27 AM
to vault...@googlegroups.com
You can see the time that the cert expires by inspecting it with openssl: openssl x509 -text -noout -in /path/to/cert

The cert is only valid for as long as the backend or the write call has been configured for.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/4b6bb581-ba89-488b-9d55-96f12d5bcd5c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

— 
Brian Lalor

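Brian's openssl one-liner prints the notAfter date; to turn that into a remaining TTL without shelling out to openssl, here is an added example (not code from this thread, and not Vault's own code) that decodes notAfter directly from the PEM with a minimal DER walker and subtracts the current time. The certificate it runs on is a synthetic, unsigned skeleton constructed inside the block, with the thread's 2h window, rather than a real Vault-issued cert; with a real one you would feed it the PEM from `vault read -field=certificate pki/cert/<serial>` (assumed usage, the serial being the one Vault returned at issue time).

```python
"""Remaining TTL of a PEM certificate using only the standard library.

Added example for this thread, not code from the original post or from
Vault. A minimal DER (TLV) walker finds the Validity sequence inside the
TBSCertificate and decodes notAfter; definite-length encodings only, which
is all X.509 DER ever uses.
"""
import base64
import re
from datetime import datetime, timedelta, timezone


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """All TLVs contained in a constructed (SEQUENCE/SET) value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDhhmmssZ, years before 2050) or GeneralizedTime (0x18, YYYY...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(pem):
    """Return (notBefore, notAfter) of a PEM certificate as aware UTC datetimes."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)          # Certificate ::= SEQUENCE
    fields = children(children(cert)[0][1])             # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)


def remaining_ttl(pem, now=None):
    """Time left until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return cert_validity(pem)[1] - now


# --- constructed sample input (not a real Vault-issued certificate) ---------

def der(tag, content):
    """Encode one DER TLV; used only to build the synthetic sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(not_before, not_after):
    """Synthetic, unsigned certificate skeleton with the given validity window."""
    def utc(d):
        return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    cn = der(0x06, bytes.fromhex("550403")) + der(0x0C, b"blah.example.com")  # OID 2.5.4.3 commonName
    name = der(0x30, der(0x31, der(0x30, cn)))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                 # version v3
                    + der(0x02, b"\x01")                            # serialNumber
                    + sha256_rsa + name                             # signature, issuer
                    + der(0x30, utc(not_before) + utc(not_after))   # validity
                    + name + der(0x30, b""))                        # subject, empty SPKI placeholder
    cert = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))       # no real signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def sample_remaining(hours_elapsed):
    """Remaining TTL on the constructed 2h sample after hours_elapsed hours (demo helper)."""
    issued = datetime(2017, 5, 28, 6, 34, 1, tzinfo=timezone.utc)
    pem = build_sample_cert(issued, issued + timedelta(hours=2))   # mirrors max_ttl="2h"
    return remaining_ttl(pem, now=issued + timedelta(hours=hours_elapsed))


if __name__ == "__main__":
    print(sample_remaining(1))   # 1:00:00
```

The certificate's own notAfter is the authoritative expiry: it is fixed at issue time and does not depend on any Vault lease, so this check works the same whether or not the role was created with generate_lease=true (the setting Jeff's second remark refers to). Negative results mean the cert has already expired, which is the condition a renewal job should alert on before it happens.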

daniel stark

May 28, 2017, 8:42:03 AM
to Vault
Thanks Brian, this is a helpful solution. I was hoping I would be able to query Vault directly to view certificate expiry status without having to pull the cert itself.  If not, I can get by with pulling the certs and inspecting them.

Jeff Mitchell

May 28, 2017, 8:45:52 AM
to Vault
Hi Daniel,

In the latest release of Vault you can look up lease status if you have the lease ID.

Also keep in mind that when writing a role definition in the pki backend the default now is to not generate leases for certificates.

Best,
Jeff
