Use PKI with external policy services
Note
The Certificate Issuance External Policy Service requires a Vault Enterprise license.
Challenge
When internal teams submit PKI certificate signing requests (CSRs), operators can be limited by Vault semantics when validating and controlling the issued certificate from PKI secrets engines.
Solution
Vault Enterprise version 1.15.0 introduces a new Certificate Issuance External Policy Service (CIEPS) feature for the PKI secrets engine. CIEPS enables PKI operators to have fine grained control over issued certificates using custom policies from a service defined and built by your organization that operates outside of Vault.
If a CSR does not conform to the rules defined in your policy service, the request is rejected.
Operators can also specify any subject attributes or extensions for issued certificates in the policy service.
Personas
The hands-on lab scenario described in this tutorial involves one persona:
alice
a security operator with privileged permissions to administer Vault secrets engines.
Prerequisites
To perform the tasks described in the tutorial hands-on lab, you need the following.
Vault Enterprise version 1.15.0 or greater binary installed and in your system PATH with valid license. Learn how to request a trial license.
Familiarity with TLS concepts like certificate fields and extended key usage.
Experience with creating and managing certificate authorities with the Vault PKI secrets engine. If you are unfamiliar with these concepts, complete the Build your own certificate authority (CA), and then return to this tutorial.
A text editor that you prefer to work with for creating a script.
Git installed and in your system PATH.
Go installed and in your system PATH for building the example policy service.
- Familiarity with building Go programs is helpful but not required.
A development environment that includes
make
and openssl for building the example policy service binary.curl installed and in your system PATH for API steps.
jq installed and in your system PATH for API output examples.
Versions used for this tutorial
This tutorial was last tested 23 Sep 2023 on macOS using the following software versions.
Scenario introduction
As the Alice persona, you'll set up a lab environment consisting of an example external policy service and a Vault server.
You'll then configure a PKI infrastructure in Vault consisting of a root CA and intermediate CA. You'll then configure the intermediate CA to use the example external policy service.
After establishing the infrastructure, you can request a certificate and key through the external policy service and then examine the certificate to learn about the extension added by the policy service.
Lab setup
Your goal for this section is to deploy and prepare your external policy service and Vault environments for the steps which follow. This involves cloning the example service repository, building the example service from source, and starting the service.
You can a run Vault dev mode server from a terminal session for the purposes of this hands-on lab.
Create hands-on lab home
You can create a temporary directory to hold all the content needed for this hands-on lab and then assign its path to an environment variable for later reference.
Open a terminal, and create the directory
/tmp/learn-vault-pgp
.Export the hands-on directory path as the value to the
HC_LEARN_LAB
environment variable.
External policy service
The CIEPS protocol is a REST-based, optionally mTLS protected webhook. You can learn more about the protocol along with its request and response formats for interacting with Vault in the Certificate Issuance External Policy (CIEPS) documentation.
Development of an external policy service is beyond the scope of this tutorial, but you'll have access to source code for a public example that your engineering team can review as a starting point.
The example code shows how to add an extension to a certificate and how to return warnings to the end user. You can extend this example with validation logic as necessary to meet your use case requirements.
Build and run example policy service
Your goal for this section is to build and run an example external policy service in a terminal session.
The example external service is open source, written in Go, and its source code is publicly available from the vault-pki-cieps-example repository.
When you use the example policy service, the code from the Evaluate()
function in internal/business/policy.go
performs evaluation on the request.
In the example version, it also adds a custom extension to certificates so that you know it was processed with the service:
You should spot the string CIEPS Demo Server Certificate as an extension when decoding the certificate later.
Note
The example policy server processes the certificate request, but does not actually validate the request and instead returns a warning that no validation occurred. You must implement your own validation logic in your policy server code.
Clone the repository.
Change into the vault-pki-cieps-example project directory.
Build the example external service binary.
Example output:
The
Makefile
controls building of the binary and downloads the Vault client SDK for Go if necessary.The binary named
cieps-server
, is built and located in the present working directory.Run
cieps-server
with the--help
flag to learn about the configuration.Example output:
The service requires TLS certificate and key material to run; build the TLS certificate and key.
Example output:
The service is now ready for use.
Start the example policy service, instructing it to listen on all interfaces on TCP port 8443, and use the certificate and key files created from the last step. Redirect the standard output and standard error to the file
policy-server.log
, and background the process.
The example policy server is ready for use.
Vault dev mode server
Run a Vault dev mode server as a background process from your terminal session, and prepare it for use.
Change back into the hands-on lab home directory.
Export an environment variable with a valid Vault Enterprise license.
Update example value
Use your actual Vault Enterprise license string in place of the example value shown.
Open a terminal and start a Vault dev server using the Vault Enterprise binary with
root
as the initial root token value.The Vault dev server defaults to running at
127.0.0.1:8200
. The server logs to the filevault-server.log
in the present working directory, and gets automatically initialized and unsealed.Dev mode is not for production
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and all contents are lost when the Vault server process is stopped.
Export the environment variable for the
vault
CLI to address the Vault server.Check Vault status.
Example output:
The Vault server is ready for you to proceed with the hands-on lab.
Create a certificate authority
Your goal for this section is to enable PKI infrastructure consisting of 2 PKI secrets engine instances representing a root CA (pki) and intermediate CA (pki_int) for the example.com
domain.
This configuration is based on steps just like those in the Build Your Own Certificate Authority (CA) tutorial. You are encouraged to complete the hands-on lab in that tutorial if you are unfamiliar with the PKI secrets engine.
To save time and typing, you can use this example shell script to enable and configure the secrets engines for the hands-on lab.
Use a text editor to write and save this content to the file
/tmp/learn-vault-pki/enable_engines.sh
.enable_engines.shNote
The values used here are just for the hands-on lab. You should change the values of
common_name
andissuer_name
to match your own values when using these commands outside of the context of the hands-on lab.Make the script executable.
Execute the script to enable and configure the secrets engines.
Abbreviated expected output:
List the enabled PKI secrets engines.
Example expected output:
You have enabled the PKI secrets engines with a basic configuration.
Enable and configure CIEPS
Now that you've created your CAs in Vault, you need to enable and configure CIEPS on the intermediate CA so that you can generate a certificate and key with the external policy service.
Configure CIEPS using the Root 2023 CA and the PEM bundle created earlier.
Example output:
Generate certificate and key with external policy
Your goal in this section is to use the Vault CLI or API to request a certificate and key from Vault that uses the example external policy service.
Tip
It is suggested to limit access to the path-overridden issue API endpoint (on
/pki/issuer/:issuer_ref/external-policy/issue/:policy
) and let the CIEPS
engine override the issuer as necessary.
Generate a certificate and key with the external policy service.
Example abbreviated output:
Vault returns the certificate and key as expected. This behavior is the same for a client whether using CIEPS or not. The difference in this case though, is that the external policy service handled this request and emitted a warning message.
The service also added a custom extension to the certificate which Vault cannot natively add. You can parse the certificate with a tool to learn about this extension.
Capture a certificate and export its value in the CIEPS_CERTIFICATE
environment variable.
Examine a certificate
You can use a tool to examine the certificate and learn about the fields included. You can use a CLI tool like openssl
or another application to examine the certificate.
Here, you'll use a web based tool to visualize the certificate content.
From your terminal session, copy the contents of the certificate file to your system clipboard.
Open your browser and navigate to http://lapo.it/asn1js/.
Paste the certificate content from your clipboard into the text area.
Click decode.
You can view all the certificate fields, including the custom extension and its message CIEPS Demo Server Certificate.
Next steps
You've built and run an example CIEPS server, deployed a Vault dev mode server and used the CIEPS server with the Vault PKI secrets engine. You also learned about the example CIEPS server code, user warnings, and how to a custom extension is added to a certificate by the CIEPS server.
The Vault PKI secrets engine is a popular solution, and there is much for you to learn about it. Some tutorials you can explore next to expand your PKI knowledge include Enable ACME with PKI secrets engine, PKI Unified CRL and OCSP with cross cluster revocation, and PKI secrets engine with managed keys.
Cleanup
Unset the environment variables.
Stop the external policy service by executing the following command in your terminal session.
Stop the Vault dev server by executing the following command in your terminal session.
Change into your home directory.
Remove the hands-on lab home directory,
/tmp/learn-vault-pki
.