${PKI_NAME}/roles/etcd.master-az${AZ}-k8s-cluster-home-client-and-server-crt \

allowed_domains="etcd.master.az1.k8s.cluster.home" \

allow_bare_domains=false \

</PRE>

<PRE>

Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master-az1-k8s-cluster-home-client-and-server-crt

Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master-az2-k8s-cluster-home-client-and-server-crt

Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/etcd.master-az3-k8s-cluster-home-client-and-server-crt

</PRE>

==Тестовая роль для клиентских сертификатов==

<PRE>

vault \

write \

${PKI_NAME}/roles/example-dot-home-client-crt \

country="Ukraine" \

locality="Kharkov" \

street_address="Lui Pastera st. 322 app. 131" \

postal_code="61172" \

organization="Home Network" \

ou="IT" \

allow_subdomains=true \

max_ttl="87600h" \

key_bits="2048" \

key_type="rsa" \

allow_any_name=true \

allow_bare_domains=false \

allow_glob_domain=false \

allow_ip_sans=false \

allow_localhost=false \

client_flag=true \

server_flag=false \

enforce_hostnames=false \

key_usage="DigitalSignature" \

ext_key_usage="ClientAuth" \

require_cn=true

Success! Data written to: k8s_pki_intermediate_ca_for_service_etcd/roles/example-dot-home-client-crt

</PRE>

==Просмотр ролей==

===Список ролей (применительно к конкретному инстансу PKI)===

<PRE>

vault \

list \

${PKI_NAME}/roles

</PRE>

<PRE>

Keys

----

example-dot-home-client-crt

example-dot-home-server-crt

</PRE>

===Просмотр роли===

<PRE>

vault \

read \

${PKI_NAME}/roles/example-dot-home-server-crt

</PRE>

<PRE>

Key Value

--- -----

allow_any_name false

allow_bare_domains false

allow_glob_domains false

allow_ip_sans true

allow_localhost false

allow_subdomains true

allow_token_displayname false

allowed_domains [example.home]

allowed_domains_template false

allowed_other_sans []

allowed_serial_numbers []

allowed_uri_sans []

basic_constraints_valid_for_non_ca false

client_flag false

code_signing_flag false

country [Ukraine]

email_protection_flag false

enforce_hostnames true

ext_key_usage [ServerAuth]

ext_key_usage_oids []

generate_lease false

key_bits 2048

key_type rsa

key_usage [DigitalSignature KeyEncipherment]

locality [Kharkov]

max_ttl 87600h

no_store false

not_before_duration 30s

organization [Home Network]

ou [IT]

policy_identifiers []

postal_code [61172]

province []

require_cn true

server_flag true

street_address [Lui Pastera st 322 app. 311]

ttl 0s

use_csr_common_name true

use_csr_sans true

vault \

read \

${PKI_NAME}/roles/example-dot-home-client-crt

</PRE>

<PRE>

Key Value

--- -----

allow_any_name true

allow_bare_domains false

allow_glob_domains false

allow_ip_sans false

allow_localhost false

allow_subdomains true

allow_token_displayname false

allowed_domains []

allowed_domains_template false

allowed_other_sans []

allowed_serial_numbers []

allowed_uri_sans []

basic_constraints_valid_for_non_ca false

client_flag true

code_signing_flag false

country [Ukraine]

email_protection_flag false

enforce_hostnames false

ext_key_usage [ClientAuth]

ext_key_usage_oids []

generate_lease false

key_bits 2048

key_type rsa

key_usage [DigitalSignature]

locality [Kharkov]

max_ttl 87600h

no_store false

not_before_duration 30s

organization [Home Network]

ou [IT]

policy_identifiers []

postal_code [61172]

province []

require_cn true

server_flag false

street_address [Lui Pastera st. 322 app. 131]

ttl 0s

use_csr_common_name true

use_csr_sans true

</PRE>

=Политики=

* По сути политики определяют права доступа <big>'''ТОКЕНА'''</big> к определнному пути.

<BR>

Токен же выдается при логине - т.е. в простейшем случае политики должны назначаться на пользователя (авторизация по логину/паролю)

<br>

<br>

Для доступа к ролям создаем 2 файла с политиками:

==Политика для серверных сертефикатов==

Политики создаются из файлов, причем удобнее это делать в хашикорповском формате - hlc<br>

Тут к сожалению не получится использовать переменные и нужно вставлять имя PKI вручную

<PRE>

example-dot-home-server-crt-policy.hlc

</PRE>

<PRE>

path "k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-server-crt"

{

capabilities = ["read", "create", "list", "update"]

}

</PRE>

==Политика для клиентских сертефикатов==

<PRE>

example-dot-home-client-crt-policy.hlc

</PRE>

<PRE>

path "k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-client-crt"

</PRE>

==Создание политик из файлов==

===Политика серверных сертификатов===

* Имя политики - '''example-dot-home-server-crt-policy'''

* Файл с описанием политики - '''example-dot-home-server-crt-policy.hlc'''

<PRE>

vault policy write example-dot-home-server-crt-policy example-dot-home-server-crt-policy.hlc

</PRE>

<PRE>

Success! Uploaded policy: example-dot-home-server-crt-policy

===Политика клиентских сертификатов===

vault policy write example-dot-home-client-crt-policy example-dot-home-client-crt-policy.hlc

</PRE>

<PRE>

Success! Uploaded policy: example-dot-home-client-crt-policy

==Проверка созданных политик==

===Список политик===

vault policy list

</PRE>

<PRE>

default

example-dot-home-client-crt-policy

example-dot-home-server-crt-policy

root

</PRE>

===Просмотр политики example-dot-home-server-crt-policy===

<PRE>

vault policy read example-dot-home-server-crt-policy

path "pki_intermediate_ca/issue/example-dot-home-server-crt"

{

capabilities = ["read", "create", "list", "update"]

}

</PRE>

===Просмотр политики example-dot-home-client-crt-policy===

<PRE>

vault policy read example-dot-home-client-crt-policy

</PRE>

<PRE>

path "pki_intermediate_ca/issue/example-dot-home-client-crt"

{

capabilities = ["read", "create", "list", "update"]

}

</PRE>

=Привязка политик к пользователям=

* Пользователи с логином и паролем хорошо подходят для тестирования

* Включить авторизацию по логину/паролю нужно заранее (https://noname.com.ua/mediawiki/index.php/Vault)

==Просмотр пользователей==

Этот шаг нужен что бы проверить что пользователей которые будем создавать пока не существует

<PRE>

vault \

list \

auth/userpass/users

</PRE>

==Создание пользователей==

* Политики перечисляются через запятую (что не очевидно из документации, возможно уже исправлено)

* Имена пользователей "говорят" о их назначении

* Пароли простые для тестирования но разные у разных пользователей (для того что бы не допустить ошибок при тестировании и не перепутать пользователя)

==Пользователь для получения серверных сертификатов==

<PRE>

write auth/userpass/users/example-dot-home-server-crt-user \

password=server \

policies="example-dot-home-server-crt-policy,default"

</PRE>

==Пользователь для получения клиентских сертификатов==

<PRE>

vault \

write auth/userpass/users/example-dot-home-client-crt-user \

password=client \

policies="example-dot-home-client-crt-policy,default"

==Пользователь для получения и серверных и клиентских сертификатов==

vault \

write auth/userpass/users/example-dot-home-any-crt-user \

password=any \

policies="example-dot-home-server-crt-policy,example-dot-home-client-crt-policy,default"

</PRE>

==Просмотр созданных пользователей==

===Список пользователей===

<PRE>

vault \

list \

auth/userpass/users

</PRE>

<PRE>

</PRE>

===Просмотр пользователя для создания клиентских и серверных сертификатов===

<PRE>

vault \

read \

auth/userpass/users/example-dot-home-any-crt-user

</PRE>

<PRE>

policies [default example-dot-home-client-crt-policy example-dot-home-server-crt-policy]

token_policies [default example-dot-home-client-crt-policy example-dot-home-server-crt-policy]

</PRE>

===Просмотр пользователя для создания серверныхсертификатов===

<PRE>

vault \

read \

auth/userpass/users/example-dot-home-server-crt-user

</PRE>

<PRE>

policies [default example-dot-home-server-crt-policy]

token_policies [default example-dot-home-server-crt-policy]

</PRE>

===Просмотр пользователя для создания клиентских сертификатов===

<PRE>

vault \

read \

auth/userpass/users/example-dot-home-client-crt-user

</PRE>

<PRE>

policies [default example-dot-home-client-crt-policy]

token_policies [default example-dot-home-client-crt-policy]

=Проверка получения сертефикатов=

* Получить сертификат для тестового домена

* Проверить что пользователь с правами на серверные сертификаты не может получить клиентские и то что пользователь с правами на серверные сертификаты не может получить клиентские

==Получение серверного сертефиката==

===Авторизация с логином и паролем===

username=example-dot-home-server-crt-user \

password=server

token s.Wiy7YVCrte88i0QIHc4jmvQP

token_accessor ptB7o9d6yOq5w4Ra5Q44W1FF

token_policies ["default" "example-dot-home-server-crt-policy"]

policies ["default" "example-dot-home-server-crt-policy"]

token_meta_username example-dot-home-server-crt-user

===Получение сертефиката===

* Получаем сертификат для тестового домена - '''vault.example.home''' и Alt Name '''pki.example.home'''

vault \

write \

-format=json \

${PKI_NAME}/issue/example-dot-home-server-crt \

common_name="vault.example.home" \

alt_names="pki.example.home" \

ttl="43800h" > vault.example.home.crt

===Проверка полученного сертефиката===

Результат в файле:

<PRE>

cat vault.example.home.crt

</PRE>

Сокращенный вывод:

"request_id": "d2ff6e16-1bf6-730a-f4d1-2aefa2fcbb3e",

"lease_id": "",

"lease_duration": 0,

"renewable": false,

"data": {

"ca_chain": [

"-----BEGIN CERTIFICATE-----rCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----"

],

"certificate": "-----BEGIN CERTIFICATE-----m35waa9ld+hkNIcf/1qR4Gvwae9w0\n-----END CERTIFICATE-----",

"expiration": 1822736540,

"issuing_ca": "-----BEGIN CERTIFICATE-----rCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----",

"private_key": "-----BEGIN RSA PRIVATE KEY-----vNhpK6RKn2b4EExuuZTRAcPEV3ddhOOoZpyy48WVEF5Iq3s+7/NZOq66poZUz17z\nwhRJIuic/EzYBnmKy0T4wdCyhkqLVGHIvH+412cJ5eqyHeMQbzG+oA==\n-----END RSA PRIVATE KEY-----",

"private_key_type": "rsa",

"serial_number": "28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1"

},

"warnings": null

{{#spoiler:show=Полный вывод результатов|

{

"request_id": "d2ff6e16-1bf6-730a-f4d1-2aefa2fcbb3e",

"lease_id": "",

"lease_duration": 0,

"renewable": false,

"data": {

"ca_chain": [

"-----BEGIN CERTIFICATE-----\nMIIE9TCCA92gAwIBAgIUNQ7Ve4VVV9OZ7Sw1x9vTmaybowEwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwHhcNMjIxMDAzMTU1MzA1WhcNNDIwOTI4MTU1MzM1WjCBtjEQMA4GA1UE\nBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl\ncmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4\ncyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu\ndGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwwQ18ClZM9ujioj2RLDf7a9iIM2zZ6yYFSKWx8cE31TF\nJs2a5HvmCSP7uavQCBefCsOf9UXLiVXEhw7lfq61h2Q5BAWYxZecftGncPKVZMXI\nxPy8b49Xu06TylZtARDsPCcEeUYPJ3G0lS70PI8iJny3UfqxgGakP19aS7Z6YFVI\nqRXfMuL+zuShVjQ9JxzgmWKgQOZuySNiZEofPFQBB9iIiNcBS/x3r1IckkyF5lyl\n4R6fhhsoTPzRYq0PMoCoO1bnftFzEYYMHH8UWLv/F1O0MVSZ6ThtgYHp20pHO+af\ndfsrEBbzFlKjk8uTmmdYStY9PF0/QqDYW2Vfcbo+VwIDAQABo4HuMIHrMA4GA1Ud\nDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRgQTF5WJCpY2LC\nJv2PArYHGh1cUDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr\nBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv\ndjEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92\nYXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B\nAQsFAAOCAQEAZfidbG1qFNM3Mq7B3ibzyJ/mFV+DI1pnhWdJ26CEf6WAdTh4+Zrk\nUHwClcUfnVNJZSakf1bSsbn3YINzYfFrJjllv4xvgZSC/iOhDO5k27Zlouc3EgIU\nSyt267CXl6D45Q6qkFilBZiJ/npMXrvOKxSY+SeFtI6mvXthJ5YbJvmq8AWlgfxf\nGjNGpB4p7UZzQ5x3mBS3nsugH8qjFD8BDHsCmiemFVtJw/QkECxvJqkxtY5VEffo\nJmW5CxYrCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----"

],

"certificate": "-----BEGIN CERTIFICATE-----\nMIIFOTCCBCGgAwIBAgIUKKwgMv5GsnhhEfBG2ufSzwL8T/EwDQYJKoZIhvcNAQEL\nBQAwgbYxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxJTAjBgNV\nBAkTHEx1aSBQYXN0ZXJhIHN0LiAzMjIgYXBwLiAxMzExDjAMBgNVBBETBTYxMTcy\nMSEwHwYDVQQKExhLOHMgVGhlIEhhcmRlc3QgV2F5IExhYnMxCzAJBgNVBAsTAklU\nMSkwJwYDVQQDEyBJbnRlcm1lZGlhdGUgQ0EgZm9yIHNlcnZpY2UgRVRDZDAeFw0y\nMjEwMDYxMTQxNTRaFw0yNzEwMDUxMTQyMjBaMIGbMRAwDgYDVQQGEwdVa3JhaW5l\nMRAwDgYDVQQHEwdLaGFya292MSQwIgYDVQQJExtMdWkgUGFzdGVyYSBzdCAzMjIg\nYXBwLiAzMTExDjAMBgNVBBETBTYxMTcyMRUwEwYDVQQKEwxIb21lIE5ldHdvcmsx\nCzAJBgNVBAsTAklUMRswGQYDVQQDExJ2YXVsdC5leGFtcGxlLmhvbWUwggEiMA0G\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtTjglMxGwqqsaF3+O38oyzNXVN1Br\nv2UnsUDPr9BIDqI/dZgo+d3p5U6my7KfVkaMi+Q3GS9ml3DujB0DtGYanhxzX+Ew\nZPwz26nvwjajSoCZb1X7QonxANbXJhaJGS5MwvDUoGvTlzZgoB4GdI/KUzJ2Gxvy\n7xkG0wqIlyyMfRI/NBSfjKy0le8gflXgs7i8UlEKcaCqDtktoQbI8S95uuRMVONy\n/BpDnPY1kt7B5qWiZQ5wzzTLT5+eDoDQxqLBDgGCezaz9HNeikPexUtzrEXSc4yr\nLmCssE6EF7ieeDYv9Geyagx42qilJFW3TuWAErnSaClehdN6Pgbo5+YnAgMBAAGj\nggFWMIIBUjAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYD\nVR0OBBYEFExMIsFEaCXQa6p/q1yOFvW3vN+vMB8GA1UdIwQYMBaAFGBBMXlYkKlj\nYsIm/Y8CtgcaHVxQMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov\nL3ZhdWx0LmhvbWU6ODIwMC92MS9rOHNfcGtpX2ludGVybWVkaWF0ZV9jYV9mb3Jf\nc2VydmljZV9ldGNkL2NhMC8GA1UdEQQoMCaCEHBraS5leGFtcGxlLmhvbWWCEnZh\ndWx0LmV4YW1wbGUuaG9tZTBXBgNVHR8EUDBOMEygSqBIhkZodHRwOi8vdmF1bHQu\naG9tZTo4MjAwL3YxL2s4c19wa2lfaW50ZXJtZWRpYXRlX2NhX2Zvcl9zZXJ2aWNl\nX2V0Y2QvY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQB67vlaiNztDbH3JpfZ+pjns0Ph\nb/rkPE3f/CY2+F5zaDlq15lTGRYG7CV8s3/GH/sSYegwfPqvEEgaM7fz+PTEKL85\nQkFgZht6LVpPd6MZ8aptwaRhlW3dSIxtjtYUVfhhTV1y0YcuntTDyoQUv7Ekoq+s\nvZLlwFcZ1Sg2vP/aZ+gYzcZvId3ssXWIYMPV+4vPkeBFMIn8mfy0MmwvJ2HcEKWL\nRD9Q4ECcbdbBi8ZNeeGcbkYWe90+90ZfUaD1pA7XsOg70S65Rf1gtrqNZT2twfgu\nh6ZhLtDoLvXRO75DKgzT1x28x07PYDHm35waa9ld+hkNIcf/1qR4Gvwae9w0\n-----END CERTIFICATE-----",

"expiration": 1822736540,

"issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIE9TCCA92gAwIBAgIUNQ7Ve4VVV9OZ7Sw1x9vTmaybowEwDQYJKoZIhvcNAQEL\nBQAwgcAxEDAOBgNVBAYTB1VrcmFpbmUxEDAOBgNVBAcTB0toYXJrb3YxLTAPBgNV\nBAkTCGFwcC4gMTMxMBoGA1UECRMTTHVpIFBhc3RlcmEgU3QuIDMyMjEOMAwGA1UE\nERMFNjExNzIxFTATBgNVBAoTDEhvbWUgTmV0d29yazELMAkGA1UECxMCSVQxNzA1\nBgNVBAMTLlJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IGZvciBIb21lIE5ldHdv\ncmsgdjIwHhcNMjIxMDAzMTU1MzA1WhcNNDIwOTI4MTU1MzM1WjCBtjEQMA4GA1UE\nBhMHVWtyYWluZTEQMA4GA1UEBxMHS2hhcmtvdjElMCMGA1UECRMcTHVpIFBhc3Rl\ncmEgc3QuIDMyMiBhcHAuIDEzMTEOMAwGA1UEERMFNjExNzIxITAfBgNVBAoTGEs4\ncyBUaGUgSGFyZGVzdCBXYXkgTGFiczELMAkGA1UECxMCSVQxKTAnBgNVBAMTIElu\ndGVybWVkaWF0ZSBDQSBmb3Igc2VydmljZSBFVENkMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAwwQ18ClZM9ujioj2RLDf7a9iIM2zZ6yYFSKWx8cE31TF\nJs2a5HvmCSP7uavQCBefCsOf9UXLiVXEhw7lfq61h2Q5BAWYxZecftGncPKVZMXI\nxPy8b49Xu06TylZtARDsPCcEeUYPJ3G0lS70PI8iJny3UfqxgGakP19aS7Z6YFVI\nqRXfMuL+zuShVjQ9JxzgmWKgQOZuySNiZEofPFQBB9iIiNcBS/x3r1IckkyF5lyl\n4R6fhhsoTPzRYq0PMoCoO1bnftFzEYYMHH8UWLv/F1O0MVSZ6ThtgYHp20pHO+af\ndfsrEBbzFlKjk8uTmmdYStY9PF0/QqDYW2Vfcbo+VwIDAQABo4HuMIHrMA4GA1Ud\nDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRgQTF5WJCpY2LC\nJv2PArYHGh1cUDAfBgNVHSMEGDAWgBQC+IUrdfjhHGkoMDIhLYZxr6vsPDBIBggr\nBgEFBQcBAQQ8MDowOAYIKwYBBQUHMAKGLGh0dHA6Ly92YXVsdC5ob21lOjgyMDAv\ndjEvazhzX3BraV9yb290X2NhL2NhMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly92\nYXVsdC5ob21lOjgyMDAvdjEvazhzX3BraV9yb290X2NhL2NybDANBgkqhkiG9w0B\nAQsFAAOCAQEAZfidbG1qFNM3Mq7B3ibzyJ/mFV+DI1pnhWdJ26CEf6WAdTh4+Zrk\nUHwClcUfnVNJZSakf1bSsbn3YINzYfFrJjllv4xvgZSC/iOhDO5k27Zlouc3EgIU\nSyt267CXl6D45Q6qkFilBZiJ/npMXrvOKxSY+SeFtI6mvXthJ5YbJvmq8AWlgfxf\nGjNGpB4p7UZzQ5x3mBS3nsugH8qjFD8BDHsCmiemFVtJw/QkECxvJqkxtY5VEffo\nJmW5CxYrCdewvVGkgifREEGI2GltrDrH6rMugtVjuNAWzW40pVLKl/+0/Jv87wAv\nfITqQgiqa0FjitvfYQO2qIxSCJkt+kD3Vg==\n-----END CERTIFICATE-----",

"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEArU44JTMRsKqrGhd/jt/KMszV1TdQa79lJ7FAz6/QSA6iP3WY\nKPnd6eVOpsuyn1ZGjIvkNxkvZpdw7owdA7RmGp4cc1/hMGT8M9up78I2o0qAmW9V\n+0KJ8QDW1yYWiRkuTMLw1KBr05c2YKAeBnSPylMydhsb8u8ZBtMKiJcsjH0SPzQU\nn4ystJXvIH5V4LO4vFJRCnGgqg7ZLaEGyPEvebrkTFTjcvwaQ5z2NZLewealomUO\ncM80y0+fng6A0MaiwQ4Bgns2s/RzXopD3sVLc6xF0nOMqy5grLBOhBe4nng2L/Rn\nsmoMeNqopSRVt07lgBK50mgpXoXTej4G6OfmJwIDAQABAoIBAGO5rvU4/eT7UJoj\nC3Pbsy6oUCPxQIXADSVaCkF4mhHc2eBKetSZc+kz2p6AeLjXnKEjnp9WDsCqRIIA\nfnGzTU3jzdtWQO7oLXhp3s/ooig0puuj9YYwM9BK+1WyxST/KHVjd9Hivilzygaw\nHJb6XAPA/DiaQOr6SxxyNI2E8E2meH35efKv4bpAnNiU1k5VVNm38XWRqdU3Pjdc\n8Rl+50YsLG06DqEsAqiXzobU9+YRitQFXErBBe1EmYkIf5sTpg8ZW552d5IdTK7V\nlJsspNxgroidSb7DiYwDA9+4JurqlAaZwVb6AgrlXyqaFCtUj7BWlObjY4aeQE2h\n8+LjbgECgYEA0QVokrbb/89gNg3mVmlJFhvsyp+rQyAe3KKvo0c35+n8Cv1HmUtn\nABLPg4xDE8ZXILonk53N5AEy1PYEKL7JwlgpXorgIbzaI4AwWh9qwn7NZDJV2zYC\nKUev8MY1UkogiKOctfP6jFkAhe2FbchVyPpPkLQxQaiuF7woyA6zyhECgYEA1EHR\npQRR05ns538WGtC5ytHWTDe0qmPOnn5gcSXyL/VGYTpfGmW+yJde1PcN+3Ukh5Wx\nediQBylnJSWVM3GLei/ETk4MG1Cs1q7fRBuqeUFL2rhBoMIWw2Y4MaBeY+tNzSWA\nXsJEwSZtWJbdlXWzveM8OmeUkS/Neg9PV8znNLcCgYAbkZ8NWtkBkJScDJFI7HIb\nXGuK/ixUmjP33e1Ul9wj1pTLzkRXT76yH8kHDMT8IrjzNBpsOfAiFpZhyGEcDq4F\n2CL8uUx+pq4O6KV3/ZTTOm5UvN7eHu2CDFaEZ2A5DlXkL9BHn3p4cHTFNWLX7AiE\njZ9Y8qtcgacUslieqnHEQQKBgQCkBCBN1WKtkloAILIiEnwe/7sKtlkC+ZDl5F39\n0QaujGfQJdzrdwfP1ThQdH/3eXO62a+EqhXRkurDR6FdWTYgOt0EbUbprJOCaSrZ\nZE981zoYTx1XbeNNJqXxoyyNJXy/M2VY0+FxJ5KDTED5hzRXXUpjDzs8XaX31fDH\ntexLTQKBgQCwhsWc0rA8tE1C4vjp5qAKsZxB7WNOLmkMxyU9Iw5tC3dHnwxUJZkA\nvNhpK6RKn2b4EExuuZTRAcPEV3ddhOOoZpyy48WVEF5Iq3s+7/NZOq66poZUz17z\nwhRJIuic/EzYBnmKy0T4wdCyhkqLVGHIvH+412cJ5eqyHeMQbzG+oA==\n-----END RSA PRIVATE KEY-----",

"private_key_type": "rsa",

"serial_number": "28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1"

},

"warnings": null

</PRE>

}}

Из JSON можно выделить отдельные поля

<PRE>

cat vault.example.home.crt | jq -r .data.ca_chain[] > vault.example.home.ca_chain.pem

cat vault.example.home.crt | jq -r .data.certificate > vault.example.home.certificate.pem

cat vault.example.home.crt | jq -r .data.issuing_ca > vault.example.home.issuing_ca.pem

</PRE>

====Сертификат сервера====

Наиболее интересные поля - ожидаемые значения:

* CN = '''vault.example.home'''

* X509v3 Subject Alternative Name: DNS:pki.example.home, DNS:vault.example.home

* IP адреса в AltNames не присутвуют

<PRE>

openssl x509 -in vault.example.home.certificate.pem -text -noout

</PRE>

<PRE>

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

28:ac:20:32:fe:46:b2:78:61:11:f0:46:da:e7:d2:cf:02:fc:4f:f1

Signature Algorithm: sha256WithRSAEncryption

Issuer: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd

Validity

Not Before: Oct 6 11:41:54 2022 GMT

Not After : Oct 5 11:42:20 2027 GMT

Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st 322 app. 311, postalCode = 61172, O = Home Network, OU = IT, CN = vault.example.home

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

00:ad:4e:38:25:33:11:b0:aa:ab:1a:17:7f:8e:df:

...

e5:80:12:b9:d2:68:29:5e:85:d3:7a:3e:06:e8:e7:

e6:27

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Key Encipherment

X509v3 Extended Key Usage:

TLS Web Server Authentication

X509v3 Subject Key Identifier:

4C:4C:22:C1:44:68:25:D0:6B:AA:7F:AB:5C:8E:16:F5:B7:BC:DF:AF

X509v3 Authority Key Identifier:

keyid:60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50

Authority Information Access:

CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca

X509v3 Subject Alternative Name:

DNS:pki.example.home, DNS:vault.example.home

X509v3 CRL Distribution Points:

Full Name:

URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl

Signature Algorithm: sha256WithRSAEncryption

7a:ee:f9:5a:88:dc:ed:0d:b1:f7:26:97:d9:fa:98:e7:b3:43:

...

====Промежуточный CA====

openssl x509 -in vault.example.home.issuing_ca.pem -text -noout

* Видно '''CN = Intermediate CA for service ETCd''', другими словами это промежуточный сертификат удостоверяющего центра (СА) для ETCd

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

35:0e:d5:7b:85:55:57:d3:99:ed:2c:35:c7:db:d3:99:ac:9b:a3:01

Signature Algorithm: sha256WithRSAEncryption

Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network v2

Validity

Not Before: Oct 3 15:53:05 2022 GMT

Not After : Sep 28 15:53:35 2042 GMT

Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

00:c3:04:35:f0:29:59:33:db:a3:8a:88:f6:44:b0:

...

58:4a:d6:3d:3c:5d:3f:42:a0:d8:5b:65:5f:71:ba:

3e:57

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Certificate Sign, CRL Sign

X509v3 Basic Constraints: critical

CA:TRUE

X509v3 Subject Key Identifier:

60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50

X509v3 Authority Key Identifier:

keyid:02:F8:85:2B:75:F8:E1:1C:69:28:30:32:21:2D:86:71:AF:AB:EC:3C

Authority Information Access:

CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_root_ca/ca

X509v3 CRL Distribution Points:

Full Name:

URI:http://vault.home:8200/v1/k8s_pki_root_ca/crl

Signature Algorithm: sha256WithRSAEncryption

65:f8:9d:6c:6d:6a:14:d3:37:32:ae:c1:de:26:f3:c8:9f:e6:

...

42:08:aa:6b:41:63:8a:db:df:61:03:b6:a8:8c:52:08:99:2d:

fa:40:f7:56

</PRE>

====Верефикация====

Окончательная проверка цепочки доверия

<br>

Корневой Сертификат → Промежуточный для СА Etcd → Тестовый Сертификат

* Корневой сертификат не является секретным (в отличие от ключа!) и его всегда можно скачать с Vault:

<PRE>

echo "-----BEGIN CERTIFICATE-----" > k8s_pki_root_ca.pem && \

curl "http://vault.home:8200/v1/k8s_pki_root_ca/ca" | base64 >> k8s_pki_root_ca.pem && \

echo "-----END CERTIFICATE-----" >> k8s_pki_root_ca.pem

</PRE>

* Указать промежуточный как untrusted (или добавить в доверенные)

<PRE>

openssl \

verify \

-verbose \

-CAfile k8s_pki_root_ca.pem \

-untrusted vault.example.home.issuing_ca.pem \

vault.example.home.certificate.pem

</PRE>

<PRE>

vault.example.home.certificate.pem: OK

</PRE>

Однако в этой команде меня смущает слово '''-untrusted'''

Второй способ - это создание "бандла" (те поместить в один файл промежуточный CA а за ним сертификат)

<PRE>

cat vault.example.home.issuing_ca.pem > vault.example.home.ca_bundle

cat vault.example.home.certificate.pem >> vault.example.home.ca_bundle

Теперь верификация проходит без беспокоящего '''-untrusted'''

<PRE>

openssl \

verify \

-verbose \

-CAfile k8s_pki_root_ca.pem \

vault.example.home.ca_bundle

</PRE>

<PRE>

vault.example.home.ca_bundle: OK

</PRE>

====Верефикация c nginx====

Для полноты картины создадим тестовый web-сервер и используем подписанный сертификат

* Пример виртуалхоста

* Путь к ключу и сертификату (ключ можно получить из оригинального вывода Vault при создании сертификата,

ssl_certificate /etc/nginx/certs/vault.example.home.ca_bundle;

ssl_certificate_key /etc/nginx/certs/vault.example.home.key;

'''Формат в nginx отличается''' - в файле /etc/nginx/certs/vault.example.home.ca_bundle СНАЧАЛА идет сертификат сервера, а потом - промежуточный сертификат (https://nginx.org/en/docs/http/configuring_https_servers.html)

* Полный конфиг

server {

listen 8203 default_server ssl;

root /var/www/html;

server_name vault.example.home;

access_log /var/log/nginx/vault.example.home-access.log postdata;

error_log /var/log/nginx/vault.example.home-error.log;

ssl_certificate /etc/nginx/certs/vault.example.home.ca_bundle;

ssl_certificate_key /etc/nginx/certs/vault.example.home.key;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers HIGH:!aNULL:!MD5;

location / {

client_body_buffer_size 64k;

client_body_in_single_buffer on;

proxy_pass http://127.0.0.1:8200;

proxy_set_header Host $host:$server_port;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_http_version 1.1;

proxy_request_buffering off;

}

</PRE>

Для того что бы проверить, нужно на том хосте откуда делается запрос добавить сертификат СА в доверенные

* в /usr/local/share/ca-certificates/extra положить СА (его всегда можно скачать)

* запустить update-ca-certificates

<PRE>

# update-ca-certificates

</PRE>

<PRE>

Updating certificates in /etc/ssl/certs...

1 added, 0 removed; done.

Running hooks in /etc/ca-certificates/update.d...

Adding debian:k8s_pki_root_ca.pem

done.

done.

После этого curl может подключиться без ошибок верефикации

curl -v https://vault.example.home:8203

</PRE>

<PRE>

* successfully set certificate verify locations:

* CAfile: none

CApath: /etc/ssl/certs

* TLSv1.3 (OUT), TLS handshake, Client hello (1):

* TLSv1.3 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server accepted to use http/1.1

* Server certificate:

* subject: C=Ukraine; L=Kharkov; street=Lui Pastera st 322 app. 311; postalCode=61172; O=Home Network; OU=IT; CN=vault.example.home

* start date: Oct 6 11:41:54 2022 GMT

* expire date: Oct 5 11:42:20 2027 GMT

* subjectAltName: host "vault.example.home" matched cert's "vault.example.home"

* issuer: C=Ukraine; L=Kharkov; street=Lui Pastera st. 322 app. 131; postalCode=61172; O=K8s The Hardest Way Labs; OU=IT; CN=Intermediate CA for service ETCd

* SSL certificate verify ok.

> GET / HTTP/1.1

> Host: vault.example.home:8203

> User-Agent: curl/7.64.0

> Accept: */*

>

< HTTP/1.1 404 Not Found

< Server: nginx/1.14.2

< Date: Fri, 07 Oct 2022 17:22:22 GMT

< Content-Type: text/plain; charset=utf-8

< Content-Length: 19

< Connection: keep-alive

< Cache-Control: no-store

< X-Content-Type-Options: nosniff

</PRE>

Код 404 тут ожидаем так как нет задачи получить данные, а только проверить правильность настройки SSL

==Получение клиентского сертефиката==

====Проверка прав (негативный сценарий)====

С "серверным" пользователем - нет прав

<PRE>

login \

-method=userpass \

username=example-dot-home-server-crt-user \

password=server

</PRE>

<PRE>

Success! You are now authenticated. The token information displayed below

is already stored in the token helper. You do NOT need to run "vault login"

again. Future Vault requests will automatically use this token.

Key Value

--- -----

token s.P9nYzZ3Pev2IeNKaUYvDIDdt

token_accessor AbXtLIzNhYJRvv6paZr3U6cn

token_duration 768h

token_renewable true

token_policies ["default" "example-dot-home-server-crt-policy"]

identity_policies []

policies ["default" "example-dot-home-server-crt-policy"]

token_meta_username example-dot-home-server-crt-user

vault \

write \

-format=json \

${PKI_NAME}/issue/example-dot-home-client-crt \

common_name="vault.example.home" \

alt_names="pki.example.home" \

ttl="43800h" > vault.example.home-client.crt

<PRE>

Error writing data to k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-client-crt: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/issue/example-dot-home-client-crt

Code: 403. Errors:

* 1 error occurred:

* permission denied

</PRE>

Результат соответствует ожидаемому.

====Получение клиентского сертификата c правильным пользователем====

username=example-dot-home-any-crt-user \

password=any

-format=json \

${PKI_NAME}/issue/example-dot-home-client-crt \

common_name="vault.example.home" \

alt_names="pki.example.home" \

ttl="43800h" > vault.example.home-client.crt.json

Success! You are now authenticated. The token information displayed below

is already stored in the token helper. You do NOT need to run "vault login"

again. Future Vault requests will automatically use this token.

Key Value

--- -----

token s.vAKcP6hGLv9OHkm8ToBHFq5M

token_accessor OoNShUinoMhne5s8scFcZ0Hm

token_duration 768h

token_renewable true

token_policies ["default" "example-dot-home-client-crt-policy" "example-dot-home-server-crt-policy"]

identity_policies []

policies ["default" "example-dot-home-client-crt-policy" "example-dot-home-server-crt-policy"]

token_meta_username example-dot-home-any-crt-user

=====Проверка полученного результата=====

cat vault.example.home-client.crt.json | jq -r '.data.certificate' > vault.example.home-client.crt

cat vault.example.home-client.crt.json | jq -r '.data.private_key' > vault.example.home-client.key

<PRE>

X509v3 Extended Key Usage:

TLS Web Client Authentication

</PRE>

<PRE>

openssl x509 -noout -text -in certificate_client.pem

Version: 3 (0x2)

Serial Number:

51:de:46:e0:72:1e:2b:28:30:3b:9e:94:f4:da:71:f8:19:5e:26:6d

Signature Algorithm: sha256WithRSAEncryption

Issuer: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = K8s The Hardest Way Labs, OU = IT, CN = Intermediate CA for service ETCd

Validity

Not Before: Oct 8 16:53:43 2022 GMT

Not After : Oct 7 16:54:10 2027 GMT

Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = Home Network, OU = IT, CN = vault.example.home

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

00:c3:21:f6:55:f9:f0:a7:19:52:b9:22:a6:9a:99:

...

05:e5

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature

X509v3 Extended Key Usage:

TLS Web Client Authentication

X509v3 Subject Key Identifier:

C9:F1:9F:83:D7:0B:B8:F2:7E:BB:84:D1:FE:6F:7E:75:7B:40:F4:86

X509v3 Authority Key Identifier:

keyid:60:41:31:79:58:90:A9:63:62:C2:26:FD:8F:02:B6:07:1A:1D:5C:50

Authority Information Access:

CA Issuers - URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca

X509v3 Subject Alternative Name:

DNS:pki.example.home, DNS:vault.example.home

X509v3 CRL Distribution Points:

Full Name:

URI:http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl

Signature Algorithm: sha256WithRSAEncryption

94:bb:a8:54:41:86:16:75:06:e7:fb:5a:5f:e0:56:61:5d:ff:

...

3e:56:1a:6f

</PRE>

=====Проверка полученного результата=====

Расширенная проверка - проверить что сертификат нельзя использовать в качестве серверного

Конфиг nginx не отличается ничем кроме собственно содержимого сертификата

* Ответ собственно и говорит об этом - '''unsupported certificate purpose''', клиентский сертификат не оч

curl: (60) SSL certificate problem: unsupported certificate purpose

More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not

establish a secure connection to it. To learn more about this situation and

how to fix it, please visit the web page mentioned above.

===Проверка прав для пользователя any===

* работает каки ожидалось - можно получить сертификаты как для сервера так и для клиента

source ./00_env

unset VAULT_TOKEN

vault \

login \

-method=userpass \

username=example-dot-home-any-crt-user \

password=any

${PKI_NAME}/issue/example-dot-home-client-crt \

common_name="vault.example.home" \

alt_names="pki.example.home" \

ttl="43800h" > vault.example.home.CLIENT_by_any_user.json

vault \