Skip to main content

A command-line utility for declaratively provisioning PKI in Hashicorp Vault

Project description

pkictl

License Python Version Docker Coverage Status CircleCI

pkictl is a CLI tool for declaratively configuring and provisioning PKI secrets in HashiCorp Vault. Root and Intermediate Certificate Authorities (CAs) along with their associated roles and policies can be defined and created from a YAML file. It simplifies automating the provisioning of an internal PKI using Vault and strives to achieve idempotency.

pkictl is inspired by kubectl.

How It Works

pkictl uses the Vault HTTP API to mount PKI secrets engines for Root and Intermediate CAs. Intermediate CAs can be signed by a Root CA or other Intermediate CAs. Roles and Policies can be defined in the YAML file for Intermediate CAs.

The Key/Value secrets engine is also used to store the private keys of Intermediate CAs that are configured for export (ie. spec.type: exported).

Installation

pkictl can be installed via pip:

$ pip install pkictl

Compatibility

pkictl has been tested against versions 0.10.X, 0.11.X, and 1.0.X of Vault.

Usage

$ pkictl --help

declaratively configure PKI secrets in Hashicorp Vault

optional arguments:
-h, --help     show this help message and exit
-d, --debug    enable debug output
-v, --version  show program's version number and exit

subcommands:

    init         Initializes the Hashicorp Vault server
    apply        Creates PKI secrets from a YAML file

Prerequisites

If you're unfamiliar with Vault's PKI secrets, read this guide: Build Your Own Certificate Authority (CA)

pkictl requires an unsealed Hashicorp Vault server and an authentication token with privileges to:

  • mount PKI and KV secrets engines
  • read and write PKI secrets
  • write KV secrets

Initializing the Vault server

Initialize a new Vault server and unseal it:

$ pkictl init -u https://localhost:8200

The Vault server will be initialized with 5 key shares and a key threshold of 3.

  • the root token is saved in .vault-token
  • the master keys shares are saved in vault.log

Initializing and unsealing the Vault server this way is only provided as a convenience for development/testing and is highly discouraged.

Declaratively provisioning PKI secrets

A YAML manifest file is used to define Root and Intermediate CAs, Key/Value engines, roles and policies.

Create a manifest file:

---
kind: RootCA
metadata:
  name: demo-root-ca
  description: pkictl demo Root CA
spec:
  key_type: ec
  key_bits: 384
  ttl: 17532h
  exclude_cn_from_sans: true
  subject:
    common_name: Demo Root CA
    organization: pkictl
    ou: README Demo
    country: US
    locality: San Francisco
    province: California
---
kind: IntermediateCA
metadata:
  name: demo-intermediate-ca
  description: pkictl demo Intermediate CA
  issuer: demo-root-ca
  kv_backend: demo-kv-engine
spec:
  type: exported
  key_type: rsa
  key_bits: 4096
  ttl: 8766h
  subject:
    common_name: Demo Intermediate CA
    organization: pkictl
    ou: README Demo
    country: US
    locality: San Francisco
    province: California
  roles:
  - name: server
    config:
      max_ttl: 8766h
      ttl: 8766h
      allow_subdomains: true
      allowed_domains:
        - demo.pkictl.com
      client_flag: false
      server_flag: true
  - name: client
    config:
      max_ttl: 336h
      ttl: 336h
      allow_any_name: true
      client_flag: true
      server_flag: false
  policies:
  - name: demo-intermediate-ca-pkey
    policy: |
      path "demo-kv-engine" {
        capabilities = ["list"]
      }
      path "demo-kv-engine/demo-intermediate-ca" {
        capabilities = ["read"]
      }
  - name: demo-intermediate-ca-server
    policy: |
      path "demo-intermediate-ca/issue/server" {
        capabilities = ["read", "update"]
      }
      path "demo-intermediate-ca/sign/server" {
        capabilities = ["read", "update"]
      }
  - name: demo-intermediate-ca-client
    policy: |
      path "demo-intermediate-ca/issue/client" {
        capabilities = ["read", "update"]
      }
      path "demo-intermediate-ca/sign/client" {
        capabilities = ["read", "update"]
      }
---
kind: KV
metadata:
  name: demo-kv-engine
  description: pkictl demo KV v1 engine
spec:
  options:
    version: 1

The above example will create:

  • an ECDSA-based Root CA with a TTL of 2 years
  • a RSA-based Intermediate CA with a TTL of 1 year signed by the Root CA
  • a Role named server permitting the Intermediate CA to issue or sign TLS server certificates for any subdomains on demo.pkictl.com
  • a Role named client permitting the Intermediate CA to issue or sign TLS client certificates
  • a Policy mapped to the server role
  • a Policy mapped to the client role
  • a Key/Value engine to store the exported private key of the Intermediate CA
  • a Policy permitting retrieval of the exported private key from the KV engine

Create PKI secrets from the YAML manifest file:

$ pkictl apply -u https://localhost:8200 -f manifest.yaml

[*] pkictl - the Vault server has been initialized and is not sealed
[*] pkictl - Enabled KV backend: demo-kv-engine
[*] pkictl - Enabled PKI backend: demo-root-ca
[*] pkictl - Generated Root CA: demo-root-ca
[*] pkictl - Enabled PKI backend: demo-intermediate-ca
[*] pkictl - Created intermediate CA: demo-intermediate-ca
[*] pkictl - Signed intermediate CA 'demo-intermediate-ca' with issuing CA: demo-root-ca
[*] pkictl - Set signed certificate for intermediate CA: demo-intermediate-ca
[*] pkictl - Configured URLs for CA: demo-intermediate-ca
[*] pkictl - Set CRL configuration for CA: demo-intermediate-ca
[*] pkictl - Stored private key for 'demo-intermediate-ca' in KV backend: demo-kv-engine
[*] pkictl - Configured role 'server' for intermediate CA: demo-intermediate-ca
[*] pkictl - Configured role 'client' for intermediate CA: demo-intermediate-ca
[*] pkictl - Configured policy 'demo-intermediate-ca-pkey' for intermediate CA: demo-intermediate-ca
[*] pkictl - Configured policy 'demo-intermediate-ca-server' for intermediate CA: demo-intermediate-ca
[*] pkictl - Configured policy 'demo-intermediate-ca-client' for intermediate CA: demo-intermediate-ca

Obtain a Vault token attached to the demo-intermediate-ca-server Policy:

$ VAULT_TOKEN=$(vault token create -policy=demo-intermediate-ca-client -ttl=1h -format json | jq -r .auth.client_token)

Use this token to obtain a TLS server certificate and private key for web.demo.pkictl.com from the Intermediate CA:

$ vault write demo-intermediate-ca/issue/server common_name=web.demo.pkictl.com ttl=2160h

Alternatively, you can generate a certificate signing request (CSR) and private key locally and have the CSR signed by the Intermediate CA:

$ openssl req -batch -nodes -sha256 -new -newkey rsa:2048 \
  -keyout web.demo.pkictl.com.key -out web.demo.pkictl.com.csr -subj '/CN=web.demo.pkictl.com/'

$ vault write demo-intermediate-ca/sign/server csr=@web.demo.pkictl.com.csr ttl=2160h

Vault will return the signed TLS server certificate along with the full chain (the certificates for the Root and Intermediate CA).

Obtain a Vault token attached to the demo-intermediate-ca-client Policy:

$ VAULT_TOKEN=$(vault token create -policy=demo-intermediate-ca-client -ttl=1h -format json | jq -r .auth.client_token)

Use this token to obtain a TLS client certificate and private key from the Intermediate CA:

$ vault write demo-intermediate-ca/issue/client common_name="example@demo.pkictl.com" ttl=24h

Since spec.type: exported, the private key of this CA has been saved in the KV engine demo-kv-engine. A Vault token attached to the demo-intermediate-ca-pkey Policy is required to retrieve it:

$ VAULT_TOKEN=$(vault token create -policy=demo-intermediate-ca-pkey -ttl=1m -format json | jq -r .auth.client_token)
$ vault kv get -version=1 demo-kv-engine/demo-intermediate-ca

Documentation

For documentation and additional examples, see the docs directory.

Testing

nose2 is used for testing. Tests are located in pkictl/tests.

To run the unit tests:

$ make test

End to end tests requires Vault running locally. To build and run the Vault container:

$ make build-vault-container
$ make run-vault-container

Run the end-to-end tests:

$ make e2e-test

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pkictl-0.2.1.tar.gz (11.4 kB view details)

Uploaded Source

Built Distribution

pkictl-0.2.1-py3-none-any.whl (18.1 kB view details)

Uploaded Python 3

File details

Details for the file pkictl-0.2.1.tar.gz.

File metadata

  • Download URL: pkictl-0.2.1.tar.gz
  • Upload date:
  • Size: 11.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.8

File hashes

Hashes for pkictl-0.2.1.tar.gz
Algorithm Hash digest
SHA256 6c26775de3f47c0535542fcc9850ec50cc459907054a702cd64970b7c1fb585a
MD5 2968f7d7fb0b4c611cffc8fe6643ac44
BLAKE2b-256 55570513231c0caec20144c9650a0df741d5e4a7b405c8393aff652f88332618

See more details on using hashes here.

File details

Details for the file pkictl-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: pkictl-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 18.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.31.1 CPython/3.6.8

File hashes

Hashes for pkictl-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 3936649928c213744d31821a9b78a6702be82f4e1fa4bd5b0d40ebc9f29cbfe8
MD5 c6482b966c83222c4bf7a5e115f80045
BLAKE2b-256 908c982fe1c6726e12b62fb2c0b073fd8e99b22865912558a842753f7e4ec71a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page