Vault PKI in Practice, with GCP

Generate root CA key/cert

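# Generate the root CA inside Vault. `internal` keeps the private key in Vault
# and never returns it. The original used `exported`, which returns the key in
# the command output (and so into the terminal and shell history); use that
# only if you genuinely need to escrow the key off-box, and protect the output.
# NOTE: the root certificate's lifetime defaults to the pki mount's
# max_lease_ttl, so tune the mount first if you need a long-lived root.
vault write pki/root/generate/internal \
  common_name=myca \
  key_type=ec \
  key_bits=256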

Configure the issuing-certificate (AIA) and CRL (Certificate Revocation List) distribution URLs. Vault embeds these in every certificate it issues, so they must be reachable from wherever the certificates are validated, not just from Vault itself.

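# Publish the URLs Vault embeds in issued certificates (issuer cert and CRL).
# Relying parties fetch these, so they must resolve and be reachable from the
# clients that validate the certificates.
# The agent config and the CRL check below address Vault through
# VAULT_NAMESPACE, so the namespace must appear in the path here too
# (namespaced paths are /v1/<namespace>/<mount>/...); drop that segment if
# you are not using Vault namespaces.
vault write pki/config/urls \
  issuing_certificates="https://VAULT_ADDR:8200/v1/VAULT_NAMESPACE/pki/ca" \
  crl_distribution_points="https://VAULT_ADDR:8200/v1/VAULT_NAMESPACE/pki/crl"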

Create a PKI role. Everything set on the role is a constraint on what a caller with issue permission can request (names, key type, lifetime), so this is where the blast radius of a compromised server is decided.

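# Role the game servers issue against. The short max_ttl is good: it keeps
# the window for a stolen key small and limits reliance on the CRL.
# The original set allow_any_name=true, which lets ANY authenticated GCE
# instance obtain a certificate for ANY name, including other services'
# hostnames. Pin issuable names to your own domain instead (replace MYDOMAIN).
vault write pki/roles/gameserver \
  max_ttl=24h \
  allowed_domains="MYDOMAIN" \
  allow_subdomains=true \
  enforce_hostnames=true \
  key_type=ec \
  key_bits=256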

Set up a policy granting certificate-issue capabilities. Policies attach to tokens, not roles: every token obtained through the GCP auth role below carries this policy, so it should grant no more than issuing against the gameserver role.

# Upload the policy defined below; tokens get it via the GCP auth role's policies list.
vault policy write server-policy policy.hcl
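# file: policy.hcl
# Attached to every token a GCE instance obtains through auth/gcp/role/server.
# Allow tokens to look up their own properties
path "auth/token/lookup-self" {
    capabilities = ["read"]
}

# Allow tokens to renew themselves
path "auth/token/renew-self" {
    capabilities = ["update"]
}

# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
    capabilities = ["update"]
}

# Least privilege: only allow issuing certificates against the gameserver role.
# The original granted create/read/update on "pki/*", which also covers
# pki/root/*, pki/config/*, pki/roles/* and pki/revoke -- a compromised
# instance could re-key the CA, loosen the role, or revoke other servers'
# certificates. If your ca_cert.tpl reads an authenticated path (pki/ca and
# pki/cert/ca are normally unauthenticated), add a narrow "read" grant for it.
path "pki/issue/gameserver" {
  capabilities = ["create", "update"]
}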

Set up a GCP auth role. Vault Agent running on GCE instances authenticates with this role and its tokens carry server-policy. Note that bound_projects alone admits every GCE instance in the project; narrow it with additional bindings (for example service account, zone/region or labels) so only the game servers can log in.

vault write auth/gcp/role/server \
  type="gce" \
  policies="server-policy" \
  bound_projects="MYGCPPROJECT"

Configure Vault Agent to authenticate to Vault with the GCP auth method, keep the token renewed, and render the certificate, private key and CA chain to disk via templates.

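# file: config.hcl
# Vault Agent: log in as the GCE instance, keep the token renewed, and render
# the leaf certificate, private key and CA certificate from templates.
pid_file = "./pidfile"

vault {
  address = "https://VAULT_ADDR:8200"
  # Only meaningful on Vault Enterprise; remove on OSS.
  namespace = "VAULT_NAMESPACE"
}

auto_auth {
  method {
    type = "gcp"

    config = {
      type = "gce"
      role = "server"
    }
  }

  # The sink is a live Vault token in plaintext. Restrict its mode and, in
  # production, place it outside world-traversable directories; /tmp is kept
  # here only to match the walkthrough.
  sink {
    type = "file"

    config = {
      path = "/tmp/sink"
      mode = 0600
    }
  }
}

# Destinations are relative to the agent's working directory; prefer absolute
# paths in a directory owned by the account that consumes the files.
template {
  source      = "cert.tpl"
  destination = "cert.pem"
}

# The private key must not be readable by other local users; without perms
# the rendered file gets the template default, which is typically world-readable.
template {
  source      = "key.tpl"
  destination = "key.pem"
  perms       = "0600"
}

template {
  source      = "ca_cert.tpl"
  destination = "ca_cert.pem"
}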

# Start the agent. In production run it as a dedicated unprivileged service
# account so the sink and the rendered key are readable only by it and the consumer.
vault agent -config=config.hcl


Checking the CRL for revoked certificates. Revoke a certificate first (for example `vault write pki/revoke serial_number=<serial>`) if you want to see an entry; note that relying parties only honour this if they actually fetch the CRL URL configured above.

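# Fetch the current CRL and print it. -f makes curl fail on an HTTP error
# instead of piping an error body into openssl; -sS silences the progress
# meter but still reports errors. The X-Vault-Namespace header is only needed
# on Vault Enterprise.
curl -fsS "https://VAULT_ADDR:8200/v1/pki/crl/pem" \
  -H 'X-Vault-Namespace: VAULT_NAMESPACE' | openssl crl -noout -text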