2015-04-24 17:52:25 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
|
|
|
page_title: "Auth Backend: TLS Certificates"
|
|
|
|
sidebar_current: "docs-auth-cert"
|
|
|
|
description: |-
|
|
|
|
The "cert" auth backend allows users to authenticate with Vault using TLS client certificates.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Auth Backend: TLS Certificates
|
|
|
|
|
|
|
|
Name: `cert`
|
|
|
|
|
|
|
|
The "cert" auth backend allows authentication using SSL/TLS client certificates
|
|
|
|
which are either signed by a CA or self-signed.
|
|
|
|
|
|
|
|
The trusted certificates and CAs are configured directly to the auth
|
|
|
|
backend using the `certs/` path. This backend cannot read trusted certificates
|
|
|
|
from an external source.
|
|
|
|
|
|
|
|
## Authentication
|
|
|
|
|
2015-06-30 13:18:39 +00:00
|
|
|
### Via the CLI
|
|
|
|
```
|
|
|
|
vault auth -method=cert \
|
|
|
|
-ca-cert=ca.pem -client-cert=cert.pem -client-key=key.pem
|
|
|
|
```
|
|
|
|
|
|
|
|
### Via the API
|
2015-04-24 17:52:25 +00:00
|
|
|
The endpoint for the login is `/login`. The client simply connects with their TLS
|
|
|
|
certificate and when the login endpoint is hit, the auth backend will determine
|
|
|
|
if there is a matching trusted certificate to authenticate the client.
|
|
|
|
|
2015-06-30 13:18:39 +00:00
|
|
|
```
|
|
|
|
curl --cacert ca.pem --cert cert.pem --key key.pem \
|
|
|
|
$VAULT_ADDR/v1/auth/cert/login -XPOST
|
|
|
|
```
|
|
|
|
|
2015-04-24 17:52:25 +00:00
|
|
|
## Configuration
|
|
|
|
|
2015-05-07 17:41:23 +00:00
|
|
|
First, you must enable the certificate auth backend:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ vault auth-enable cert
|
|
|
|
Successfully enabled 'cert' at 'cert'!
|
|
|
|
```
|
|
|
|
|
|
|
|
Now when you run `vault auth -methods`, the certificate backend is available:
|
|
|
|
|
|
|
|
```
|
|
|
|
Path Type Description
|
|
|
|
cert/ cert
|
|
|
|
token/ token token based credentials
|
|
|
|
```
|
|
|
|
|
2015-04-24 17:52:25 +00:00
|
|
|
To use the "cert" auth backend, an operator must configure it with
|
|
|
|
trusted certificates that are allowed to authenticate. An example is shown below.
|
2015-07-13 10:12:09 +00:00
|
|
|
Use `vault path-help` for more details.
|
2015-04-24 17:52:25 +00:00
|
|
|
|
|
|
|
```
|
2015-04-24 19:58:39 +00:00
|
|
|
$ vault write auth/cert/certs/web display_name=web policies=web,prod certificate=@web-cert.pem lease=3600
|
2015-04-24 17:52:25 +00:00
|
|
|
...
|
|
|
|
```
|
|
|
|
|
|
|
|
The above creates a new trusted certificate "web" with same display name
|
|
|
|
and the "web" and "prod" policies. The certificate (public key) used to verify
|
2015-04-24 19:58:39 +00:00
|
|
|
clients is given by the "web-cert.pem" file. Lastly, an optional lease value
|
|
|
|
can be provided in seconds to limit the lease period.
|
2015-04-24 17:52:25 +00:00
|
|
|
|