open-vault/website/source/docs/auth/cert.html.md

69 lines
1.9 KiB
Markdown
Raw Normal View History

2015-04-24 17:52:25 +00:00
---
layout: "docs"
page_title: "Auth Backend: TLS Certificates"
sidebar_current: "docs-auth-cert"
description: |-
The "cert" auth backend allows users to authenticate with Vault using TLS client certificates.
---
# Auth Backend: TLS Certificates
Name: `cert`
The "cert" auth backend allows authentication using SSL/TLS client certificates
which are either signed by a CA or self-signed.
The trusted certificates and CAs are configured directly to the auth
backend using the `certs/` path. This backend cannot read trusted certificates
from an external source.
## Authentication
2015-06-30 13:18:39 +00:00
### Via the CLI
```
vault auth -method=cert \
-ca-cert=ca.pem -client-cert=cert.pem -client-key=key.pem
```
### Via the API
2015-04-24 17:52:25 +00:00
The endpoint for the login is `/login`. The client simply connects with their TLS
certificate and when the login endpoint is hit, the auth backend will determine
if there is a matching trusted certificate to authenticate the client.
2015-06-30 13:18:39 +00:00
```
curl --cacert ca.pem --cert cert.pem --key key.pem \
$VAULT_ADDR/v1/auth/cert/login -XPOST
```
2015-04-24 17:52:25 +00:00
## Configuration
First, you must enable the certificate auth backend:
```
$ vault auth-enable cert
Successfully enabled 'cert' at 'cert'!
```
Now when you run `vault auth -methods`, the certificate backend is available:
```
Path Type Description
cert/ cert
token/ token token based credentials
```
2015-04-24 17:52:25 +00:00
To use the "cert" auth backend, an operator must configure it with
trusted certificates that are allowed to authenticate. An example is shown below.
Use `vault path-help` for more details.
2015-04-24 17:52:25 +00:00
```
$ vault write auth/cert/certs/web display_name=web policies=web,prod certificate=@web-cert.pem lease=3600
2015-04-24 17:52:25 +00:00
...
```
The above creates a new trusted certificate "web" with same display name
and the "web" and "prod" policies. The certificate (public key) used to verify
clients is given by the "web-cert.pem" file. Lastly, an optional lease value
can be provided in seconds to limit the lease period.
2015-04-24 17:52:25 +00:00