2015-04-24 17:52:25 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
2017-09-13 01:48:52 +00:00
|
|
|
page_title: "TLS Certificates - Auth Methods"
|
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
|
|
|
sidebar_title: "TLS Certificates"
|
2015-04-24 17:52:25 +00:00
|
|
|
sidebar_current: "docs-auth-cert"
|
|
|
|
description: |-
|
2017-09-13 01:48:52 +00:00
|
|
|
The "cert" auth method allows users to authenticate with Vault using TLS client certificates.
|
2015-04-24 17:52:25 +00:00
|
|
|
---
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
# TLS Certificates Auth Method
|
2015-04-24 17:52:25 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The `cert` auth method allows authentication using SSL/TLS client certificates
|
2015-04-24 17:52:25 +00:00
|
|
|
which are either signed by a CA or self-signed.
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The trusted certificates and CAs are configured directly to the auth method
|
|
|
|
using the `certs/` path. This method cannot read trusted certificates from an
|
2015-10-30 21:34:17 +00:00
|
|
|
external source.
|
2015-04-24 17:52:25 +00:00
|
|
|
|
2018-06-07 13:44:57 +00:00
|
|
|
CA certificates are associated with a role; role names and CRL names are normalized to
|
2015-10-30 21:34:17 +00:00
|
|
|
lower-case.
|
2015-10-20 16:23:14 +00:00
|
|
|
|
|
|
|
## Revocation Checking
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
Since Vault 0.4, the method supports revocation checking.
|
2015-10-30 21:34:17 +00:00
|
|
|
|
|
|
|
An authorised user can submit PEM-formatted CRLs identified by a given name;
|
|
|
|
these can be updated or deleted at will. (Note: Vault **does not** fetch CRLs;
|
|
|
|
the CRLs themselves and any updates must be pushed into Vault when desired,
|
|
|
|
such as via a `cron` job that fetches them from the source and pushes them into
|
|
|
|
Vault.)
|
|
|
|
|
|
|
|
When there are CRLs present, at the time of client authentication:
|
|
|
|
|
|
|
|
* If the client presents any chain where no certificate in the chain matches a
|
|
|
|
revoked serial number, authentication is allowed
|
2017-09-13 01:48:52 +00:00
|
|
|
|
2015-10-30 21:34:17 +00:00
|
|
|
* If there is no chain presented by the client without a revoked serial number,
|
|
|
|
authentication is denied
|
|
|
|
|
|
|
|
This method provides good security while also allowing for flexibility. For
|
|
|
|
instance, if an intermediate CA is going to be retired, a client can be
|
|
|
|
configured with two certificate chains: one that contains the initial
|
|
|
|
intermediate CA in the path, and the other that contains the replacement. When
|
|
|
|
the initial intermediate CA is revoked, the chain containing the replacement
|
|
|
|
will still allow the client to successfully authenticate.
|
|
|
|
|
|
|
|
**N.B.**: Matching is performed by *serial number only*. For most CAs,
|
2017-09-13 01:48:52 +00:00
|
|
|
including Vault's `pki` method, multiple CRLs can successfully be used as
|
2015-10-30 21:34:17 +00:00
|
|
|
serial numbers are globally unique. However, since RFCs only specify that
|
|
|
|
serial numbers must be unique per-CA, some CAs issue serial numbers in-order,
|
|
|
|
which may cause clashes if attempting to use CRLs from two such CAs in the same
|
2017-09-13 01:48:52 +00:00
|
|
|
mount of the method. The workaround here is to mount multiple copies of the
|
|
|
|
`cert` method, configure each with one CA/CRL, and have clients connect to the
|
2015-10-30 21:34:17 +00:00
|
|
|
appropriate mount.
|
2015-10-20 16:23:14 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
In addition, since the method does not fetch the CRLs itself, the CRL's
|
2015-12-05 20:12:43 +00:00
|
|
|
designated time to next update is not considered. If a CRL is no longer in use,
|
2017-09-13 01:48:52 +00:00
|
|
|
it is up to the administrator to remove it from the method.
|
2015-12-05 20:12:43 +00:00
|
|
|
|
2015-04-24 17:52:25 +00:00
|
|
|
## Authentication
|
|
|
|
|
2015-06-30 13:18:39 +00:00
|
|
|
### Via the CLI
|
2017-09-13 01:48:52 +00:00
|
|
|
|
2017-04-30 15:37:10 +00:00
|
|
|
The below requires Vault to present a certificate signed by `ca.pem` and
|
|
|
|
presents `cert.pem` (using `key.pem`) to authenticate against the `web` cert
|
2018-06-05 01:34:17 +00:00
|
|
|
role. Note that the name of `web` ties out with the configuration example
|
|
|
|
below writing to a path of `auth/cert/certs/web`. If a certificate role name
|
|
|
|
is not specified, the auth method will try to authenticate against all trusted
|
|
|
|
certificates.
|
2017-04-30 15:37:10 +00:00
|
|
|
|
2015-06-30 13:18:39 +00:00
|
|
|
```
|
2017-09-13 01:48:52 +00:00
|
|
|
$ vault login \
|
|
|
|
-method=cert \
|
|
|
|
-ca-cert=ca.pem \
|
|
|
|
-client-cert=cert.pem \
|
|
|
|
-client-key=key.pem \
|
2017-04-30 15:37:10 +00:00
|
|
|
name=web
|
2015-06-30 13:18:39 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
### Via the API
|
2015-04-24 17:52:25 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The endpoint for the login is `/login`. The client simply connects with their
|
|
|
|
TLS certificate and when the login endpoint is hit, the auth method will
|
|
|
|
determine if there is a matching trusted certificate to authenticate the client.
|
|
|
|
Optionally, you may specify a single certificate role to authenticate against.
|
|
|
|
|
|
|
|
```sh
|
|
|
|
$ curl \
|
|
|
|
--request POST \
|
|
|
|
--cacert ca.pem \
|
|
|
|
--cert cert.pem \
|
|
|
|
--key key.pem \
|
|
|
|
--data '{"name": "web"}' \
|
2018-03-23 15:41:51 +00:00
|
|
|
http://127.0.0.1:8200/v1/auth/cert/login
|
2015-06-30 13:18:39 +00:00
|
|
|
```
|
|
|
|
|
2015-04-24 17:52:25 +00:00
|
|
|
## Configuration
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
Auth methods must be configured in advance before users or machines can
|
|
|
|
authenticate. These steps are usually completed by an operator or configuration
|
|
|
|
management tool.
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
1. Enable the certificate auth method:
|
2015-05-07 17:41:23 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
```text
|
|
|
|
$ vault auth enable cert
|
|
|
|
```
|
2015-04-24 17:52:25 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
1. Configure it with trusted certificates that are allowed to authenticate:
|
2015-10-20 16:23:14 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
```text
|
|
|
|
$ vault write auth/cert/certs/web \
|
|
|
|
display_name=web \
|
|
|
|
policies=web,prod \
|
|
|
|
certificate=@web-cert.pem \
|
|
|
|
ttl=3600
|
|
|
|
```
|
2015-10-20 16:23:14 +00:00
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
This creates a new trusted certificate "web" with same display name and the
|
|
|
|
"web" and "prod" policies. The certificate (public key) used to verify
|
|
|
|
clients is given by the "web-cert.pem" file. Lastly, an optional `ttl` value
|
|
|
|
can be provided in seconds to limit the lease duration.
|
2015-10-20 16:23:14 +00:00
|
|
|
|
|
|
|
## API
|
|
|
|
|
2017-09-13 01:48:52 +00:00
|
|
|
The TLS Certificate auth method has a full HTTP API. Please see the
|
|
|
|
[TLS Certificate API](/api/auth/cert/index.html) for more details.
|