TLS Cert Authentication example updates (#9735)
* TLS Cert Authentication example updates - Updated the Cert Auth example description to clarify which CA should issue the certificate. - Removed `-ca-cert` parameter from examples as this caused confusion. Is this the auth CA or the CA of the listener? * Return CA parameter to examples, add Note - Returned CA parameter to login examples - Added note above examples to explain which CA is being used in CLI - Updated examples in API doc to use httpS - Added note above login example to explain wich CA is being used Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
This commit is contained in:
parent
ba1adb6d22
commit
a71798a445
|
@ -82,8 +82,9 @@ Sets a CA cert and associated parameters in a role name.
|
|||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
--request POST \
|
||||
--cacert vault-ca.pem \
|
||||
--data @payload.json
|
||||
http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
|
||||
https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
|
||||
```
|
||||
|
||||
## Read CA Certificate Role
|
||||
|
@ -103,7 +104,8 @@ Gets information associated with the named role.
|
|||
```shell-session
|
||||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
|
||||
--cacert vault-ca.pem \
|
||||
https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
|
||||
```
|
||||
|
||||
### Sample Response
|
||||
|
@ -142,7 +144,8 @@ Lists configured certificate names.
|
|||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
--request LIST \
|
||||
http://127.0.0.1:8200/v1/auth/cert/certs
|
||||
--cacert vault-ca.pem \
|
||||
https://127.0.0.1:8200/v1/auth/cert/certs
|
||||
```
|
||||
|
||||
### Sample Response
|
||||
|
@ -179,7 +182,8 @@ Deletes the named role and CA cert from the method mount.
|
|||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
--request DELETE \
|
||||
http://127.0.0.1:8200/v1/auth/cert/certs/cert1
|
||||
--cacert vault-ca.pem \
|
||||
https://127.0.0.1:8200/v1/auth/cert/certs/cert1
|
||||
```
|
||||
|
||||
## Create CRL
|
||||
|
@ -209,8 +213,9 @@ Sets a named CRL.
|
|||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
--request POST \
|
||||
--cacert vault-ca.pem \
|
||||
--data @payload.json \
|
||||
http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
|
||||
https://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
|
||||
```
|
||||
|
||||
## Read CRL
|
||||
|
@ -232,7 +237,8 @@ arbitrary size, these are returned as strings.
|
|||
```shell-session
|
||||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
|
||||
--cacert vault-ca.pem \
|
||||
https://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
|
||||
```
|
||||
|
||||
### Sample Response
|
||||
|
@ -270,7 +276,8 @@ Deletes the named CRL from the auth method mount.
|
|||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
--request DELETE \
|
||||
http://127.0.0.1:8200/v1/auth/cert/crls/cert1
|
||||
--cacert vault-ca.pem \
|
||||
https://127.0.0.1:8200/v1/auth/cert/crls/cert1
|
||||
```
|
||||
|
||||
## Configure TLS Certificate Method
|
||||
|
@ -301,8 +308,9 @@ Configuration options for the method.
|
|||
$ curl \
|
||||
--header "X-Vault-Token: ..." \
|
||||
--request POST \
|
||||
--cacert vault-ca.pem \
|
||||
--data @payload.json \
|
||||
http://127.0.0.1:8200/v1/auth/cert/certs/cert1
|
||||
https://127.0.0.1:8200/v1/auth/cert/certs/cert1
|
||||
```
|
||||
|
||||
## Login with TLS Certificate Method
|
||||
|
@ -334,9 +342,15 @@ https://tools.ietf.org/html/rfc6125#section-2.3)
|
|||
|
||||
### Sample Request
|
||||
|
||||
~> **NOTE** The `--cacert` value used here is for the Vault TLS Listener CA
|
||||
certificate, not the CA that issued the client authentication certificate. This
|
||||
can be omitted if the CA used to issue the Vault server certificate is trusted
|
||||
by the local system executing this command.
|
||||
|
||||
```shell-session
|
||||
$ curl \
|
||||
--request POST \
|
||||
--cacert vault-ca.pem \
|
||||
--cert cert.pem \
|
||||
--key key.pem \
|
||||
--data @payload.json \
|
||||
|
|
|
@ -64,17 +64,21 @@ it is up to the administrator to remove it from the method.
|
|||
|
||||
### Via the CLI
|
||||
|
||||
The below requires Vault to present a certificate signed by `ca.pem` and
|
||||
presents `cert.pem` (using `key.pem`) to authenticate against the `web` cert
|
||||
role. Note that the name of `web` ties out with the configuration example
|
||||
below writing to a path of `auth/cert/certs/web`. If a certificate role name
|
||||
is not specified, the auth method will try to authenticate against all trusted
|
||||
certificates.
|
||||
The below authenticates against the `web` cert role by presenting a certificate
|
||||
(`cert.pem`) and key (`key.pem`) signed by the CA associated with the `web` cert
|
||||
role. Note that the name `web` ties to the configuration example below writing
|
||||
to a path of `auth/cert/certs/web`. If a certificate role name is not specified,
|
||||
the auth method will try to authenticate against all trusted certificates.
|
||||
|
||||
~> **NOTE** The `-ca-cert` value used here is for the Vault TLS Listener CA
|
||||
certificate, not the CA that issued the client authentication certificate. This
|
||||
can be omitted if the CA used to issue the Vault server certificate is trusted
|
||||
by the local system executing this command.
|
||||
|
||||
```shell-session
|
||||
$ vault login \
|
||||
-method=cert \
|
||||
-ca-cert=ca.pem \
|
||||
-ca-cert=vault-ca.pem \
|
||||
-client-cert=cert.pem \
|
||||
-client-key=key.pem \
|
||||
name=web
|
||||
|
@ -87,10 +91,15 @@ TLS certificate and when the login endpoint is hit, the auth method will
|
|||
determine if there is a matching trusted certificate to authenticate the client.
|
||||
Optionally, you may specify a single certificate role to authenticate against.
|
||||
|
||||
~> **NOTE** The `--cacert` value used here is for the Vault TLS Listener CA
|
||||
certificate, not the CA that issued the client authentication certificate. This
|
||||
can be omitted if the CA used to issue the Vault server certificate is trusted
|
||||
by the local system executing this command.
|
||||
|
||||
```shell-session
|
||||
$ curl \
|
||||
--request POST \
|
||||
--cacert ca.pem \
|
||||
--cacert vault-ca.pem \
|
||||
--cert cert.pem \
|
||||
--key key.pem \
|
||||
--data '{"name": "web"}' \
|
||||
|
|
Loading…
Reference in a new issue