TLS Cert Authentication example updates (#9735)

* TLS Cert Authentication example updates

- Updated the Cert Auth example description to clarify which CA
should issue the certificate.
- Removed `-ca-cert` parameter from examples as this caused
confusion. Is this the auth CA or the CA of the listener?

* Return CA parameter to examples, add Note

- Returned CA parameter to login examples
- Added note above examples to explain which CA is being used in CLI
- Updated examples in API doc to use httpS
- Added note above login example to explain which CA is being used

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Michael Ethridge 2020-08-27 18:47:16 -06:00 committed by GitHub
parent ba1adb6d22
commit a71798a445
2 changed files with 39 additions and 16 deletions


@ -82,8 +82,9 @@ Sets a CA cert and associated parameters in a role name.
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--cacert vault-ca.pem \
--data @payload.json
http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
```
## Read CA Certificate Role
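Review bot: `--data @payload.json` directly above the URL has no trailing backslash, so as written the `https://127.0.0.1:8200/v1/auth/cert/certs/test-ca` line is a separate shell command and the curl invocation runs with no URL at all. The Create CRL and Configure hunks further down write this line as `--data @payload.json \`; this sample should match them, and since the URL line is already being rewritten here it is the right moment to fix it.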
@ -103,7 +104,8 @@ Gets information associated with the named role.
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/cert/certs/test-ca
--cacert vault-ca.pem \
https://127.0.0.1:8200/v1/auth/cert/certs/test-ca
```
### Sample Response
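Review bot: `--cacert vault-ca.pem` is now added to every request in this file, but the only explanation of what `vault-ca.pem` is (the CA for the Vault TLS listener, not the CA cert set on the role) is the note added to the Login section near the bottom. A reader who lands on Read, List or Delete first will reasonably assume it is the role's CA. Put that note once near the top of the file, or a short sentence before the first sample request, rather than only at the login example.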
@ -142,7 +144,8 @@ Lists configured certificate names.
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/cert/certs
--cacert vault-ca.pem \
https://127.0.0.1:8200/v1/auth/cert/certs
```
### Sample Response
@ -179,7 +182,8 @@ Deletes the named role and CA cert from the method mount.
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/cert/certs/cert1
--cacert vault-ca.pem \
https://127.0.0.1:8200/v1/auth/cert/certs/cert1
```
## Create CRL
@ -209,8 +213,9 @@ Sets a named CRL.
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--cacert vault-ca.pem \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
https://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
```
## Read CRL
@ -232,7 +237,8 @@ arbitrary size, these are returned as strings.
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
--cacert vault-ca.pem \
https://127.0.0.1:8200/v1/auth/cert/crls/custom-crl
```
### Sample Response
@ -270,7 +276,8 @@ Deletes the named CRL from the auth method mount.
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/cert/crls/cert1
--cacert vault-ca.pem \
https://127.0.0.1:8200/v1/auth/cert/crls/cert1
```
## Configure TLS Certificate Method
@ -301,8 +308,9 @@ Configuration options for the method.
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--cacert vault-ca.pem \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/cert/certs/cert1
https://127.0.0.1:8200/v1/auth/cert/certs/cert1
```
## Login with TLS Certificate Method
@ -334,9 +342,15 @@ https://tools.ietf.org/html/rfc6125#section-2.3)
### Sample Request
~> **NOTE** The `--cacert` value used here is for the Vault TLS Listener CA
certificate, not the CA that issued the client authentication certificate. This
can be omitted if the CA used to issue the Vault server certificate is trusted
by the local system executing this command.
```shell-session
$ curl \
--request POST \
--cacert vault-ca.pem \
--cert cert.pem \
--key key.pem \
--data @payload.json \

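Review bot: in the new note, "Vault TLS Listener CA certificate" capitalises Listener as if it were a proper noun; lower case "listener" is the consistent form, and "This can be omitted" has an ambiguous antecedent, so "The `--cacert` flag can be omitted if ..." reads more clearly. The same four-line note is pasted twice into the other changed file, so apply whatever wording is chosen in all three places.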
@ -64,17 +64,21 @@ it is up to the administrator to remove it from the method.
### Via the CLI
The below requires Vault to present a certificate signed by `ca.pem` and
presents `cert.pem` (using `key.pem`) to authenticate against the `web` cert
role. Note that the name of `web` ties out with the configuration example
below writing to a path of `auth/cert/certs/web`. If a certificate role name
is not specified, the auth method will try to authenticate against all trusted
certificates.
The below authenticates against the `web` cert role by presenting a certificate
(`cert.pem`) and key (`key.pem`) signed by the CA associated with the `web` cert
role. Note that the name `web` ties to the configuration example below writing
to a path of `auth/cert/certs/web`. If a certificate role name is not specified,
the auth method will try to authenticate against all trusted certificates.
~> **NOTE** The `-ca-cert` value used here is for the Vault TLS Listener CA
certificate, not the CA that issued the client authentication certificate. This
can be omitted if the CA used to issue the Vault server certificate is trusted
by the local system executing this command.
```shell-session
$ vault login \
-method=cert \
-ca-cert=ca.pem \
-ca-cert=vault-ca.pem \
-client-cert=cert.pem \
-client-key=key.pem \
name=web
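Review bot: the replacement paragraph says the client presents "a certificate (`cert.pem`) and key (`key.pem`) signed by the CA associated with the `web` cert role", but a private key is not signed by a CA; only the certificate is. Suggest: "by presenting a certificate (`cert.pem`) issued by the CA configured on the `web` cert role, together with its private key (`key.pem`)". Separately, the deleted sentence "requires Vault to present a certificate signed by `ca.pem`" was the one place that said what `-ca-cert` verifies; the new admonition covers that, but with the rename to `vault-ca.pem` check that nothing else in this section still refers to `ca.pem` as the listener CA.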
@ -87,10 +91,15 @@ TLS certificate and when the login endpoint is hit, the auth method will
determine if there is a matching trusted certificate to authenticate the client.
Optionally, you may specify a single certificate role to authenticate against.
~> **NOTE** The `--cacert` value used here is for the Vault TLS Listener CA
certificate, not the CA that issued the client authentication certificate. This
can be omitted if the CA used to issue the Vault server certificate is trusted
by the local system executing this command.
```shell-session
$ curl \
--request POST \
--cacert ca.pem \
--cacert vault-ca.pem \
--cert cert.pem \
--key key.pem \
--data '{"name": "web"}' \