
Enhance with pkiCert template to return full CA chain #1962

Merged
JMGoldsmith merged 1 commit into hashicorp:main from astundzia:caChainOnWithPki
Jul 10, 2024

Conversation

@astundzia (Contributor)

This is for GitHub issue #1961

This provides the CAChain data on the with pkiCert function. This is necessary to support rotation of an intermediary CA without causing service interruptions.

Instead of using this template:

          {{- with pkiCert "pki/astundzia/issuing_ca/issue/genctl-consoleproxy-tls" "common_name=console-proxy.vpc.cloud.ibm.local" "format=pem" -}}
          {{ .Cert }}
          {{ .Key  }}
          {{ .Key | writeToFile "/etc/certs/client.key" "" "" "0644" }}
          {{ .Cert | writeToFile "/etc/certs/client.crt" "" "" "0644" }}
          {{- end }}
          {{- with secret "pki/astundzia/issuing_ca/cert/ca_chain" -}}
          {{- .Data.ca_chain }}
          {{- .Data.ca_chain | writeToFile "/etc/certs/client.crt" "" "" "0644" "append,newline" }}
          {{ end }}

I can instead just use:

          {{- with pkiCert "pki/astundzia/issuing_ca/issue/genctl-consoleproxy-tls" "common_name=console-proxy.vpc.cloud.ibm.local" "format=pem" -}}
          {{ .Cert }}
          {{ .Key  }}
          {{ .CAChain }}
          {{ .Key | writeToFile "/etc/certs/client.key" "" "" "0644" }}
          {{ .Cert | writeToFile "/etc/certs/client.crt" "" "" "0644" }}
          {{- range .CAChain }}
          {{- . | writeToFile "/etc/certs/client.crt" "" "" "0644" "append" }}
          {{- end }}
          {{- end }}

While similar, this has two critical benefits:

  1. During intermediary CA rotation, the leaf certificate never expires. Vault agent is not aware nor should it be. The with secret however now pulls a new ca_chain which causes a client certificate to be created that is {Leaf cert v1, Issuing CA V2}. Since the leaf cert was issued by a different issuer (the previous one) the chain that vault-agent creates is invalid (Authority/signatures do not match).
  2. Since ca_chain is returned on the with pkiCert, we no longer make a high number of API calls to the vault ca_chain endpoint.

Without this code, we could not find a way to trust a single rootCA & support rotation of an intermediary CA/issuing CA.

This passes existing tests, and I've tested it manually using a self built version of the vault 1.8.0-beta code.

This also retains backwards compatibility (CA object on with pkiCert does not change functionally).

Please review!
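The failure mode in point 1 above is easy to reproduce and to check for. The following is an added example, not code from this PR or from consul-template: it builds a throwaway in-memory PKI (a root, two issuing CAs "issuing-ca-v1" and "issuing-ca-v2" both signed by the root, and a leaf issued by v1; all names are constructed), writes the bundle in the order the template does (leaf first, then CA chain), and checks two things a defender cares about: that each certificate in the bundle was actually signed by the one after it, and that the whole path verifies to the trusted root. The {leaf v1, issuing CA v2} bundle produced by the old two-template approach after a rotation fails the first check, which is exactly the "signatures do not match" condition described in the PR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for cn, signed by parent
// (self-signed when parent is nil). Constructed test PKI only.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// toPEM concatenates certificates into one PEM bundle, leaf first, mirroring
// what the template's writeToFile/append sequence produces on disk.
func toPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// checkBundle parses a leaf-first PEM bundle, confirms each certificate was
// signed by the next one, then verifies the path against the trusted root.
func checkBundle(bundle []byte, root *x509.Certificate) error {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) < 2 {
		return errors.New("bundle must contain a leaf and at least one issuing CA")
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("%q is not signed by %q: %w", certs[i].Subject.CommonName, certs[i+1].Subject.CommonName, err)
		}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// scenario builds the constructed PKI and checks both bundles: the leaf with the
// CA that issued it, and the leaf with the rotated CA fetched separately.
func scenario() (matched error, rotated error) {
	root, rootKey := issue("root-ca", true, nil, nil, 1)
	issuerV1, v1Key := issue("issuing-ca-v1", true, root, rootKey, 2)
	issuerV2, _ := issue("issuing-ca-v2", true, root, rootKey, 3)
	leaf, _ := issue("client.example.test", false, issuerV1, v1Key, 4)
	return checkBundle(toPEM(leaf, issuerV1), root), checkBundle(toPEM(leaf, issuerV2), root)
}

func main() {
	ok, bad := scenario()
	fmt.Println("leaf + issuing CA v1:", ok)  // <nil>
	fmt.Println("leaf + issuing CA v2:", bad) // "client.example.test" is not signed by "issuing-ca-v2"
}
```

Pointing checkBundle at the file the template writes (here /etc/certs/client.crt) from a health check or a post-render command gives an early signal if the on-disk bundle ever mixes a leaf with a CA that did not issue it, regardless of which template produced it.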

hashicorp-cla-app Bot commented Jul 4, 2024

CLA assistant check
All committers have signed the CLA.

sgmiller self-requested a review July 5, 2024 15:31

sgmiller left a comment


Seems reasonable.

@JMGoldsmith JMGoldsmith merged commit d77ed64 into hashicorp:main Jul 10, 2024
