Hashicorp Vault Not So Common Commands
Hashicorp Vault was released in 2015 and has since become an industry standard. It is popular, but not popular enough that edge-case examples are easy to find, and that is what this post is about.
I do a fair amount of work around Vault, and from time to time I need to know how to do a specific thing, a specific edge case, and I spend way too long searching the internet for an example of how to do it in Vault.
So I will dump my commands here and if someone finds them useful, you’re welcome.
Signing a CSR using Vault
You would think there would be examples on their website or even in the documentation, but no. After a while of looking, ausmartway helped out.
Once you have set up your root CA and your intermediate CA and have created a role, how do you use that role to sign a CSR?
vault write pki_root_int/sign/my-role ttl="4380h" csr=@example.csr
Just a reminder, to create a role:
vault write pki_root_int/roles/my-role allowed_domains="example.com" allow_subdomains=true allow_any_name=true allow_glob_domains=true ttl="4380h" max_ttl="4380h" enforce_hostnames=false
In case you don't have the Vault CLI available and want the curl HTTP command to sign CSRs (you might want this if you are writing a Docker image build script and don't want to install Vault inside the image):
CSR=$(cat CSR.csr)
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"csr": "'"${CSR}"'", "ttl": "4380h"}' $VAULT_ADDR/v1/pki_root_int/sign/my-role | jq -r .data.certificate > SIGNED_CERT.crt
Note that the bash variable CSR is wrapped in several layers of quotes; if you are providing the variable inside the --data argument you need that format. Thanks to pbaranski for that one.
Basically:
For variables without spaces in them, e.g. 1: simply add ' before and after $variable where the desired string should be substituted, giving '$variable'.
For input with spaces, e.g. "el a": wrap the variable with an additional " on each side, giving "'"${CSR}"'".
When providing the CSR via HTTP like above, you will need to provide the CSR as a single string with \n in place of every newline, for example:
-----BEGIN CERTIFICATE REQUEST-----\nMIIC6DCCAdACAQAwbDELMAkGA1UE...
A handy command to do this is:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' CSR.csr > single_line_CSR.csr
This replaces all the newlines with a literal \n.
If the command was successful you will get back a JSON response with the signed certificate inside.
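As an added example, not code from the original post or from Vault itself, here is the HTTP signing flow above wrapped in POSIX shell functions: the awk single-line step, the JSON body, the POST to the sign endpoint and the jq extraction. VAULT_ADDR, VAULT_TOKEN, the pki_root_int mount, my-role and the 4380h ttl are taken from the commands above; the function names and the constructed sample CSR are my own.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the HTTP signing flow
# above (single-line CSR via the awk trick, JSON body, POST to the sign
# endpoint, certificate pulled out with jq) in small shell functions.
# Assumes VAULT_ADDR, VAULT_TOKEN, the pki_root_int mount and my-role
# exactly as in the commands above; the function names are my own.

# Write a constructed, truncated CSR-shaped file (not a real CSR) to $1
# so the helpers below can be exercised offline.
write_sample_csr() {
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
    'MIIC6DCCAdACAQAwbDELMAkGA1UE' '' \
    '-----END CERTIFICATE REQUEST-----' > "$1"
}

# Sanity check before sending anything: both PEM markers must be present.
looks_like_csr() {
  grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" &&
    grep -q -- '-----END CERTIFICATE REQUEST-----' "$1"
}

# Collapse a PEM file to one line: blank lines dropped (NF), CRs stripped,
# each line terminated by a literal backslash-n as the API expects.
pem_to_single_line() {
  awk 'NF {sub(/\r/, ""); printf "%s\\n", $0;}' "$1"
}

# Build the JSON body for POST /v1/pki_root_int/sign/my-role.
# $1 = CSR file, $2 = ttl (defaults to the 4380h used above).
build_sign_payload() {
  csr=$(pem_to_single_line "$1") || return 1
  printf '{"csr": "%s", "ttl": "%s"}' "$csr" "${2:-4380h}"
}

# Sign a CSR over HTTP and print the PEM certificate (needs network,
# VAULT_ADDR and VAULT_TOKEN; not exercised by the offline checks).
sign_csr_http() {
  looks_like_csr "$1" || { echo "not a PEM CSR: $1" >&2; return 1; }
  curl -sS --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
    --data "$(build_sign_payload "$1" "$2")" \
    "$VAULT_ADDR/v1/pki_root_int/sign/my-role" | jq -r .data.certificate
}
```

Everything except sign_csr_http can be checked offline against the constructed file, which makes the quoting and the \n conversion easy to inspect before a real request is sent.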
which leads us to
Common name ___ not allowed by this role
What if the CSR common name has special characters like "(" or "[" or spaces?
Example: "Important Domain (UK) [London]"
If the common name was "Important Domain (UK) [London]", then when trying to sign the CSR you would get an error like:
common name Important Domain (UK) [London] not allowed by this role
When creating the role you can add:
enforce_hostnames=false
example:
vault write pki_root_int/roles/my-role allowed_domains="example.com" allow_subdomains=true allow_any_name=true allow_glob_domains=true ttl="4380h" max_ttl="4380h" enforce_hostnames=false
I’ll keep this page updated as I find more edge cases.