Mastering Certificate Revocation, CRL Rotation, and Tidy Operations in HashiCorp Vault

Valente Vidal
6 min read · Jul 13, 2023

HashiCorp Vault is a widely used secrets management tool whose PKI secrets engine issues and tracks SSL/TLS certificates. As a system administrator or developer you will occasionally need to revoke a certificate, rotate the Certificate Revocation List (CRL), and clean expired certificates out of Vault's storage. This article walks through revoking a certificate, rotating and inspecting the CRL, checking a certificate against it, and tidying expired certificates in HashiCorp Vault.

If you need to create a quick two-level PKI Dev environment check this article: Create A Quick PKI HashicorpVault Dev Server

Generate a test certificate

Using the guide above let’s create a simple certificate:

vault write pki_int/issue/example-dot-com common_name="client3.example.com"

Output:

Key                 Value
--- -----
ca_chain [-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----]
certificate -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
expiration 1691679307
issuing_ca -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
private_key -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAv069tAZZIPty491uxN6O4U1rgylEWh4ijm8kyoKRJu8pFL4D
s+/KTsDffyRJSZs0T7XYXPntKzIipB0d9fgMPKJdztaOSoBVvWZyQzzo0IHVkeqT
gcCd2IMFWS+WCPfKeySsySdhQYM2kEJLUHFZGmPYgzz3T2292W3mtsLLOELW9xCa
yPCtDQWcK0ly+mqltiGwljHpoVSxK3DhB0kOqnNv4D0IjvZBhV+2HG2VEH5SGNcQ
tRpkjN3WYpYTCG6KhU+Z6W36gBGWlZfK3lLB9gBhacoXt/7Il3hQYsuigbggcRD/
n1UGGTRx0vL02ZaCccUME/AfE7EgT26m1P4x2wIDAQABAoIBAGgS6Sb30SMdSApo
m2skfGxbVuLa32F7RWdhVY2J7HdW4m1zVcZc7B1d1fhwACK3+YRntBYYrQqz0p6f
bH40fEu8NPZiSLSFDp/kDMNBbpKIH2yrRaXv6K8x0AYN2jx0uUW21Pz1nHYscNGY
DyrrDwNJUC9NSml+lSqlHD9Ox4mJ+LzQsl0kVy0PX1uzNEVcP8oJCWuZl2WqPZFc
vHdDCimqJgIGFyKeJwih8f0MXk5hJI5JuTAj8CGCvt0cwJtZ56akqbUqxmrXoUIO
D3Fs/ZeanlkLzmjU3SzSIPfhukWFTaFh1WYeozlXvC4hG7fLkN87wpxqSukPb6Yb
KSVH0QkCgYEA+PYJkszJJKmBAD9fIxNwiDKEIumqJ8VlOOsIew/8GurNO6KIMBx4
YRcJnU9fv1LvBPERXQRLyFYieDqkU1an8fbKR/9hrn7m7aOgciB7v9IcDsg3YU1X
/NCzZkIWUB4mThy5lQh0TkoN8o4Z32wX4PakxMRBx9tL8zwwZEeOWB0CgYEAxLdp
ZKQY2pm9ZwQzyAg7huXM54RI1gxgYOzy4RRvSQ9mGbrlBjlQD8IPG5ZF1sE0Qzb2
vXbL3YmB7gHy5lEPcowey/z1IQTK2FK9g0RhsjY27PBMCmLJgXDavodeFkYEuimq
XXFJ3xBrd7HWBNAqIplUQ+Rksm3sCflPKvZDQFcCgYEA9aQU6BJEuHbCgJMGdJ5e
nxNwyt3QdLNQX2uPj5TDA2//FcMVKps8r1dCtkM1zpmumiqdHjD58O4DzqrVriDH
TndZONai87/kbD7RNSoVz7so0fD8q3XbxefJyrCUQXKuCs5O0dxonUJ2JofMwWRu
3xmck0StPtuCQbl2acssiIUCgYA5hE8iiABkWjNQ3Z+uSwnspWBGCR2qyC+d52oU
eX8YY5I8z7KLIVLRaLI2JLgC1LbNOFLojsWI3t3Ik3VL9kOIAIQ4rJuXrekJWxfi
O6o9CzEAEjqJhtzYJgEvWDEgXhSfwfL4I1mwCQMDGlIzUhIfz6kduLfgm9c6C1Uk
gKClPQKBgBMMCb1nOpsi7wa23ySeRzo7d0Q1E9pBYJiBg5gZmrTksljHLcw3o3sL
MLzQNppDv4ZbUQS42Ysj/8wtwJh0SEHCUaOJvukvyKMjGD5uqTQHisDW36nl6BqV
B2DkDG/xFRLyLNUyNv54zWFdsv4+6UyM5aPrmIW7Z369zpI/5E5r
-----END RSA PRIVATE KEY-----
private_key_type rsa
serial_number 30:6e:65:c7:e9:01:1a:fd:b5:70:41:1a:cb:25:a3:79:bb:df:9e:da

Let’s Revoke That Certificate

Now that we have a test certificate let’s do the following:

  • Revoke the serial number of the certificate
  • Rotate the CRL (Generate a new CRL)

# Revoke
vault write pki_int/revoke serial_number=30:6e:65:c7:e9:01:1a:fd:b5:70:41:1a:cb:25:a3:79:bb:df:9e:da
# Output
Key Value
--- -----
revocation_time 1689087505
revocation_time_rfc3339 2023-07-11T14:58:25.136955428Z



# Rotate CRL
vault read pki_int/crl/rotate
# Output

Key Value
--- -----
success true



# Download the current CRL (an unauthenticated endpoint, no token required)
curl http://127.0.0.1:8200/v1/pki_int/crl -o crl.pem
# Inspect the CRL with OpenSSL
openssl crl -in crl.pem -text
# Output
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = example.com Intermediate Authority
Last Update: Jul 11 15:37:02 2023 GMT
Next Update: Jul 14 15:37:02 2023 GMT
CRL extensions:
X509v3 Authority Key Identifier:
8B:16:F3:DD:43:CE:04:64:F4:50:1F:00:6C:2E:D4:B4:E3:C7:CD:C2
Revoked Certificates:
Serial Number: 306E65C7E9011AFDB570411ACB25A379BBDF9EDA
Revocation Date: Jul 11 14:58:25 2023 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
b5:d4:db:f7:b7:29:3d:91:85:e4:be:d2:6b:92:d3:8b:78:4d:
5d:71:1f:f6:cf:04:1c:af:6e:35:07:98:7a:91:0e:f1:36:b2:
77:fe:1a:e5:ee:bb:7c:3a:01:9e:f6:c9:e2:9b:af:fd:4c:24:
ad:5b:d7:2b:15:6f:a1:9c:c1:3e:87:95:64:f6:54:1b:3c:17:
bb:a8:85:de:65:6b:ac:e7:aa:ee:47:15:ef:1d:12:ff:fe:4e:
32:46:b8:43:03:06:e3:91:fe:80:e1:2f:9d:30:e4:86:1c:f9:
d9:f8:e6:ba:b6:d9:ff:a9:cf:05:1f:21:75:c8:72:cb:77:3c:
9f:7c:2b:a1:0a:24:17:1d:e4:e9:7a:9e:c5:21:8b:13:66:43:
ec:76:c2:ea:d8:a6:66:0f:d3:94:25:e4:8e:ad:ff:f0:0a:19:
06:f7:90:7e:63:09:04:d0:96:65:92:d0:76:3c:ab:f3:e6:42:
75:40:f6:da:c8:18:4c:27:e1:fb:6a:78:78:f5:16:1a:fc:fc:
ad:32:94:a4:d4:48:de:78:a8:8f:22:40:96:ce:a9:6f:b5:be:
e6:43:fc:0e:24:42:e1:94:09:58:90:9a:10:c2:16:83:d1:f3:
c5:63:81:9c:5a:63:bd:72:f1:90:ea:18:68:75:5d:e9:8b:a8:
85:19:f3:68
-----BEGIN X509 CRL-----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-----END X509 CRL-----


  • The first command revokes the certificate by its serial number; Vault returns the revocation time as a UNIX timestamp and in RFC 3339 form. Newer Vault versions also accept the certificate PEM in place of the serial, and the pki_int/revoke-with-key endpoint lets the holder of a certificate revoke it by proving possession of the private key.
  • The second command forces Vault to rebuild the CRL; success true confirms that it ran.
  • By default Vault rebuilds the CRL on every revocation, so the updated list is served immediately from the mount's unauthenticated /v1/pki_int/crl endpoint and a manual rotate is usually unnecessary. Rotating by hand is useful when the CRL still lists certificates that have since expired but has not been rebuilt because nothing new was revoked, or to cut a fresh list before the current one's Next Update passes. It is not a remedy for a compromised signing key: the CRL is signed with the issuing CA's key, and if that key is compromised the issuer itself has to be replaced.
  • The last commands download the current CRL and parse it with OpenSSL. The revoked serial appears under Revoked Certificates with its revocation date, and the Last Update / Next Update pair (three days apart here, Vault's default CRL lifetime) tells relying parties how long they may cache the list before they must fetch a new one.

The Certificate Is Revoked, Now What?

Revoking a certificate adds its serial number to the Certificate Revocation List (CRL). It does not reach out and stop the certificate from being presented by a server or client: revocation is a signed statement by the CA that the certificate must no longer be trusted, and it only has effect where somebody checks.

For a relying party (a browser, a TLS server validating client certificates, a service mesh) to notice, its software must check the revocation status of the certificate. With CRLs that means downloading the list the CA publishes and looking for the certificate's serial number; the CRL is simply the list of every unexpired certificate the CA has revoked. Clients normally locate the list through the CRL Distribution Points extension in the certificate, which Vault only adds when crl_distribution_points is set on the mount's config/urls endpoint; otherwise the CRL location has to be configured on the client side. Recent Vault versions (1.12 and later) also answer OCSP queries at the mount's ocsp endpoint, which spares clients from fetching the whole list.

So if a revoked certificate is still being used, the issuer will not see it; the only point of enforcement is the relying party, which compares the serial against the CRL (or asks OCSP) and refuses the certificate. A relying party should also verify that the CRL it holds was signed by the issuer and that its Next Update has not passed; otherwise an attacker who can serve a stale or forged CRL can hide the revocation.

Below is a bash script that downloads the CRL together with the issuing CA certificate, verifies the CRL's signature against the issuer, and checks whether the certificate in question is listed.

#!/bin/bash
set -euo pipefail

# Vault API base and PKI mount. Named VAULT_API rather than VAULT_ADDR so the
# Vault CLI's own VAULT_ADDR (which takes no /v1 suffix) is not clobbered.
VAULT_API="http://127.0.0.1:8200/v1"
PKI_PATH="pki_int"

# Certificate to check (the "certificate" field returned by pki_int/issue)
CERT_FILE="mycert.pem"

# Download the current CRL and the issuing CA; both endpoints are unauthenticated
echo "Downloading CRL and issuer certificate..."
curl -sf "${VAULT_API}/${PKI_PATH}/crl" -o crl.pem
curl -sf "${VAULT_API}/${PKI_PATH}/ca/pem" -o issuer.pem

# A CRL is only as good as its signature: refuse one the issuer did not sign
echo "Verifying CRL signature..."
openssl crl -in crl.pem -CAfile issuer.pem -noout 2>&1 | grep -q "verify OK" \
  || { echo "CRL signature does not verify against the issuer"; exit 1; }

# Extract the serial number (openssl prints uppercase hex, the same form the CRL uses)
echo "Extracting certificate serial number..."
SERIAL_NUMBER=$(openssl x509 -in "${CERT_FILE}" -noout -serial | cut -d= -f2)

# Match the serial on a whole "Serial Number:" line, not anywhere in the dump
echo "Checking certificate status..."
if openssl crl -in crl.pem -noout -text | grep -Eq "^[[:space:]]*Serial Number: ${SERIAL_NUMBER}$"; then
  echo "Certificate ${SERIAL_NUMBER} has been revoked."
else
  # Absent from the CRL is not the same as valid: expiry and chain are checked separately
  echo "Certificate ${SERIAL_NUMBER} is not listed in the CRL."
fi
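The whole loop described in this section, as an added example that is not part of the original article and is not Vault's own code: a throwaway OpenSSL CA stands in for the pki_int mount so that revocation, CRL generation and the client-side check all run offline. The ca.cnf contents, the file names (revoked_client.pem, good_client.pem, crl.pem) and the helper functions vault_style_serial, serial_in_crl and revocation_status are all assumptions of this example. It addresses the two weaknesses of a plain grep over the CRL dump: the serial is matched as a whole Serial Number line after converting Vault's colon-separated lowercase form, and revocation_status delegates to openssl verify -crl_check, which also verifies the CRL's signature and Next Update, the way a real relying party must.

```sh
#!/bin/sh
# Added example, not from the article or from HashiCorp: a throwaway OpenSSL
# CA stands in for the pki_int mount so the revoke -> CRL -> client-side check
# loop runs offline. Every file name and the CA config below are assumptions
# of this example; nothing here is Vault's own behaviour or code.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir newcerts && touch index.txt && echo 1000 > serial

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 3
policy           = any_pol
x509_extensions  = leaf_ext
[ any_pol ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = dn
[ dn ]
EOF

# Issuing CA, playing the part of the pki_int mount.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
  -subj "/CN=example.com Intermediate Authority" -config ca.cnf -extensions ca_ext 2>/dev/null

# issue_leaf NAME CN: mint NAME.pem, as the example-dot-com role would.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.pem" -notext 2>/dev/null
}
issue_leaf revoked_client client3.example.com
issue_leaf good_client    client4.example.com

# Revoke one leaf and cut a fresh CRL: the equivalent of pki_int/revoke
# followed by pki_int/crl/rotate.
openssl ca -batch -config ca.cnf -revoke revoked_client.pem 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# vault_style_serial CERT: "1000" -> "10:00", the colon-separated lowercase
# form in which Vault reports serial_number.
vault_style_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2 \
    | tr 'A-F' 'a-f' | sed 's/../&:/g; s/:$//'
}

# serial_in_crl VAULT_SERIAL CRL: normalise Vault's form back to the uppercase
# hex OpenSSL prints and match a whole "Serial Number:" line, so a substring
# elsewhere in the CRL dump can never produce a false positive.
serial_in_crl() {
  hex="$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')"
  openssl crl -in "$2" -noout -text | grep -x "[[:space:]]*Serial Number: ${hex}" >/dev/null
}

# revocation_status CERT: what a relying party that enforces the CRL does.
# -crl_check makes openssl require a CRL for the issuer, verify the CRL's
# signature and Next Update, and reject a listed serial. Prints ok|revoked|error.
revocation_status() {
  if out="$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" 2>&1)"; then
    echo ok
  else
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *) echo error ;;
    esac
  fi
}

for c in revoked_client good_client; do
  s="$(vault_style_serial "$c.pem")"
  listed="$(serial_in_crl "$s" crl.pem && echo yes || echo no)"
  printf '%-15s serial %-6s in CRL: %-3s openssl verify: %s\n' \
    "$c" "$s" "$listed" "$(revocation_status "$c.pem")"
done
```

Run it as-is and it prints one line per certificate: the revoked leaf is listed in the CRL and rejected by openssl verify, the other is not listed and passes. The same three functions work unchanged against a CRL and issuer fetched from Vault (pki_int/crl and pki_int/ca/pem), with ca.pem replaced by the issuer certificate or chain.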

Deleting VS Tidy in Vault

Deleting, as the term suggests, would mean removing an issued certificate from Vault's storage outright. The PKI secrets engine exposes no endpoint to delete an individual issued certificate: the stored copies are the audit trail of everything the CA has signed, and they remain useful for investigations and troubleshooting long after a certificate has expired or been revoked. The only way storage is reclaimed is the tidy operation.

Tidying is the operation the PKI secrets engine provides to clean up its own storage. With tidy_cert_store=true it removes certificates from the certificate store once they have been expired for longer than the safety buffer; with tidy_revoked_certs=true it does the same for entries in the revoked-certificate store and then rebuilds the CRL without them, so revoked certificates drop off the CRL once they expire. That is safe because a relying party rejects an expired certificate on its validity period alone, which is also why a CRL only needs to list unexpired certificates. Tidy never touches a certificate that has not yet expired, so a revoked certificate stays on the CRL for as long as it could still be presented.

To test the tidy operation, issue a certificate that lives for one minute by adding ttl=60:

vault write pki_int/issue/example-dot-com common_name="client3.example.com" ttl=60
Key Value
--- -----
ca_chain [-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----]
certificate -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
expiration 1689245695
issuing_ca -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
private_key -----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
private_key_type rsa
serial_number 45:94:9b:f6:2f:2c:21:f0:58:48:57:ad:ec:ea:bc:70:d7:45:e8:11

We can read the stored copy back by serial number and check its expiry date with:

CERTIFICATE=$(vault read -format=json pki_int/cert/45:94:9b:f6:2f:2c:21:f0:58:48:57:ad:ec:ea:bc:70:d7:45:e8:11 | jq -r .data.certificate)
echo "$CERTIFICATE" | openssl x509 -noout -enddate

# Output
notAfter=Jul 13 10:54:55 2023 GMT

Once the minute and the safety buffer have both elapsed, tidy the expired certificates:

vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true safety_buffer="1m"

# Output

WARNING! The following warnings were returned from Vault:

* Tidy operation successfully started. Any information from the operation
will be printed to Vault's server logs.

The two parameters used above are tidy_cert_store and tidy_revoked_certs (tidy_revocation_list is the older name for the latter and is still accepted as an alias). With tidy_cert_store=true, expired certificates are removed from the certificate store; with tidy_revoked_certs=true, expired entries are removed from the revoked-certificate store and the CRL is rebuilt without them. Both walk every stored certificate, so on a busy mount they are I/O-heavy and can slow Vault down if run frequently or at peak times. Run them off-peak, or let recent Vault versions run them on a schedule through the mount's config/auto-tidy endpoint.

The safety_buffer parameter is a duration (here "1m" for one minute) that provides a margin of safety while tidying.

Tidy treats a certificate as eligible for removal only once its expiry date lies at least safety_buffer in the past: with "1m" that means certificates that expired more than a minute ago. The default is 72h, and the short value here exists only so the demonstration finishes quickly. Keep the default (or longer) in production, so that clock skew between Vault and its clients, or a relying party still working from an older cached CRL, cannot make a record disappear from Vault while something still depends on it.

Tidy runs asynchronously: it reports to the server log, and recent Vault versions also expose its progress at pki_int/tidy-status. Once it has finished, reading the certificate by serial number again returns nothing:

CERTIFICATE=$(vault read -format=json pki_int/cert/45:94:9b:f6:2f:2c:21:f0:58:48:57:ad:ec:ea:bc:70:d7:45:e8:11 | jq -r .data.certificate)
echo "$CERTIFICATE" | openssl x509 -noout -enddate

# Output
No value found at pki_int/cert/45:94:9b:f6:2f:2c:21:f0:58:48:57:ad:ec:ea:bc:70:d7:45:e8:11

tldr:

This article walks through revoking an SSL/TLS certificate in HashiCorp Vault, rotating and inspecting the Certificate Revocation List (CRL), checking a certificate against the CRL from the client side, and tidying expired certificates out of Vault's storage.
