The Vault HSM PKI plugin overlays the modifications to the builtin PKI plugin that enable support for certificate signing using a Hardware Security Module via PKCS#11.
The builtin PKI has a specified API in terms of usage which new plugins can conform to, but the code is not expressed as a reusable module.
As this HSM plugin seeks to retain the majority of existing functionality without modification, eg. roles, the builtin PKI code is included in the pkg/pki directory with the addition of the pki_api.go file that makes select functions externally accessible. The rest of the included PKI code is included verbatim in the pkg/pki directory.
The HSM PKI plugin can therefore selectively override some of the PKI paths whilst using some unchanged paths.
The pkcs11helper module provides detailed setup instructions for SoftHSM, Thales's SafeNet and Entrust's nShield.
Please prepare the HSM configuration file in the conf/ directory.
The path to the PKCS#11 client library is specified in this configuration file along with the Slot ID and PIN.
Omit the key_label parameter to randomly generate a new key label.
If you have installed and configured SafeNet DPoD set the environment first for the shell:
cd /opt/safenet/dpod/current
. ./setenv
cd <this git repo download directory>
Note that the following env var may be needed:
export GOSUMDB=off
The following command will build the plugin binary and start the Vault server as an in memory dev instance:
make
Visit INSTALL.md for the persistent plugin installation instructions and registration details.
Now open a new terminal window and login to Vault. This is an example for a dev instance:
export VAULT_ADDR='http://127.0.0.1:8200'
vault login root
These instructions apply if the Intermediate CA has been created and signed by a Root CA externally to Vault.
vault secrets enable -path=hsmpki_inter -options="config=conf/config-softhsm.hcl" vaultplugin-hsmpki
These instructions apply if the Root and Intermediate CAs need to be created and signed by Vault.
- Different configuration files can be passed to each instance of the plugin.
- These may contain alternative HSM slot and PIN settings.
- If no key label is specified then one will be automatically generated and stored within Vault.
- The automatically generated key label is provided in the response to the Generate Root and Generate Intermediate commands.
Root CA path:
vault secrets enable -path=hsmpki_root -options="config=conf/config-safenet.hcl" vaultplugin-hsmpki
Intermediate CA path:
vault secrets enable -path=hsmpki_inter -options="config=conf/config-safenet.hcl" vaultplugin-hsmpki
In this sequence of steps Vault:
- generates a Root CA cert using the hsmpki_root path
- generate an Intermediate CA and CSR using the hsmpki_inter path
- signs the Intermediate CA's CSR producing the cert using the hsmpki_root path
- sets the signed Intermediate CA using the hsmpki_inter path
- creates a role
- issues a new private key and a new cert signed by the Intermediate CA using the hsmpki_path
Notice that key_label is returned alongside serial_number. Also note that the certificate is the same as the issuing certificate.
A key label for the HSM will be generated automatically if a key_label isn't specified in the conf file.
The format of the automatically generated key_label is eg. ROOTCA20210314232939
vault write hsmpki_root/root/generate/internal common_name=safenet.ec.ca.mode51.software key_type=ec key_bits=521 permitted_dns_domains=localhost organization="mode51 Software Ltd" ou="Software" country="GB" locality="Cambridge" province="Cambridgeshire" street_address="1 A Street" postal_code="CB1"
Save the signed Intermediate CA to a file eg. data/root.cert.pem
This CA cert can be imported into a browser for testing.
The format of the automatically generated key_label is eg. INCA20210314233609
vault write hsmpki_inter/intermediate/generate/internal common_name=safenet.ec.interca.mode51.software key_type=ec key_bits=384 permitted_dns_domains=localhost organization="mode51 Software Ltd" ou="Software" country="GB" locality="Cambridge" province="Cambridgeshire" street_address="1 A Street" postal_code="CB1"
Save the CSR to a file, eg. data/intermediate.csr.pem
Use openssl to check the CSR:
openssl req -in ./data/intermediate.csr.pem -text
vault write hsmpki_root/root/sign-intermediate csr=@data/intermediate.csr.pem common_name=safenet.ec.interca.mode51.software key_type=ec key_bits=384 permitted_dns_domains=localhost organization="mode51 Software Ltd" ou="Software" country="GB" locality="Cambridge" province="Cambridgeshire" street_address="1 A Street" postal_code="CB1"
Save the signed Intermediate CA to a file eg. data/intermediate.cert.pem
This CA cert can be imported into a browser for testing.
If the key label has been automatically generated as part of the Generate Intermediate command then it doesn't need to be specified here or in the conf file:
vault write hsmpki_inter/intermediate/set-signed certificate=@data/intermediate.cert.pem hash_algo="SHA-512"
Create a role for the allowed domain, which configures the certificate signing template, in this case localhost:
vault write hsmpki_inter/roles/localhost allowed_domains=localhost allow_subdomains=true ttl=24h max_ttl=72h key_type="ec" key_bits="384"
Ask Vault to create a new key pair, generate a CSR and sign it using the HSM, returning both the private key, the CA and the signed certificate:
vault write hsmpki_inter/issue/localhost common_name=localhost
Set the signed Intermediate certificate and use the HSM PKI extensions supporting the configuration of the HSM key alias and the preferred SHA algorithm.
The key label can also be configured in the conf file passed in to the secrets enable command:
vault write hsmpki_inter/intermediate/set-signed certificate=@data/safenet-inter-0016.ca.cert.pem key_label="ECTestCAInterKey0016" hash_algo="SHA-512"
Create a role for the allowed domain, which configures the certificate signing template, in this case localhost:
vault write hsmpki_inter/roles/localhost allowed_domains=localhost allow_subdomains=true ttl=24h max_ttl=72h key_type="ec" key_bits="384"
Now that Vault is ready for signing, sign a standalone CSR file using the HSM returning the CA and the signed certificate:
vault write hsmpki_inter/sign/localhost csr=@data/localhost512.csr.pem
Ask Vault to create a new key pair, generate a CSR and sign it using the HSM, returning both the private key, the CA and the signed certificate:
vault write hsmpki_inter/issue/localhost common_name=localhost
vault write hsmpki_inter/revoke serial_number="<your serial number>"
vault read hsmpki_inter/cert/<your serial number>
curl --header "X-Vault-Token: root" http://127.0.0.1:8200/v1/hsmpki_inter/crl/pem > data/crl.txt
openssl crl -in ./data/crl.txt -text
Install nginx and setup the TLS certificate and private key for the test site, referred to below as localhost.crt and localhost.key.
These are the private key and the certificate generated by Vault's issue command.
Separately import the Root CA and Intermediate CA into a web browser.
Visit https://localhost:444/ and confirm that the TLS certificate is accepted.
server {
listen 444 ssl http2 default_server;
server_name localhost;
ssl_certificate /etc/nginx/certs/localhost.crt;
ssl_certificate_key /etc/nginx/certs/localhost.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
View the TESTING README
- api_addr must be configured in Vault's server configuration file otherwise plugins don't work properly.
SafeNet DPoD Troubleshooting
The setenv script sets the following environment var. Please use the path to the root of your dpod files:
declare -x ChrystokiConfigurationPath="/opt/safenet/dpod/current"
This can be set in the service section of the systemd configuration file:
Environment="ChrystokiConfigurationPath=/opt/safenet/dpod/current"
- This may indicate that the SafeNet DPoD partition is full
HSM PKI for Vault was sponsored by BT UK, developed by mode51 Software, and contributed to the HashiCorp community under the Mozilla Public License v2.
By Chris Newman