pki

package module
v0.1.4
Published: Apr 17, 2019 License: MPL-2.0 Imports: 41 Imported by: 0

README

JKS Extended Vault PKI Plugin

This plugin is mostly a fork of the builtin Vault PKI plugin. It adds output format options when issuing a certificate, so that Java consumers can receive a keystore instead of PEM material.

Additional Issue Arguments

Argument   Value
format     In addition to the builtin formats (pem, der, pem_bundle), accepts jks
password   When requesting a jks keystore, the password used to protect the private key entry

When creating a role for issuing certificates, this backend also accepts key_bits=1024. Vault itself refuses this for good reason: 1024-bit RSA has been disallowed by NIST for signature generation since the end of 2013 and sits below the 2048-bit minimum that the CA/Browser Forum rules and most current TLS stacks enforce. The option exists for embedded devices that cannot handle larger keys and further encrypt their traffic by other means; confine such roles to those devices and keep Vault's default key_bits everywhere else.

Treat a jks keystore from this backend as sensitive material regardless of the password. JKS protects private key entries with Sun's proprietary SHA-1 based scheme, the password otherwise only keys an integrity digest, and the certificates inside are stored in the clear. Where the consuming Java runtime accepts it (Java 9 and later default to it), a PKCS#12 keystore is the stronger container.
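What the password argument does and does not protect is easiest to see in the JKS format itself. The following Go program is an added example, not code from this README or from the plugin: it writes a minimal version-2 JKS from constructed sample data (a placeholder DER blob standing in for a CA certificate, the alias vault-ca and the password changeit are all made up here) and parses one back, recomputing the integrity digest the same way Java's keytool does. The names BuildTrustedCertJKS, ParseJKS and JKSDigest are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// JKSEntry is one keystore entry. Certificates sit in the clear in JKS; the encrypted
// PKCS#8 blob of a PrivateKeyEntry is skipped (it needs Sun's proprietary key protector).
type JKSEntry struct {
	Alias, Type string   // Type: "PrivateKeyEntry" or "trustedCertEntry"
	Certs       [][]byte // DER; leaf first for a PrivateKeyEntry
}

// JKSDigest is the keystore integrity check: SHA-1 over the password as
// UTF-16BE, the fixed string "Mighty Aphrodite", then the keystore body.
func JKSDigest(password string, body []byte) []byte {
	h := sha1.New()
	for _, u := range utf16.Encode([]rune(password)) {
		h.Write([]byte{byte(u >> 8), byte(u)})
	}
	h.Write([]byte("Mighty Aphrodite"))
	h.Write(body)
	return h.Sum(nil)
}

// BuildTrustedCertJKS writes a version-2 JKS in which every entry becomes a trustedCertEntry
// holding Certs[0]. It writes no private keys: a test fixture, not the plugin's encoder.
func BuildTrustedCertJKS(password string, entries []JKSEntry) []byte {
	var b bytes.Buffer // writes to a bytes.Buffer cannot fail
	put := func(v interface{}) { binary.Write(&b, binary.BigEndian, v) }
	utf := func(s string) { put(uint16(len(s))); b.WriteString(s) } // writeUTF, ASCII only
	put(uint32(0xFEEDFEED)) // magic
	put(uint32(2))          // format version
	put(uint32(len(entries)))
	for _, e := range entries {
		put(uint32(2)) // entry tag: 2 = trustedCertEntry, 1 = PrivateKeyEntry
		utf(e.Alias)
		put(uint64(0)) // creation time, ms since the epoch; zero for a fixture
		utf("X.509")
		put(uint32(len(e.Certs[0])))
		b.Write(e.Certs[0])
	}
	b.Write(JKSDigest(password, b.Bytes())) // the digest covers everything above
	return b.Bytes()
}

// ParseJKS verifies the integrity digest with password and lists the entries of a version-2
// JKS. The password authenticates the store and protects key entries; certificates are not encrypted.
func ParseJKS(data []byte, password string) (entries []JKSEntry, err error) {
	n := len(data) - sha1.Size
	if n < 12 || subtle.ConstantTimeCompare(JKSDigest(password, data[:n]), data[n:]) != 1 {
		return nil, fmt.Errorf("jks: truncated keystore, wrong password, or tampered keystore")
	}
	defer func() { // short reads and oversized length fields panic below
		if p := recover(); p != nil {
			entries, err = nil, fmt.Errorf("jks: %v", p)
		}
	}()
	r := bytes.NewBuffer(data[:n])
	read := func(v interface{}) { if e := binary.Read(r, binary.BigEndian, v); e != nil { panic(e) } }
	u32 := func() (v uint32) { read(&v); return }
	take := func(n uint32) []byte { // length-prefixed blob, bounds-checked first
		if uint64(n) > uint64(r.Len()) {
			panic("length field exceeds remaining data")
		}
		return r.Next(int(n))
	}
	utf := func() string { var n uint16; read(&n); return string(take(uint32(n))) }
	if magic, version := u32(), u32(); magic != 0xFEEDFEED || version != 2 {
		return nil, fmt.Errorf("jks: magic 0x%08X version %d: not a version-2 JKS (PKCS#12 starts with 0x30)", magic, version)
	}
	for count := u32(); count > 0; count-- {
		tag := u32()
		e, chain := JKSEntry{Alias: utf()}, uint32(1)
		take(8) // creation time, ms since the epoch
		switch tag {
		case 1:
			e.Type = "PrivateKeyEntry"
			take(u32()) // encrypted PKCS#8 blob, left opaque
			chain = u32()
		case 2:
			e.Type = "trustedCertEntry"
		default:
			return nil, fmt.Errorf("jks: unknown entry tag %d", tag)
		}
		for ; chain > 0; chain-- {
			utf() // certificate type string, "X.509"
			e.Certs = append(e.Certs, take(u32()))
		}
		entries = append(entries, e)
	}
	return entries, nil
}

func main() { // constructed sample: a placeholder DER blob stands in for an issuing CA
	ks := BuildTrustedCertJKS("changeit", []JKSEntry{{Alias: "vault-ca", Certs: [][]byte{{0x30, 0x03, 0x02, 0x01, 0x01}}}})
	fmt.Println(ParseJKS(ks, "changeit"))
	fmt.Println(ParseJKS(ks, "wrong-password"))
}
```

ParseJKS can be pointed at the keystore bytes this backend returns for a jks-format issue request (EncodePEMToJKS returns a string, so expect to decode it first, most likely from base64, though the README does not say). A digest mismatch means either the wrong password or a modified keystore; private key entries are listed but their encrypted blobs are left opaque, which is the honest limit of inspecting JKS without a JVM. Note that the trusted certificate entries were readable before the password was ever needed.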

Installation

Ensure Go is installed on your system, then retrieve the source:

$> go get github.com/tinyzimmer/vault-plugin-java-pki

First configure a plugin_directory in the Vault server configuration:

# config.hcl

plugin_directory = "/tmp/vault-plugins"

Once vault is started with the above configuration, you can build and register the plugin. If you use the Makefile, make sure the requirements listed under Local Testing and Development are installed. The Makefile is not required; you can run the steps in its build target manually with any other arguments you need.

If you are running vault on Linux:

$> cd "$GOPATH/src/github.com/tinyzimmer/vault-plugin-java-pki"
$> make build_plugin
$> cp bin/vault-plugin-java-pki /tmp/vault-plugins/
$> SHASUM=$(shasum -a 256 /tmp/vault-plugins/vault-plugin-java-pki | cut -d ' ' -f1)
$> vault write sys/plugins/catalog/java-pki \
    sha_256="${SHASUM}" \
    command=vault-plugin-java-pki

If you are running vault on macOS or Windows, compile the plugin for that platform instead; the Makefile assumes a Linux build. Vault checks the binary against the registered sha_256 each time the plugin is loaded, so after any rebuild recompute the hash and repeat the catalog write before re-enabling the mount.

Finally enable the plugin with:

$> vault secrets enable -path=pki_java java-pki

Local Testing and Development

Requirements
  • jq
  • keytool
  • go
  • docker-compose
Usage

The helper scripts in the Makefile and test_vault automate compiling the plugin, loading it into vault, and initializing a PKI against a local vault server running in docker.

To only start the vault server:

$> make test_vault

To compile the plugin, load it into vault, and test a full PKI chain:

$> make testacc

Documentation

Constants

const SecretCertsType = "pki"

SecretCertsType is the name used to identify this type

Variables

This section is empty.

Functions

func Backend

func Backend(conf *logical.BackendConfig) *backend

Backend returns a new Backend framework struct

func EncodePEMToJKS

func EncodePEMToJKS(pb *certutil.ParsedCertBundle, cb *certutil.CertBundle, passw string) (string, error)

func EncodeToPFX

func EncodeToPFX(pb *certutil.ParsedCertBundle, passw string) (string, error)

func Factory

func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error)

Factory creates a new backend implementing the logical.Backend interface

Types

This section is empty.

Directories

Path Synopsis
cmd
