
ejbca-vault-pki-engine's Introduction

EJBCA Vault PKI Secrets Engine

EJBCA PKI Engine and Backend for HashiCorp Vault. Used to issue, sign, and revoke certificates using the EJBCA CA via HashiCorp Vault.

Integration status: Production - Ready for use in production environments.

About the Keyfactor API Client

This API client allows for programmatic management of Keyfactor resources.

Support for EJBCA Vault PKI Secrets Engine

EJBCA Vault PKI Secrets Engine is open source and supported on a best-effort level for this tool/library/client. This means customers can report bugs, feature requests, documentation amendments, or questions, as well as requests for customer information required for setup that needs Keyfactor access to obtain. Such requests do not follow normal SLA commitments for response or resolution. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com/

To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.



EJBCA PKI Secrets Engine for HashiCorp Vault


The EJBCA PKI Secrets Engine for HashiCorp Vault enables DevOps teams to request and retrieve certificates from EJBCA using HashiCorp Vault, while security teams retain control over backend PKI operations.

The secrets engine is built on top of the EJBCA REST API and uses the EJBCA Go Client SDK for programmatic access. The EJBCA PKI Secrets Engine is a Vault plugin that replicates the built-in Vault PKI secrets engine, but processes requests through EJBCA instead of through Vault. The plugin was designed to be swapped for the built-in Vault PKI secrets engine with minimal changes to existing Vault configurations.

Get Started

To get started with EJBCA PKI Secrets Engine for HashiCorp Vault, see Getting Started.

System Requirements

To run the EJBCA PKI Secrets Engine for HashiCorp Vault, the EJBCA REST API needs to be set up with certain endpoints. There are also requirements on certain versions of Git, Golang, EJBCA, and HashiCorp Vault.

See the complete list in System Requirements.

Community Support

In the Keyfactor Community, we welcome contributions.

The Community software is open-source and community-supported, meaning that no SLA is applicable.

Commercial Support

Commercial support is available for EJBCA Enterprise.

License

For License information, see LICENSE.

Related Projects

See all Keyfactor EJBCA GitHub projects.

ejbca-vault-pki-engine's People

Contributors

fiddlermikey, m8rmclaren

ejbca-vault-pki-engine's Issues

ejbca-pki/revoke endpoint ignores private key

The revoke endpoint for EJBCA will merrily revoke any cert for which you have the Serial Number. Vault 'PKI', on the other hand, requires the private key to be presented to revoke.

We consider this desired functionality: without accepting and validating the private key it would allow anyone with access to the endpoint and knowledge of a cert's serial number to revoke that cert. This is a problem as we expose multiple roles to generate certs and expect that we can only revoke for certificates in our possession.
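The check the issue asks for, proof of possession of the private key before a revocation is accepted, can be implemented independently of any CA backend. The following is an added example written for this page, not code from the ejbca-vault-pki-engine project or from Vault: `AuthorizeRevocation` and `BuildDemoMaterial` are hypothetical names, the certificate and keys are constructed in memory, and the serial-only path is simply not offered. The guard compares the public key recovered from the presented private key with the public key in the certificate, so knowing a serial number is not enough to revoke.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuthorizeRevocation is a hypothetical guard (not the plugin's code) for a
// revoke-with-key style path: it returns the certificate's serial number only
// when the presented private key matches the certificate's public key.
func AuthorizeRevocation(certPEM, keyPEM []byte) (string, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return "", errors.New("certificate: expected a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return "", fmt.Errorf("certificate: %w", err)
	}
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || kb.Type != "PRIVATE KEY" {
		return "", errors.New("private key: expected a PEM PRIVATE KEY (PKCS#8) block")
	}
	key, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if err != nil {
		return "", fmt.Errorf("private key: %w", err)
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return "", errors.New("private key: unsupported key type")
	}
	// RSA, ECDSA and Ed25519 public keys all implement Equal, which compares
	// the key material, so a key belonging to another certificate fails here.
	pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return "", errors.New("private key: public key type cannot be compared")
	}
	if !pub.Equal(cert.PublicKey) {
		return "", errors.New("private key does not match the certificate; refusing to revoke")
	}
	return cert.SerialNumber.Text(16), nil
}

// DemoMaterial holds constructed test data: a self-signed certificate, its
// key, and an unrelated key that must be refused.
type DemoMaterial struct {
	CertPEM, KeyPEM, OtherKeyPEM []byte
}

// BuildDemoMaterial generates the constructed material in memory.
func BuildDemoMaterial() DemoMaterial {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1234),
		Subject:      pkix.Name{CommonName: "client-auth.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return DemoMaterial{
		CertPEM:     pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:      mustPKCS8(key),
		OtherKeyPEM: mustPKCS8(other),
	}
}

func mustPKCS8(key crypto.PrivateKey) []byte {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	m := BuildDemoMaterial()
	serial, err := AuthorizeRevocation(m.CertPEM, m.KeyPEM)
	fmt.Println("matching key:", serial, err)
	_, err = AuthorizeRevocation(m.CertPEM, m.OtherKeyPEM)
	fmt.Println("unrelated key:", err)
}
```

The guard deliberately never looks at a caller-supplied serial number; the serial it returns is read from the certificate whose key was just proven, so the only way to revoke a certificate is to hold both the certificate and its key.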

Add role option for how username is created in EJBCA

Currently the plugin generates a random username in EJBCA. This should be configurable to assert the CN value as the username, so that, if the CA has Enforce Unique DN enabled, the same certificate can be requested for renewal and would be done against the entity in EJBCA with that same username matching the CN.

One cannot renew a certificate with this plugin unless Enforce Unique DN is disabled on the CA.

Post Quantum Readiness

Creating an issue to begin discussing post-quantum (PQ) readiness for the EJBCA Vault PKI Engine.

Path `issue` requires CN in `data` regardless of `require_cn` in role

Log from @svenska-primekey

2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: panic: interface conversion: interface {} is nil, not string
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: goroutine 128 [running]:
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*issueSignHelper).getSubject(_)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/certs_util.go:504 +0x268
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*issueSignHelper).CreateCsr(0xc000409b30)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/certs_util.go:626 +0x58
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*issueSignResponseBuilder).IssueCertificate(0xc00024f6a8)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/certs_util.go:115 +0x33
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*ejbcaBackend).pathIssue(0xc000125590, {0xce3730?, 0xc0004094d0}, 0xc0005d8380, 0xc000116c10)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/path_issue_sign.go:412 +0x1cc
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc0003b8000, {0xce3730, 0xc0004094d0}, 0xc0005d8380)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/github.com/hashicorp/vault/[email protected]/framework/backend.go:300 +0xa88
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/hashicorp/vault/sdk/plugin.(*backendGRPCPluginServer).HandleRequest(0xb654c0?, {0xce3730, 0xc0004094d0}, 0xc00043a580)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/github.com/hashicorp/vault/[email protected]/plugin/grpc_backend_server.go:145 +0x16e
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/hashicorp/vault/sdk/plugin/pb._Backend_HandleRequest_Handler({0xb990c0?, 0xc000280cd0}, {0xce3730, 0xc0004094d0}, 0xc000135ce0, 0x0)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/github.com/hashicorp/vault/[email protected]/plugin/pb/backend_grpc.pb.go:227 +0x169
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: google.golang.org/grpc.(*Server).processUnaryRPC(0xc0002696c0, {0xce7540, 0xc00047c000}, 0xc00043c240, 0xc00031f770, 0x11a3780, 0x0)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/[email protected]/server.go:1279 +0xcd5
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: google.golang.org/grpc.(*Server).handleStream(0xc0002696c0, {0xce7540, 0xc00047c000}, 0xc00043c240, 0x0)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/[email protected]/server.go:1608 +0x9e7
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: google.golang.org/grpc.(*Server).serveStreams.func1.2()
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/[email protected]/server.go:923 +0x8d
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: created by google.golang.org/grpc.(*Server).serveStreams.func1 in goroutine 52
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/[email protected]/server.go:921 +0x246
2023-08-31T20:00:09.804Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-31T20:00:09.804Z [ERROR] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine: plugin process exited: path=/usr/local/libexec/vault/ejbca-vault-pki-engine pid=27422 error="exit status 2"
2023-08-31T20:00:32.000Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39: plugin: reloading plugin backend: plugin=ejbca-vault-pki-engine
2023-08-31T20:00:32.000Z [DEBUG] core.ejbca-vault-pki-engine: reload external plugin process

Encountered when using the following path:

Error writing data to ejbca100/issue/client-auth-5d: Error making API request.

URL: PUT https://api.vault/v1/ejbca100/issue/client-auth-5d
Code: 500. Errors:

* 1 error occurred:
    * rpc error: code = Unavailable desc = error reading from server: EOF

[SECURITY] Do not advertise as a drop in replacement for the PKI secrets engine

First of all, thank you for creating this plugin for Hashicorp Vault, it is highly useful.
I'm also happy to see that there is ongoing development.

To quote the README:
The EJBCA PKI Secrets Engine is a Vault plugin that replicates the built-in Vault PKI secrets engine, but processes requests through EJBCA instead of through Vault. The plugin was designed to be swapped for the built-in Vault PKI secrets engine with minimal changes to existing Vault configurations.
This implies to me that the core functionality of the existing vault PKI engine is implemented in this plugin.
I was surprised when I read the code and found out that name validation is not performed, even if allowed_domains is set on a Vault role.
Which vault role options that are actually used should be advertised up front. My opinion is that the API should not accept options that are ignored at all.
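Two of the issues above describe the same class of defect: the `issue` path panics with `interface conversion: interface {} is nil, not string` when `common_name` is absent, and `allowed_domains` on a role is accepted but never enforced. The following is an added example written for this page, not the plugin's or Vault's code; `RoleOptions`, `IssueRequest`, `ParseIssueRequest` and `ValidateNames` are hypothetical names, and the matching is a deliberately simplified model of the built-in PKI engine's `allowed_domains`, `allow_subdomains` and `allow_bare_domains` options (no wildcard, glob, `allow_any_name`, IP or e-mail SAN handling). It shows the comma-ok assertion that turns a missing field into an error instead of a crash, and a name check that refuses any CN or SAN outside the role's domains.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RoleOptions is the hypothetical subset of Vault PKI role options enforced
// here; field names mirror the role parameters they stand for.
type RoleOptions struct {
	RequireCN        bool     // require_cn
	AllowedDomains   []string // allowed_domains
	AllowSubdomains  bool     // allow_subdomains
	AllowBareDomains bool     // allow_bare_domains
}

// IssueRequest holds the subject names extracted from an issue/sign request.
type IssueRequest struct {
	CommonName string
	DNSNames   []string
}

// ParseIssueRequest reads common_name and alt_names from the loosely typed
// map a Vault path handler receives. A nil or missing common_name is handled
// with a comma-ok assertion, so it becomes an error rather than a panic.
func ParseIssueRequest(data map[string]interface{}, role RoleOptions) (IssueRequest, error) {
	var req IssueRequest
	if raw, present := data["common_name"]; present && raw != nil {
		cn, ok := raw.(string)
		if !ok {
			return req, fmt.Errorf("common_name: expected string, got %T", raw)
		}
		req.CommonName = strings.TrimSpace(cn)
	}
	if req.CommonName == "" && role.RequireCN {
		return req, errors.New("the common_name field is required by this role")
	}
	// alt_names is a comma-separated string in the Vault PKI API.
	if raw, present := data["alt_names"]; present && raw != nil {
		s, ok := raw.(string)
		if !ok {
			return req, fmt.Errorf("alt_names: expected string, got %T", raw)
		}
		for _, n := range strings.Split(s, ",") {
			if n = strings.TrimSpace(n); n != "" {
				req.DNSNames = append(req.DNSNames, n)
			}
		}
	}
	return req, nil
}

// nameAllowed applies the simplified allowed_domains rule: an exact match is
// permitted only with allow_bare_domains, a strict subdomain only with
// allow_subdomains, and an empty allowed_domains list permits nothing.
func nameAllowed(name string, role RoleOptions) bool {
	name = strings.ToLower(name)
	for _, d := range role.AllowedDomains {
		d = strings.ToLower(strings.TrimSpace(d))
		if d == "" {
			continue
		}
		if role.AllowBareDomains && name == d {
			return true
		}
		if role.AllowSubdomains && strings.HasSuffix(name, "."+d) && len(name) > len(d)+1 {
			return true
		}
	}
	return false
}

// ValidateNames rejects the request if the CN or any DNS SAN falls outside
// the role's allowed domains, naming the first offending entry.
func ValidateNames(req IssueRequest, role RoleOptions) error {
	names := append([]string{}, req.DNSNames...)
	if req.CommonName != "" {
		names = append([]string{req.CommonName}, names...)
	}
	for _, n := range names {
		if !nameAllowed(n, role) {
			return fmt.Errorf("name %q is not permitted by allowed_domains", n)
		}
	}
	return nil
}

func main() {
	role := RoleOptions{RequireCN: true, AllowedDomains: []string{"example.com"}, AllowSubdomains: true}
	// Constructed request with no common_name: the case that panicked in the log above.
	_, err := ParseIssueRequest(map[string]interface{}{}, role)
	fmt.Println("missing CN:", err)
	req, _ := ParseIssueRequest(map[string]interface{}{"common_name": "svc.example.com", "alt_names": "api.example.com, other.test"}, role)
	fmt.Println("name check:", ValidateNames(req, role))
}
```

Running the checks before any CSR is built, and before the CA is contacted, means a role that advertises `allowed_domains` actually constrains what the role can obtain, which is the expectation the issue reporter had from the README's wording.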

Cannot Revoke Ephemeral Certificates

We are using EJBCA in Ephemeral CA mode.

We have enabled Accept Revocations for Non-Existing Entries on the CA in order to be able to revoke ephemeral certificates.

However, when using this plugin, any attempts to revoke Ephemeral Certificates are met with

Error writing data to <EJBCA_MOUNT>/revoke: Error making API request.

URL: PUT https://<OUR_VAULT_ADDRESS>/v1/<EJBCA_MOUNT>/revoke
Code: 403. Errors:

* 1 error occurred:
	* permission denied

I have also tried

  • using /revoke-with-key and supplying the private key too
  • using the serial_number param instead of the certificate param
