Requesting a Certificate from HashiCorp Vault CA using Bash Script


In today’s rapidly evolving IT landscape, securing communication channels is paramount. One effective way to achieve this is through the use of certificates. HashiCorp Vault, a powerful tool for secrets management, offers a Certificate Authority (CA) feature that can be leveraged to issue certificates. In this article, we’ll explore how to automate the process of requesting a certificate from HashiCorp Vault CA using a Bash script.

Prerequisites

Before diving into the script, ensure you have the following prerequisites in place:

  1. HashiCorp Vault: Installed and configured. You can follow the official installation guide if you haven’t set it up yet.
  2. Vault CLI: Installed on your local machine. This is necessary to interact with Vault from the command line.
  3. Access to Vault: Ensure you have the necessary permissions to access the PKI secrets engine and request certificates.
  4. Bash: A Unix shell and command language, typically available on most Unix-like operating systems.

Setting Up the PKI Secrets Engine

Before you can request a certificate, you need to set up the PKI secrets engine in Vault. Here’s a quick setup guide:

  1. Enable the PKI secrets engine:

    vault secrets enable pki
    
  2. Configure a root certificate:

    vault write pki/root/generate/internal \
        common_name="example.com" \
        ttl=8760h
    
  3. Configure a role:

    vault write pki/roles/example-dot-com \
        allowed_domains="example.com" \
        allow_subdomains=true \
        max_ttl="72h"
    

Bash Script for Requesting a Certificate

Below is a Bash script that automates the process of requesting a certificate from Vault:

#!/usr/bin/env bash
# Abort on the first failing command, unset variable, or failed pipeline stage
set -euo pipefail

# Variables
VAULT_ADDR="http://127.0.0.1:8200"
VAULT_TOKEN="your-vault-token"   # placeholder: never commit a real token to the script
ROLE_NAME="example-dot-com"
COMMON_NAME="myapp.example.com"

# Export Vault address and token so the CLI picks them up
export VAULT_ADDR
export VAULT_TOKEN

# Request a certificate (set -e stops the script if Vault rejects the request)
response=$(vault write -format=json "pki/issue/${ROLE_NAME}" \
    common_name="${COMMON_NAME}" \
    ttl="24h")

# Extract certificate and key; jq -e makes the step fail if a field is missing or null
certificate=$(jq -er .data.certificate <<< "$response")
private_key=$(jq -er .data.private_key <<< "$response")
issuing_ca=$(jq -er .data.issuing_ca <<< "$response")

# Save the certificate and key to files; the private key is created owner-readable only
echo "$certificate" > myapp.crt
(umask 077; echo "$private_key" > myapp.key)
echo "$issuing_ca" > ca.crt

echo "Certificate and key have been saved to myapp.crt and myapp.key"

Explanation

  • Variables: Set the Vault address, token, role name, and common name for the certificate.
  • Export Environment Variables: The script exports the Vault address and token to authenticate requests.
  • Request Certificate: The vault write command requests a certificate from the specified role. The response is formatted as JSON.
  • Extract and Save: The script uses jq to parse the JSON response and extract the certificate, private key, and issuing CA. These are saved to respective files.
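The same request made against the HTTP endpoint that `vault write pki/issue/<role>` wraps, adding the checks the script leaves out: a validated response, a private key file created with 0600 permissions, and the expiry Vault returns. This is an added example, not code from the article; the function names and SAMPLE_RESPONSE are constructed, and the live call assumes the caller supplies the Vault address and a token.

```python
# Added example (not from the article): call the HTTP endpoint behind
# "vault write pki/issue/<role>", validate the response and store the bundle safely.
import json
import os
import time
import urllib.request

def issue_certificate(vault_addr, token, role, common_name, ttl="24h"):
    """POST /v1/pki/issue/<role> and return the parsed 'data' object."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/pki/issue/{role}",
        data=json.dumps({"common_name": common_name, "ttl": ttl}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return parse_issue_response(resp.read())

def parse_issue_response(body):
    """Check that the fields the article's script extracts are really present."""
    data = json.loads(body)["data"]
    for field in ("certificate", "private_key", "issuing_ca", "expiration"):
        if field not in data:
            raise ValueError(f"Vault response missing '{field}'")
    if not data["certificate"].startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("certificate field is not PEM")
    return data

def save_bundle(data, out_dir, name="myapp"):
    """Write cert and CA readable; create the key owner-only (umask can only tighten)."""
    paths = {}
    for field, fname, mode in (("certificate", f"{name}.crt", 0o644),
                               ("issuing_ca", "ca.crt", 0o644),
                               ("private_key", f"{name}.key", 0o600)):
        path = os.path.join(out_dir, fname)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(data[field].rstrip("\n") + "\n")
        paths[field] = path
    return paths

def seconds_until_expiry(data, now=None):
    """'expiration' is a Unix timestamp; a negative result means already expired."""
    return int(data["expiration"]) - int(time.time() if now is None else now)

# Constructed stand-in for a pki/issue response (PEM bodies abbreviated).
SAMPLE_RESPONSE = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "serial_number": "0a:1b:2c", "expiration": 1700086400}}).encode()
```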

Conclusion

Automating certificate requests with a Bash script simplifies the process and integrates seamlessly into CI/CD pipelines, enhancing security and efficiency. By leveraging HashiCorp Vault’s PKI secrets engine, you can ensure secure communication across your infrastructure.

For further reading and resources, consider the following:

By following this guide, you can streamline your certificate management process, ensuring your applications remain secure and compliant with industry standards.