Commonly manage certificates in both Venafi and Vault.
Vault-Venafi is a CLI tool (vv) that helps manage keys and certificates, also known as machine identities, located in Venafi Trust Protection Platform and HashiCorp Vault. It gives the user a single, convenient interface to manage two separate systems with a few commands.
When creating machine identities in Venafi TPP and copying them to Vault, the KV Secrets Engine is used, because the Vault PKI Secrets Engine does not allow certificates to be imported from external sources.
On the other hand, certificates created in Vault use the PKI Secrets Engine and are then copied to TPP. The Vault KV Secrets Engine is also used in this case to store additional metadata.
go build -o vv
go test ./...
Configuration is read at runtime from the .vault-venafi.conf file in the calling user's home directory. Use the appropriate configuration file for your setup.
Example configuration for Venafi Cloud (connector_type: cloud):

apikey: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
zone: zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz
connector_type: cloud
vault_token: token
vault_base_url: http://127.0.0.1:8200
vault_role: vault
vault_kv_path: secret/kv/path
vault_pki_path: secret/pki/path
log_level: status

Example configuration for Venafi TPP (connector_type: tpp):

vcert_username: tppadmin
vcert_password: topsecret
vcert_zone: \Certificates
vcert_base_url: https://yourvenafiinstall.com/vedsdk/
connector_type: tpp
vault_token: token
vault_base_url: http://127.0.0.1:8200
vault_role: vault
vault_kv_path: secret/kv/path
vault_pki_path: secret/pki/path
log_level: status
- vault_kv_path: Path used to manage certificates when using the Vault KV Secrets Engine. When using the Vault PKI Secrets Engine, this path is also used to store additional metadata for certificates. This is required for managing certificates between TPP and Vault PKI: Vault PKI stores certificates under a random serial number while TPP stores a human-friendly name, so a map in Vault KV records the mapping of the human-friendly name to the serial number.
- vault_role: Role used when creating certificates with the Vault PKI Secrets Engine.
Adding the -h or -help flag to a command reveals the help associated with that command, e.g.:
Usage:
vv [command]
Available commands:
create Generate a certificate and upload to Venafi
revoke Revoke a credential
list List certificates in each system
login Login to Vault with token, userpass or cert auth
Commands:
- login
- create
- revoke
- list

login:
- Authenticates to Vault and retrieves an access token.
- TPP authentication happens with each command.
userpass auth:
vv login -method "userpass" -username "foo" -password "bar"
cert auth:
export VAULT_CLIENT_CERT=server.crt
export VAULT_CLIENT_KEY=server.key
vv login -method "cert" -certificate "foo"
Normally the access token is printed to stdout, but it can be saved to the config file by passing the -save flag.
vv login -method "userpass" -username "foo" -password "bar" -save
create:
Create a certificate in Venafi and upload it to Vault using the KV Secrets Engine.
vv create -cn "test.local" -name "test-local"
Create a certificate in Vault using the PKI Secrets Engine and upload it to Venafi (uses the -vault flag).
vv create -cn "test.local" -name "test-local" -vault
list:
Lists certificates in Venafi and the Vault KV Secrets Engine.
vv list
In this mode the thumbprint reported by Venafi is used directly. On the Vault side the tool lists the credentials, then pulls each one and computes its thumbprint, because Vault does not provide a thumbprint.
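The two pieces of bookkeeping described above (the name-to-serial map kept in Vault KV, and computing a thumbprint for certificates pulled from Vault because Vault does not report one) are shown here in a standalone Go example. This is added illustration, not code from the vv project: the SHA-1 thumbprint algorithm, the colon-separated serial format used by Vault PKI, and the KV record field names (name, serial, thumbprint) are assumptions, and the certificate is constructed in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parseCert decodes the first CERTIFICATE block of a PEM payload, as pulled
// from a Vault KV secret or returned by Venafi.
func parseCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM data")
	}
	return x509.ParseCertificate(block.Bytes)
}

// Thumbprint computes the SHA-1 fingerprint of the DER certificate and returns
// it as uppercase hex (assumed to be the form Venafi reports) so that entries
// from both systems can be compared by the same key.
func Thumbprint(pemData []byte) (string, error) {
	cert, err := parseCert(pemData)
	if err != nil {
		return "", err
	}
	sum := sha1.Sum(cert.Raw)
	return strings.ToUpper(hex.EncodeToString(sum[:])), nil
}

// VaultSerial renders a serial number as colon-separated lowercase hex bytes,
// the display form Vault PKI uses (assumption).
func VaultSerial(serial *big.Int) string {
	b := serial.Bytes()
	parts := make([]string, len(b))
	for i, x := range b {
		parts[i] = fmt.Sprintf("%02x", x)
	}
	return strings.Join(parts, ":")
}

// KVEntry builds the record kept in Vault KV (field names assumed) that maps the
// TPP-style friendly name to the Vault PKI serial, plus the computed thumbprint.
func KVEntry(name string, pemData []byte) (map[string]string, error) {
	cert, err := parseCert(pemData)
	if err != nil {
		return nil, err
	}
	sum := sha1.Sum(cert.Raw)
	return map[string]string{
		"name":       name,
		"serial":     VaultSerial(cert.SerialNumber),
		"thumbprint": strings.ToUpper(hex.EncodeToString(sum[:])),
	}, nil
}

// NewDemoCert creates a constructed self-signed certificate with a fixed serial
// so the example runs offline; in vv the PEM would come from Vault or Venafi.
func NewDemoCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x0a1b2c3d),
		Subject:      pkix.Name{CommonName: "test.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemData, err := NewDemoCert()
	if err != nil {
		panic(err)
	}
	entry, err := KVEntry("test-local", pemData)
	if err != nil {
		panic(err)
	}
	fmt.Println(entry)
}
```

The serial string is what a `vv list -vault` style lookup would need to address the certificate in Vault PKI, while the thumbprint is the key used to match it against the Venafi inventory.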
Lists certificates in Venafi and the Vault PKI Secrets Engine.
vv list -vault
revoke:
vv revoke -name "test-local"
Revokes a certificate in Venafi and deletes it in the Vault KV Secrets Engine.
vv revoke -name "test-local" -vault
Revokes a certificate in Venafi and in the Vault PKI Secrets Engine.
Vault-Venafi is maintained and funded by New Context, which provides "security first" automation to mission-critical infrastructure. Founded in 2013, we were doing DevSecOps before it became a buzzword. You can hire us to improve your time-to-market, reduce risk, and boost your security and compliance posture.
We're always looking to hire seasoned engineers, with a mixed background across development, IT infrastructure, automation, and/or security.