SSL/TLS CA
Many applications require certificates to communicate between different instances, or between different nodes in a site. Strongbox provides a service for setting up an SSL/TLS certificate authority for issuing certificates in this fashion. The certificates can be issued manually or set up to be generated automatically when an application is started.
Certificates should have a limited lifetime and need to be renewed at regular intervals; the same is true for the root certificates used by a certificate authority.
Often a CA needs to have multiple root certificates at the same time. Suppose a CA issues server certificates with a lifetime of 90 days. When it is time to renew the root certificate, it must do so at least 90 days before the old certificate expires (since the root certificate needs to be valid for the issued certificate to be valid).
Certificates that are issued 89 days before the old root certificate expires must be signed by the new root certificate. A consequence of this is that all parties that must be able to verify certificates issued by the new root certificate must have received the new root certificate before it is used.
If there is a process that distributes valid root certificates every 45 days, then the new root certificate must be created at least 90+45 days before the old root certificate expires. We call this threshold the renew-threshold. The threshold that controls when a new root certificate should be used for issuing/signing new certificates from the CA is called the activate-threshold below.
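As an added example (not part of the Strongbox documentation or tooling), the following Python derives the two thresholds from the reasoning above and checks a CA configuration against it: activate-threshold must cover the longest lifetime the CA issues, and renew-threshold must leave at least one distribution interval before activation. The duration parser, the 365-day year and all function names are assumptions of this example.

```python
from datetime import date, timedelta

# Duration strings follow the supctl syntax used on this page ("2y", "145d").
# Assumption: "y" is counted as 365 days; only d, w and y are handled.
_DAYS_PER_UNIT = {"d": 1, "w": 7, "y": 365}

def parse_duration(text):
    """Parse '145d' or '2y' into a timedelta."""
    value, unit = int(text[:-1]), text[-1]
    if unit not in _DAYS_PER_UNIT:
        raise ValueError(f"unsupported duration unit in {text!r}")
    return timedelta(days=value * _DAYS_PER_UNIT[unit])

def plan_thresholds(max_issued_ttl, distribution_interval):
    """Activate the new root when the longest issued lifetime remains; create
    it one distribution interval earlier so every verifier already trusts it."""
    activate = parse_duration(max_issued_ttl)
    renew = activate + parse_duration(distribution_interval)
    return {"renew-threshold": renew.days, "activate-threshold": activate.days}

def check_ca(ttl, renew_threshold, activate_threshold, max_issued_ttl,
             distribution_interval="0d"):
    """Return the configuration problems found (an empty list if consistent)."""
    ca_ttl, renew, activate, issued, distribute = map(
        parse_duration,
        (ttl, renew_threshold, activate_threshold, max_issued_ttl,
         distribution_interval))
    problems = []
    if activate < issued:
        problems.append("activate-threshold is shorter than the longest issued "
                        "ttl: certificates signed by the old root could outlive it")
    if renew <= activate:
        problems.append("renew-threshold must be longer than activate-threshold")
    elif renew - activate < distribute:
        problems.append("less than one distribution interval between renew and "
                        "activate: some verifiers may not yet have the new root")
    if renew >= ca_ttl:
        problems.append("renew-threshold is not shorter than the CA ttl")
    return problems

def rotation_dates(not_after, renew_threshold, activate_threshold):
    """Given the root's expiry (ISO date), return the dates by which the
    next root must exist and by which it must be made active."""
    expiry = date.fromisoformat(not_after)
    return {
        "create-by": (expiry - parse_duration(renew_threshold)).isoformat(),
        "activate-by": (expiry - parse_duration(activate_threshold)).isoformat(),
    }
```

Run against the consul-ca settings further down (ttl 2y, renew 145d, activate 90d, issuing 90-day intermediates with a 45-day distribution cycle) check_ca returns no problems; shortening activate-threshold below the issued ttl reports the first problem.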
Create a TLS CA
Set up a new TLS CA called consul-ca. The root certificate will be valid for 2 years and renewed when 145 days remain before it expires. At 90 days remaining the new certificate will be taken into production and no new certificates will be signed by the old root certificate.
supctl create strongbox tls ca <<EOF
name: consul-ca
ttl: 2y
auto-renew:
  renew-threshold: 145d
  activate-threshold: 90d
distribute:
  deployments:
    - consul
EOF
The examples here assume you will use the consul certificates in an application with a deployment named consul. Make sure you update according to your needs.
Show the active CA certificate. This should be distributed to all parties that must be able to validate certificates signed by the consul-ca.
supctl do strongbox tls ca consul-ca get-ca-cert
cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
Setup an intermediate CA
It might be desirable to have an intermediate CA to issue the certificates from. This makes it easier to revoke a class of certificates, and in case the intermediate certificate becomes compromised the damage is localized.
The following sets up an intermediate CA for local use at a given site. The intermediate CA certificate will be issued by the root CA, as indicated by the issuing-ca setting.
supctl create strongbox tls ca <<EOF
name: consul-ca-site-1
issuing-ca: consul-ca
ttl: 90d
auto-renew:
  renew-threshold: 20d
  activate-threshold: 15d
distribute:
  deployments:
    - consul
EOF
Issuing a client certificate
To issue a client certificate for host1 from the intermediate CA:
supctl do strongbox tls ca consul-ca-site-1 issue-cert --input - <<EOF
host: host1
ttl: 10d
cert-type: client
alt-name:
  - type: IPAddress
    value: 192.168.1.1
  - type: DNSName
    value: consul-db
EOF
cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
private-key: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIKYIkv6oljiw9e6yzC/UuJR+2Vdl21eEZyXMpbS0b8HSoAoGCCqGSM49
  AwEHoUQDQgAEaobQ+Pzg6/hDiXQtMJRYU0akV15K9rQ7AQiWNGVldJ3LzNM+Nh0V
  bEpHEFnnjV+YdtxH+FFz6scrqm+AMBRGow==
  -----END EC PRIVATE KEY-----
serial: 91:33:e0:02:68:6a:f3:76:dd:20:5a:8f:71:7a:f2:60:6c:d4
created: 2022-02-22T14:05:25.000000Z
expires: 2022-03-04T14:05:25.000000Z
version: 1
ca-cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
The resulting certificate will have typical client certificate extensions. Using openssl to inspect the certificate:
openssl x509 -text -noout -in - <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:33:e0:02:68:6a:f3:76:dd:20:5a:8f:71:7a:f2:60:6c:d4
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: L = Stockholm, C = SE, O = Avassa, OU = distribution
        Validity
            Not Before: Feb 22 11:41:25 2022 GMT
            Not After : Mar  4 14:05:25 2022 GMT
        Subject: CN = host1, L = Stockholm, C = SE, O = Avassa, OU = distribution
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:6a:86:d0:f8:fc:e0:eb:f8:43:89:74:2d:30:94:
                    58:53:46:a4:57:5e:4a:f6:b4:3b:01:08:96:34:65:
                    65:74:9d:cb:cc:d3:3e:36:1d:15:6c:4a:47:10:59:
                    e7:8d:5f:98:76:dc:47:f8:51:73:ea:c7:2b:aa:6f:
                    80:30:14:46:a3
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                DirName:/CN=Avassa/L=Stockholm/C=SE/O=Avassa/OU=distribution
                serial:B5:51:8A:E4:B5:8E:96:34:18:E8:E3:7F:69:73:DD:67:C1:5E
            X509v3 Subject Alternative Name:
                DNS:host1, IP Address:192.168.1.1, DNS:consul-db
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:bc:65:5f:a5:c0:b0:e9:ee:22:47:56:b5:a8:
         9f:8d:13:7f:8d:db:7b:f4:e4:55:b5:6c:f2:b2:65:09:06:ba:
         48:02:20:6e:8c:ce:f4:b0:9d:ff:02:96:e3:db:45:ef:af:52:
         28:18:30:65:95:44:2c:04:58:a9:d9:89:a2:d5:e2:18:b2
Issuing a server certificate
To issue a server certificate for the server consul-1 from the intermediate CA:
supctl do strongbox tls ca consul-ca-site-1 issue-cert --input - <<EOF
host: consul-1
ttl: 10d
cert-type: server
alt-name:
  - type: DNSName
    value: consult-db-server-1
EOF
cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
private-key: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIGNIS6dZwQgCn8KWVvT9U8NyfOIzFHUK7JPP5osLEk3uoAoGCCqGSM49
  AwEHoUQDQgAEMKvjRQhgkM3lh/uGiczBDmP/ATyeUg334ldQkGnD5DXP3IhE8pI8
  fKSASXLMohL7EDUdQBkw7LKP6KqCyTA+IA==
  -----END EC PRIVATE KEY-----
serial: f2:b9:03:e3:37:31:25:3a:77:aa:36:fd:82:21:b0:81:e5:ec
created: 2022-02-22T14:09:28.000000Z
expires: 2022-03-04T14:09:28.000000Z
version: 1
ca-cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
Inspecting the server certificate using openssl gives:
openssl x509 -text -noout -in - <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f2:b9:03:e3:37:31:25:3a:77:aa:36:fd:82:21:b0:81:e5:ec
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: L = Stockholm, C = SE, O = Avassa, OU = distribution
        Validity
            Not Before: Feb 22 11:45:28 2022 GMT
            Not After : Mar  4 14:09:28 2022 GMT
        Subject: CN = consul-1, L = Stockholm, C = SE, O = Avassa, OU = distribution
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:30:ab:e3:45:08:60:90:cd:e5:87:fb:86:89:cc:
                    c1:0e:63:ff:01:3c:9e:52:0d:f7:e2:57:50:90:69:
                    c3:e4:35:cf:dc:88:44:f2:92:3c:7c:a4:80:49:72:
                    cc:a2:12:fb:10:35:1d:40:19:30:ec:b2:8f:e8:aa:
                    82:c9:30:3e:20
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                DirName:/CN=Avassa/L=Stockholm/C=SE/O=Avassa/OU=distribution
                serial:B5:51:8A:E4:B5:8E:96:34:18:E8:E3:7F:69:73:DD:67:C1:5E
            X509v3 Subject Alternative Name:
                DNS:consul-1, DNS:consult-db-server-1
            X509v3 Key Usage:
                Digital Signature, Key Agreement
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:1c:d2:5b:b3:34:dc:fc:09:b4:95:7b:92:c9:e3:
         59:00:36:65:54:0f:1e:83:bf:bb:03:4d:ca:32:a4:7a:3a:af:
         02:21:00:a0:b5:f3:f5:aa:0e:c7:e4:11:e1:c0:12:33:f9:14:
         e7:61:f6:04:37:36:95:5d:c9:65:63:4b:fc:27:9b:a1:3e
Manually rotating the CA certificate
If a CA has been configured to perform auto-renew it will rotate when the threshold is reached. It is also possible to force a certificate renewal using the rotate-ca action.
supctl do strongbox tls ca consul-ca-site-1 rotate-ca
ca-cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
expires: 2022-03-24T14:12:53.000000Z
version: 2
The CA will now have two root certificates: version 1 and version 2.
supctl show strongbox tls ca consul-ca-site-1
name: consul-ca-site-1
ttl: 30d
cert-key-type: ecdsa
cert-key-curve: secp256r1
digest: sha256
auto-renew:
  renew-threshold: 20d
  activate-threshold: 15d
ca-cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
expires: 2022-03-24T14:12:53.000000Z
revocations: []
distribute:
  to: inherit
distribution-status:
  to: none
version: 2
active-version: 1
oldest-version: 1
latest-version: 2
versions:
  - version: 1
    ca-cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    expires: 2022-03-24T13:45:38.000000Z
    revocations: []
  - version: 2
    ca-cert: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    expires: 2022-03-24T14:12:53.000000Z
    revocations: []
To activate the new version:
supctl merge strongbox tls ca consul-ca-site-1 <<EOF
active-version: 2
EOF
New certificates issued by the CA will be signed using the version 2 root certificate.
Request certificates in vault secrets
Configure a vault secret to contain a certificate issued by a CA.
supctl create strongbox vaults <<EOF
name: consul
distribute:
  deployments:
    - consul
EOF
supctl create strongbox vaults consul secrets <<EOF
name: cert-host-1
auto-cert:
  issuing-ca: consul-ca-site-1
  refresh-threshold: 10d
  ttl: 15d
  host: site-1
  cert-type: server
  alt-name:
    - type: DNSName
      value: consul-api
EOF
supctl show strongbox vaults consul secrets cert-host-1
name: cert-host-1
auto-cert:
  issuing-ca: consul-ca-site-1
  refresh-threshold: 10d
  ttl: 15d
  truncate-ttl: false
  host: site-1
  cert-type: server
  alt-name:
    - type: DNSName
      value: consul-api
cert:
  cert.pem: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  cert.key: |
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEINF5JXUoJK012vyWs+jXLf2Xy83xJnDO3reI9hYdjDzaoAoGCCqGSM49
    AwEHoUQDQgAE9Jsx0jktOdbOJy+o2hq7QuDG1IIWzQjrC5VeTuux2iS6/YVMQk3p
    vwvIrx79to/2JdGcwJcnDYn/NKnnzs628Q==
    -----END EC PRIVATE KEY-----
  ca-cert.pem: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
dict:
  ca-cert.pem: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  cert.key: |
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEINF5JXUoJK012vyWs+jXLf2Xy83xJnDO3reI9hYdjDzaoAoGCCqGSM49
    AwEHoUQDQgAE9Jsx0jktOdbOJy+o2hq7QuDG1IIWzQjrC5VeTuux2iS6/YVMQk3p
    vwvIrx79to/2JdGcwJcnDYn/NKnnzs628Q==
    -----END EC PRIVATE KEY-----
  cert.pem: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
modified-time: 2022-02-22T14:35:44.970795Z
Request certificates in application specifications
The vault secret can then be used in an application specification to automatically create a certificate for the application. Each application instance will get a unique certificate that will be automatically renewed when the refresh-threshold is reached.
The generated certificate will have the application instance IP addresses as SAN (Subject Alternative Name): both the IP address on the internal application network and the ingress IP (if there is one), as well as the DNS name.
Roles
The use of ssh CA roles is to limit which certificates can be issued. This is useful if, for example, a user or application should only be allowed to issue certificates for a certain domain or of a certain type.