Add support for SSL certificate generation
Add support to request SSL certificates from Vault's PKI backend. Certificates can be issued on demand by using a role.
The generated certificate and the issuing CA certificate need to be stored in a Truststore (Keystore) and the private key in a Keystore. Vault should be used as intermediate CA, so the Truststore should contain the Root CA certificate that should be configured along with the certificate request properties.
Config parameters for requesting certificates:
- common-name
- alt-names
- ip-sans
Other required parameters:
- Root certificate
Challenges:
- Public key pinning: Preserve the generated certificate/key pair during its validity period. This is to prevent multiple apps running behind a common endpoint address to use different certificates.
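The request-and-store flow the issue describes, as an added example that is not code from spring-cloud-vault-config (Python rather than the project's Java, since the flow is plain JSON against Vault's `pki/issue/<role>` endpoint). The PEM strings and the response body are constructed placeholders, and the `fetch` callable stands in for the actual HTTP call to Vault:

```python
import json
from dataclasses import dataclass

# Constructed placeholders (not real PEM): the root CA the issue says must be configured, and a stand-in for Vault's pki/issue/<role> response body.
ROOT_CA = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-ROOT\n-----END CERTIFICATE-----"
SAMPLE_RESPONSE = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-LEAF\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-INTERMEDIATE\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----",
    "expiration": 1700000000}})

@dataclass
class CertRequest:
    role: str          # the PKI role the certificate is issued against
    common_name: str   # common-name
    alt_names: tuple = ()  # alt-names
    ip_sans: tuple = ()    # ip-sans
    def to_vault(self):
        # Path and JSON body for POST /v1/<path>; Vault takes SAN lists comma-separated.
        body = {"common_name": self.common_name}
        if self.alt_names:
            body["alt_names"] = ",".join(self.alt_names)
        if self.ip_sans:
            body["ip_sans"] = ",".join(self.ip_sans)
        return f"pki/issue/{self.role}", body

@dataclass
class CertBundle:
    certificate: str
    private_key: str
    issuing_ca: str
    root_ca: str
    expiration: int  # unix seconds, as reported by Vault in the issue response
    def truststore_pem(self):
        # Leaf, issuing (intermediate) CA and the configured root CA go to the Truststore.
        return "\n".join([self.certificate, self.issuing_ca, self.root_ca])
    def keystore_pem(self):
        # Private key together with its certificate goes to the Keystore.
        return "\n".join([self.private_key, self.certificate])

def parse_issue_response(raw, root_ca):
    d = json.loads(raw)["data"]
    return CertBundle(d["certificate"], d["private_key"], d["issuing_ca"], root_ca, int(d["expiration"]))

def obtain_bundle(existing, now, fetch):
    # The pinning challenge: keep the existing pair while it is still valid, fetch only when it is not.
    if existing is not None and now < existing.expiration:
        return existing, False
    return fetch(), True
```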
Issue Analytics
- Created 7 years ago
- Reactions: 5
- Comments: 11 (6 by maintainers)
Top GitHub Comments
Created showcase in mp911de/spring-cloud-vault-config, Branch issue/18-ssl-certificate-generation
For the sake of the argument, what is wrong with having multiple upstreams use multiple certificates as long as they are valid?
If you terminate the TLS connection at the load balancer, the client never sees the upstream cert and the load balancer has at least one connection (thus one handshake) per upstream; I don't see a problem here.
If you don’t terminate the TLS connection, I can see the problem happening if you don’t have sticky connections, if you have sticky connections, clients will be just fine so long as the upstream pool doesn’t change too often.
Is the non-TLS-terminating load balancer without sticky connections a large enough use case that it should prevent other use cases from being met? Also, considering this, the implementation will be much much simpler (start, request certificate, renew, stop[, revoke]).
Maybe I’m missing something obvious here.