
Right now, if I want to use a TLS certificate to authenticate to Vault, I need to have a file with the certificate, and a file with the private key, on my client's filesystem.

On Windows, I'm able to use the OS to store certificates and private keys securely. I know on MacOS there's the Keychain, and I presume Linux has one or more similar systems.

I asked support, and they said there isn't currently a way to do this. Does anyone know of any workarounds or other ways to use an OS-installed cert on Windows?

This is for the vault client, vault.exe, from the vendor. Our use case is for using the vendor-provided EXE in agent mode for autoauth - please don't try to educate me on coding my own solution using the API. If that were my use case, I would just do that, and questions about that would be directed to StackOverflow.

mfinni
  • That's interesting. I've only used Vault at one place, had the certificate installed in the System My/Personal store, with permissions granted to the users/groups that needed to use it. I used a modified VaultSharp with C#. How are you accessing this? – Greg Askew Aug 08 '22 at 20:15
  • The vault client, the EXE, some scenarios using it in agent mode for auto-auth. Sure, if you're using your own code, your stuff can access the OS. – mfinni Aug 08 '22 at 21:35
  • The answer depends on *what* exactly authenticates to Vault: stock `vault.exe` client, your custom code or something else? – ixe013 Aug 09 '22 at 01:01
  • The vault client - I thought I was clear in the title (and also stated so in the comment above) but I'll add some clarifying words to the question. If it were my own code, I'd be posting this question to StackOverflow – mfinni Aug 09 '22 at 15:04

1 Answer


Hashicorp says about the Vault REST API:

All of Vault's capabilities are accessible via the HTTP API in addition to the CLI. In fact, most calls from the CLI actually invoke the HTTP API. In some cases, Vault features are not available via the CLI and can only be accessed via the HTTP API

So, from Windows you could use the PowerShell cmdlet Invoke-RestMethod, which knows how to use locally installed certificates through the option -CertificateThumbprint:

-CertificateThumbprint

Specifies the digital public key certificate (X509) of a user account that has permission to send the request. Enter the certificate thumbprint of the certificate.

Certificates are used in client certificate-based authentication. They can be mapped only to local user accounts; they do not work with domain accounts.

To get a certificate thumbprint, use the Get-Item or Get-ChildItem command in the PowerShell Cert: drive.

J.M. Robles
  • And how, using vault.exe, would I specify this certificate? The -CertificateThumbprint argument is for using PowerShell's Invoke-RestMethod cmdlet, not a valid argument for vault.exe. I think you're running down the wrong path, but I'd love for you to show me I'm wrong. – mfinni Aug 13 '22 at 02:10
  • vault.exe is a command that, as is stated in the Hashicorp documentation, makes use of the REST API interface. The idea is not to use vault.exe but directly the REST API. You can do it with curl if this tool is present or, as I have suggested, with PowerShell. There is no loss of functionality, but on the contrary, you could access the complete API – J.M. Robles Aug 13 '22 at 02:42
  • I didn't ask about vault as a technology. I'm specifically asking about the Vault executable, because I want to use it in agent mode. Not calling into the API directly. I'd already clarified that I'm specifically asking about the Vault executable, so you're not providing me any helpful info at all. – mfinni Aug 14 '22 at 04:26
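The following is an added example of the approach the answer describes (calling Vault's HTTP API from PowerShell with a certificate that stays in the Windows certificate store); it is not code from the answer's author or from HashiCorp, and it does not make vault.exe or its agent mode use the store, which is the question's actual ask. It assumes Vault's TLS certificate auth method is enabled at its default mount path `cert` (login endpoint `/v1/auth/cert/login`); the Vault address, the role name `windows-agents`, the certificate subject and the secret path are placeholders.

```powershell
# Added example: authenticate to Vault's cert auth method with a client
# certificate held in the Windows certificate store. The private key never
# leaves the OS key-storage provider; SChannel uses it during the TLS
# handshake when Invoke-RestMethod is given the certificate thumbprint.
# Placeholders (assumptions, not values from the question or answer):
$VaultAddr = 'https://vault.example.internal:8200'
$CertRole  = 'windows-agents'
$SubjectCn = 'CN=agent-host01'

# Locate the certificate in the current user's Personal (My) store. Require a
# private key and pick the longest-lived match if several are installed.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $SubjectCn -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key for '$SubjectCn' in Cert:\CurrentUser\My"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
}

# Vault cert auth login: POST /v1/auth/cert/login with an optional role name.
# The server side decides whether this certificate is acceptable (trusted CA,
# allowed names, etc.) according to the role's configuration.
$loginUri = "$VaultAddr/v1/auth/cert/login"
$body     = @{ name = $CertRole } | ConvertTo-Json -Compress

$login = Invoke-RestMethod -Method Post -Uri $loginUri `
    -CertificateThumbprint $cert.Thumbprint `
    -ContentType 'application/json' -Body $body

# The issued token, its TTL and attached policies come back under .auth.
$token = $login.auth.client_token
Write-Host "Logged in; token TTL $($login.auth.lease_duration)s, policies: $($login.auth.policies -join ', ')"

# Use the token for a subsequent API call (KV v2 read at a placeholder path).
$secret = Invoke-RestMethod -Method Get `
    -Uri "$VaultAddr/v1/secret/data/app/config" `
    -Headers @{ 'X-Vault-Token' = $token }
$secret.data.data
```

Instead of `-CertificateThumbprint`, `Invoke-RestMethod -Certificate $cert` accepts the X509Certificate2 object returned by `Get-ChildItem Cert:\`, which is handy when you have already filtered the store as above. Either way the token is short-lived and must be renewed (or a fresh login performed) before `lease_duration` elapses; that renewal loop is exactly what vault.exe in agent mode would otherwise handle, so a script like this replaces the agent rather than configuring it.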