
pkiCert like support for other PKI values; CA + Chains and the Private-Key #1567

Closed
voanhduy1512 opened this issue Apr 8, 2022 · 5 comments · Fixed by #1591
@voanhduy1512
Contributor

voanhduy1512 commented Apr 8, 2022

Related to #1259

Consul Template version

I run a dev build version, 59fb4dd, to have the #1559 functionality.

Configuration

key.tmpl

{{ with secret "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.private_key }}
{{ end }}

cert.tmpl

{{ with secret "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.certificate }}
{{ end }}

config.hcl

vault {
  address = "http://127.0.0.1:8200"
  renew_token = false
  ssl {
    enabled = false
  }
}
template {
  source = "key.tmpl"
  destination = "key.pem"
}
template {
  source = "cert.tmpl"
  destination = "cert.pem"
}

Command

consul-template -config config.hcl

Expected behavior

Every time the consul agent reloads, a new certificate and key pair is generated.

Actual behavior

From #1559, it looks like there is a way to generate the cert and cache it, but pkiCert doesn't return the private key, so there is no way to use it.
I tried to add an extra template hoping that pkiCert would cache the cert and stop the secret template from running, but it looks like they are independent of each other.

{{ with pkiCert "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.certificate }}
{{ end }}

So how could I achieve only renewing the cert when it needs to be renewed, and not when consul-template is reloaded?

Thanks.


@eikenb
Contributor

eikenb commented Apr 8, 2022

Hey @voanhduy1512, thanks for taking the time to file an issue.

Handling the Key wasn't in the initial use case. Neither were the CAs. I wasn't sure about other use cases, so I kept it specific.

Could you describe your use case for needing the private key? Are you writing them to the same file or different files? If the same file, are they the only things in that file? Or do they need to fit into a more complex config file?

Problem is the Key must be paired with something, as the key itself stores no data about how long it is valid, so it must rely on a certificate to provide that information, and that must be organized in a way that the pairing is explicit.

Thanks.

@voanhduy1512
Contributor Author

Hi @eikenb,

I have a Vault cluster and try to use it to manage all PKI-related tasks, issuing server certs and keys in this use case. In order to spin up consul servers, nomad servers, or any software that requires a TLS cert and key, I use consul-template to connect to Vault and get the cert and key into their own files. The example in the first post is pretty much how I use it.

From the limited set of software that I use, all of them require the key in one file and the cert in another file.

One caveat is that sometimes I want to bundle the cert with its own issuing CA, so the cert file becomes a cert chain (cert + issuing CA) instead.

@eikenb
Contributor

eikenb commented Apr 26, 2022

I'm going to change the title of this issue to better reflect the request in light of the pkiCert feature.

@eikenb eikenb changed the title All PKI certs and keys are regenerated on reload signal pkiCert like support for other PKI values; CA + Chains and the Private-Key Apr 26, 2022
@eikenb eikenb added this to the v0.30.0 milestone Apr 26, 2022
@eikenb
Contributor

eikenb commented Jun 21, 2022

The forces behind that PKI self-caching support have come to the same conclusion, that the use case they have requires the private key. I've since read more about PKI keys and yeah... the certs are completely useless without the Key.

I.e., sorry for the feature tease. I hadn't used PKI certs before and didn't have time to research it, so I wasn't aware of the issue.

On the up side I have another reason to get out a quick consul-template release, so I'm fixing this now and will be releasing it once ready.

Thanks!

@eikenb
Contributor

eikenb commented Jun 23, 2022

Anyone use the PEMs embedded in another config file?

Go's pem.Decode() only handles line-by-line input, with the PEM starting on its own line and ending on its own line with no leading or trailing characters. I was assuming people would want to embed the PEM certs in other config files and am going to pre-scan for the PEMs, but I'm curious if this is really a use case for anyone.

Thanks!
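As an added illustration of the pem.Decode() limitation described above (this is not consul-template's code or its author's), a pre-scan that pulls PEM blocks out of a config file where they sit inside quoted, indented values, re-flows them, and only then decodes them. The config and the base64 body are constructed placeholders, not real key material.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"regexp"
	"strings"
)

// Matches a PEM block wherever it sits, even with other characters on its armour lines.
// Groups: BEGIN type, base64 body, END type.
var pemBlockRE = regexp.MustCompile(
	`-----BEGIN ([A-Z0-9 ]+)-----([\sA-Za-z0-9+/=]+?)-----END ([A-Z0-9 ]+)-----`)

// FindEmbeddedPEMs pre-scans text for PEM blocks, re-flows each so its BEGIN and END
// lines stand alone, and only then calls pem.Decode, which rejects armour lines that
// carry leading or trailing characters. It returns the decoded block types in order.
func FindEmbeddedPEMs(text string) []string {
	var types []string
	for _, m := range pemBlockRE.FindAllStringSubmatch(text, -1) {
		if m[1] != m[3] {
			continue // mismatched BEGIN/END labels: not a block
		}
		// Drop indentation and line breaks inside the body (base64 ignores them).
		body := strings.Join(strings.Fields(m[2]), "\n")
		standalone := "-----BEGIN " + m[1] + "-----\n" + body + "\n-----END " + m[1] + "-----\n"
		if blk, _ := pem.Decode([]byte(standalone)); blk != nil {
			types = append(types, blk.Type)
		}
	}
	return types
}
// DirectDecodeWorks reports whether pem.Decode alone finds a block in the raw text.
func DirectDecodeWorks(text string) bool {
	blk, _ := pem.Decode([]byte(text))
	return blk != nil
}

// SampleConfig is a constructed HCL-style file with a cert and a key embedded as quoted,
// indented strings. The body is base64 of the word "constructed", not real key material.
func SampleConfig() string {
	const body = "Y29uc3RydWN0ZWQ="
	return "tls {\n  cert = \"-----BEGIN CERTIFICATE-----\n  " + body +
		"\n  -----END CERTIFICATE-----\"\n  key = \"-----BEGIN PRIVATE KEY-----\n  " + body +
		"\n  -----END PRIVATE KEY-----\"\n}\n"
}
func main() {
	cfg := SampleConfig()
	fmt.Println(DirectDecodeWorks(cfg), FindEmbeddedPEMs(cfg)) // false [CERTIFICATE PRIVATE KEY]
}
```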
