
I am having trouble putting what the documentation says into practice. I am trying to authenticate to a vault service using certificates. The documentation says:

Via the API

The endpoint for the login is /login. The client simply connects with their TLS certificate and when the login endpoint is hit, the auth backend will determine if there is a matching trusted certificate to authenticate the client. Optionally, you may specify a single certificate role to authenticate against.

$ curl --cacert ca.pem --cert cert.pem --key key.pem -d name=web \
     $VAULT_ADDR/v1/auth/cert/login -XPOST

Now the node IP:Port that I want to authenticate to is 17.2.24.13:8200

So the following is what I am doing from a remote server.

openssl s_client -showcerts -connect 17.2.24.13:8200

This leads to a gigantic output which contains a section:

-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

Now I believe this is the certificate the Vault needs.

So I write the above output to vault.cer file

Now using vault.cer I am going to authenticate. So I'm running the below command.

curl  --cert vault.crt  https://17.2.24.13:8200/v1/auth/cert/login -XPOST

But the ERROR I am getting is :

curl: (60) Certificate key usage inadequate for attempted operation.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

If I add the -k flag, I get the below ERROR.

# curl -k  --cert vault.crt  https://17.2.24.13:8200/v1/auth/cert/login -XPOST
{"errors":["client certificate must be supplied"]}

So I'm really confused as to what I am really missing in this scenario.


2 Answers

1

The certificate that is shown in the output of openssl s_client -showcerts -connect 17.2.24.13:8200 is the server certificate rather than a client certificate. The former is used to authenticate the server to the client. You are rather seeking to authenticate the client to the server for which you need to present a certificate that is trusted by the server and for which you own both the public and private key.

Which client certificates are trusted by the server and how to get such a certificate is a question you should ask the service owner.

Hans Z.
0

The cert that you obtain via the command below is the public key of the web server.

openssl s_client -showcerts -connect 17.2.24.13:8200

In the quote below "their TLS certificate" is referring to a cert that the client (curl) would present to the server.

The client simply connects with their TLS certificate

What you need is a signed private key. I found this answer by @Paul Kehrer to the question "How to create .pem files for https web server" gives a good set of steps on how to generate a self signed cert. If you need to have it signed by a CA you would just send the CSR to a CA to be signed.

JoshMc
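As an added example (not code from the question or from either answer) that turns both answers into something you can run: it generates a self-signed client certificate carrying the clientAuth key usage, checks a certificate for that usage and for a matching private key, and shows the login call from the docs with a proper client pair. It assumes openssl is installed and takes the role name web, VAULT_ADDR and ca.pem from the Vault documentation quoted in the question; which CA the Vault server trusts for client certificates is still the service owner's call, as the first answer says.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Assumes: openssl is installed; the role name "web", $VAULT_ADDR and ca.pem
# come from the Vault docs quoted in the question; the CA that Vault must
# trust for client certs is configured by the service owner (for a
# self-signed client cert, that is the client cert itself).

# make_cert <dir> <name> <eku>: self-signed cert + private key, with the given
# extended key usage. clientAuth makes a client certificate; serverAuth makes
# the kind of cert "openssl s_client -showcerts" shows you, which curl rejects
# for client auth with error 60 "Certificate key usage inadequate".
make_cert() {
  dir=$1; name=$2; eku=$3
  cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
[dn]
[ext]
extendedKeyUsage = $eku
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$name" \
    -config "$dir/$name.cnf" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" 2>/dev/null
}

# has_client_auth <cert>: succeeds only if the cert carries the clientAuth
# EKU. Run it on vault.cer from the question and it fails.
has_client_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'
}

# cert_matches_key <cert> <key>: succeeds if both contain the same public key,
# i.e. you hold the private half of the cert you are about to present.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# vault_cert_login <dir>: the docs' login call with a real client key pair.
# --cacert verifies the *server's* cert (what s_client showed); --cert/--key
# is the client identity that "client certificate must be supplied" asks for.
vault_cert_login() {
  curl --cacert "$1/ca.pem" \
       --cert "$1/client-cert.pem" --key "$1/client-key.pem" \
       -d name=web "${VAULT_ADDR:-https://17.2.24.13:8200}/v1/auth/cert/login" -XPOST
}
```

Running has_client_auth against the file saved from s_client reproduces the question's failure: that certificate has serverAuth only, so it can never satisfy --cert.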