Skip to content

CLI for generating signed certificates using Vault

License

Notifications You must be signed in to change notification settings

jsirianni/bmcert

Repository files navigation

bmcert

Build Status

CLI for generating signed certificates using Vault.

Overview

bmcert uses the cobra project for parsing command line options. https://github.com/spf13/cobra

bmcert --help

Installation

bmcert should be placed somewhere in your systems path and made executable.

bmcert relies on environment variables

# vault server url
VAULT_ADDR=https://vault.mynet.com:8200

# PKI endpoint
VAULT_PKI_URL=https://vault.mynet.com:8200//v1/<pki endpoint>

# PLI certificate issuer endpoint
VAULT_CERT_URL=https://vault.mynet.com:8200/v1/<pki endpoint>/issue/<domain>

Usage

Authentication

bmcert will check for VAULT_TOKEN and ~/.vault-token respectively. ~/.vault-token can be generated with the Vault CLI by running your preferred vault login command:

vault login -method=github token=$VAULT_GITHUB_TOKEN

Allowing the Vault CLI to handle authentication means bmcert is compatible with all forms of Vault authentication.

Create Certificate

Call the create command to generate a certificate.

Generate x509 PEM

bmcert will generate a single file that contains the full certificate chain

bmcert create --hostname <fqdn>

Generate x509 PEM, cert and key files

If individual certificate and private key files are desired, use the --format flag

bmcert create --hostname <fqdn> --format cert

Generate pkcs12

pkcs12 is supported when passing p12 or pkcs12 for --format. Password (optional) will be used to secure the certificate.

bmcert create --hostname bob.bluemedora.localnet --format p12

bmcert create --hostname bob.bluemedora.localnet --format p12 --password medora

Flags

Global flags

Global flags are used for any command:

-h, --help                help for bmcert
    --tls-skip-verify     Disable certificate verification when communicating with the Vault API (Defaults to false)
    --verbose             Enable verbose output --verbose

Create flags

When calling bmcert create:

    --alt-names string    The requested Subject Alternative Names, in a comma-delimited list
-f, --force               Overwrite if the file already exists
-F, --format string       The keyfile formant to output. [pem, cert, p12] (default "pem")
-h, --help                help for create
-H, --hostname string     The fully qualified hostname.
    --ip-sans string      The requested IP Subject Alternative Names, in a comma-delimited list
-O, --output-dir string   The directory to output to. Defaults to working directory.
-P, --password string     The password to protect pkcs12 (p12) certificates (optional)
    --ttl string          Certificate time to live in seconds, days, or months (600s, 2d, 1m). Uses Vault default ttl if not passed
    --uri-sans string     The requested URI Subject Alternative Names, in a comma-delimited list

Developing

Building from Source

A Makefile and Dockerfile are provided for building bmcert. Docker will compile, run unit tests, and zip binaries for Linux and MacOS as well as generating a sha256 sum file.

Build and place artifacts in the artifacts/ directory:

make
make build       // runs integration tests against a local vault server
make local-vault // deploys the local vault server
make clean       // removes compiled zip files, kills local testing vault instance
make lint        // requires `golint` be installed
make test        // runs go tests

To build outside of docker, ensure your GOPATH is set:

env CGO_ENABLED=0 go test ./...

# macos
env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build

# linux
env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build

Releases

Github actions will build a draft release when new tags are pushed, using goreleaser

About

CLI for generating signed certificates using Vault

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •