Vaultx.Secrets.PKI (Vaultx v0.7.0)


Comprehensive Public Key Infrastructure (PKI) secrets engine for HashiCorp Vault.

This module provides a unified interface for enterprise PKI operations, including certificate authority management, certificate issuance, role-based access control, and complete certificate lifecycle management. It supports both root and intermediate CA operations with industry-standard compliance.

Enterprise PKI Capabilities

Certificate Authority Management

  • Generate and manage root CA certificates
  • Create and sign intermediate CA certificates
  • Import existing CA certificates and private keys
  • Manage complex CA hierarchies and trust chains
  • Cross-sign certificates between different authorities

API Compliance

Fully implements the HashiCorp Vault PKI secrets engine API, covering the following areas:

Certificate Issuance and Management

  • Issue certificates based on roles
  • Sign certificate signing requests (CSRs)
  • Revoke certificates and manage CRLs
  • Certificate renewal and lifecycle management

Role-Based Certificate Policies

  • Create and manage certificate roles
  • Define domain and naming constraints
  • Configure certificate validity periods
  • Set key usage and extended key usage policies

Advanced PKI Features

  • Multiple issuer support (Vault 1.11+)
  • Certificate transparency integration
  • ACME protocol support for automated certificate management
  • Certificate monitoring and alerting

Usage Examples

# The examples below assume the module is aliased as PKI
alias Vaultx.Secrets.PKI

# Generate a root CA
{:ok, ca} = PKI.generate_root(%{
  common_name: "Example Root CA",
  ttl: "10y"
})

# Create a certificate role
:ok = PKI.create_role("web-server", %{
  allowed_domains: ["example.com"],
  allow_subdomains: true,
  max_ttl: "90d"
})

# Issue a certificate
{:ok, cert} = PKI.issue_certificate("web-server", %{
  common_name: "www.example.com",
  ttl: "30d"
})

# Revoke a certificate
:ok = PKI.revoke_certificate("39:dd:2e:90:b7:23:1f:8d")
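A role audit in the project's own language, added here as an example and not part of Vaultx: it lints a role map against the role policies listed above (naming constraints, validity period, key usage) before handing it to PKI.create_role/2. RoleLint is a hypothetical helper; the option keys are Vault's PKI role parameters and are assumed to be passed through by Vaultx unchanged.

```elixir
# Added example, not Vaultx's code: RoleLint is a hypothetical helper. Role
# keys mirror Vault's PKI role API and are assumed to pass through unchanged.
defmodule RoleLint do
  alias Vaultx.Secrets.PKI
  # Longest leaf lifetime this policy tolerates, in days.
  @max_leaf_days 90

  # Convert a Vault-style TTL such as "30d", "720h" or "1y" to whole days.
  def ttl_to_days(ttl) when is_binary(ttl) do
    {n, unit} = Integer.parse(ttl)
    case unit do
      "h" -> div(n, 24)
      "d" -> n
      "y" -> n * 365
    end
  end

  # Findings for a role map (defaults mirror Vault's); [] means it passes.
  def findings(role) do
    checks = [
      {Map.get(role, :allow_any_name, false),
       "allow_any_name: any subject name can be requested"},
      {not Map.get(role, :enforce_hostnames, true),
       "enforce_hostnames off: non-hostname names are accepted"},
      {Map.get(role, :server_flag, true) and Map.get(role, :client_flag, true),
       "server_flag and client_flag both set: split into separate roles"},
      {is_nil(role[:max_ttl]) or ttl_to_days(role[:max_ttl]) > @max_leaf_days,
       "max_ttl missing or longer than #{@max_leaf_days} days"},
      {Map.get(role, :key_type, "rsa") == "rsa" and Map.get(role, :key_bits, 2048) < 2048,
       "RSA key_bits below 2048"}
    ]
    for {true, msg} <- checks, do: msg
  end

  # Only create the role in Vault when the lint passes.
  def create_checked(name, role) do
    case findings(role) do
      [] -> PKI.create_role(name, role)
      found -> {:error, {:insecure_role, found}}
    end
  end
end

# Permissive role: any name, any purpose, up to five years.
permissive = %{allow_any_name: true, max_ttl: "5y"}
# Hardened web-server role: explicit domain, one purpose, short lifetime.
hardened = %{
  allowed_domains: ["example.com"], allow_subdomains: true, enforce_hostnames: true,
  allow_ip_sans: false, server_flag: true, client_flag: false, key_type: "rsa",
  key_bits: 2048, ext_key_usage: ["ServerAuth"], ttl: "30d", max_ttl: "90d"
}
IO.inspect(RoleLint.findings(permissive), label: "permissive")
IO.inspect(RoleLint.findings(hardened), label: "hardened")
```

The two `IO.inspect` calls run offline; `RoleLint.create_checked/2` additionally needs a reachable Vault with the PKI engine mounted.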

Configuration

PKI operations support various configuration options:

Engine Options

  • :mount_path - PKI engine mount path (default: "pki")
  • :timeout - Request timeout in milliseconds
  • :issuer_ref - Reference to specific issuer (for multi-issuer setups)

Certificate Options

  • :common_name - Certificate common name
  • :alt_names - Subject alternative names
  • :ip_sans - IP address SANs
  • :uri_sans - URI SANs
  • :ttl - Certificate time-to-live
  • :format - Certificate format ("pem", "der", "pem_bundle")

Security Best Practices

CA Security

  • Use offline root CAs when possible
  • Implement proper access controls for CA operations
  • Back up CA keys regularly and store the backups securely
  • Use hardware security modules (HSMs) for key protection

Certificate Management

  • Implement proper certificate validation
  • Use appropriate certificate validity periods
  • Enable certificate revocation checking
  • Monitor certificate expiration and renewal

Access Control

  • Restrict access to sensitive PKI operations
  • Implement role-based access controls
  • Audit all certificate issuance and revocation
  • Use approval workflows for critical operations