7

Hashicorp Vault has facility to auto generate server/client cert for authentication. https://vaultproject.io/docs/secrets/pki/index.html

While it makes sense from certificate management point of view, I am having difficulty seeing the actual use case for it? E.g. IPSec/L2tp uses certificate for authentication, but that's so much fluffing around. (Auth against vault, download cert, set up vpn. For every single time.)

I can see that being useful in a custom developed application, but don't see its usefulness outside of that. Are there use-cases that I'm missing?

Mike Ounsworth
  • 59,005
  • 21
  • 158
  • 212
Sleeper Smith
  • 242
  • 1
  • 7

1 Answers1

2

Conceptually, Vault is similar to Netflix's Lemur. They both simplify the the process of obtaining a certificate by having the server-side (i.e. Vault) generate key-pair, generate CSR, sign certificate - returning both the certificate and associated private key.

Use case: many companies mandate their developers and testers configure their test or development servers with HTTPS, which require certificates. Here the reason for requiring HTTPS is not for security, but to ensure development and testing more accurately reflects how their products are configured in production. In such cases, the convenience of being able to quickly obtain a certificate outweighs the security concerns of private keys transmitted over the network.

The aforementioned Lemur blog post nicely illustrates the complexity of obtaining a certificate via the regular CSR procedure: Getting a certificate manually is a multi-step process

Whereas Lemur (and Vault) simplifies the process at the expense of some security: Lemur (and Vault) simplifies obtaining a certificate at the expense of some security

HTKLee
  • 1,852
  • 16
  • 30