Description
The setup.sh script creates a fresh ./secrets/ directory in the root of the repository.
Someone familiar with cryptography probably knows the importance of every file in there, but it's not clear to me which files are necessary for getting back into Consul/Vault, if any, and, if so, how those files should be backed up securely.
I guess I'm looking for this information personally, but it might also be helpful added to the README.
Here is the output of all the files in ./secrets/ after running the setup.sh demo:
$ tree secrets
secrets
├── CA
│ ├── ca_cert.pem
│ ├── ca_cert.srl
│ └── ca_key.pem
├── consul-vault.cert.pem
├── consul-vault.csr.pem
├── consul-vault.key.pem
├── example.asc
├── example.asc.key
├── gossip.key
├── openssl-ext.cnf
├── openssl.cnf
└── vault.keys
1 directory, 12 files

I've annotated the _cert() function to better understand the files involved:
_cert() {
    tls_key="${tls_key:-./secrets/consul-vault.key.pem}"
    tls_cert="${tls_cert:-./secrets/consul-vault.cert.pem}"
    [ -f "${tls_key}" ] && echo 'TLS certificate exists!' && return
    # ---------------------------------------------------------------------------
    # -f "${tls_key}" [read] ./secrets/consul-vault.key.pem
    # ---------------------------------------------------------------------------
    [ -f "${tls_cert}" ] && echo 'TLS certificate exists!' && return
    # ---------------------------------------------------------------------------
    # -f "${tls_cert}" [read] ./secrets/consul-vault.cert.pem
    # ---------------------------------------------------------------------------
    echo
    bold '* Creating a private key for Consul and Vault...'
    openssl genrsa -out "${tls_key}" 2048
    # ---------------------------------------------------------------------------
    # -out "${tls_key}" [write] ./secrets/consul-vault.key.pem
    # ---------------------------------------------------------------------------
    echo
    bold '* Generating a Certificate Signing Request for Consul and Vault...'
    cp "${openssl_config}" './secrets/openssl.cnf'
    # ---------------------------------------------------------------------------
    # cp "${openssl_config}" [read] /usr/local/etc/openssl/openssl.cnf
    # cp [write] ./secrets/openssl.cnf
    # ---------------------------------------------------------------------------
    # The cert generation doesn't take the -config argument, so we need to create
    # the -extfile part and then cat it together with the regular config.
    echo '[ SAN ]' > 'secrets/openssl-ext.cnf'
    echo 'subjectAltName = DNS:vault,DNS:consul,IP:127.0.0.1' \
        >> './secrets/openssl-ext.cnf'
    # ---------------------------------------------------------------------------
    # echo [write] ./secrets/openssl-ext.cnf
    # ---------------------------------------------------------------------------
    cat './secrets/openssl-ext.cnf' >> './secrets/openssl.cnf'
    # ---------------------------------------------------------------------------
    # cat [write] ./secrets/openssl.cnf
    # ---------------------------------------------------------------------------
    openssl req \
        -config './secrets/openssl.cnf' \
        -reqexts 'SAN' \
        -extensions 'SAN' \
        -key "${tls_key}" \
        -new -sha256 \
        -out './secrets/consul-vault.csr.pem' \
        -subj "/C=US/ST=California/L=San Francisco/O=Example/OU=Example/CN=vault/emailAddress=example@example.com"
    # ---------------------------------------------------------------------------
    # -config [read] ./secrets/openssl.cnf
    # -key "${tls_key}" [read] ./secrets/consul-vault.key.pem
    # -out [write] ./secrets/consul-vault.csr.pem
    # ---------------------------------------------------------------------------
    echo
    bold '* Generating a TLS certificate for Consul and Vault...'
    openssl x509 -req -days 365 -sha256 \
        -CA "${ca_cert}" \
        -CAkey "${ca}/ca_key.pem" \
        -extensions 'SAN' \
        -extfile './secrets/openssl-ext.cnf' \
        -in './secrets/consul-vault.csr.pem' \
        -CAcreateserial \
        -out "${tls_cert}"
    # ---------------------------------------------------------------------------
    # -CA "${ca_cert}" [read] ./secrets/CA/ca_cert.pem
    # -CAkey "${ca}/ca_key.pem" [read] ./secrets/CA/ca_key.pem
    # -extfile [read] ./secrets/openssl-ext.cnf
    # -in [read] ./secrets/consul-vault.csr.pem
    # -CAcreateserial [write] ./secrets/CA/ca_cert.srl
    # -out [write] ./secrets/consul-vault.cert.pem
    # ---------------------------------------------------------------------------
    echo
    bold '* Verifying certificate...'
    openssl x509 -noout -text -in "${tls_cert}"
    # ---------------------------------------------------------------------------
    # -in "${tls_cert}" [read] ./secrets/consul-vault.cert.pem
    # ---------------------------------------------------------------------------
}
I also see that the Consul and Vault HCL configs end up looking like (respectively):
ca_file = "/usr/local/share/ca-certificates/ca_cert.pem"
cert_file = "/etc/ssl/certs/consul-vault.cert.pem"
key_file = "/etc/ssl/private/consul-vault.key.pem"

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/ssl/certs/consul-vault.cert.pem"
  tls_key_file = "/etc/ssl/private/consul-vault.key.pem"
}

So I'm just wondering which of these files I need to keep and if/how to keep them under lock and key.
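Added example (not from the repository or the issue author): a small Python audit that walks a secrets/ tree like the one listed above, sorts each file by its PEM banner or suffix into private key material, public artefacts, regenerable build products (the openssl configs, CA serial file and CSR that the annotated _cert() derives from the keys and CA) and unknown non-PEM files (treated as secret until proven otherwise), and flags secret-bearing files whose group/other permission bits are set. The PEM labels are the standard ones; the files demo() creates are constructed placeholders, not real keys.

```python
import os, stat, tempfile
from pathlib import Path

# Written by the annotated _cert() from other inputs (openssl configs, CA serial
# counter, CSR): rebuildable from the keys and CA, so not backup material.
REGENERABLE_SUFFIXES = (".cnf", ".srl", ".csr.pem")

def classify(path: Path) -> str:
    """Return 'private', 'public', 'regenerable' or 'unknown' for one file."""
    if path.name.endswith(REGENERABLE_SUFFIXES):
        return "regenerable"
    first = path.read_text(errors="replace").lstrip().split("\n", 1)[0]
    if not first.startswith("-----BEGIN "):
        return "unknown"        # non-PEM (e.g. gossip.key): treat as secret
    label = first[len("-----BEGIN "):].rstrip("-").strip()
    if "PRIVATE KEY" in label:  # RSA/EC PRIVATE KEY, PGP PRIVATE KEY BLOCK
        return "private"
    if "PUBLIC KEY" in label or label == "CERTIFICATE":
        return "public"
    return "unknown"

def audit(secrets_dir: Path) -> dict:
    """Map relative path -> (class, flagged): secret-bearing files with group/other bits."""
    report = {}
    for p in sorted(secrets_dir.rglob("*")):
        if p.is_file():
            kind = classify(p)
            mode = stat.S_IMODE(p.stat().st_mode)
            report[str(p.relative_to(secrets_dir))] = (
                kind, kind in ("private", "unknown") and bool(mode & 0o077))
    return report

def pem(label: str) -> str:  # constructed, non-functional PEM body for the demo
    return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"

def demo() -> dict:
    """Build a constructed secrets/ tree like the issue's listing and audit it."""
    root = Path(tempfile.mkdtemp()) / "secrets"
    (root / "CA").mkdir(parents=True)
    files = {  # (content, mode); ca_key.pem deliberately left world-readable
        "CA/ca_key.pem": (pem("RSA PRIVATE KEY"), 0o644),
        "CA/ca_cert.pem": (pem("CERTIFICATE"), 0o644),
        "consul-vault.key.pem": (pem("RSA PRIVATE KEY"), 0o600),
        "consul-vault.csr.pem": (pem("CERTIFICATE REQUEST"), 0o644),
        "gossip.key": ("bm90LWEtcmVhbC1rZXk=\n", 0o644),  # placeholder bytes
    }
    for rel, (body, mode) in files.items():
        (root / rel).write_text(body)
        os.chmod(root / rel, mode)
    return audit(root)
```

Run against a real checkout with `audit(Path("./secrets"))`; anything reported as private or unknown is what a backup has to protect, while regenerable entries can simply be re-created by the script.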