Right now, if I want to use a TLS certificate to authenticate to Vault, I need to have a file with the certificate, and a file with the private key, on my client's filesystem.

On Windows, I'm able to use the OS to store certificates and private keys securely. I know on MacOS there's the Keychain, and I presume Linux has one or more similar systems.

I asked support, and they said there isn't currently a way to do this. Does anyone know of any workarounds or other ways to use an OS-installed cert on Windows?

This is for the vault client, vault.exe, from the vendor. Our use case is for using the vendor-provided EXE in agent mode for autoauth - please don't try to educate me on coding my own solution using the API. If that were my use case, I would just do that, and questions about that would be directed to StackOverflow.

mfinni

1 Answer

Hashicorp says about the Vault REST API:

All of Vault's capabilities are accessible via the HTTP API in addition to the CLI. In fact, most calls from the CLI actually invoke the HTTP API. In some cases, Vault features are not available via the CLI and can only be accessed via the HTTP API.

So, from Windows you could use the PowerShell cmdlet Invoke-RestMethod, which knows how to use locally installed certificates through the option -CertificateThumbprint:

-CertificateThumbprint

Specifies the digital public key certificate (X509) of a user account that has permission to send the request. Enter the certificate thumbprint of the certificate.

Certificates are used in client certificate-based authentication. They can be mapped only to local user accounts; they do not work with domain accounts.

To get a certificate thumbprint, use the Get-Item or Get-ChildItem command in the PowerShell Cert: drive.

J.M. Robles
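To make the answer above concrete, here is an added example (not code from the original answer, and not from HashiCorp) of logging in to Vault's TLS certificate auth method with a certificate taken from the Windows certificate store rather than from PEM files on disk. It posts to the documented endpoint `/v1/auth/cert/login` and then uses the returned client token for one follow-up request. The Vault address, the certificate subject, the cert-auth role name and the KV path are all assumptions; the cert auth method is assumed to be enabled at its default mount path `cert`. This performs a single interactive login from PowerShell; it does not change how the vendor's vault.exe agent handles autoauth, which is what the question asks about.

```powershell
# Added example. Assumptions (not from the original page):
#   $VaultAddr  - address of the Vault server (hypothetical)
#   $Subject    - subject of the client certificate in Cert:\CurrentUser\My
#   'windows-client' - name of a role configured under auth/cert/certs/ on Vault
#   secret/data/app/config - a KV v2 path the token is allowed to read
$VaultAddr = 'https://vault.example.internal:8200'
$Subject   = 'CN=vault-agent-client'

# Locate the client certificate in the current user's personal store. Only certificates
# whose private key is present in the store can be used for TLS client authentication.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No client certificate with subject '$Subject' and a private key found in Cert:\CurrentUser\My"
}

# POST /v1/auth/cert/login. The certificate is presented during the TLS handshake;
# Vault matches it against the certificates configured for the auth method and returns
# a client token. The optional "name" field restricts the match to one configured role.
$loginBody = @{ name = 'windows-client' } | ConvertTo-Json

# -CertificateThumbprint selects the certificate from the Cert: drive by thumbprint.
# Passing the object directly with -Certificate $cert is an equivalent alternative.
$login = Invoke-RestMethod -Method Post `
    -Uri "$VaultAddr/v1/auth/cert/login" `
    -CertificateThumbprint $cert.Thumbprint `
    -ContentType 'application/json' `
    -Body $loginBody

$token = $login.auth.client_token
Write-Verbose ("Logged in; token TTL is {0} seconds, policies: {1}" -f `
    $login.auth.lease_duration, ($login.auth.policies -join ','))

# Use the token for a subsequent API call. Vault expects it in the X-Vault-Token header.
$secret = Invoke-RestMethod -Method Get `
    -Uri "$VaultAddr/v1/secret/data/app/config" `
    -Headers @{ 'X-Vault-Token' = $token }

# KV v2 wraps the stored key/value pairs under data.data.
$secret.data.data

# Revoke the token when finished so it does not outlive the session.
Invoke-RestMethod -Method Post `
    -Uri "$VaultAddr/v1/auth/token/revoke-self" `
    -Headers @{ 'X-Vault-Token' = $token } | Out-Null
```

The private key never leaves the Windows certificate store: Schannel performs the client-certificate part of the handshake on behalf of Invoke-RestMethod, so a non-exportable key (including one held in a TPM-backed provider) works as long as the running user has access to it. The token returned by the login has a TTL (`lease_duration`); a long-running script would need to renew it via `/v1/auth/token/renew-self` before it expires, which is the part Vault agent's autoauth otherwise handles.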