Generate certificates with HSM or KMS managed keys
Challenge
While using Vault's PKI secrets engine to generate dynamic X.509 certificates, an organization may require their private keys to be created or stored within PKCS#11 hardware security modules (HSMs) to meet regulatory requirements.
Solution
Vault version 1.10 introduced the managed keys system to allow operators to configure access to a key stored in an external KMS. This feature also adds support to the PKI secrets engine for using a configured managed key as the backing private key for an intermediate or root certificate authority (CA).
Managed keys offload some PKI operations to the HSM or cloud KMS.
- Key generation: Generate new PKI key pairs and certificates from external HSM or cloud KMS.
- Certificate signing: Verify and sign some certificate workflows within external HSM or cloud KMS.
When Vault is configured with managed keys, all operations related to the private key, including generation, happen within the secure boundary of the HSM or cloud KMS external to Vault.
Prerequisites
To perform the tasks described in this tutorial, you need:
- Vault Enterprise version 1.10 or later
- HSM or AWS KMS environment
Note
PKCS#11 HSM-backed managed keys requires Vault Enterprise license.
Policy requirements
Note
For the purpose of this tutorial, you can use a root
token to
work with Vault. However, it is recommended that root tokens are only used for
just enough initial setup or in emergencies. As a best practice, use tokens
with appropriate set of policies based on your role in the organization.
To perform all tasks demonstrated in this tutorial, your policy must include the following capabilities:
If you are not familiar with policies, complete the policies tutorial.
In your organization, the configuration of a managed key and the configuration of a secrets engine may be performed by different people, in which case you might choose to segment the Vault policies accordingly.
Start Vault
For convenience and simplicity in the tutorial, you will operate a single Vault server with a minimal configuration using the default Shamir's Secret Sharing seal with one key share.
Open a terminal and create the initial Vault server configuration.
Note
Be sure to set the
license_path
to where your Vault license key is located.Create the Vault server data directory.
Start the Vault server.
The Vault dev server defaults to running at
127.0.0.1:8200
. It is uninitialized and not yet ready for use.Open a new terminal session and export an environment variable for the
vault
CLI to address the Vault server.Initialize the Vault server and capture the output to the file
/tmp/.vault-init
Export the
VAULT_UNSEAL_KEY
environment variable with the unseal key from the file as its value.Export the
VAULT_ROOT_TOKEN
environment variable with the initial root token from the file as its value.Unseal Vault.
The Vault server is ready.
Configure a Managed Key
Choose either PKCS#11 HSM or AWS KMS, and follow the steps for your KMS choice.
This tutorial uses the SoftHSM2 software (refer to its documentation for setup instructions). The path to the SoftHSM library varies by platform. These instructions apply to an installation of Ubuntu Linux, but other platforms will also work.
Initialize a new PKCS#11 token.
SoftHSM example response:
Note
The slot number is returned. In this example, the slot number is
1601102058
.A PKCS#11 HSM requires a shared library to configure Vault to communication with the HSM. To declare this library, edit the Vault server configuration at
/tmp/vault-server.hcl/
to add akms_library
stanza.config-vault.hclRestart or reload Vault's configuration with
SIGHUP
.Each managed key requires type-specific configuration. You must identify the location of a key and PIN to access the HSM. This is very similar to Vault's PKCS#11 auto-unseal mechanism. Configure the managed key.
The PKCS#11 specific parameters are
library
, referring to the previously configuredkms_library
stanza,slot
,pin
,key_label
, andmechanism
, which identifies the object in the HSM which will hold the key, and that it's mechanism is CKM_RSA_PKCS (RSA with PKCS#1 v1.5 signatures), and that we will require a 4096 bit key. Theallow_generate_key
flag indicates that Vault is allowed to request that the HSM generate a key, andallow_store_key
indicates that a new key may be stored in the backend. Without this flag, you may configure the key yourself in the HSM and just point Vault at the result. Finally,any_mount
means any mount in the namespace may access the managed key. For this example, it is set to false so that you can demonstrate how to lock managed key access down to a specific mount.Vault output:
Read the key back.
Test endpoint to validate that we can access the managed key.
The key has been generated in the HSM and used to sign and verify a dummy value.
Configure PKI Secrets Engine
Enable the
pki
secrets engine at thepki
path.Tune the secrets engine to use managed keys.
You configured the managed key with
any_mount=false
in the previous step. This command grants access to thelearn-managed-key
to the PKI secrets engine's mount.Generate the root certificate.
Note
Notice that the path is
pki/root/generate/kms
(instead ofpki/root/generate/internal
orpki/root/generate/exported
). This indicates that a managed key will be used. The name of the managed key is specified (learn-managed-key
).Configure the CA and CRL URLs.
Successful output:
In a production environment, you may configure an additional mount or mounts for intermediate CAs, and have those intermediates signed by the root. Refer to the Build Your Own Certificate Authority (CA) tutorial.
Test that you can issue a certificate with your managed key-backed root by configuring and using a role.
Successful output:
Request a new certificate for the
test.example.com
domain based on theexample-dot-com
role.Example output:
Next steps
Leveraging managed keys, operators can run a highly secure CA backed by an HSM or cloud KMS, while preserving the simplicity and flexibility of Vault's PKI secrets engine.
To learn more about the PKI secrets engine, see the following tutorials:
- Build Your Own Certificate Authority (CA)
- Build Certificate Authority (CA) in Vault with an offline Root
- Generate mTLS Certificates for Consul with Vault
- Generate mTLS Certificates for Nomad using Vault