Offload randomly generated PKCS #12 passphrases to Vault
This section covers two examples that invoke Futurex APIs to request an X.509 certificate and associated key pair that is issued as a PKCS #12 file. Then, the KMES Series 3 automatically offloads the passphrase generated for decrypting the PKCS #12 file to Vault.
The first example runs the RAUP Excrypt command while connected to the System/Host API port on the KMES by using OpenSSL.
The second example sends a POST request to the KMES RESTful API by using the Postman application.
Before attempting either of the examples, you must perform setup steps on the KMES Series 3. See the KMES Series 3 user guide for additional information about completing the following required setup steps:
Go to Identity Management > Roles and select [ Add ].
Create a Signing Approval role, set Logins Required to 1, and enable all permissions under Certificate Authority, Keys, and Cryptographic operations. Select [ OK ] to finish creating the role.
Go to Identity Management > Identities and select [ Add ].
Under Assigned Roles, select the Signing Approval role you just created. Under Authentication, set a password for the identity. Select [ OK ] to finish creating the identity.
Go to PKI > Signing Workflow and select [ Add ]. Set a name for the signing approval group and select [ OK ].
Create a CA tree, ensuring that you select the PMK as the major key for all certificates created in this CA Tree.
Add an Issuance Policy to the leaf certificate in the CA tree.
In the X.509 tab of the Issuance Policy window, ensure that you select all of the permission checkboxes and that you select the signing approval group you created in step 5.
Give the created Signing Approval Role the Use permissions on all of the following:
- The Signing Approval Group created in step 5.
- The entire CA tree created in step 6.
- The Cloud Credential that is being used in the Vault API Options menu.
Ensure that the RAUP command is enabled in the Host API Options menu.
Run the following command to connect to the System/Host API port on the KMES by using Slope:
You must configure the System/Host API connection pair on the KMES Series 3 so that this OpenSSL connection works. Instructions for setting this up are outside the scope of this guide. See the KMES Series 3 user guide for more information.
After you connect successfully, run the RKLO Excrypt command twice to log in with the default Admin users, as shown in the following example:
Run the RAUP command to upload a new X.509 PKI request, as shown in the following example:
If the command succeeds, as shown in the preceding example, a new X.509 PKI, issued as a PKCS #12 file, generates on the KMES Series 3, and the passphrase for the PKCS #12 file is stored in Vault.
Log in to the Vault UI and navigate into the secret/ folder.
Select the created secret.
You can see the Key is passphrase, and the Value is the passphrase for the PKCS #12 file you generated on the KMES Series 3.
Before trying this example, you must perform an additional configuration on the KMES Series 3.
Go to Identity Management > Identity Providers.
Right-click and select Add > Provider > JSON Web Token.
On the Info tab, specify a name for the provider.
On the JWT Options tab, set the issuer as futurex.
On the JWT Key tab, select HMAC Key and enter safest123.
Select [ OK ] when finished.
Right-click the Identity Provider you just created and select Add > Mechanism > JSON Web Token. On the Info tab, specify a name for the mechanism, then select [ OK ] to save.
Go to Identity Management > Identities and locate the Signing Approval identity created for the previous example. Right-click it and select Edit.
Navigate to the Authentication tab and select [ Add ]. In the Type drop-down menu, select JSON Web Token and select [ OK ] to return to the Identity editor. Then select [ OK ] to save.
Go to Identity Management > Identity Providers. Right-click the Identity Provider you created and select Permission. Give your Signing Approval role Use permissions and select [ OK ].
To perform the following steps, you must install the Postman application on your local computer. The same concepts apply if you use cURL rather than Postman. However, to use cURL, you must generate the JWT token elsewhere (for example, a website such as https://jwt.io/). With Postman, you can generate a JWT token on the fly when you send the POST request.
Start the Postman application, and select [ New ] on the top-left side of the page.
Select Collection.
Set any name for the collection, go to the Variable tab, and set jwt_token in the Variable field. Select [ Create ]. You don't need to set anything else in this window.
Right-click the three dots in the new collection and select [ Add Request ].
Set any name for the request. The most important part is that the request is associated with the newly created Collection. Save the request.
Expand the Collection Folder and select the request that you just created. Set the request URL to https://10.0.5.125:8081/kmes/v6/certificates/signing-requests and change the request type to POST in the drop-down menu.
Go to the Authorization tab, set the TYPE to Bearer Token, and set the Token value to {{jwt_token}}.
Go to the Body tab, select the Raw bullet, and paste the following JSON code:
In the request body, you specify that you want the KMES Series 3 to create a new X.509 PKI. You define the CA tree that you built on the KMES, along with several other parameters. One of the most important parameters to notice is the randomPassphrase value set to true. The randomPassphrase parameter ensures that the PKI request is issued as PKCS #12. Then, the passphrase for the PKCS #12 file is stored in Vault.
Go to the Pre-Request Script tab and paste the following javascript:
The preceding code generates the JWT Token used for authentication to the KMES, on-the-fly.
After pasting in the Javascript, select the settings icon in the upper-right corner of the page and select Globals.
Add a new variable, jwt_issuer, and enter futurex for both the Initial Value and Current Value.
Add a new variable, jwt_user. Set the Current Value to the username of the Signing Approval Identity you created. Select [ Save ].
Select [ Save ] on your request and select [ Send ].
If the request is successful, the response body contains the message: Successfully created new entry.
if you log back into the Vault UI and go to Secret Engines > Secret, you see a new entry with ID values after CommonName that matches the requested value in the response body in Postman. This confirms that the KMES Series 3 sent the PKCS #12 passphrase successfully to Vault for storage.
You can apply a renewal threshold in Registration Authority Options. When you request an existing key name, one of the following events occurs:
- If the key is under the expiration threshold when you request the key, the system returns a new key and certificate.
- If the key is over the expiration threshold when you request the key, the system returns the same key and certificate.
To apply the renewal threshold, perform the following steps:
Go to Administration > Configuration > Registration Authority Options.
In Registration Authority Options, locate Renewal Threshold.
For the Renewal Threshold option, set a number and use the drop-down list to select Days, Weeks, Months, or years depending on your needs (for example, 90 days).
In this example, a key request with the same name that is over the 90-day threshold returns the same key and certificate. A key request with the same name that is under the 90-day threshold returns a new key and certificate.
Select [ Save ] to finish applying your changes.
To use the Rekey feature, add the renewalCheck: true line to the JSON request, as shown in the following example: