Implement mTLS Using Vault’s PKI Secrets Engine

Mutual TLS (mTLS) is TLS with client authentication: the server presents its certificate as in ordinary TLS, and the client presents one as well, so each side verifies the other against a trusted certificate authority (CA) before any application data flows. Unlike one-way TLS, where only the server is authenticated, mTLS gives the server a cryptographic identity for every client and lets it reject unknown callers at the handshake rather than after an application-level password or token check. Vault’s PKI secrets engine acts as that CA: it issues certificates on demand, keeps the CA private key inside Vault, and supports short TTLs, rotation, and revocation through a Certificate Revocation List (CRL).

In this Shortcut, you will learn how to configure Vault’s PKI secrets engine to issue certificates for mTLS and use those certificates with your NGINX server.

Prerequisites

You need a running Vault cluster. Refer to the Shortcut “Run HashiCorp Vault with Helm” for a refresher on running Vault.

Issue mTLS Certificates from Vault

  1. Enable pki secrets engine:

    vault secrets enable pki
    Success! Enabled the pki secrets engine at: pki/
  2. Tune the pki secrets engine:

    vault secrets tune -max-lease-ttl=8760h pki
    Success! Tuned the secrets engine at: pki/
  3. Generate a root certificate:

    vault write pki/root/generate/internal common_name="shortcut.com" ttl=8760h

    You should receive output containing the certificate, expiration, issuing_ca, and serial_number fields. The root’s private key is generated and kept inside Vault and is not returned.
  4. Configure the URLs that issued certificates will carry for fetching the CA certificate (issuing_certificates) and the Certificate Revocation List (CRL); clients and servers use these to build the chain and check revocation:

    vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" ...
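The four steps above stop short of issuing a leaf certificate, so here is the whole procedure as one script, added here as an example and not part of the original Shortcut. It continues past the page’s steps: it creates a role, issues a server and a client certificate, verifies each against the exported root, fetches the CRL, and renders an NGINX server block that requires a client certificate. Names and values not on the page are assumptions: the role name mtls-shortcut, the output directory ./certs, the host names api.shortcut.com and client1.shortcut.com, the 72h/24h TTLs, and the crl_distribution_points URL used to complete the truncated step 4 command. It assumes vault, jq, curl, and openssl are on PATH and that VAULT_ADDR and VAULT_TOKEN are exported for a Vault where the token may write to pki/.

```shell
#!/bin/sh
# Added example (not from the Shortcut): end-to-end mTLS setup with Vault's
# PKI secrets engine and NGINX. Assumes VAULT_ADDR and VAULT_TOKEN are exported
# and that vault, jq, curl and openssl are on PATH. Role name, output dir,
# host names and TTLs below are assumptions, not values from the page.
set -eu

PKI_MOUNT="${PKI_MOUNT:-pki}"
ROOT_CN="${ROOT_CN:-shortcut.com}"
ROLE_NAME="${ROLE_NAME:-mtls-shortcut}"          # assumed role name
OUT_DIR="${OUT_DIR:-./certs}"                    # assumed output directory
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Steps 1 and 2 from the page: enable the engine and cap the maximum TTL.
# 'secrets enable' fails if the path is already mounted; that is intentional.
setup_pki_mount() {
  vault secrets enable -path="$PKI_MOUNT" pki
  vault secrets tune -max-lease-ttl=8760h "$PKI_MOUNT"
}

# Step 3: self-signed root. The private key never leaves Vault ("internal").
generate_root_ca() {
  vault write -field=certificate "$PKI_MOUNT/root/generate/internal" \
    common_name="$ROOT_CN" ttl=8760h > "$OUT_DIR/ca.pem"
}

# Step 4: URLs embedded in issued certs (CA fetch and CRL distribution point).
# The page's command is truncated; crl_distribution_points is our completion.
configure_urls() {
  vault write "$PKI_MOUNT/config/urls" \
    issuing_certificates="$VAULT_ADDR/v1/$PKI_MOUNT/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/$PKI_MOUNT/crl"
}

# A role constrains what the CA will sign: only names under ROOT_CN,
# short-lived, usable for both TLS server and TLS client authentication.
create_role() {
  vault write "$PKI_MOUNT/roles/$ROLE_NAME" \
    allowed_domains="$ROOT_CN" allow_subdomains=true \
    max_ttl=72h ttl=24h server_flag=true client_flag=true
}

# Issue one leaf certificate. $1 = common name, $2 = file prefix.
# Vault generates the private key and returns it exactly once; main() sets
# umask 077 so the key file is readable only by the current user.
issue_cert() {
  json=$(vault write -format=json "$PKI_MOUNT/issue/$ROLE_NAME" common_name="$1")
  printf '%s\n' "$json" | jq -r .data.certificate > "$OUT_DIR/$2.crt"
  printf '%s\n' "$json" | jq -r .data.private_key > "$OUT_DIR/$2.key"
  # Sanity check: the leaf must chain to the root exported in step 3.
  openssl verify -CAfile "$OUT_DIR/ca.pem" "$OUT_DIR/$2.crt"
}

# The CRL endpoint is unauthenticated; NGINX needs it as a file, so fetch it.
fetch_crl() {
  curl -sSf "$VAULT_ADDR/v1/$PKI_MOUNT/crl/pem" > "$OUT_DIR/ca.crl"
}

# NGINX server block that requires a client certificate signed by the Vault CA.
# $1 = directory that will hold the files at runtime.
render_nginx_conf() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name api.$ROOT_CN;
    ssl_certificate        $1/server.crt;
    ssl_certificate_key    $1/server.key;
    ssl_client_certificate $1/ca.pem;
    ssl_verify_client      on;
    ssl_crl                $1/ca.crl;
    location / {
        return 200 "authenticated client: \$ssl_client_s_dn\n";
    }
}
EOF
}

# Client-side check once NGINX is running with the rendered config.
smoke_test() {
  curl -sS --cacert "$OUT_DIR/ca.pem" \
    --cert "$OUT_DIR/client.crt" --key "$OUT_DIR/client.key" \
    --resolve "api.$ROOT_CN:443:127.0.0.1" "https://api.$ROOT_CN/"
}

main() {
  umask 077
  mkdir -p "$OUT_DIR"
  setup_pki_mount
  generate_root_ca
  configure_urls
  create_role
  issue_cert "api.$ROOT_CN" server
  issue_cert "client1.$ROOT_CN" client
  fetch_crl
  render_nginx_conf "$OUT_DIR" > "$OUT_DIR/mtls.conf"
  echo "wrote certificates and $OUT_DIR/mtls.conf; run '$0 smoke' once NGINX is up"
}

case "${1:-}" in
  issue) main ;;
  smoke) smoke_test ;;
  *) echo "usage: $0 issue|smoke" >&2 ;;
esac
```

Two caveats worth keeping in mind. First, as on the page, the root signs leaf certificates directly; for anything beyond a lab, generate an intermediate (pki/intermediate/generate/internal), have the root sign it, and issue from the intermediate so the root key can stay in a separate, offline mount. Second, NGINX reads ssl_crl once at start and Vault’s CRL has its own expiry (72h by default), so the fetch_crl step must be repeated on a schedule and NGINX reloaded, or revocation will silently stop being enforced; with the 24h leaf TTL used here, letting certificates expire is the primary control and the CRL is a backstop.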
