Configuring the plugin
This page describes how to configure the the Sectigo Vault PKI plugin.
To enroll and manage certificates on Vault through SCM, users must first create a config entry in Vault.
This config entry may be used for downloading certificate profiles, and for enrolling and managing multiple certificates that correspond to the same SCM configuration.
Configuring the plugin directory
Vault servers in development mode can use -dev-plugin-dir to specify the path to the plugin.
For example:
vault server -dev -dev-plugin-dir="/etc/vault/plugins"Otherwise, the Vault server must be configured to use a plugin directory with the plugin_directory field pointing to the path of your plugins directory in a configuration file with HCL or JSON format.
For the Sectigo Vault PKI plugin, you must place the custom sectigo-vault-pki_<version> binary in the configured Vault plugins directory (for example, /etc/vault/custom_plugins/).
Make sure the custom plugin binary has the proper execute permissions enabled.
On Linux, this can be done using the following command.
$ chmod +x /etc/vault/custom_plugins/sectigo-vault-pki_<versions>For information on the plugin_directory field, see the Vault documentation.
Setting up environmental variables
Whether you are planning on using the Vault CLI tool or cURL commands, you may want to export the following environment variables to facilitate your interactions with your Vault server. The vault address and token are provided by the vault server on startup.
$ export VAULT_ADDR='http://<vault_ip_address>:<vault_port_number>'
$ export VAULT_API_ADDR='http://<vault_ip_adress>:<vault_port_number>'
$ export VAULT_TOKEN='<vault_token>'
$ export VAULT_CLIENT_TIMEOUT='600'| The address environment variables are shown for HTTP. Make sure to use HTTPS instead of HTTP on your production server. |
Enabling the plugin
You may enable the Sectigo PKI plugin assuming you have a Vault server that is:
-
running and unsealed
-
configured to point to a plugin directory where the
sectigo-vault-pkibinary is located -
accessible through the environment variables that you have exported
Run the following commands to enable the plugin.
$ SHA256=$(shasum -a 256 <path_to_plugin_directory>/sectigo-vault-pki_<version>| cut -d' ' -f1)
$ vault write sys/plugins/catalog/secret/sectigo-vault-pki_<version> sha_256="${SHA256}" command=sectigo-vault-pki_<version>
$ vault secrets enable -path=sectigo-vault-pki -plugin-name=sectigo-vault-pki_<version> sectigo-vault-pki_<version>Configuration parameters
The Sectigo Vault PKI plugin can handle many parameters. The required parameters depend on the specific use case and can be passed to Vault in two principal ways:
-
Bundled together in a JSON file when interacting with Vault through a Vault CLI tool or through cURL commands.
-
Individually as key/value pairs when interacting with Vault through the Vault CLI tool.
The sectigo_cm_user and sectigo_cm_password parameters are now supported in both the config and profile JSON files. If specified in both files, the profile file will override.
|
Config parameters
| Parameter | Type | Description |
|---|---|---|
|
Mandatory |
The user ID to access your URL. This parameter is supported in both the config and profile JSON files. |
|
Mandatory |
The password to access your URL. This parameter is supported in both the config and profile JSON files. |
|
Mandatory |
The configuration type for your Vault-specific |
|
Mandatory |
Your Sectigo URI |
|
Mandatory |
Your organization ID |
|
Mandatory |
The base url of the Sectigo Certificate Authority |
Profile CSR parameters
| Parameter | Type | Description |
|---|---|---|
|
Conditional |
A single value for a domain which is included in the certificate Common Name (CN) field. Required if |
|
Conditional |
The country name which is included in the certificate Country (C) field. Required if |
|
Conditional |
The state/province name which is included in the certificate State (ST) field. Required if |
|
Conditional |
The location name which is included in the certificate Location (L) field. Required if |
|
Conditional |
The organization name which is included in the certificate Organization (O) field. Required if |
|
Conditional |
The organization unit which is included in the certificate Organization Unit (OU) field. Required if |
|
Conditional |
The email address which is included in the certificate emailAddress field. Required if |
|
Conditional |
The private key algorithm used to generate the private key. The possible values are Required if |
|
Conditional |
The size of the SSL/TLS keys to generate. The possible values are:
Required if Required if |
|
Conditional |
The elliptical curve cipher (ECC) of the SSL/TLS keys to generate. The possible values are:
Required if Required if |
|
Conditional |
A certificate signing request in PEM format that users can optionally provide if they don’t want to generate a new one. |
|
Conditional |
A private key in PEM format that users can optionally provide if they want to generate a CSR by using it. |
Profile certificate issuance and collection parameters
| Parameter | Type | Description |
|---|---|---|
Common |
||
|
Optional |
The maximum time in seconds before a certificate download attempt will time out.
The default value is |
|
Optional |
The time in seconds between each attempt to download the issued certificate.
The default value is |
|
Optional |
The period of days prior to expiration that a new certificate enrollment process will be initiated.
The default value is |
|
Optional |
A flag to determine whether certificates that fall within the expiry window should get automatically renewed.
The default value is |
|
Optional |
When this flag is set to If you set this flag to |
SSL certificates |
||
|
Mandatory |
The type of the SSL certificate. This is the ID of the SSL certificate type. |
|
Mandatory |
The certificate validity period in days.
The values available are dependent on the selected |
|
Optional |
A comma-separated list of emails |
|
Optional |
The format type of the SSL certificate. The supported values are:
|
|
Optional |
Comments for certificate enrollment |
|
Conditional |
The number of server licenses |
|
Optional |
The server type ID |
|
Optional |
A comma-separated list of subject alternative names (SAN) |
|
Optional |
The custom fields to be applied to the requested certificate. The expected format for custom fields is the following.
If you are providing this input in a JSON string, make sure that the internal double quotes are escaped properly using backslash ( |
Client certificates |
||
|
Mandatory |
The type of the client certificate. This is the ID of the client certificate type. |
|
Mandatory |
The certificate validity period in days.
The values available are dependent on the selected |
|
Mandatory |
A valid user email that is less than 256 characters |
|
Conditional |
The user’s first name |
|
Conditional |
The user’s middle name |
|
Conditional |
The user’s last name. The combined length of the first, middle, and last name fields cannot exceed 64 characters. |
|
Optional |
The custom fields to be applied to the requested certificate. The expected format for custom fields is the following.
If you are providing this input in a JSON string, make sure that the internal double quotes are escaped properly using backslash ( |
Other parameters
| Parameter | Type | Description |
|---|---|---|
Common |
||
|
Conditional |
The unique certificate ID is used as the main identifier for certificates that are stored in Vault. For SSL certificates, the unique cert ID is For client certificates, the unique cert ID is |
|
Mandatory |
The reason why an action is being taken.
The possible actions are either |
|
Conditional |
Used in path |
SSL certificates |
||
|
Conditional |
Used in path |
Client certificates |
||
|
Mandatory |
Used in path |