Merge pull request #894 from smallstep/ahmet2mir-feat/vault

Vault CAS
smallstep · Apr 19, 2022 · d61cd98 · d61cd98
2 parents b99692f + fe9c3cf
commit d61cd98
Show file tree

Hide file tree

Showing 10 changed files with 1,152 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - Added support for certificate renewals after expiry using the claim `allowRenewalAfterExpiry`.
 - Added support for `extraNames` in X.509 templates.
+- Added RA support using a Vault instance as the CA.
 - Added support for automatic configuration of linked RAs.
 ### Changed
 - Made SCEP CA URL paths dynamic

diff --git a/authority/config/config.go b/authority/config/config.go
@@ -68,6 +68,7 @@ type Config struct {
 	TLS              *TLSOptions          `json:"tls,omitempty"`
 	Password         string               `json:"password,omitempty"`
 	Templates        *templates.Templates `json:"templates,omitempty"`
+	CommonName       string               `json:"commonName,omitempty"`
 }
 
 // ASN1DN contains ASN1.DN attributes that are used in Subject and Issuer
@@ -173,6 +174,9 @@ func (c *Config) Init() {
 	if c.AuthorityConfig == nil {
 		c.AuthorityConfig = &AuthConfig{}
 	}
+	if c.CommonName == "" {
+		c.CommonName = "Step Online CA"
+	}
 	c.AuthorityConfig.init()
 }
 

diff --git a/authority/tls.go b/authority/tls.go
@@ -548,7 +548,7 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 	}
 
 	// Create initial certificate request.
-	cr, err := x509util.CreateCertificateRequest("Step Online CA", sans, signer)
+	cr, err := x509util.CreateCertificateRequest(a.config.CommonName, sans, signer)
 	if err != nil {
 		return fatal(err)
 	}

diff --git a/cas/apiv1/options.go b/cas/apiv1/options.go
@@ -3,6 +3,7 @@ package apiv1
 import (
 	"crypto"
 	"crypto/x509"
+	"encoding/json"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/kms"
@@ -15,8 +16,9 @@ type Options struct {
 	Type string `json:"type"`
 
 	// CertificateAuthority reference:
-	// In StepCAS the value is the CA url, e.g. "https://ca.smallstep.com:9000".
+	// In StepCAS the value is the CA url, e.g., "https://ca.smallstep.com:9000".
 	// In CloudCAS the format is "projects/*/locations/*/certificateAuthorities/*".
+	// In VaultCAS the value is the url, e.g., "https://vault.smallstep.com".
 	CertificateAuthority string `json:"certificateAuthority,omitempty"`
 
 	// CertificateAuthorityFingerprint is the root fingerprint used to
@@ -69,6 +71,9 @@ type Options struct {
 	CaPool     string `json:"-"`
 	CaPoolTier string `json:"-"`
 	GCSBucket  string `json:"-"`
+
+	// Generic structure to configure any CAS
+	Config json.RawMessage `json:"config,omitempty"`
 }
 
 // CertificateIssuer contains the properties used to use the StepCAS certificate

diff --git a/cas/apiv1/services.go b/cas/apiv1/services.go
@@ -45,6 +45,8 @@ const (
 	CloudCAS = "cloudcas"
 	// StepCAS is a CertificateAuthorityService using another step-ca instance.
 	StepCAS = "stepcas"
+	// VaultCAS is a CertificateAuthorityService using Hasicorp Vault PKI.
+	VaultCAS = "vaultcas"
 )
 
 // String returns a string from the type. It will always return the lower case