certsponge

command module
v0.0.2

Warning: This package is not in the latest version of its module.
Published: Jun 24, 2022 License: MIT Imports: 10 Imported by: 0

README

certsponge

Utility for splitting Vault's PKI output into one or more files containing the private key, certificate, and CA data.

vault write -format=json pki/issue/rolename common_name=web.dom.tld | certsponge

Install

Install latest using go install:

go install github.com/joemiller/certsponge@latest

Pre-built binaries and packages are available for various platforms on the GitHub Releases page.

Docker images are available on ghcr.io.

Usage

certsponge expects to receive the JSON output from vault write pki/issue/...:

vault write -format=json pki/issue/rolename common_name=web.dom.tld | certsponge

By default the output is saved into two files in the current directory:

  • tls.pem: Contains private_key, certificate, and ca_chain (in that order).
  • ca.crt: Contains ca_chain.

This behavior can be changed via flags. Run with -h for usage.

Files containing private_key are always created with mode 0600.

Files containing only non-sensitive data (certificate and ca_chain) are created with mode 0644.

Existing files will not be overwritten unless the -f flag is specified.
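The file-handling rules above (0600 for anything holding private_key, 0644 for CA data, no overwrite without force), sketched as an added example that is not certsponge's own source. The names `issued`, `writeFile` and `split` are hypothetical, `ca_chain` is assumed to be a JSON array of PEM strings, and the sample input is constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)
// issued holds the response fields the README names (ca_chain as an array is an assumption).
type issued struct {
	Data struct {
		PrivateKey  string   `json:"private_key"`
		Certificate string   `json:"certificate"`
		CAChain     []string `json:"ca_chain"`
	} `json:"data"`
}
// writeFile (hypothetical helper) fails on an existing file unless force is set.
func writeFile(path string, mode os.FileMode, force bool, parts ...string) error {
	flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL
	if force {
		flags = os.O_WRONLY | os.O_CREATE | os.O_TRUNC
	}
	f, err := os.OpenFile(path, flags, mode)
	if err != nil {
		return err
	}
	defer f.Close()
	// OpenFile applies mode only on creation; chmod before writing so a reused file is tightened first.
	if err = f.Chmod(mode); err == nil {
		_, err = f.WriteString(strings.Join(parts, "\n") + "\n")
	}
	return err
}
// split (hypothetical) writes tls.pem (0600: key, cert, chain) and ca.crt (0644: chain) into dir.
func split(raw []byte, dir string, force bool) error {
	var r issued
	if err := json.Unmarshal(raw, &r); err != nil || r.Data.PrivateKey == "" {
		return fmt.Errorf("no usable data.private_key in input (parse error: %v)", err)
	}
	d, ca := r.Data, strings.Join(r.Data.CAChain, "\n")
	if err := writeFile(filepath.Join(dir, "tls.pem"), 0600, force, d.PrivateKey, d.Certificate, ca); err != nil {
		return err
	}
	return writeFile(filepath.Join(dir, "ca.crt"), 0644, force, ca)
}
func main() {
	raw := []byte(`{"data":{"private_key":"KEY","certificate":"CERT","ca_chain":["CA1","CA2"]}}`) // constructed sample
	dir, _ := os.MkdirTemp("", "certsplit")
	fmt.Println(split(raw, dir, false), split(raw, dir, false)) // second call fails: file exists
}
```

The explicit Chmod matters on the force path: truncating an existing world-readable file would otherwise leave the new private key readable under the old mode.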

Motivation

I got tired of writing blocks like this (and many other variations) in scripts:

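# Issue the certificate once and keep the JSON response
out=$(vault write -format=json pki/issue/myrole common_name=foo)
key=$(jq -r '.data.private_key' <<<"$out")
cert=$(jq -r '.data.certificate' <<<"$out")
# ca_chain is an array; [] emits each PEM block as raw text
ca=$(jq -r '.data.ca_chain[]' <<<"$out")
# Concatenate key, certificate and chain into one bundle
{
  echo "$key"
  echo "$cert"
  echo "$ca"
} >tls.pem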

Similar Tools

  • vaultbot is an excellent tool that implements the full end-to-end process of requesting certs from Vault and writing them to files. It also handles renewals. certsponge is not trying to do all of that; its only goal is to split the output from the vault CLI into files.
