vault-pki-cli
Features
- Issues, signs and revokes X.509 certificates
- Reads ACME certificates written by acmevault (e.g. issued by Let's Encrypt)
- Reads the CA certificate / CA chain of a PKI
- Reads the CRL of a PKI
- Supports DER and PEM formats
- Automatically renews certificates based on their lifetime
- Authenticates against Vault using Kubernetes, AppRole, an explicit token or implicit auth
- Supports multiple sinks: Kubernetes, plain files, in-memory
- Runs both interactively on your workstation, driven by command line flags, and unattended on your server via systemd and config files
- Exposes metrics so that automated renewal can be monitored
Why would I need this?
mTLS is a strong, proven authentication mechanism; vault-pki-cli addresses several of its operational challenges:
| mTLS challenge | How vault-pki-cli can help |
|---|---|
| Certificate management | Removes most of the complexity of issuing, renewing and revoking certificates and of downloading CRLs |
| Key distribution | Distributes certificates safely through Vault's API |
| Revocation | Revocation is easy and can be performed automatically |
| Key storage | Observability and automation make short-lived certificates practical, which limits the blast radius of a compromised certificate |
| Certificate expiration | As long as Vault is reachable, certificates are renewed automatically once a user-defined threshold of their lifetime has passed |
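The renewal decision behind the last two rows is simple enough to show in code. The following is an added example written for this page, not code from vault-pki-cli itself: it assumes the threshold is a fraction of the certificate's total lifetime (the page does not spell out the tool's exact semantics), parses a PEM certificate, and decides whether it is due for renewal. To run offline it mints a throwaway self-signed certificate in place of one issued by Vault; `needsRenewal`, `parseCertPEM` and `selfSignedPEM` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsRenewal reports whether cert should be renewed at time now, given a
// threshold expressed as a fraction of the certificate's total lifetime
// (e.g. 0.66 = renew once two thirds of the lifetime has elapsed).
// Assumption for this example: vault-pki-cli's own threshold semantics are
// not described on this page, so the lifetime-fraction rule is ours.
func needsRenewal(cert *x509.Certificate, now time.Time, threshold float64) (bool, error) {
	if threshold <= 0 || threshold > 1 {
		return false, fmt.Errorf("threshold must be in (0, 1], got %v", threshold)
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if lifetime <= 0 {
		return false, fmt.Errorf("certificate has a non-positive lifetime")
	}
	// An expired certificate must be renewed unconditionally; there is no
	// point in computing a fraction once NotAfter has passed.
	if !now.Before(cert.NotAfter) {
		return true, nil
	}
	elapsed := now.Sub(cert.NotBefore)
	fraction := float64(elapsed) / float64(lifetime)
	return fraction >= threshold, nil
}

// parseCertPEM decodes the first CERTIFICATE block in pemData.
func parseCertPEM(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// selfSignedPEM mints a constructed, throwaway self-signed certificate with
// the given validity window. It stands in for a certificate issued by Vault
// so the example runs offline; the key is generated and discarded.
func selfSignedPEM(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.internal"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	pemData, err := selfSignedPEM(issued, issued.Add(30*24*time.Hour))
	if err != nil {
		panic(err)
	}
	cert, err := parseCertPEM(pemData)
	if err != nil {
		panic(err)
	}
	// Day 10 of a 30-day certificate is below a 0.66 threshold; day 25 is above it.
	for _, now := range []time.Time{issued.Add(10 * 24 * time.Hour), issued.Add(25 * 24 * time.Hour)} {
		renew, err := needsRenewal(cert, now, 0.66)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s renew=%v\n", now.Format(time.RFC3339), renew)
	}
}
```

A fractional threshold scales with the lifetime, so the same setting works for a 24-hour certificate and a 90-day one; an absolute "renew N days before expiry" rule would need retuning whenever the issuing role's TTL changes. Whichever rule a deployment uses, the expired-certificate branch matters: a renewal loop that only fires while the certificate is still valid can never recover a host that was offline past NotAfter.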
Installation
Docker / Podman
$ docker run ghcr.io/soerenschneider/vault-pki-cli:main
Binaries
Head over to the prebuilt binaries and download the correct binary for your system.
From Source
As a prerequisite, you need the Go toolchain installed. After that, you can install vault-pki-cli from source by invoking:
$ go install github.com/soerenschneider/vault-pki-cli@latest
Changelog
The full changelog can be found here