Linux X.509-Certificate deployment helper for Azure Key Vault
keyvault-certdeploy is a tool used to facilitate X.509 certificate deployment to Linux systems with Azure Key Vault, supporting RSA and ECDSA certificates, local deployment and update hooks. Originally built to work around shortcomings in the Azure certificiate provisioning via VM secrets, it’s possible to provision systems outside of Azure as well, provided they have access to the corresponding vault. It can be used to push certificates to Key Vault from a Let’s Encrypt deployment hook and to refresh VM certificates on boot or to periodically poll for updates via cronjob.
To support importing ECC keys and ECDSA certificates, it does not use Key Vault’s internal mechanism for key and certificate management and stores key and certificate in a single PEM-encoded secret. Thus, it cannot be used with HSM-backed keys or Key Vault’s automatic certificate renewal.
keyvault-certdeploy uses the automatic environment authentication from the Azure Golang SDK to authenticate itself to Key Vault. Credentials can be either provided through environment variables or, if running in a Azure VM, through Managed Service Identity (MSI). No environment variables need to be set when using MSI.
Required access policies to vault:
Either download a compiled release, use the emgag/keyvault-certdeploy docker image or see build instructions in this README.
Also checkout example ansible role for deploying keyvault-certdeploy and individual certificates or the systemd unit files for running keyvault-certdeploy as an onboot- and/or periodic service.
See keyvault-certdeploy.yml.dist for a sample configuration.
X.509-Certificate deployment helper for Azure Key VaultUsage:keyvault-certdeploy [command]Available Commands:delete Deletes certificate from vaultdump Dump certificate and key from vault to current directory or dir, if suppliedhelp Help about any commandlist List certificates in vaultprune Remove expired certificates from vaultpush Push a certificate to the vaultsync Sync configured certificates from vault to systemFlags:-c, --config string Config file (default locations are $HOME/.config/keyvault-certdeploy.yml, /etc/keyvault-certdeploy/keyvault-certdeploy.yml, $PWD/keyvault-certdeploy.yml)-h, --help help for keyvault-certdeploy-q, --quiet Be quiet-v, --verbose Be more verbose--version version for keyvault-certdeployUse "keyvault-certdeploy [command] --help" for more information about a command.
Deletes certificate from vaultUsage:keyvault-certdeploy delete <subject> <keyalgo> [flags]Flags:-h, --help help for delete-y, --yes Don't confirm before deleting
This command removes a single certificate from vault.
Dump certificate and key from vault to current directory or dir, if suppliedUsage:keyvault-certdeploy dump <subject> <keyalgo> [flags]Flags:--cert string Name of the leaf certificate file (default "cert.pem")--chain string Name of the certificate chain file (default "chain.pem")-d, --dir string Directory to save files to (default ".")--fullchain string Name of the full certificate chain file (default "fullchain.pem")--fullchainprivkey string Name of the full certificate chain + private key file (default "fullchain.privkey.pem")-h, --help help for dump--key string Name of the private key file (default "privkey.pem")
The files generated by this command follow the same convention as common Let’s Encrypt utilities like certbot or dehydrated:
privkey.pem : the private key for the certificate.fullchain.pem: the certificate file containing all CA certificates as well as the leaf certificates. That’s usually the one to use in TLS configurations of the services (e.g. in nginx’s ssl_certificate)chain.pem : the CA certificates only, e.g. for OCSP stapling.cert.pem : just the leaf certificate. See certbot’s documentation about this for more info.
Additionally, following files will be generated as well:
fullchain.privkey.pem : the concatenation of fullchain and privkey.
List certificates in vaultUsage:keyvault-certdeploy list [flags]
This command will list all certificates in configured vault.
Remove expired certificates from vaultUsage:keyvault-certdeploy prune [flags]Flags:-d, --days int Delete certificates after this many days of being expired (default 7)-h, --help help for prune-n, --noop Just list expired certificates, don't actually remove the certs-y, --yes Don't confirm before pruning
Automatically remove all certificates which expired -d days ago from vault.
Push a certificate to the vaultUsage:keyvault-certdeploy push <privkey.pem> <fullchain.pem> [flags]
To push a certificate to the vault, the push command requires a key- and a certificates file. It’s designed to work with the PEM files generated by Let’s Encrypt utilities (privkey.pem & fullchain.pem).
Sync configured certificates from vault to systemUsage:keyvault-certdeploy sync [flags]Flags:-f, --force Force update even if version on disk matches the one in vault-h, --help help for sync--nohooks Disable running hooks after cert update
This command will fetch all certificates configured in the certs list in the config file and run hooks if a certificate was updated. Hooks will only run once per sync run, after all certificates are processed. Duplicate hooks are ignored.
Certificates are pushed to the vault as an unencrypted, single PEM-formated file containing the ECC or RSA private key, the chain certificates and the leaf certificate. The secret is named SubjectCN-PublicKeyAlgo (all lowercase, e.g. example.org-rsa), its content type is set to application/x-pem-file and following tags are defined:
$ git clone github.com/emgag/keyvault-certdeploy$ cd keyvault-certdeploy$ make snapshot
will download the source and build binary called keyvault-certdeploy in ./dist directory and a locally tagged docker image.
keyvault-certdeploy is licensed under the MIT License.