Display certificate details in the Web UI
Is your feature request related to a problem? Please describe.
It would be great if Vault UI displayed the details of a certificate, such as the output of "openssl x509 -in file.pem -noout -text", instead of just showing it in PEM format.
Example URL where it happens: https://localhost:8200/ui/vault/secrets/user-pki/show/cert/63-a8-57-b2-40-69-72-61-df-7c-c9-2f-e8-da-4a-5f-3b-d8-1b-f5
Describe the solution you'd like
Ideally, I'd like the details of the certificate to show on an alternate page (with a link between both), let's say, for e.g.: https://localhost:8200/ui/vault/secrets/user-pki/show/cert**-details**/63-a8-57-b2-40-69-72-61-df-7c-c9-2f-e8-da-4a-5f-3b-d8-1b-f5
Describe alternatives you've considered
Alternatively, it could show this on the same page, but I fear it would easily become unreadable on any screen.
Explain any additional use-cases
My issue here was mainly to determine the issue and expiry dates of certificates, so I was forced to dump the PEM and read it with openssl. This could be avoided with more details in the Web UI.
I would recommend implementing a view as here:
https://silvrback.s3.amazonaws.com/uploads/66cc69df-eb09-4821-adbe-2570bfb7536e/Screen%20Shot%202014-07-10%20at%2016.08.04_large.png (from project https://dennis.silvrback.com/openssl-web-front-end)
Use case:
- Easy to look up certificates by name
- The UI referenced here allows revocation of single or batch certificates (internally, we have a use case for this where user support might need to hand out a new certificate and revoke the old one)
- Quick review of expiration dates (perhaps a filter allowing a view on only the soon-to-expire or expired ones)
Just the subject, issuer, validity and SANs would already be very helpful
Our use case for this is client certificates. We used Vault as the issuing CA for an IKEv2 VPN deployment, so one client cert per VPN user. Currently, we generate them via Python's hvac library and essentially output a CSV that maps the user's email to the certificate serial number so that it is easy to find the right cert for revocation later on.
Obviously it would be preferable if at least the subject line was available from within the vault GUI!
Agreed. For me, subject in the list of certs is much more useful than serial number. Also, the state of the cert (expired, revoked, etc), is very useful.
+1 It's so confusing which certificate to select if we need to revoke one. We need to practically click each entry.
Browsing around in the code, the UI code that selects which attributes are shown appears to be in https://github.com/hashicorp/vault/blob/master/ui/app/adapters/pki-certificate.js
https://github.com/hashicorp/vault/blob/0223f597d31a88095b4fd8a042f91b1d6cd92247/ui/app/adapters/pki-certificate.js#L24-L38
I don't have the time at hand now to do something about it, but it's already a pointer.
Looks like resolved in 1.9? https://www.vaultproject.io/docs/release-notes/1.9.0#pki-certificate-metadata
Interestingly, it does — but only after you create a new cert. As in, I just updated my dev tier to 1.9.0, and didn't see any of the additional information about my existing certs listed in the interface. I then created a new cert, and after creating it, I could see the new information in the interface, for the new cert and for all the existing certs.
@delfuego do you have more information on that? Configuration, etc? Is that something you can reproduce? The parsing in the UI is from what's returned from the API, so it should be something that works with both old and new certs.
@hsimon-hashicorp I unfortunately don't — I upgraded my dev tier already, and don't have another tier immediately ready to be upgraded that I could further test this on. It's truly weird, though, I agree!
This seems resolved since 1.9.x - @jwarnier have you retested this since raising this issue and do you agree that it can now be closed?
Hi,
There's confusion between:
1) Being able to see details on a certificate by clicking the serial number in the overview (at /ui/vault/secrets/pki_int/show/cert/29:80:69:3a:92:aa:aa:13:c1:dd:90:f9:24:15:51:15:98:55:f8:6c, for example in engine pki_int).
2) Having things like the Common name and expiration date of each certificate in the overview screen (at /ui/vault/secrets/pki_int/list?tab=certs for example, for engine pki_int).
I confirm 1) is implemented but 2) is not, as of Vault 1.11.3.
Hope this helps.
Cheers Joris
On Mon, Sep 12, 2022 at 11:43 PM aphorise @.***> wrote:
This seems resolved since 1.9.x - @jwarnier https://github.com/jwarnier have you retested this since raising this issue and do you agree that it can now be closed?
May be related to PR: #17236 - that includes additional certificate details in the Secrets / PKI overview listing.
Hi there! Thank you all for this request! 😄
Here to confirm that parsing certificate data was added to the UI in 1.9 PR here, and more certificate details are surfaced in the PKI beta UI released in 1.13 #18737 (see PR for screenshots).
Because there can be millions of certificates, we’re unable to show any certificate details in the LIST view and at this time don’t have a way to parse this data without negatively impacting performance.
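A CLI way to get the fields requested in this thread while the list view shows only serial numbers; this is an added example, not Vault project code. The function names, the `jq` dependency and the constructed sample certificate are assumptions, and it needs OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example (not Vault project code): print serial, subject, issuer,
# validity, SANs and an expiry state for a PEM certificate.

# vault_serial PEM -> serial in Vault's colon-separated lowercase form
vault_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2 |
    tr 'A-F' 'a-f' | sed 's/../&:/g; s/:$//'
}

# cert_state PEM [WARN_DAYS] -> expired | expiring | ok
cert_state() {
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo expired
  elif ! openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null; then
    echo expiring
  else
    echo ok
  fi
}

# cert_summary PEM [WARN_DAYS] -> serial|subject|issuer|notBefore|notAfter|SANs|state
cert_summary() {
  local pem="$1" field out="" sans
  for field in subject issuer startdate enddate; do
    out="$out|$(openssl x509 -in "$pem" -noout -nameopt RFC2253 "-$field" |
      sed 's/^[A-Za-z]*= *//')"
  done
  # A certificate without SANs yields an empty field.
  sans=$(openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null |
    tail -n +2 | tr -d ' \n')
  printf '%s%s|%s|%s\n' "$(vault_serial "$pem")" "$out" "$sans" "$(cert_state "$pem" "${2:-30}")"
}

# make_sample_cert OUT DAYS: constructed self-signed certificate for testing
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
    -days "$2" -set_serial 0x63a857b2 -subj "/CN=alice@example.com" \
    -addext "subjectAltName=email:alice@example.com" 2>/dev/null
}

# Against a live mount (user-pki is the mount named in the thread; jq assumed):
#   vault list -format=json user-pki/certs | jq -r '.[]' | while read -r s; do
#     vault read -field=certificate "user-pki/cert/$s" > "$s.pem"
#     cert_summary "$s.pem"
#   done
```

Piping the loop's output through `grep -v '|ok$'` leaves only the expired and soon-to-expire entries, with the serial in the form the revoke endpoint expects.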