Venafi / vault-pki-backend-venafi

Venafi PKI Secrets Engine plugin for HashiCorp Vault that enables certificate enrollment using Venafi machine identity services.
Mozilla Public License 2.0

service_generated_cert stores the private key in vault as encrypted #98

Closed 3sch3r54 closed 2 years ago

3sch3r54 commented 2 years ago

PROBLEM SUMMARY We upgraded to v0.10.02 to take advantage of 'service_generated_cert = true'. When using this setting it requires us to include key_password in the JSON with a passphrase. When the plugin retrieves the certificate from Venafi it is storing the private key in Vault encrypted with the passphrase provided. This will create an issue with the pipeline to keep track of these passwords or have a hard-set password in the pipeline, which is not desirable.

STEPS TO REPRODUCE Enable configuration for 'service_generated_cert = true'. Request a cert using key_password in the JSON. When you retrieve the certificate from Vault, the private key will be encrypted with the passphrase provided.

EXPECTED RESULTS Since Venafi requires a password to download the private key, the plugin should generate a random password for service_generated_certs and use that to request the certificate from Venafi. Once it retrieves the certificate, it should be stored in Vault with an unencrypted private key. The key_password should not be required for the certificate request; this should only be needed if the pipeline is requesting a certificate with an encrypted private key.

ACTUAL RESULTS Private key is encrypted in the vault, which requires the password it was originally requested with.

ENVIRONMENT DETAILS plugin Version v0.10.2, Venafi Version 20.3.x

COMMENTS/WORKAROUNDS The only workaround would be to have a hard-coded password in the pipeline or an extreme amount of code to handle tracking of randomly generated passwords, which would be hard to manage.

tr1ck3r commented 2 years ago

Confirming that this represents the expected behavior. The key_password parameter is for optionally specifying a password to encrypt the private key before it is output. An internally generated random password (that meets the TPP and VaaS password complexity requirements) should be used in the API call to retrieve the certificate and private key from Venafi. That password should then be used to decrypt the private key so it is in the proper form to be stored (if store_pkey=true) and so that it can be returned without PBE if no key_password was specified or so that it can be re-encrypted using the specified key_password value before being output. As such the key_password parameter should not be required when service_generated_cert=true (this secrets engine is acting as an abstraction layer which means any restrictions of TPP or VaaS shouldn't automatically apply).
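The flow tr1ck3r describes above (internal throwaway password for the Venafi retrieval call, decrypt, store in the clear, re-encrypt only when the caller supplied key_password) as an added example in Go. This is illustrative code written for this page, not the plugin's or vcert's own implementation. Assumptions: the complexity rule (12+ characters, upper, lower, digit, symbol) stands in for whatever TPP and VaaS actually enforce; serviceGeneratedKeyPEM is a constructed stand-in for the service response and uses legacy PEM encryption so the example needs nothing outside the standard library, so the real wire format of the returned key is not asserted here; all function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Assumed stand-in for the TPP/VaaS complexity rule: 12+ chars, one from each class.
const (
	transportPasswordLen = 24
	charClasses          = "ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 0123456789 !#$%&*+-=?@^_"
)

func meetsComplexity(pw string) bool {
	if len(pw) < 12 {
		return false
	}
	for _, set := range strings.Fields(charClasses) {
		if !strings.ContainsAny(pw, set) {
			return false
		}
	}
	return true
}

// generateTransportPassword draws from crypto/rand and rejects candidates that miss a
// class. The result is used once for the retrieval call and is never stored or returned.
func generateTransportPassword() (string, error) {
	all := strings.ReplaceAll(charClasses, " ", "")
	buf := make([]byte, transportPasswordLen)
	for {
		for i := range buf {
			n, err := rand.Int(rand.Reader, big.NewInt(int64(len(all))))
			if err != nil {
				return "", err
			}
			buf[i] = all[n.Int64()]
		}
		if meetsComplexity(string(buf)) {
			return string(buf), nil
		}
	}
}

// parseAnyPrivateKey accepts PKCS#8 or SEC1 EC DER. With a wrong password the
// decrypted bytes are garbage and neither parser accepts them.
func parseAnyPrivateKey(der []byte) error {
	if _, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		return nil
	}
	if _, err := x509.ParseECPrivateKey(der); err == nil {
		return nil
	}
	return errors.New("decrypted bytes are not a private key (wrong password?)")
}

// serviceGeneratedKeyPEM is a constructed stand-in for what Venafi returns for a
// service-generated certificate: a fresh key encrypted under the transport password.
// Legacy PEM encryption is an assumption made to stay standard-library only.
func serviceGeneratedKeyPEM(transportPassword string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalECPrivateKey(key) // cannot fail for a freshly generated P-256 key
	block, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der, []byte(transportPassword), x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// normalizePrivateKey is the abstraction-layer step: strip the transport password so the
// key is stored as plaintext PEM (store_pkey=true), and build the caller-facing copy,
// re-encrypted only when key_password was given.
func normalizePrivateKey(encPEM []byte, transportPassword, keyPassword string) (stored, output []byte, err error) {
	block, _ := pem.Decode(encPEM)
	if block == nil || !x509.IsEncryptedPEMBlock(block) {
		return nil, nil, errors.New("service response is not a password-protected PEM key")
	}
	der, err := x509.DecryptPEMBlock(block, []byte(transportPassword))
	if err != nil {
		return nil, nil, fmt.Errorf("decrypt with transport password: %w", err)
	}
	if err := parseAnyPrivateKey(der); err != nil {
		return nil, nil, err
	}
	stored = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
	if keyPassword == "" {
		return stored, stored, nil // no PBE requested: hand back exactly what is stored
	}
	reBlock, err := x509.EncryptPEMBlock(rand.Reader, block.Type, der, []byte(keyPassword), x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	return stored, pem.EncodeToMemory(reBlock), nil
}

func main() {
	transport, _ := generateTransportPassword()
	resp, _ := serviceGeneratedKeyPEM(transport) // stands in for the Venafi API call
	stored, out, err := normalizePrivateKey(resp, transport, "")
	if err != nil {
		panic(err)
	}
	fmt.Println("no key_password: output identical to stored copy:", string(stored) == string(out))
	_, out, _ = normalizePrivateKey(resp, transport, "pipeline-supplied")
	b, _ := pem.Decode(out)
	fmt.Println("with key_password: output encrypted:", x509.IsEncryptedPEMBlock(b))
}
```

The point of validating the decrypted DER before storing it is that a wrong transport password does not always surface as a decryption error with legacy PEM encryption (padding can pass by chance), so the parse step is what makes the failure deterministic rather than storing garbage in Vault.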

luispresuelVenafi commented 2 years ago

This has been addressed in release v0.10.3.