Skip to main content

Hashicorp Vault - Certificate Authority

Shen Zhen, China

Generating CA certificates through Hashicorp Vault user interface.

Generate root CA

I already activated and configured the PKI engine in a previous setup:

vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki

vault write -field=certificate pki/root/generate/internal \
        common_name="consul.consul" \
        ttl=87600h > CA_cert.crt


vault write pki/config/urls \
        issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
        crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

But let's build a new one using the UI now. Select Enable new engine and select PKI Certificates from the list, and then click Next:

Hashicorp Vault - Certificate Authority

Expand Method Options, enable Max Lease TTL and set the value to 87600 hours and click Enable Engine to complete. This sets the path to be pki:

Hashicorp Vault - Certificate Authority

Select the Configuration tab and then Configure:

Hashicorp Vault - Certificate Authority

Click Configure CA:

Hashicorp Vault - Certificate Authority

Ensure that the CA Type is set to root, that the Type is set to internal and enter consul.consul in the Common name field:

Hashicorp Vault - Certificate Authority

Expand Options and enable TTL and set the value to 87600 hours:

Hashicorp Vault - Certificate Authority

Click Copy Certificate and save it in a file named root_2023_ca.crt:

Hashicorp Vault - Certificate Authority

Click the URLs tab and:

  • Enter http://127.0.0.1:8200/v1/pki/ca in the Issuing certificates field.
  • Enter http://127.0.0.1:8200/v1/pki/crl in the CRL Distribution Points field.

Hashicorp Vault - Certificate Authority

Back to the PKI overview page create a role to the root CA:

Hashicorp Vault - Certificate Authority

With an extended list of options:

Hashicorp Vault - Certificate Authority

And set the TTL according to your needs:

Hashicorp Vault - Certificate Authority

Hashicorp Vault - Certificate Authority

Generate Intermediate CA

We can now create an intermediate CA using the root CA regenerated in the previous step. From Secrets, select Enable new engine and select the PKI certificate radio button:

Hashicorp Vault - Certificate Authority

Add the path pki_int, click More options to expand and set the Maximum lease TTL to 43800 hours and click Enable Engine:

Hashicorp Vault - Certificate Authority

Select the Configuration tab and then Configure:

Hashicorp Vault - Certificate Authority

Click Add CA and select intermediate from CA Type drop-down list and add consul.consul Intermediate Authority in the Common name field:

Hashicorp Vault - Certificate Authority

Click Copy CSR and save it in a file, consul_intermediate.csr.

Hashicorp Vault - Certificate Authority

Return to the pki in the Secrets tab which is the root CA. Select the Configuration tab and then Configure. Click Sign intermediate:

Hashicorp Vault - Certificate Authority

Paste in the CSR you just copied into the Certificate Signing Request (CSR) field and enter consul.consul in the Common Name. Select pem_bundle from the Format drop-down list, and then click Save.:

Hashicorp Vault - Certificate Authority

Click Copy Certificate and save the generated certificate in a file, intermediate.cert.pem:

Hashicorp Vault - Certificate Authority

Select pki_int from the Secrets tab to return to the intermediate CA. Select the Configuration tab and then Configure. Click Set signed intermediate:

Hashicorp Vault - Certificate Authority

Paste in the certificate in the Signed Intermediate Certificate field and then click Save:

Hashicorp Vault - Certificate Authority

Create a Role

A role is a logical name that maps to a policy used to generate those credentials. It allows configuration parameters to control certificate common names, alternate names, the key uses that they are valid for, and more.

ParamDescription
allowed_domainsSpecifies the domains of the role (used with allow_bare_domains and allow-subdomains options)
allow_bare_domainsSpecifies if clients can request certificates matching the value of the actual domains themselves
allow_subdomainsSpecifies if clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options (NOTE: This includes wildcard subdomains.)
allow_glob_domainsAllows names specified in allowed_domains to contain glob patterns (e.g. ftp*.example.com)

Click the terminal icon and use the following command to list issuers:

read -field=default pki_int/config/issuers

Hashicorp Vault - Certificate Authority

Copy the value from the above command. Click pki_int and then select Create role:

Hashicorp Vault - Certificate Authority

Enter consul-dot-consul in the Role name field and paste the value you copied in step 3 into the Issuer ref field:

Hashicorp Vault - Certificate Authority

Expand Options and then set the Max TTL to 43800 hours (5 years):

Hashicorp Vault - Certificate Authority

Expand Domain Handling and then select the Allow subdomains check-box. Enter consul.consul in the Allowed domains field:

Hashicorp Vault - Certificate Authority

Hashicorp Vault - Certificate Authority

Request Certificates

Keep certificate lifetimes short to align with Vault's philosophy of short-lived secrets.

Select Secrets, pki_int from the Secrets Engines list and elect consul-dot-consul under Roles and enter vault.consul.consul in the Common name field. Expand Options and then set the TTL to 24 hours:

Hashicorp Vault - Certificate Authority

Click Copy credentials and save it to a file:

Hashicorp Vault - Certificate Authority