PKI CA chain == CA certificate? #2075
Comments
Yes -- if you want the full CA chain output, you should upload the root cert along with the signed intermediate CA cert when you use
@jefferai Would this work if I provide a pem bundle (private key + CA chain) when submitting an already-signed intermediate certificate using the POST pki/config/ca path? I would also like the whole ca_chain to be returned, but the difference is that I do not generate the intermediate key with vault, but I generate it and sign it with an outside root, and then submit it into vault. Thanks!
@frlod Yes that works. Just tested it, and vault is able to correctly parse out the issuing_ca from the chain, while also returning the full ca_chain cert that was provided.
Hello everyone! I want to learn about PKI and CA. Who has the relevant book recommendation?
@cyberwave If you are looking for some book recommendations, the vault mailing list would be a better resource to ask the community. See https://groups.google.com/forum/#!forum/vault-tool.
@jefferai Is there any way a more detailed step-by-step instructions can be provided? I've been searching Google Groups and internet for examples, but nothing came up as to how to add the Root Public Certificate component to be returned when asking for a
You can get the root certificate from

```yaml
# Ansible tasks (uri module). The root CA is the mount named "pki";
# each intermediate is mounted as "pki_{{ item }}".
- name: "Enable PKI secret engine."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/sys/mounts/pki_{{ item }}"
    method: POST
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      type: pki
      config:
        max_lease_ttl: "43800h" # 5 years
    status_code:
      - 200
      - 204

- name: "Generate intermediate certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki_{{ item }}/intermediate/generate/internal"
    method: POST
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      common_name: "{{ vault.ingress.host_path }} Intermediate Authority: {{ item }}"
    status_code:
      - 200
      - 204
  register: intermediate_csr_result

- name: "Sign the intermediate certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki/root/sign-intermediate"
    method: POST
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      csr: "{{ intermediate_csr_result.json.data.csr }}"
      format: pem_bundle
      ttl: "43800h"
    status_code:
      - 200
      - 204
  register: sign_intermediate_result

- name: "Get the root certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki/cert/ca"
    method: GET
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    status_code:
      - 200
      - 204
  register: root_certificate_result

- name: "Import the signed intermediate certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki_{{ item }}/intermediate/set-signed"
    method: POST
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      # signed intermediate first, then the root, so the mount's ca_chain returns both
      certificate: "{{ sign_intermediate_result.json.data.certificate }}\n{{ root_certificate_result.json.data.certificate }}"
    status_code:
      - 200
      - 204
```
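A way to check the result of the procedure above, as an added example (not code from the Vault project or from anyone on this thread): it takes the PEM bundle that the intermediate mount's `ca_chain` endpoint returns and confirms that each certificate is issued by the next one, ending in a self-signed root, using only the standard library. The `fake_cert_pem` fixture builds constructed, unsigned certificate skeletons so the check can be exercised offline; real certificates fetched from Vault are the intended input.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem_bundle(bundle):
    """DER bytes of each certificate in a PEM bundle, in the order Vault returned them."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(bundle)]

def _tlv(der, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_and_issuer(der):
    """Raw DER bytes of the (subject, issuer) Name of a certificate; DER Names compare byte-for-byte."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE: descend
    _, pos, _ = _tlv(der, pos)      # TBSCertificate SEQUENCE: descend
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] EXPLICIT version: skip
        pos = end
    _, _, pos = _tlv(der, pos)      # serialNumber: skip
    _, _, pos = _tlv(der, pos)      # signature AlgorithmIdentifier: skip
    _, s, pos = _tlv(der, pos)      # issuer Name
    issuer = der[s:pos]
    _, _, pos = _tlv(der, pos)      # validity: skip
    _, s, pos = _tlv(der, pos)      # subject Name
    return der[s:pos], issuer

def chain_is_complete(bundle):
    """True when each certificate is issued by the next one and the last is self-signed (the root)."""
    names = [subject_and_issuer(d) for d in split_pem_bundle(bundle)]
    linked = all(iss == nxt for (_, iss), (nxt, _) in zip(names, names[1:]))
    return bool(names) and linked and names[-1][0] == names[-1][1]

def _der(tag, content):  # minimal DER encoder, used only for the constructed fixtures below
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + content

def fake_cert_pem(subject, issuer):  # constructed, unsigned cert skeleton (CN-only names) for tests
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer)
           + _der(0x30, b"") + name(subject) + _der(0x30, b""))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

A bundle that contains only the intermediate, which is what the reporter saw, fails the check because its last certificate is not self-signed.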
Hello all!
I built a two-level PKI (root PKI and intermediate PKI signed by root PKI) by instructions found here and here. When I try to get ca_chain from intermediate PKI I can see only a CA certificate from that PKI (but not all other certificates in chain). Is it a normal behaviour?
Vault version is 0.6.2