Import root CA certificate into Vault PKI Engine
This repo shows an example of how to upload a certificate for the root CA in the Vault PKI engine. First, you will create a certificate for your root CA using openssl. Then you will upload the certificate into Vault PKI engine, and create the root CA within Vault. Finally, create a role and issue the certificate.
Generate root CA cert and key. Then format the pem file for upload to Vault.
mkdir opensslca
openssl genrsa -out opensslca/rootCAKey.pem 2048
openssl req -x509 -sha256 -new -nodes -key opensslca/rootCAKey.pem -days 3650 -out opensslca/rootCACert.pem
openssl x509 -in opensslca/rootCACert.pem -text
awk ' NF {sub(/\r/, ""); printf "%s\\n",$0;}' opensslca/rootCAKey.pem > rootCACertpayload.pem
awk ' NF {sub(/\r/, ""); printf "%s\\n",$0;}' opensslca/rootCACert.pem >> rootCACertpayload.pem
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write pki/config/urls \
issuing_certificates=" $VAULT_ADDR /v1/pki/ca" \
crl_distribution_points=" $VAULT_ADDR /v1/pki/crl"
cat << EOF >>payload.json
{
"pem_bundle": "$( cat rootCACertpayload.pem) "
}
EOF
curl \
--header "X-Vault-Token: root" \
--request POST \
--data "@payload.json" \
http://127.0.0.1:8200/v1/pki/config/ca
Generate root CA in Vault
key_ref=$( curl \
--header " X-Vault-Token: root" \
http://127.0.0.1:8200/v1/pki/issuer/default | jq -r .data.key_id)
issuer_ref=$( curl \
--header " X-Vault-Token: root" \
http://127.0.0.1:8200/v1/pki/issuer/default | jq -r .data.issuer_id)
vault list pki/issuers/
vault read pki/issuer/$issuer_ref
vault write pki/root/generate/existing common_name=" rootca.seesquared.local" issuer_name=reissued-root key_ref=$key_ref
Create role and issue cert
vault write pki/roles/myapp \
issuer_ref=" $issuer_ref " \
allowed_domains=" seesquared.local" \
allow_subdomains=true \
max_ttl=" 720h"
vault write -format=json pki/issue/myapp common_name=" myapp.seesquared.local" ttl=" 24h" > cert.json
jq -r .data.certificate cert.json > myappcert.crt
openssl x509 -in myappcert.crt -text