Hello all!
I built a two-level PKI (a root PKI and an intermediate PKI signed by the root PKI) following the instructions found here and here. When I try to get ca_chain from the intermediate PKI I can see only the CA certificate from that PKI (but not the other certificates in the chain). Is this normal behaviour?
Vault version is 0.6.2
Yes -- if you want the full CA chain output, you should upload the root cert along with the signed intermediate CA cert when you use set-signed.
@jefferai Would this work if I provide a pem bundle (private key + CA chain) when submitting an already-signed intermediate certificate using the POST pki/config/ca path?
I would also like the whole ca_chain to be returned, but the difference is that I do not generate the intermediate key with Vault; I generate it and sign it with an outside root, and then submit it to Vault.
Thanks!
@frlod Yes that works. Just tested it, and vault is able to correctly parse out the issuing_ca from the chain, while also returning the full ca_chain cert that was provided.
Hello everyone! I want to learn about PKI and CAs. Does anyone have a relevant book recommendation?
@cyberwave If you are looking for some book recommendations, the vault mailing list would be a better resource to ask the community. See https://groups.google.com/forum/#!forum/vault-tool.
@jefferai Is there any way more detailed step-by-step instructions can be provided? I've been searching Google Groups and the internet for examples, but nothing came up on how to add the root public certificate so that it is returned when asking for a ca_chain! :(
You can get the root certificate from /v1/pki/cert/ca and append it to the signed intermediate certificate with a new line.
I use the following Ansible script:
```yaml
- name: "Enable PKI secret engine."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/sys/mounts/pki_{{ item }}"
    method: POST
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      type: pki
      config:
        max_lease_ttl: "43800h" # 5 years
    status_code:
      - 200
      - 204

- name: "Generate intermediate certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki_{{ item }}/intermediate/generate/internal"
    method: POST
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      common_name: "{{ vault.ingress.host_path }} Intermediate Authority: {{ item }}"
    status_code:
      - 200
      - 204
  register: intermediate_csr_result

- name: "Sign the intermediate certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki/root/sign-intermediate"
    method: POST
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      csr: "{{ intermediate_csr_result.json.data.csr }}"
      format: pem_bundle
      ttl: "43800h"
    status_code:
      - 200
      - 204
  register: sign_intermediate_result

- name: "Get the root certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki/cert/ca"
    method: GET
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    status_code:
      - 200
      - 204
  register: root_certificate_result

- name: "Import the signed intermediate certificate."
  uri:
    url: "https://{{ vault.ingress.host_path }}/v1/pki_{{ item }}/intermediate/set-signed"
    method: POST
    return_content: yes
    headers:
      X-Vault-Token: "{{ vault_root_token }}"
    body_format: json
    body:
      # Intermediate first, then root, separated by a newline, so Vault returns the full ca_chain.
      certificate: "{{ sign_intermediate_result.json.data.certificate }}\n{{ root_certificate_result.json.data.certificate }}"
    status_code:
      - 200
      - 204
```
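As an added example (not code from this thread, from Vault, or from any of the commenters), the following Python helpers assemble and sanity-check the two payload shapes discussed above: the `certificate` value for `intermediate/set-signed` (signed intermediate first, then root, separated by a newline, as the Ansible task above does), and the `pem_bundle` for `pki/config/ca` (externally generated key plus CA chain, as in the earlier exchange). The sample PEM blocks carry a constructed placeholder DER payload rather than real certificates or keys, and the checks are structural only: they catch the glued-marker mistake, a missing root, and a private key in the wrong payload, but do not validate signatures.

```python
import base64
import re

# Constructed placeholder DER payload (a SEQUENCE holding INTEGER 1), used in
# place of real certificates so the example runs offline. Only the outer DER
# tag is inspected below; nothing here is a real key or certificate.
_PLACEHOLDER_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def pem_block(kind, body_b64=_PLACEHOLDER_DER_B64):
    """Render one PEM block of the given kind with a trailing newline."""
    return f"-----BEGIN {kind}-----\n{body_b64}\n-----END {kind}-----\n"


# Constructed sample material standing in for the values Vault hands back.
SAMPLE_INTERMEDIATE = pem_block("CERTIFICATE")  # data.certificate from root/sign-intermediate
SAMPLE_ROOT = pem_block("CERTIFICATE")          # data.certificate from pki/cert/ca
SAMPLE_KEY = pem_block("RSA PRIVATE KEY")       # an externally generated intermediate key

_PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<kind>[A-Z0-9 ]+)-----(?P<body>[A-Za-z0-9+/=\s]*?)-----END (?P=kind)-----"
)


def split_pem_bundle(bundle):
    """Return [(kind, der_bytes), ...] for every PEM block in the bundle.

    Each body must be valid base64 whose decoded form starts with the DER
    SEQUENCE tag (0x30), as every certificate and PKCS key structure does.
    """
    blocks = []
    for match in _PEM_BLOCK_RE.finditer(bundle):
        body = "".join(match.group("body").split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{match.group('kind')} block is not DER")
        blocks.append((match.group("kind"), der))
    return blocks


def pem_blocks_are_separated(bundle):
    """False when two PEM markers were glued together without a newline,
    the usual symptom of joining certificate strings with a plain `+`."""
    return "----------" not in bundle


def build_set_signed_bundle(signed_intermediate, root_cert):
    """Assemble the `certificate` value for pki_*/intermediate/set-signed:
    the issuing (intermediate) cert first, then the root, newline separated,
    which is what makes Vault populate the full ca_chain."""
    parts = [signed_intermediate.strip(), root_cert.strip()]
    return "\n".join(parts) + "\n"


def check_set_signed_bundle(bundle):
    """Validate a set-signed payload; returns the number of certificates."""
    if not pem_blocks_are_separated(bundle):
        raise ValueError("PEM markers run together: blocks need a newline between them")
    kinds = [kind for kind, _ in split_pem_bundle(bundle)]
    if any(kind.endswith("PRIVATE KEY") for kind in kinds):
        raise ValueError("set-signed takes certificates only; the key never leaves Vault")
    if any(kind != "CERTIFICATE" for kind in kinds):
        raise ValueError(f"unexpected PEM block types: {kinds}")
    if len(kinds) < 2:
        raise ValueError("only the intermediate is present; ca_chain would omit the root")
    return len(kinds)


def set_signed_problem(bundle):
    """Return the validation error text, or None when the bundle is acceptable."""
    try:
        check_set_signed_bundle(bundle)
    except ValueError as exc:
        return str(exc)
    return None


def check_config_ca_bundle(pem_bundle):
    """Validate a pki/config/ca pem_bundle (externally generated key plus its
    CA chain); returns (key_count, certificate_count)."""
    if not pem_blocks_are_separated(pem_bundle):
        raise ValueError("PEM markers run together: blocks need a newline between them")
    kinds = [kind for kind, _ in split_pem_bundle(pem_bundle)]
    keys = sum(kind.endswith("PRIVATE KEY") for kind in kinds)
    certs = kinds.count("CERTIFICATE")
    if keys != 1:
        raise ValueError(f"expected exactly one private key, found {keys}")
    if certs < 1:
        raise ValueError("no certificate accompanies the key")
    return keys, certs


if __name__ == "__main__":
    payload = build_set_signed_bundle(SAMPLE_INTERMEDIATE, SAMPLE_ROOT)
    print("set-signed certificates:", check_set_signed_bundle(payload))
    print("config/ca (keys, certs):", check_config_ca_bundle(SAMPLE_KEY + SAMPLE_INTERMEDIATE + SAMPLE_ROOT))
    print("glued markers rejected:", set_signed_problem(SAMPLE_INTERMEDIATE.rstrip("\n") + SAMPLE_ROOT))
```

Run the checks against the real values pulled from `pki/root/sign-intermediate` and `pki/cert/ca` before the `set-signed` call; a bundle that passes `check_set_signed_bundle` with a count of 2 is the shape that yields the complete `ca_chain` discussed in this thread.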