Moving an existing CA into HashiCorp Vault

Vault is much more than a simple key/value store for user credentials.

In my last post I set up a HashiCorp Vault to store credentials such as Google API keys and username/password combinations, and also the private key and certificate of my own certificate authority (CA).

The CA material is kept in Vault so that the CI/CD pipeline can use it, but it was stored as plain strings in the kv backend, which is far from optimal: the kv engine cannot sign anything, so every pipeline job that needs a certificate has to read the CA private key out of Vault and do the signing itself.

Importing an existing CA

The PKI secrets engine can generate its own CA, but it can also take over an existing one. Enable the engine first (in the examples below it is mounted at the path pki), then export the CA certificate and its unencrypted private key in PEM format and put both, concatenated, into a JSON file as the value of the key "pem_bundle". Since the whole bundle is a single JSON string, the line breaks inside the PEM blocks have to be written as \n. The file payload.json should look like this:
{ "pem_bundle": "-----BEGIN CERTIFICATE-----.....-----END CERTIFICATE-----\n-----BEGIN PRIVATE KEY-----.....-----END PRIVATE KEY-----" }

The import is a POST to the config/ca endpoint of that mount, authenticated with a token that is allowed to write there (here taken from ${VAULT_TOKEN}): curl -X POST --data @payload.json --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/pki/config/ca

To check that the import worked, fetch the CA certificate back. This endpoint needs no token and returns only the certificate, never the private key, which from now on stays inside Vault: curl ${VAULT_ADDR}/v1/pki/ca/pem Compare the result with the exported certificate (for example by fingerprint) before deleting the copy that is still sitting in the kv store.
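The import and its verification done end to end, as an added example in Python (not code from the original post). It assumes VAULT_ADDR and VAULT_TOKEN in the environment, a PKI secrets engine mounted at pki, and the CA certificate and key in the files ca.pem and ca-key.pem; the file names and helper names are hypothetical. It builds the payload with json.dumps (which does the \n escaping for you), refuses a bundle that holds anything other than one certificate and one unencrypted private key, and after the upload fetches the CA back from /v1/pki/ca/pem and compares SHA-256 fingerprints of the DER encoding with the local file.

```python
"""Import an existing CA into Vault's PKI engine and verify the upload.

Added example, not code from the original post. Assumes VAULT_ADDR and
VAULT_TOKEN in the environment, a PKI secrets engine mounted at "pki", and
the CA in the hypothetical files ca.pem / ca-key.pem. Standard library only.
"""
import base64
import hashlib
import json
import os
import re
import urllib.request

# One PEM block; the label of the BEGIN line must be repeated in the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, base64 body) for every PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def cert_fingerprint(pem_text):
    """SHA-256 hex digest over the DER bytes of the first CERTIFICATE block.

    Hashing the DER instead of the PEM text makes the comparison immune to
    line wrapping, CRLF line endings and trailing whitespace, which differ
    between a locally exported file and what Vault returns.
    """
    for label, body in pem_blocks(pem_text):
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            return hashlib.sha256(der).hexdigest()
    raise ValueError("no CERTIFICATE block found")


def build_pem_bundle(cert_pem, key_pem):
    """Build the JSON body for POST /v1/<mount>/config/ca.

    The checks catch the usual mistakes before the key leaves the machine:
    a chain file instead of a single certificate, a public key instead of
    the private key, or a passphrase-protected key (Vault imports plaintext
    keys only, so decrypt it first). json.dumps takes care of the newline
    escaping that a hand-written payload.json needs.
    """
    blocks = pem_blocks(cert_pem + "\n" + key_pem)
    labels = [label for label, _ in blocks]
    if labels.count("CERTIFICATE") != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    if "ENCRYPTED PRIVATE KEY" in labels or any("ENCRYPTED" in body for _, body in blocks):
        raise ValueError("private key is encrypted; decrypt it before importing")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        raise ValueError(f"no PRIVATE KEY block found, only {labels}")
    return json.dumps({"pem_bundle": cert_pem.strip() + "\n" + key_pem.strip() + "\n"})


def vault_request(method, path, body=None):
    """Minimal authenticated call to the Vault HTTP API; returns the raw reply."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(f"{addr}/v1/{path}", method=method,
                                 data=body.encode() if body else None)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def import_ca(mount, cert_pem, key_pem):
    """Upload the bundle, read the CA back and confirm it is the same certificate.

    /v1/<mount>/ca/pem needs no token and returns only the certificate: Vault
    does not hand the private key back out, so once the fingerprints match the
    copy in the kv store (and the local key file) can be deleted.
    """
    vault_request("POST", f"{mount}/config/ca", build_pem_bundle(cert_pem, key_pem))
    stored = cert_fingerprint(vault_request("GET", f"{mount}/ca/pem"))
    if stored != cert_fingerprint(cert_pem):
        raise RuntimeError("CA served by Vault does not match the uploaded certificate")
    return stored


if __name__ == "__main__":
    with open("ca.pem") as cert, open("ca-key.pem") as key:  # hypothetical file names
        print("imported, CA sha256 fingerprint:", import_ca("pki", cert.read(), key.read()))
```

The fingerprint check is the part worth keeping even if you stay with curl: the ca/pem endpoint is the only way to see what Vault actually stored, and a wrong file in the bundle (an intermediate instead of the root, for example) is not something the import itself will complain about.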

Creating more than one CA

Vault can manage several independent certificate authorities. What the example above calls the CA pki is really the mount path of the PKI secrets engine, and every mount holds exactly one CA. To add another CA, enable the PKI engine a second time at a different path (for example pki_int for an intermediate) and use that path instead of pki in the URLs.

Before this CA can issue anything, a role must be configured on the mount. The role is the policy Vault enforces on every request: which domains and subdomains may appear in a certificate, whether wildcards and IP SANs are allowed, the key type and size, and the maximum TTL.

The role name used in the further steps is my-role.

Generating SSL certificates

New certificates signed by our CA can be requested through the UI or the API. A JSON body requesting a certificate for www.example.com with nix.example.com as an additional DNS name could look like this: { "common_name": "www.example.com", "alt_names": "nix.example.com", "ttl": "3000" } Additional DNS names go into alt_names as a comma-separated list. uri_sans is only for URI SANs, so a DNS name or a wildcard such as *.example.com does not belong there, and a wildcard is only granted if the role allows glob domains anyway. A bare number in ttl is interpreted as seconds, and the role's max_ttl caps whatever is requested.

To actually generate the certificate: curl -X POST --data @cert.json --header "X-Vault-Token: ${VAULT_TOKEN}" ${VAULT_ADDR}/v1/pki/issue/my-role The response carries certificate, issuing_ca, ca_chain, serial_number and private_key. The private key is returned in this one response and is not stored by Vault, so the pipeline has to capture it here and keep it with restrictive permissions; the serial number is what a later revocation needs.
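The role and the issue request together with the response handling a pipeline needs, as an added example in Python (not code from the original post). It assumes VAULT_ADDR and VAULT_TOKEN in the environment, the PKI engine mounted at pki with the CA already imported, and the role name my-role; the role settings, the output directory and the sample response at the end are constructed for the example.

```python
"""Configure a role, issue a leaf certificate and store what Vault returns.

Added example, not code from the original post. Assumes VAULT_ADDR and
VAULT_TOKEN in the environment, the CA imported into the PKI engine
mounted at "pki", and the role name my-role. Standard library only.
"""
import json
import os
import re
import stat
import urllib.request

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# The role is the policy Vault enforces on every issue request. This one
# (constructed for the example) allows any subdomain of example.com but not
# the bare domain, wildcard names or IP SANs, and caps lifetimes at 30 days.
ROLE = {
    "allowed_domains": "example.com",
    "allow_subdomains": True,
    "allow_bare_domains": False,
    "allow_glob_domains": False,
    "allow_ip_sans": False,
    "key_type": "rsa",
    "key_bits": 2048,
    "max_ttl": "720h",
}


def issue_request(common_name, dns_sans=(), ttl="72h"):
    """JSON body for POST /v1/pki/issue/<role>.

    Additional DNS names belong in alt_names (comma separated); uri_sans is
    only for URI SANs such as spiffe:// identities, so a name like
    *.example.com must not go there. ttl takes a duration string; a bare
    number such as "3000" is read as seconds, and the role's max_ttl wins
    if ttl asks for more.
    """
    body = {"common_name": common_name, "ttl": ttl}
    if dns_sans:
        body["alt_names"] = ",".join(dns_sans)
    return json.dumps(body)


def vault_post(path, body):
    """POST a JSON string to the Vault HTTP API and return the parsed reply.

    Writing a role answers 204 with an empty body, hence the guard.
    """
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(f"{addr}/v1/{path}", data=body.encode(), method="POST")
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def save_issued(response, outdir):
    """Write certificate, private key and chain from an issue response.

    The private key appears in this response and nowhere else (Vault does
    not store it), so it is written with mode 0600 right away. Returns the
    serial number, which is what a later revocation needs.
    """
    data = response["data"]
    for field in ("certificate", "private_key", "issuing_ca"):
        if not PEM_BLOCK.search(data[field]):
            raise ValueError(f"{field} is not a PEM block")
    os.makedirs(outdir, exist_ok=True)
    chain = data.get("ca_chain") or [data["issuing_ca"]]
    files = {
        "cert.pem": (data["certificate"], 0o644),
        "key.pem": (data["private_key"], 0o600),
        "chain.pem": ("\n".join(c.strip() for c in chain), 0o644),
    }
    for name, (text, mode) in files.items():
        path = os.path.join(outdir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            f.write(text.strip() + "\n")
        os.chmod(path, mode)  # O_CREAT is subject to umask and does not touch an existing file's mode
    return data["serial_number"]


def file_modes(outdir):
    """Permission bits of the files written by save_issued, for a post-check."""
    return {name: stat.S_IMODE(os.stat(os.path.join(outdir, name)).st_mode)
            for name in ("cert.pem", "key.pem", "chain.pem")}


def issue(role, common_name, dns_sans=(), ttl="72h", outdir="issued"):
    """Write the role (idempotent), issue the certificate and store it; returns the serial."""
    vault_post(f"pki/roles/{role}", json.dumps(ROLE))
    reply = vault_post(f"pki/issue/{role}", issue_request(common_name, dns_sans, ttl))
    return save_issued(reply, outdir)


# Constructed sample of an issue response: Vault's field layout with fake PEM bodies.
SAMPLE_RESPONSE = {"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\na2V5\n-----END RSA PRIVATE KEY-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nY2E=\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nY2E=\n-----END CERTIFICATE-----"],
    "serial_number": "1f:2e:3d:4c",
}}

if __name__ == "__main__":
    print("serial:", issue("my-role", "www.example.com", ["nix.example.com"]))
```

Writing the role on every run keeps the policy in the pipeline's own source instead of in someone's shell history, and the explicit chmod is there because a key file that already exists with 0644 would otherwise keep that mode.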