CA certificate required while deploying vault cluster (integrated storage)

I am trying to deploy a Vault cluster using the steps mentioned here: Vault with integrated storage deployment guide | Vault | HashiCorp Developer.

As mentioned here, a CA certificate is a must but I don’t see this certificate being generated. Only two files are generated i.e. tls.crt and tls.key.
Is a CA certificate necessary? If yes, how to get it?

It doesn’t say the CA certificate is a must:

The installation package generates a self-signed TLS certificate for use by the Vault service to secure intra-cluster communication. While these certificates are usable for experimenting with getting Vault up and running

That is, you can use them to deploy the cluster and complete the tutorial.

As for generating a CA certificate, there are many products that can help you build a Public Key Infrastructure and generate one of those, but why not create a root CA using Vault, or create an intermediate CA with it, in a production-grade set-up?

@jlj7 It’s not a production-grade set-up but I don’t want to use Vault in dev mode. In the article, it is mentioned that “You must have three files to configure TLS for Vault.”

I tried to complete the tutorial without a CA certificate but was unsuccessful.

If the certificate is self-signed, you don’t have a CA root.
In my environment, the CA root is installed on the OS directly, so I don’t use a CA root in my vault configuration.
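The point made in the post above, that a self-signed certificate has no separate CA root, can be checked with OpenSSL. This is an added example, not part of the thread or the HashiCorp guide; the helper names, hostnames and throwaway certificates are constructed, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: tell a self-signed certificate (its own trust anchor)
# from one issued by a separate CA. Helper names are hypothetical.

# 0 if the cert names itself as issuer and verifies against itself alone.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] || return 1
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# 0 if cert $1 chains to the CA file $2.
issued_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build constructed sample material in directory $1:
#   tls.crt  - self-signed, standing in for a package-generated certificate
#   ca.crt   - a throwaway test CA
#   node.crt - a certificate issued by that CA
make_samples() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=vault.example.test" \
    -keyout "$d/tls.key" -out "$d/tls.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=vault-0.example.test" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
  openssl x509 -req -in "$d/node.csr" -days 1 \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/node.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for c in tls.crt node.crt; do
  if is_self_signed "$demo_dir/$c"; then
    echo "$c: self-signed, the file itself is the only trust anchor"
  else
    echo "$c: issued by a separate CA, the issuer's certificate is needed"
  fi
done
rm -rf "$demo_dir"  # discard the throwaway private keys
```

Run against a real tls.crt, `is_self_signed` tells you whether a separate CA file exists to be found at all.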

@akashgs

I tried to complete the tutorial without a CA certificate but was unsuccessful.

I use the following configuration for running a local development Vault server without TLS. This is an option if you are okay with not running TLS for testing/development purposes.

ui            = true
disable_mlock = true

api_addr     = "http://{{ GetPrivateIP }}:8200"
cluster_addr = "http://{{ GetPrivateIP }}:8201"

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "true"
}

storage "file" {
  path = "/opt/vault/data"
}

$ vault server -config=/path/to/config.hcl