Commercial root CA in Hashicorp vault


I know that external root CAs can be used with Hashicorp vault for issuing dynamic certificates. But is it possible to use a commercial publicly trusted root CA ? Asking this because usually we get commercial certificates with CA constraint set as FALSE. They cannot be used to issue dynamic certificates.

To issue a certificate, regardless of the tool, you need a private key. The certificate that goes with it is public. Everybody has it, it can’t be used to issue another certificate.

Vault can generate its own private key. That’s the preferred approach. You need an authority to sign that key, which can be another certificate authority. Vault can also sign its own private key (generate a self signed certificate).

Finally, you can import the private key of another CA, but they are usually not exportable.

For certificate issued by Vault to trusted, you will have to distribute Vault’s certificate to every client. Nothing to do with Vault, that’s just how PKI works.

Some commercial CAs do allow certificates which grant further certificate creation powers, but they come with very stringent compliance requirements and a very high cost.

A sub-CA could issue as many certificates as it wanted, potentially competing with the CA it was signed with, or at least reducing income they might have had if certificates were requested directly. Additionally any compliance issues (e.g. issuing a certificate without proper checks or authorisation) could easily endanger the CA’s place in the various browser trust roots - companies have disappeared after this has happened to them.

Instead for Vault you would generally create a CA which is then directly added to trust roots, for example within a company using software update & management systems. Mirroring the example of commercial CAs you might create a long-lived CA outside of Vault (say 10+ years) which gets included with browsers. It then is used to sign the CA managed within Vault which has a shorter lifetime. The top level CA is stored totally offline (e.g. in a safe) and only used when new Vault based CAs are needed - this makes disclosure of the top CA private keys much less likely, which would require every client to be updated. If instead the second level CA was compromised (more likely as the private key lives within Vault which is network attached) it would only require a new CA to be signed by the top CA, with no client changes. (In both situations you would need to revoke the compromised CA and re-issue any certificates)

Thanks. Is there a recommendation from Hashicorp to use self signed CAs in the vault? If a client thinks they need to have commercial certificates to be issued by Hashicorp vault pki engine, no other option but to buy a commercial CA with the constraints you mentioned above ? (including high cost)

Ultimately there needs to be a chain of trust that gives a CA its validity. Some applications may trust all CAs (or ignore errors) although that wouldn’t be advisable (as it would negate a lot of the protection TLS provides, as interception would not be possible through man-in-the-middle).

Other applications might have their own list of trusted CAs, use a list provided by the operating system or obtained by another mechanism (e.g. DNS using DNSSEC).

Vault is a tool to allow management of CAs in a fairly secure manner, with features for auditing and access control. How you configure Vault and get applications to trust its certificates is up to you.

In a corporate environment that could be via adding the CA to trust roots via software management tools. For an IoT device the CA might be included as part of the software. You could equally use Vault to run a commercial CA platform with the CA either included with browser/OS roots (e.g. Mozilla or Microsoft trusted CAs) or signed by anther CA which is (agreeing to any payment or compliance requirements for both options).