Create an independent copy of the root certificate authority


Is it possible to upload the CA certificate to vault and use it afterwards like a normal internal CA to sign intermediate certificates and such?
What I’d like to achieve is to have vault manage the certificates, including the root CA, but I’d also like to have a backup copy of it without having to rely on vault, in case anything happens.

If I generate an internal root CA certificate, I know that vault won’t output the private key, so I won’t have access to the CA independently.

You can use the following to upload an existing certificate and key:

If you want to go the other way, generate in vault and export - there is the exported field in PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer and PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer . The key is ONLY available when you first generate it though.

Note that in all these cases, you must store the key in a safe space.

1 Like

Thanks for the answer. This is really helpful.
I’m guessing there’s no possibility of downloading the key through terraform, right?
I was looking at the pki_secret_backend_root_cert resource, but there’s no possibility here and, yes, the risk would be that the private key would be kept in the terraform state, I suppose :slight_smile:

Ok, I think I’ve found something. So it seems that one solution would be to create a self-signed certificate (tls_self_signed_cert) with terraform and then use someting like:

resource "vault_pki_secret_backend_config_ca" "ca_config" {
  depends_on = [ vault_mount.root, tls_private_key.ca_key]  
  backend  = vault_mount.root.path
  pem_bundle = local_file.ca_pem_bundle.sensitive_content

I’ll have to figure out that pem_bundle part exactly to get it directly from the tls_self_signed_cert resource.

I wouldn’t suggest using Terraform for this, as you will be storing the root CA cert within the state file. Really you want to generate it manually to ensure it is highly controlled and not available to anyone after creation (other than in a secure backup storage location)

Well, yeah, that’s what I myself mentioned in this thread. The problem is that there are simply too many manual steps that I’m supposed to take in deploying a whole self-hosted infrastructure and hashicorp simply doesn’t seem to offer the right tools to automate everything to a reasonable degree while also strictly/correctly observing all the security standards (which I’m otherwise very interested in). Not that I’m not grateful for the hashicorp tools, don’t get me wrong.

So if I wanted to have vault manage the CA root while also having a copy myself (which is quit normal, I’d argue), then I simply have to do it through other scripts outside terraform and directly access the vault (through curl for example), although I provision vault in the first place using terraform. That entails a sort of pause in the terraform provisioning, running the script, and the running terraform again or some shitty hack like that. So yeah, under these circumstances having the certificate in the terraform state and protecting the state doesn’t seem terribly unreasonable, to be honest.

You are right - set things up in terraform, do things in another language, and get back to terraform. You are already doing this, but in other ways - terraform to build a machine, then something else to finalize the config, create a database - something else to modify the data.

Personally, I try and define clear boundaries - static (pki) vs dynamic (certs), setup (pki) vs ongoing (cert+renewals), config (pki) vs data (contents of pki).