Creating the "ca.crt", "tls.crt" and "tls.key" with an Internal ADCS

Hi, I’ve been struggling with creating certificates for my installation of Vault.
How can I create those three certificates with an internal Microsoft ADCS? (Active Directory Certificate Server)

So far I’ve done the following:

openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out vault.csr
Created the certificate by presenting the CSR to the Web Enrollment from ADCS.
Downloaded the Chain.p7b from the ADCS.
openssl pkcs7 -print_certs -in chain.p7b -out vault.cer

So now I have two files:
“ca.key” and the converted “vault.cer”. The “vault.cer” contains the complete chain of trust:
Client certificate --> SubCA --> RootCA.

Can anyone give me any suggestions?

What exactly are you struggling with?
Are you getting errors when you install the certs?

Hi, I’ve created new certificates. I’ve used the following:
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out tls.csr
Created the certificate by presenting the CSR to the Web Enrollment from ADCS.
Downloaded the Chain.p7b from the ADCS.
openssl pkcs7 -print_certs -in chain.p7b -out tls.crt

I have two keys: “ca.key” and “tls.crt”.

I’m running Vault in K8s with Raft storage. My K8s is running in TKGI with NSX-T.
NSX-T provides a LoadBalancer for Vault.
When I deploy the Helm Chart, the pods are created and running.

When I try to initialize the first “vault-0” it says:
"Error initializing: Error making API request.
URL: PUT https://vault-test.mydomain.lan:8200/v1/sys/init
Code: 400. Errors:

  • Vault is already initialized
    command terminated with exit code 2"

I have the Unseal Keys, so I try to unseal it. It asks me for the Unseal Key(s).
When I enter the third key it gives me an error message:
"Error unsealing: Error making API request.
URL: PUT https://vault-test.mydomain.lan:8200/v1/sys/unseal
Code: 400. Errors:

  • Vault is not initialized
    command terminated with exit code 2"

I’ve included the YAML file I use with Helm: example.txt (23.1 KB)
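Added example (not from the thread, and not Vault's or Microsoft's code) covering the command sequence in both posts above: generate the key and CSR, convert the chain.p7b that ADCS Web Enrollment returns, and split it into the tls.key, tls.crt and ca.crt files the Helm chart expects. Host names, SAN entries and file names are assumptions, and because no ADCS is reachable from a script, a local RootCA -> SubCA pair stands in for it; in the real flow you upload tls.csr to Web Enrollment and save the downloaded chain as chain.p7b. Note that the key generated in step 1 is the server's private key, so it is named tls.key rather than ca.key, and that the leaf is picked by matching its public key against tls.key instead of assuming it comes first in the bundle.

```shell
#!/bin/sh
# Added example, not from the thread: turn an ADCS-issued chain.p7b into the three files
# Vault's Helm chart expects.  Host names, file names and the local stand-in CA are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

# 1. Private key + CSR.  This key is the server's key, so call it tls.key (not ca.key).
#    Every name Vault will answer on must be in the SAN (ADCS honours a SAN in the CSR only
#    when the template lets the subject be supplied in the request).
make_csr() {   # make_csr <cn> <san-list>
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tls.key 2>/dev/null
  openssl req -new -key tls.key -subj "/CN=$1" -addext "subjectAltName=$2" -out tls.csr
}

# 2. (In ADCS Web Enrollment) submit tls.csr, download the certificate chain as chain.p7b.
# 3. PKCS#7 -> PEM bundle.  The download may be base64 (PEM) or DER; try both.
p7b_to_pem() {
  openssl pkcs7 -in "$1" -print_certs -out bundle.pem 2>/dev/null ||
    openssl pkcs7 -inform DER -in "$1" -print_certs -out bundle.pem
}

# SHA-256 of a DER public key read as PEM from stdin; used to pair a cert with tls.key.
pubkey_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# 4. Split the bundle.  Do not assume the leaf comes first: the certificate whose public
#    key matches tls.key becomes tls.crt; everything else (SubCA, RootCA) goes to ca.crt.
split_bundle() {
  rm -f tls.crt ca.crt cert.*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++; f="cert." n ".pem"; on=1}
       on{print > f}
       /-----END CERTIFICATE-----/{on=0}' bundle.pem
  keyfp=$(openssl pkey -in tls.key -pubout | pubkey_fp)
  for c in cert.*.pem; do
    if [ "$(openssl x509 -in "$c" -pubkey -noout | pubkey_fp)" = "$keyfp" ]; then
      cat "$c" > tls.crt
    else
      cat "$c" >> ca.crt
    fi
  done
  [ -s tls.crt ] && [ -s ca.crt ]
}

# 5. Checks before anything goes into Kubernetes: the chain verifies and the SAN is right.
verify_files() {
  openssl verify -CAfile ca.crt tls.crt >/dev/null &&
    openssl x509 -in tls.crt -noout -text | grep -q 'DNS:vault-test.mydomain.lan'
}

# Stand-in for ADCS so the script runs offline (assumption): a local RootCA -> SubCA signs
# tls.csr and returns the chain as a p7b with the leaf deliberately last.
fake_adcs_sign() {   # fake_adcs_sign <san-list>
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$1" > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -subj /CN=RootCA -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -subj /CN=SubCA -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
    -extfile ca.ext -out sub.crt 2>/dev/null
  openssl x509 -req -in tls.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 365 \
    -extfile leaf.ext -out leaf.crt 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile root.crt -certfile sub.crt -certfile leaf.crt -out chain.p7b
}

# Assumed names: the LB hostname from the thread plus the in-cluster pod names.
SAN="DNS:vault-test.mydomain.lan,DNS:vault-0.vault-internal,DNS:vault-1.vault-internal,IP:127.0.0.1"
build_all() {
  make_csr vault-test.mydomain.lan "$SAN"
  fake_adcs_sign "$SAN"        # real flow: upload tls.csr to Web Enrollment, save chain.p7b here
  p7b_to_pem chain.p7b
  split_bundle && verify_files
}

if [ "${1:-}" = run ]; then
  build_all && echo "files in $WORK:" && ls tls.key tls.crt ca.crt
  echo 'next: kubectl -n vault create secret generic vault-tls --from-file=tls.key --from-file=tls.crt --from-file=ca.crt'
fi
```

Run it as `sh build-vault-tls.sh run` to see the three files; the secret name `vault-tls` is whatever your Helm values reference. If clients will only trust the RootCA, append the SubCA certificate to tls.crt as well, since Vault's `tls_cert_file` may carry intermediates and the server then presents the full chain; ca.crt is what goes into `VAULT_CACERT` on the client side.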

How many instances does this URL map to? It sounds like it's a load balancer endpoint:
https://vault-test.mydomain.lan:8200/v1/sys/unseal

Ok, so I’ve managed to get TLS working. But I think my load balancer has some problems.
I have installed the Vault CLI on my client and used “export VAULT_ADDR=https://vault.mydomain.com”.
If I enter “vault login %$#%454454646466fgfgFG” (as an example token) it sometimes gives me Code: 503 errors (Vault is sealed), and after multiple tries it says: “Success! You are now authenticated.”
I have a 5-node HA cluster, and for testing I only have one Vault unsealed. So it looks like it goes to different nodes (which are sealed) and finally hits the unsealed node and gives me access.

The LoadBalancer is provided by NSX-T
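Added example (not from the thread, and not Vault's own tooling) for the load balancer behaviour described above: every request through the LB lands on a different pod, and only one of the five is unsealed, so most calls get 503 "Vault is sealed" and the earlier init/unseal errors flip between "already initialized" and "not initialized" depending on which pod answers. Vault's `/v1/sys/health` endpoint exists for exactly this: its HTTP status code tells a load balancer whether a node may take traffic. The script below probes nodes with that endpoint and works out which ones belong in the pool; the node URLs, the `ca.crt` default for the CA bundle and the sample probe results are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: probe Vault nodes on /v1/sys/health and work out which
# ones a load balancer should keep in its pool.  Node URLs and the sample results are assumptions.
set -eu

# Default status codes of GET /v1/sys/health (from the Vault API docs).
health_state() {    # health_state <http-code> -> prints the node's state
  case "$1" in
    200) echo active ;;
    429) echo standby ;;
    472) echo dr-secondary ;;
    473) echo perf-standby ;;
    501) echo uninitialized ;;
    503) echo sealed ;;
    000) echo unreachable ;;     # curl could not connect at all
    *)   echo "unknown($1)" ;;
  esac
}

# A node may receive client traffic only when it is unsealed: active, or standby
# (standbys forward requests to the active node).  Sealed/uninitialized nodes stay out.
routable() { case "$1" in 200|429) return 0 ;; *) return 1 ;; esac; }

# Probe one node and print the status code; 000 when the connection itself fails.
# The CA bundle default (ca.crt) is an assumption; point VAULT_CACERT at the internal chain.
probe() {   # probe <base-url>
  code=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 \
         --cacert "${VAULT_CACERT:-ca.crt}" "$1/v1/sys/health") || true
  echo "${code:-000}"
}

# Read "<url> <code> [state]" lines (from report, or constructed) and print the URLs
# the load balancer may route to.
pool_members() {
  while read -r url code _; do
    if routable "$code"; then echo "$url"; fi
  done
}

# Live report: "<url> <code> <state>" per node.
report() {   # report <url>...
  for u in "$@"; do c=$(probe "$u"); echo "$u $c $(health_state "$c")"; done
}

# Constructed sample (not real output) matching the thread: 5 Raft nodes, one unsealed.
SAMPLE='https://vault-0.vault-internal:8200 200
https://vault-1.vault-internal:8200 503
https://vault-2.vault-internal:8200 503
https://vault-3.vault-internal:8200 503
https://vault-4.vault-internal:8200 503'

if [ $# -gt 0 ]; then
  report "$@"
  echo "routable:"; report "$@" | pool_members
else
  echo "sample cluster, routable nodes:"; printf '%s\n' "$SAMPLE" | pool_members
fi
```

Run `sh vault-lb-check.sh https://vault-0.vault-internal:8200 https://vault-1.vault-internal:8200 ...` from somewhere that can reach the pods. The fix on the NSX-T side is to give the virtual server an HTTP(S) health monitor on `/v1/sys/health` that only passes 200 and 429 (or `/v1/sys/health?standbyok=true` if the monitor can only accept 200, since that makes standbys answer 200 too); sealed pods then drop out of the pool instead of answering 503, and the init and unseal commands stop being spread across different backends. With only one node unsealed that leaves a pool of one, which is expected until the other four are unsealed with the same keys.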