Enable Vault TLS

How can I generate a certificate in Vault and use the same to enable TLS on the Vault server?

I read that documentation, but my answer is not there. How do I get the tls_key_file and tls_cert_file, which I want to generate using Vault?

I created scripts that use easyrsa to create PKI CAs and certificates for server auth + TLS, as well as for Vault Agent's auth + TLS. It is a complicated spiderweb of startup and runtime scripts.

Vault should solve this “chicken-and-egg” problem, since its certs are easily picked up on a SIGHUP.

You can use openssl to generate a self-signed SSL certificate.

The guy asks for help with something which is crystal clear, but irrelevant links are sent.

Sometimes I suppose some answers are hidden intentionally.

There is no procedure, recipe, blog or article which explains how to create TLS certificates for Vault.

I think that’s a bit harsh. I would say that it’s a non-trivial deployment challenge. And it’s certainly an issue that many folks are likely to run up against, all the same.

The best resource I’ve found (to date, anyway) for getting through this is the actual Terraform code for building the Vault reference architecture (e.g., this repo for building the OSS reference architecture in AWS, and the tls.tf code, in particular).

Note that, as of fairly recently (I believe), all these related repos have been archived. I’m not sure why, but it may be that problems have been found in them / big changes are coming. Use at your own risk, as it were!


I think it is fair to say that the chicken-and-egg problem of using Vault to sign TLS certificates for its own API is not solved. Or, rather, it’s not solved in the way the question askers want.

There’s a really simple solution: You deploy your initial Vault using an ad-hoc self-signed certificate, initialise your PKI secrets engines, issue a new certificate from them, and swap it in to the Vault configuration.

If anyone can think of a better way, do let me know :)
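The bootstrap-then-swap procedure described in the reply above (an ad-hoc self-signed certificate from openssl, as the earlier reply suggests, then a certificate issued by Vault's own PKI secrets engine swapped into the same file paths and picked up on SIGHUP), written out as shell functions. This is an added example, not code from the thread or from HashiCorp. The hostname vault.example.internal, the directory under VAULT_TLS_DIR, the mount name "pki", the role name "vault-server", the TTLs, and the use of jq to split the issue response are all assumptions; `vault operator init` and unsealing are left out.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or from HashiCorp.
# Assumptions (not facts from the page): hostname, paths, PKI mount and role
# names, TTLs, and that openssl, jq and the vault CLI are on PATH.
set -eu

VAULT_TLS_DIR="${VAULT_TLS_DIR:-/etc/vault.d/tls}"      # assumed layout
VAULT_HOST="${VAULT_HOST:-vault.example.internal}"       # assumed hostname

# Step 1: ad-hoc self-signed certificate so the TLS listener can start at all.
# The SAN must match whatever name clients (or a load balancer) connect to,
# otherwise the CLI refuses to talk to the bootstrap listener.
make_bootstrap_cert() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/vault.key" -out "$dir/vault.crt" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,IP:127.0.0.1" >/dev/null 2>&1
  chmod 600 "$dir/vault.key"
}

# Listener stanza pointing at those files. The same paths are reused after
# the swap, so the config never changes; only the file contents do.
write_listener_config() {
  local dir="$1"
  cat <<EOF
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "$dir/vault.crt"
  tls_key_file    = "$dir/vault.key"
  tls_min_version = "tls12"
}
EOF
}

# Steps 2 and 3: with Vault up and unsealed behind the bootstrap cert, enable
# a PKI engine, create a CA and a narrowly scoped role, and issue the real
# server certificate. tls_cert_file may hold the leaf plus its chain, so the
# issuing CA is appended to the new cert file.
issue_from_vault_pki() {
  local dir="$1" host="$2"
  export VAULT_ADDR="https://$host:8200"
  export VAULT_CACERT="$dir/vault.crt"        # trust the bootstrap cert for now
  vault secrets enable pki
  vault secrets tune -max-lease-ttl=87600h pki
  vault write -field=certificate pki/root/generate/internal \
    common_name="Vault Root CA" ttl=87600h > "$dir/vault-ca.crt"
  vault write pki/roles/vault-server \
    allowed_domains="${host#*.}" allow_subdomains=true \
    allow_ip_sans=true max_ttl=720h
  vault write -format=json pki/issue/vault-server \
    common_name="$host" ip_sans="127.0.0.1" ttl=720h > "$dir/issued.json"
  chmod 600 "$dir/issued.json"                 # it contains the private key
  jq -r '.data.certificate, .data.issuing_ca' "$dir/issued.json" > "$dir/vault.crt.new"
  jq -r '.data.private_key' "$dir/issued.json" > "$dir/vault.key.new"
  chmod 600 "$dir/vault.key.new"
}

# Step 4: swap the files into place and SIGHUP Vault so the listener reloads
# them. From here on every client must trust the new CA, not the bootstrap cert.
swap_and_reload() {
  local dir="$1"
  mv "$dir/vault.key.new" "$dir/vault.key"
  mv "$dir/vault.crt.new" "$dir/vault.crt"
  pkill -HUP -x vault
  export VAULT_CACERT="$dir/vault-ca.crt"
  vault status
}

# Only drives the full sequence when invoked as "script.sh run"; sourcing the
# file defines the functions without touching a server.
if [ "${1:-}" = "run" ]; then
  make_bootstrap_cert "$VAULT_TLS_DIR" "$VAULT_HOST"
  write_listener_config "$VAULT_TLS_DIR" > /etc/vault.d/listener.hcl
  echo "start and unseal Vault with the config above, then press Enter"; read -r _
  issue_from_vault_pki "$VAULT_TLS_DIR" "$VAULT_HOST"
  swap_and_reload "$VAULT_TLS_DIR"
fi
```

Two caveats a practitioner will hit: the CA generated here is a self-signed root living inside Vault, which is fine for a lab but in production would normally be an intermediate signed by an offline root; and the certificate's SANs have to cover the name the load balancer presents, which is exactly the part the next reply says is not simple.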

I see what you’re saying, and while I do agree broadly, I wouldn’t say that it’s “really simple,” in many (if not most) production scenarios. Take, as an example, Lev Andelman’s talk from earlier this year on getting it all working correctly with a load balancer.