I am getting the following error on vault 1.4.4 when trying to set up a vault intermediate CA path.
The root CA is not generated by vault, I have the root certificate and key from another source.
Here is the script I’m running to set up the intermediate CA:

```
# 1. Enable pki for int
vault secrets enable -path=pki_int pki

# 2. Generate intermediate csr
vault write pki_int/intermediate/generate/internal -format=json | jq -r '.data.csr' > intermediate.csr

# 3. Sign the csr with the root CA and key
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate-cert.pem

# 4. Write the intermediate cert to vault
vault write pki_int/intermediate/set-signed certificate=@intermediate-cert.pem
```
This is failing at step 4 with:

```
Error writing data to pki_int/intermediate/set-signed: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/pki_int/intermediate/set-signed
Code: 400: Errors:

* The given certificate is not marked for CA use and cannot be used with this backend.
```
I have followed the Hashicorp docs, but used our own root CA key and cert.
I know I have messed up somewhere, but can’t figure it out.
If you have any ideas, I’m all ears.
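Added example, not from the original post or from HashiCorp: a Go program that reproduces the check the `set-signed` endpoint performs. Vault is written in Go and parses the submitted PEM with `crypto/x509`; the error quoted above is returned when the parsed certificate's `IsCA` flag is false, which means the `basicConstraints CA:TRUE` extension is missing. `openssl x509 -req` does not copy the CSR's extensions and adds none of its own unless given `-extfile`/`-extensions`, so a CSR from `generate/internal` signed that way comes out as a plain end-entity certificate. The code builds a constructed root in memory (standing in for `root.crt`/`root.key`), signs one CSR both with and without the CA extensions, and runs a pre-flight check on each result. The names `newRoot`, `signIntermediate`, `CheckCAUsable` and `Demo` are chosen here and are not part of Vault.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a throwaway root CA, a constructed stand-in for the externally held root.crt/root.key.
func newRoot() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signIntermediate issues a certificate for the CSR's key under the root. withCAExtensions decides whether
// basicConstraints CA:TRUE and keyCertSign are set; leaving them out mirrors `openssl x509 -req` without -extfile.
func signIntermediate(root *x509.Certificate, rootKey *ecdsa.PrivateKey,
	csr *x509.CertificateRequest, withCAExtensions bool) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
	}
	if withCAExtensions {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.MaxPathLenZero = true // may issue leaves, not further CAs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckCAUsable is the pre-flight check to run on intermediate-cert.pem before calling set-signed: Vault rejects
// a certificate whose parsed IsCA flag is false, and a CA without keyCertSign could not sign leaf certs anyway.
func CheckCAUsable(certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.IsCA {
		return errors.New("certificate is not marked for CA use (basicConstraints CA:TRUE missing)")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("certificate lacks the keyCertSign key usage")
	}
	return nil
}

// Demo signs one CSR both ways and returns the check result for each signing.
func Demo() (withoutExt error, withExt error) {
	root, rootKey := newRoot()
	// Intermediate key and CSR, standing in for pki_int/intermediate/generate/internal.
	intKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Intermediate CA"}}, intKey)
	if err != nil {
		panic(err)
	}
	csr, _ := x509.ParseCertificateRequest(csrDER)
	plain, err1 := signIntermediate(root, rootKey, csr, false)
	ca, err2 := signIntermediate(root, rootKey, csr, true)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	return CheckCAUsable(plain), CheckCAUsable(ca)
}

func main() {
	withoutExt, withExt := Demo()
	fmt.Println("without CA extensions:", withoutExt, "\nwith CA extensions:", withExt)
}
```

Run it with `go run`: the first check fails with the same condition Vault reports, the second passes. On the openssl side the equivalent is to pass an extensions file (containing `basicConstraints=critical,CA:TRUE` and `keyUsage=critical,keyCertSign,cRLSign`) via `-extfile` in step 3, then confirm with `openssl x509 -in intermediate-cert.pem -noout -text` that the Basic Constraints section shows `CA:TRUE` before calling `set-signed`.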