Error setting up intermediate CA

I am getting the following error on vault 1.4.4 when trying to set up a vault intermediate CA path.

The root CA is not generated by vault, I have the root certificate and key from another source.

Here is the script I’m running to set up the intermediate CA:

# 1. Enable pki for int
vault secrets enable -path=pki_int pki

# 2. Generate intermediate csr
vault write pki_int/intermediate/generate/internal -format=json | jq -r '.data.csr' > intermediate.csr

# 3. Sign the csr with the root CA and key
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate-cert.pem

# 4. Write the intermediate cert to vault
vault write pki_int/intermediate/set-signed certificate=@intermediate-cert.pem

This is failing at step 4 with

Error writing data to pki_int/intermediate/set-signed: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/pki_int/intermediate/set-signed
Code: 400: Errors:

* The given certificate is not marked for CA use and cannot be used with this backend.

I have followed the Hashicorp docs, but used our own root CA key and cert.

I know I have messed up somewhere, but can’t figure it out.
If you have any ideas I’m all ears :slight_smile:

As the error alludes to, the intermediary certificate that you are trying to upload to Vault isn’t being seen as a CA certificate. If you examine the certificate does it show that it is enabled for CA usage? Does the root certificate you are signing it with also show that it is enabled for CA usage?


The root CA has

X509v3 extensions:
  CA:TRUE

However, the intermediate-cert.pem does not.

The intermediate CSR was generated with

vault write pki_int/intermediate/generate/internal -format=json | jq -r '.data.csr' > intermediate.csr

And signed with

openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial -out intermediate-cert.pem

I guess I may have missed an option of the openssl signing command?

You could use this:

-extfile infile File with X509V3 extensions to add

for your openssl x509 command.


Thanks, I’ll give that a go and report back :+1:

That’s fixed it, thank you for the help.

Changing the openssl command to

openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -extfile extfile.cnf -CAcreateserial -out intermediate-cert.pem

And the extfile.cnf file has

basicConstraints=CA:TRUE

Thanks again :star:

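The thread's two technical points, the check the first reply suggests (does the signed certificate actually carry basicConstraints CA:TRUE?) and the -extfile fix in the final post, reproduced end to end as an added example; this is not code from the thread or from HashiCorp. It assumes an openssl 1.1.1 or newer CLI on PATH and a throwaway directory. The root key and certificate are constructed locally as a stand-in for your own root, and the intermediate CSR is produced with openssl as a stand-in for what `pki_int/intermediate/generate/internal` returns (to openssl a CSR is a CSR either way). The function names, the `pathlen:0` constraint and the keyUsage line are this example's choices, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: show why "openssl x509 -req" without
# -extfile yields a certificate Vault rejects for CA use, and why the
# extfile fix works. Everything is generated in a scratch directory.
set -eu

# write_req_config DIR: minimal openssl config (constructed) so the demo does
# not depend on whatever openssl.cnf the host ships. v3_ca marks the root as a CA.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_root_ca DIR: self-signed test root (stands in for the poster's own root CA).
make_root_ca() {
  write_req_config "$1"
  openssl req -x509 -config "$1/req.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/root.key" -out "$1/root.crt" -days 3650
}

# make_intermediate_csr DIR: CSR standing in for Vault's generate/internal output.
make_intermediate_csr() {
  openssl req -new -config "$1/req.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Example Test Intermediate" \
    -keyout "$1/intermediate.key" -out "$1/intermediate.csr"
}

# sign_csr_bare DIR: the thread's original command. "openssl x509 -req" does not
# carry extensions over from the CSR, so the result has no basicConstraints.
sign_csr_bare() {
  openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 1825 -out "$1/intermediate-bare.pem"
}

# sign_csr_with_ca_extensions DIR: the fix. basicConstraints marks the cert as a
# CA; keyUsage limits the key to signing certificates and CRLs. pathlen:0 is an
# assumption that this intermediate only issues end-entity certificates.
sign_csr_with_ca_extensions() {
  cat > "$1/extfile.cnf" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
  openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -extfile "$1/extfile.cnf" -CAcreateserial -days 1825 \
    -out "$1/intermediate-cert.pem"
}

# is_ca_cert FILE: exit 0 when the PEM certificate has basicConstraints CA:TRUE.
# This is the check worth running before "vault write .../intermediate/set-signed".
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# report FILE: print the outcome of the check in plain words.
report() {
  if is_ca_cert "$1"; then
    echo "$1: CA:TRUE present, Vault will accept it for set-signed"
  else
    echo "$1: no CA:TRUE basicConstraints, Vault rejects it"
  fi
}

DEMO_DIR="$(mktemp -d)"
make_root_ca "$DEMO_DIR"
make_intermediate_csr "$DEMO_DIR"
sign_csr_bare "$DEMO_DIR"
sign_csr_with_ca_extensions "$DEMO_DIR"
report "$DEMO_DIR/root.crt"
report "$DEMO_DIR/intermediate-bare.pem"
report "$DEMO_DIR/intermediate-cert.pem"
# The fixed intermediate also chains to the root.
openssl verify -CAfile "$DEMO_DIR/root.crt" "$DEMO_DIR/intermediate-cert.pem"
```

Run it as `sh demo.sh`; the bare signing reports no CA:TRUE, the extfile signing reports it present. When signing a real Vault CSR, substitute your root key and certificate for the generated ones and keep `is_ca_cert` (or `openssl x509 -noout -text`) as the pre-flight check before the `set-signed` write.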