Flummoxed by Installation TLS Certificates


I’m installing and configuring Vault using Consul storage. In the Prepare TLS Certificates section of the deployment guide, it says:

You must have three files to configure TLS for Vault: … /opt/vault/tls/vault-[key|cert|ca].pem

And yet, those files don’t exist upon installation. Instead, you get two files in that directory: tls.crt and tls.key. Those work to get things up and running, but there’s no CA signing file to use with them.

What is the recommended way forward? Can I use the consul keygen facility and rename the files? I could be missing something in the docs, but it’s unclear what to do.


cert = server certificate for your machine – 1/2 of which you’re thinking of
key = server key cert for your machine – 2/2 of which you’re thinking of

CA == if you’re self-signing or using a cert from a CA that isn’t in the default list you have to provide this, so that the connection can be trusted.
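For the self-signing case the reply mentions, this is one way to produce all three files from a private CA and confirm they belong together. It is an added example, not part of the thread or the deployment guide; the CA name, hostname, key size and lifetimes are constructed sample values, and only the `vault-[key|cert|ca].pem` file names come from the guide quoted above.

```bash
#!/usr/bin/env bash
# Added example: CA name, hostname, key size and lifetimes are sample values.
set -eu

make_vault_tls() {  # usage: make_vault_tls <out_dir> <dns_name>
  local dir=$1 name=$2
  mkdir -p "$dir"
  # 1. Private CA. Its certificate is the "ca" file; its key never goes on the server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Vault CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/vault-ca.pem" 2>/dev/null
  # 2. Server private key (the "key" file) and a signing request for it.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/vault-key.pem" -out "$dir/server.csr" 2>/dev/null
  # 3. CA signs the request. Clients match the name against the SAN, not the CN.
  printf 'subjectAltName=DNS:%s,IP:127.0.0.1\n' "$name" > "$dir/san.ext"
  openssl x509 -req -in "$dir/server.csr" -days 90 \
    -CA "$dir/vault-ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/vault-cert.pem" 2>/dev/null
  chmod 600 "$dir/vault-key.pem" "$dir/ca-key.pem"
  rm -f "$dir/server.csr" "$dir/san.ext"
}

check_vault_tls() {  # usage: check_vault_tls <dir> <dns_name>; returns 0 if consistent
  local dir=$1 name=$2
  # Chain and name: the cert must validate against the CA file clients are given.
  openssl verify -CAfile "$dir/vault-ca.pem" -verify_hostname "$name" \
    "$dir/vault-cert.pem" >/dev/null 2>&1 || return 1
  # Pair: the public key in the cert must be the one derived from the private key.
  [ "$(openssl x509 -in "$dir/vault-cert.pem" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$dir/vault-key.pem" -pubout | openssl sha256)" ]
}

# Demo in a throwaway directory (constructed hostname).
demo=$(mktemp -d)
make_vault_tls "$demo" vault.example.internal
check_vault_tls "$demo" vault.example.internal && echo "chain, name and key pair OK"
```

Clients then need `vault-ca.pem` to trust the listener, for example through the `VAULT_CACERT` environment variable of the Vault CLI.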