I need to upload the leaf ICA provided by a user using the set-signed command. Then this leaf ICA is used to sign other certificate requests. Vault doesn't know about the root and ICA cert of this leaf ICA. How do I add those details to Vault? Or is it (the CA chain) not required?
A correct CA chain does not matter to Vault itself, but it can matter a lot to clients of Vault obtaining certificates.
Vault serves the configured CA chain to clients in the response when it provides a certificate, and a well-behaved client will store it and use it - this avoids many problems when you later need to make a change to the chain and have clients pick up the change as they get new certificates.
My knowledge of the Vault PKI secrets engine is a bit out of date - I haven't really used it for much since the big changes in Vault 1.11. In older versions, chain CAs could be handled by simply concatenating the additional chain certificates after the CA's own certificate in the set-signed operation. I suggest trying that first, to see if it still works.
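The concatenation approach described in this answer, as an added example that is not part of the thread: it builds the bundle (the signed leaf ICA first, then its issuing ICA, then the root), sanity-checks it, and uploads it with set-signed. The mount name `pki_int` and the file names `leaf-ica.pem`, `ica.pem` and `root.pem` are assumptions.

```shell
#!/usr/bin/env sh
# Added example; assumes a PKI mount named "pki_int" and three PEM files
# (leaf-ica.pem, ica.pem, root.pem) that are NOT part of the original thread.

# Build the bundle set-signed expects: the mount's own CA certificate first,
# followed by the rest of the chain, nearest issuer first, root last.
build_chain() {
  for f in "$@"; do
    # $(cat) strips trailing newlines, printf adds exactly one, so PEM
    # blocks never run together even if a file lacks a final newline.
    printf '%s\n' "$(cat "$f")"
  done
}

# Number of certificates in a PEM bundle: a cheap check that nothing was
# dropped before the bundle is handed to Vault.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify the chain locally with openssl (when available), then upload it
# and show what Vault will serve to clients as the CA chain.
upload_chain() {
  bundle="$1"
  if command -v openssl >/dev/null 2>&1; then
    openssl verify -CAfile root.pem -untrusted ica.pem leaf-ica.pem
  fi
  vault write pki_int/intermediate/set-signed certificate=@"$bundle"
  vault read pki_int/cert/ca_chain
  vault list pki_int/issuers
}

# Usage (requires a running Vault and VAULT_ADDR/VAULT_TOKEN in the env):
#   build_chain leaf-ica.pem ica.pem root.pem > chain.pem
#   [ "$(count_certs chain.pem)" -eq 3 ] && upload_chain chain.pem
```

After the upload, `vault read pki_int/cert/ca_chain` shows the chain clients will receive alongside issued certificates, so a mismatch is visible before any client depends on it.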
Funny, I'm sitting with the exact same question.
I did try and import the CA, ICA + ICA key in a bundle and it seems to work.
I got the full chain (CA+ICA) when creating new certificates, which is what I wanted.
However they both show as issuers, and not sure if this is a problem.
According to the documentation: https://developer.hashicorp.com/vault/api-docs/secret/pki#notice-about-new-multi-issuer-functionality
It is strongly encouraged to limit the scope of CAs within a mount and not to mix different types of CAs (roots and intermediates).
Not sure how important that is when the root certificate is imported without a key. Hence it won't be used to issue certificates through Vault.
But I would like to know what the best practice is.
Vault Version 1.13.0