Hello, I found this - PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer
which describes a few API endpoints that allow importing CA bundles. I couldn’t find CLI alternatives for these API calls there, but then I found some on another forum related to Vault.
Problems I am facing now (possibly bugs in Vault) are:
- When I import a CA bundle, I can see the new issuer at pki/config/issuers, but in the Vault UI there is nothing visible in the Certificates section (when you create your own root CA using Vault itself, through pki/root/generate/internal, you will get a new certificate created in there)
- When you import a CA bundle, none of the crucial information such as common name, issuer name etc. is imported; this is all I can see:

    crl_distribution_points
    issuer_id                        30506d96-1d3b-4ecc-5ec3-69aeaffda1f9
    issuer_name                      n/a
    issuing_certificates
    key_id                           c98b312f-4517-a854-a60e-c5b6270d6294
    leaf_not_after_behavior          err
    manual_chain                     <nil>
    ocsp_servers
    revocation_signature_algorithm   n/a
    revoked                          false
    usage                            crl-signing,issuing-certificates,ocsp-signing,read-only
Note issuer name: “N/A” - this makes it impossible to reference this certificate in subsequent signing requests. Vault always fails on signing requests with:

    1 error occurred:
    could not fetch the CA certificate (was one set?): unable to find PKI issuer for reference
I did import the private key + root CA cert bundle via write calls to both pki/config/ca and pki/issuers/import/bundle, which both succeeded; I can even see it:

    vault read pki/config/issuers
    Key                            Value
    ---                            -----
    default                        30506d96-1d3b-4ecc-5ec3-69aeaffda1f9
    default_follows_latest_issuer  false

But I can’t use it, because there exists no usable reference to it. Is there any working manual on how this can be achieved? I have the private key and certificate for the root CA and I need to import it into Vault so that it can use it to issue intermediate certs.
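The workflow the post is after, written up as an added example (this is not the poster's own script and not HashiCorp's code): import the PEM bundle, read back the issuer id that Vault assigned, attach an `issuer_name` to it via the `pki/issuer/<issuer_ref>` update endpoint, and verify the name resolves. It assumes the `vault` CLI on `PATH`, `VAULT_ADDR`/`VAULT_TOKEN` set, a PKI secrets engine mounted at `pki`, and a Vault version with multi-issuer PKI (1.11 or later, where `pki/issuer/<ref>` accepts `issuer_name`). The bundle path and the name `root-ca` are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): import an existing root CA
# bundle into a Vault PKI mount, give the resulting issuer a name, and
# verify the name resolves, so later sign requests can use issuer_ref=<name>.
# Assumes: vault CLI on PATH, VAULT_ADDR/VAULT_TOKEN exported, mount "pki",
# Vault >= 1.11 (multi-issuer PKI; pki/issuer/<ref> accepts issuer_name).
set -eu

PKI_MOUNT="${PKI_MOUNT:-pki}"

# Import a PEM bundle (root certificate and its private key in one file).
import_ca_bundle() {
  vault write "$PKI_MOUNT/issuers/import/bundle" pem_bundle=@"$1"
}

# The first issuer imported into an empty mount becomes the default; read
# its id back (this is the "default" value shown by pki/config/issuers).
default_issuer_id() {
  vault read -field=default "$PKI_MOUNT/config/issuers"
}

# Attach a human-readable name to an issuer id. Until this is done the
# issuer shows issuer_name n/a and can only be referenced by its UUID.
name_issuer() {
  vault write "$PKI_MOUNT/issuer/$1" issuer_name="$2"
}

# Confirm the name resolves: pki/issuer/<name> must report the same issuer_id.
verify_issuer_name() {
  id_by_name=$(vault read -field=issuer_id "$PKI_MOUNT/issuer/$1")
  [ "$id_by_name" = "$2" ]
}

# Full workflow: bundle file -> named issuer that can be referenced by name.
# Usage: RUN_IMPORT=1 sh import_root.sh /path/to/root-bundle.pem root-ca
import_and_name() {
  bundle="$1"; name="$2"
  import_ca_bundle "$bundle" >/dev/null
  id=$(default_issuer_id)
  name_issuer "$id" "$name" >/dev/null
  verify_issuer_name "$name" "$id"
  echo "issuer $name -> $id"
}

if [ "${RUN_IMPORT:-0}" = "1" ]; then
  import_and_name "$1" "$2"
fi
```

Once the issuer carries a name, subsequent requests can pin it explicitly, e.g. `vault write pki/root/sign-intermediate issuer_ref=root-ca csr=@intermediate.csr ...` (the `issuer_ref` parameter is part of the same multi-issuer PKI API), which avoids the "unable to find PKI issuer for reference" failure when the default issuer is not the one intended.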