How to import existing CA and use it as a CA?

Hello, I found this - PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer

which describes a few API endpoints that allow importing CA bundles. I couldn't find CLI alternatives for these API calls there, but then I found some on another forum related to Vault.

The problems I am facing now (possibly bugs in Vault) are:

  • When I import a CA bundle, I can see the new issuer at pki/config/issuers, but in the Vault UI there is nothing visible in the Certificates section (when you create your own root CA using Vault itself, through pki/root/generate/internal, you get a new certificate created there)
  • When you import a CA bundle, none of the crucial information such as common name, issuer name etc. is imported; this is all I can see:
crl_distribution_points           []
issuer_id                         30506d96-1d3b-4ecc-5ec3-69aeaffda1f9
issuer_name                       n/a
issuing_certificates              []
key_id                            c98b312f-4517-a854-a60e-c5b6270d6294
leaf_not_after_behavior           err
manual_chain                      <nil>
ocsp_servers                      []
revocation_signature_algorithm    n/a
revoked                           false
usage                             crl-signing,issuing-certificates,ocsp-signing,read-only

Note the issuer name: "N/A". This makes it impossible to reference this certificate in subsequent signing requests. Vault always fails on signing requests with:

  • 1 error occurred:
    • could not fetch the CA certificate (was one set?): unable to find PKI issuer for reference

I did import the private key + root CA cert bundle via write calls to both pki/config/ca and pki/issuers/import/bundle, which both succeeded. I can even see it:

vault read pki/config/issuers
Key                              Value
---                              -----
default                          30506d96-1d3b-4ecc-5ec3-69aeaffda1f9
default_follows_latest_issuer    false

But I can't use it, because there exists no usable reference to it. Is there any working manual on how this can be achieved? I have the private key and certificate for the root CA and I need to import it into Vault so that it can use it to issue intermediate certs.

OK, I figured this out: you can just use the issuer ID as the reference instead of the name.
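The flow worked out in the thread above, written out end to end as an added example (not code from the original post or from the Vault project). It imports the bundle through pki/issuers/import/bundle, takes the issuer ID from the response, gives that issuer a name by writing issuer_name to pki/issuer/<issuer_id> (the CLI equivalent is `vault write pki/issuer/<issuer_id> issuer_name=corp-root`, after `vault write pki/issuers/import/bundle pem_bundle=@bundle.pem`), makes it the default issuer, and signs an intermediate CSR via pki/issuer/<issuer_ref>/sign-intermediate, where issuer_ref may be either the UUID or the assigned name. The endpoint paths and parameter names are the documented PKI HTTP API; everything else (the helper names, the environment variables, the file names root.pem / root.key / intermediate.csr, the sample response shapes, and the issuer-name regex, which only approximates Vault's own validation) is this example's assumption. It targets Vault 1.11 or later, which introduced multi-issuer PKI.

```python
"""Import an existing root CA into Vault's PKI engine, name the issuer, and
sign an intermediate CSR with it.

Added example, not from the original post or the Vault project. Assumes:
  * Vault 1.11+ (multi-issuer PKI) with a PKI engine mounted at "pki";
  * VAULT_ADDR and VAULT_TOKEN set in the environment;
  * root.pem / root.key hold the root CA certificate and its private key.
Endpoint paths and parameter names follow the PKI HTTP API docs; helper
names and the sample responses are this example's own.
"""
import json
import os
import re
import urllib.request

MOUNT = "pki"
# Issuer names must not be "default" and must not look like an issuer UUID,
# otherwise they would be ambiguous as an issuer_ref. The character class is
# an approximation of Vault's own name validation (assumption).
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_NAME = re.compile(r"^\w([\w.-]*\w)?$")


def build_bundle(cert_pem: str, key_pem: str) -> str:
    """pki/issuers/import/bundle takes one PEM blob holding cert(s) and key(s)."""
    return cert_pem.strip() + "\n" + key_pem.strip() + "\n"


def validate_issuer_name(name: str) -> bool:
    return name != "default" and not _UUID.match(name) and bool(_NAME.match(name))


def issuer_ids_from_import(resp: dict) -> list:
    """Issuer IDs created by an import. Re-importing an already known cert
    yields an empty imported_issuers; newer Vault versions then list the
    issuer under existing_issuers instead (assumed shape, handled defensively)."""
    data = resp.get("data") or {}
    return list(data.get("imported_issuers") or data.get("existing_issuers") or [])


# Request builders return (path under /v1/, JSON body). They are separate from
# the transport so the payloads can be inspected without a running Vault.
def import_request(bundle: str):
    return f"{MOUNT}/issuers/import/bundle", {"pem_bundle": bundle}


def name_issuer_request(issuer_id: str, name: str):
    if not validate_issuer_name(name):
        raise ValueError(f"invalid issuer name: {name!r}")
    return f"{MOUNT}/issuer/{issuer_id}", {"issuer_name": name}


def set_default_request(issuer_ref: str):
    # The same "default" key the poster saw in `vault read pki/config/issuers`.
    return f"{MOUNT}/config/issuers", {"default": issuer_ref}


def sign_intermediate_request(issuer_ref: str, csr_pem: str, common_name: str, ttl: str = "8760h"):
    # issuer_ref is the issuer UUID or, once one is assigned, its issuer_name.
    return f"{MOUNT}/issuer/{issuer_ref}/sign-intermediate", {
        "csr": csr_pem, "common_name": common_name, "ttl": ttl}


def vault_write(path: str, body: dict) -> dict:
    """POST to Vault's HTTP API using the token from the environment."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        raw = r.read()
    return json.loads(raw) if raw else {}  # 204 responses carry no body


def import_name_and_sign(cert_pem, key_pem, name, csr_pem, intermediate_cn):
    """Import -> name the issuer -> make it default -> sign an intermediate CSR."""
    resp = vault_write(*import_request(build_bundle(cert_pem, key_pem)))
    ids = issuer_ids_from_import(resp)
    if len(ids) != 1:
        raise RuntimeError(f"expected exactly one issuer from the bundle, got {ids}")
    issuer_id = ids[0]
    vault_write(*name_issuer_request(issuer_id, name))  # now both the UUID and name resolve
    vault_write(*set_default_request(name))             # pki/root/... paths use this issuer
    signed = vault_write(*sign_intermediate_request(name, csr_pem, intermediate_cn))
    return issuer_id, signed["data"]["certificate"]


if __name__ == "__main__":
    with open("root.pem") as c, open("root.key") as k, open("intermediate.csr") as s:
        issuer_id, cert = import_name_and_sign(
            c.read(), k.read(), "corp-root", s.read(), "Corp Intermediate CA")
        print(issuer_id)
        print(cert)
```

Naming the issuer is what turns the "issuer_name n/a" state from the post into something you can reference in role definitions and signing paths without copying a UUID around; the UUID keeps working as a reference either way, which is what the self-answer above relies on.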