Hello, I found this - PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer
which describes a few API endpoints that allow importing CA bundles. I couldn't find CLI alternatives for these API calls there, but then I found some on another forum related to Vault.
Problems I am facing now (possibly bugs in Vault) are:
- When I import a CA bundle, I can see the new issuer at pki/config/issuers, but in the Vault UI there is nothing visible in the Certificates section (when you create your own root CA using Vault itself, through pki/root/generate/internal, you will get a new certificate created in there).
- When you import a CA bundle, none of the crucial information such as common name, issuer name etc. is imported; this is all I can see:
crl_distribution_points []
issuer_id 30506d96-1d3b-4ecc-5ec3-69aeaffda1f9
issuer_name n/a
issuing_certificates []
key_id c98b312f-4517-a854-a60e-c5b6270d6294
leaf_not_after_behavior err
manual_chain <nil>
ocsp_servers []
revocation_signature_algorithm n/a
revoked false
usage crl-signing,issuing-certificates,ocsp-signing,read-only
Note issuer name: "N/A" - this makes it impossible to reference this certificate in subsequent signing requests. Vault always fails on signing requests with:
- 1 error occurred:
- could not fetch the CA certificate (was one set?): unable to find PKI issuer for reference
I did import the private key + root CA cert bundle via write calls to both pki/config/ca and pki/issuers/import/bundle, which both succeeded. I can even see it:
vault read pki/config/issuers
Key Value
--- -----
default 30506d96-1d3b-4ecc-5ec3-69aeaffda1f9
default_follows_latest_issuer false
But I can't use it, because there exists no usable reference to it. Is there any working manual on how this can be achieved? I have the private key and certificate for the root CA and I need to import it into Vault so that it can use it to issue intermediate certs.
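The sequence the post is missing, as an added example that is not part of the original post or of HashiCorp's own tooling: import the bundle, give the resulting issuer an `issuer_name` (a freshly imported issuer has none, which is why `pki/issuer/<name>/...` paths fail to resolve), make it the default, then read it back and confirm it carries a `key_id` and the `issuing-certificates` usage before trusting it to sign. The script drives the real `vault` CLI through `vault_cli` and assumes `VAULT_ADDR`/`VAULT_TOKEN` are set, the engine is mounted at `pki`, and `root-ca.pem` holds the certificate followed by its private key; `root-ca.pem`, `root-2024` and `FakeVault` are placeholders and a constructed offline stand-in, not Vault behaviour verified against a server.

```python
"""Import an external root CA into Vault PKI and leave it referenceable by name.
Added example, not from the original post. Assumes: vault CLI on PATH with
VAULT_ADDR / VAULT_TOKEN set, PKI engine mounted at "pki", and a PEM file with
the root certificate followed by its private key (file and names are placeholders)."""
import json
import subprocess
from typing import Callable, Dict, List

# A runner takes the arguments after "vault" and returns the parsed "data" section
# of the JSON response; the same logic then drives the real CLI or the offline fake.
Runner = Callable[[List[str]], Dict]


def vault_cli(args: List[str]) -> Dict:
    """Run a real vault command (flags before the path) and return its 'data'."""
    cmd = ["vault", args[0], "-format=json", *args[1:]]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out).get("data", {})


def import_bundle(pem_path: str, mount: str = "pki", run: Runner = vault_cli) -> str:
    """POST <mount>/issuers/import/bundle; return the id of the issuer it created."""
    data = run(["write", f"{mount}/issuers/import/bundle", f"pem_bundle=@{pem_path}"])
    issuers = data.get("imported_issuers") or []
    if not issuers:
        raise RuntimeError("bundle imported no issuer: does the file hold a certificate?")
    return issuers[0]


def name_issuer(issuer_id: str, name: str, mount: str = "pki", run: Runner = vault_cli) -> None:
    """Imported issuers have an empty issuer_name; set one so it can be referenced.
    'vault write' on this path resets unspecified issuer fields to their defaults,
    which are exactly the values a freshly imported issuer already has."""
    run(["write", f"{mount}/issuer/{issuer_id}", f"issuer_name={name}"])


def set_default_issuer(ref: str, mount: str = "pki", run: Runner = vault_cli) -> None:
    """Make the named issuer the one used when a request gives no issuer_ref."""
    run(["write", f"{mount}/config/issuers", f"default={ref}"])


def check_issuer(ref: str, mount: str = "pki", run: Runner = vault_cli) -> Dict:
    """Read the issuer back and report anything that would break a signing request."""
    data = run(["read", f"{mount}/issuer/{ref}"])
    problems = []
    if not data.get("issuer_name"):
        problems.append("issuer_name is empty; issuer can only be referenced by id")
    if not data.get("key_id"):
        problems.append("no key_id: private key was not imported, issuer cannot sign")
    if "issuing-certificates" not in (data.get("usage") or "").split(","):
        problems.append("usage lacks issuing-certificates")
    return {"issuer_id": data.get("issuer_id"), "issuer_name": data.get("issuer_name"),
            "key_id": data.get("key_id"), "problems": problems}


def import_root_ca(pem_path: str, name: str, mount: str = "pki", run: Runner = vault_cli) -> Dict:
    """Full procedure: import, name, set default, verify. Raises if unusable."""
    issuer_id = import_bundle(pem_path, mount, run)
    name_issuer(issuer_id, name, mount, run)
    set_default_issuer(name, mount, run)
    report = check_issuer(name, mount, run)
    if report["problems"]:
        raise RuntimeError("; ".join(report["problems"]))
    return report


class FakeVault:
    """Constructed offline stand-in mimicking the shape of the responses in the
    post: a fresh import yields an issuer whose issuer_name is empty."""

    def __init__(self, has_key: bool = True):
        self.issuers, self.default, self.has_key, self.calls = {}, None, has_key, []

    def __call__(self, args: List[str]) -> Dict:
        self.calls.append(list(args))
        verb, path, *kv = args
        params = dict(p.split("=", 1) for p in kv)
        rest = path.partition("/")[2]
        if verb == "write" and rest == "issuers/import/bundle":
            iid = f"issuer-{len(self.issuers) + 1}"
            self.issuers[iid] = {"issuer_id": iid, "issuer_name": "",
                                 "key_id": "key-1" if self.has_key else "",
                                 "usage": "crl-signing,issuing-certificates,ocsp-signing,read-only"}
            return {"imported_issuers": [iid], "imported_keys": ["key-1"] if self.has_key else []}
        if verb == "write" and rest == "config/issuers":
            self.default = params["default"]
            return {}
        if rest.startswith("issuer/"):
            ref = rest.split("/", 1)[1]
            rec = next((r for r in self.issuers.values()
                        if ref in (r["issuer_id"], r["issuer_name"])), None)
            if rec is None:
                raise KeyError(f"unable to find PKI issuer for reference {ref}")
            if verb == "write":
                rec["issuer_name"] = params.get("issuer_name", "")
            return dict(rec)
        raise KeyError(path)


if __name__ == "__main__":
    print(import_root_ca("root-ca.pem", "root-2024", run=FakeVault()))  # offline demo
    # Against a live server: import_root_ca("root-ca.pem", "root-2024")
```

Once `import_root_ca` returns without problems, `vault write pki/issuer/root-2024/sign-intermediate csr=@intermediate.csr common_name=...` resolves the issuer by the name just set; the `key_id` check matters because a bundle containing only the certificate imports cleanly but can never sign.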