How to move Vault into its own intermediate?

Hi all!

I tried to find out if this question has been asked before, but neither on Discuss nor on the web could I find anything useful about it.

My question is a “chicken and egg” type of question about Vault PKI!

We manually created a root CA outside Vault before getting Vault. Then, still outside Vault, we created an intermediate PKI dedicated to Vault to set up the TLS communication between the Consul cluster (3 nodes, v1.6.1) and Vault (2 nodes, 1.2.1) during the setup. It worked great.
Since then, we have imported the root CA into Vault and created some new intermediates linked to it, and everything has been working great too for a while now.

But as the certificates generated by the Vault-dedicated intermediate are going to expire in the next few weeks, we want to move the certificate management to Vault itself.

We see 2 options:

  1. Import the current Vault-dedicated intermediate into Vault. It seems to be the most logical option, but as this intermediate was created with the root CA before the Vault setup, it is missing some information, like the issuer certificate and the CRL URLs linked to the root CA (something automatically added when you create an intermediate inside Vault).

  2. Create a new intermediate inside Vault, signed by the root CA. Then the idea could be to deactivate SSL verification during the migration, create new nodes and run some tests. And if it’s OK, re-enable SSL verification. I don’t know if it can work, or if it’s a good idea either.

  3. Yes, I said 2, but the third one is yours!
    Are there any good practices for doing that? Should we do that? Or should we continue to manage the SSL certificates of Vault’s nodes outside Vault?

I was at a HashiCorp User Group Montreal once and asked about that a long time ago, and I think the answer was the second one.

What is the appropriate procedure when the Vault intermediate CA is about to expire?

Thanks a lot!
See you at the next HUG :wink:

Hi Mouglou,

It seems problematic to me to use a Vault cluster’s PKI to manage the certificates that secure that very same Vault cluster. What if there’s a problem that results in the certificates securing Vault becoming expired? How would you talk to Vault to remedy the situation? Beyond that, ideally your deployment process should be automated and repeatable, and it’s harder to write reliable automation that first sets up Vault without TLS (or with outside TLS), then configures Vault PKI, then restarts the Vault cluster with PKI-sourced certificates.

So I’m leaning towards #3: continue to manage Vault’s TLS certificates outside Vault. And if you’re using Consul as your storage backend, the same applies to Consul.


Hi @ncabatoff!

Thanks for your feedback!

Yes, we know that it could be difficult for troubleshooting and other maintenance actions on Vault.

We think that keeping the SSL certificates of each Vault node outside Vault is the right option, but we would like users’ feedback about that.

Any other users’ experiences with managing Vault node certificates?

Hi @mouglou,

I hope you are still reading this, since I just came up with a similar idea. :joy:

  1. Set up a three-node Vault cluster with internal storage (thus circumventing the Consul setup).
  2. Generate some short-lived “bootstrap” certificates for each node using Ansible.
  3. Create a Vault intermediate CA, importing the root certificate.
  4. Use consul-template to request a new certificate for each node, write them to disk and restart/SIGHUP Vault.

I’m still not sure if this is “clever” or incredibly stupid. In the worst case, I could still use Ansible to replace all certificates of the Vault nodes.
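Two things in this thread are easier to reason about with a small model of the PKI in code: the first post's observation that a hand-made intermediate lacks the issuer (AIA) and CRL URLs that Vault adds, and the bootstrap-then-replace sequence in the four steps above, where a node certificate from the new intermediate must still validate against the same offline root. The Go program below is an added example, not code from the thread, from Vault or from consul-template. It mints an offline root, signs an intermediate from it with and without the URL extensions (modelling what `vault write pki/config/urls` publishes), issues a short-lived node certificate the way a consul-template request against a PKI role would, verifies the chain the way a Consul or Vault peer does at handshake time, and decides when a certificate is due for renewal. The hostnames, URLs and lifetimes are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-ins for what `vault write pki/config/urls` publishes; the hostname is an assumption.
const (
	issuingURL = "https://vault.example.internal/v1/pki/ca"
	crlURL     = "https://vault.example.internal/v1/pki/crl"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// serial returns a random 127-bit serial; a CA must never reuse one.
func serial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	return s
}

// SignCA issues a CA certificate for cn. A nil parent makes it self-signed (the offline root);
// otherwise parent/parentKey sign it. withURLs=false reproduces the hand-made intermediate from
// the question, with no issuer/CRL pointers; true is what Vault adds once pki/config/urls is set.
func SignCA(cn string, years int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, withURLs bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour), // tolerate clock skew between nodes
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if withURLs {
		tmpl.IssuingCertificateURL = []string{issuingURL}
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueNodeCert is what a consul-template request against a PKI role yields for one Vault node.
// The node key is generated and dropped here because only the chain is inspected.
func IssueNodeCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, ttl time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		DNSNames:     []string{dnsName}, // SAN, which Go and modern TLS stacks match on
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &newKey().PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain validates leaf -> intermediate -> root for dnsName, as a peer does at handshake time.
func VerifyChain(leaf, inter, root *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

// NeedsRotation is the renewal trigger: renew once less than window remains before expiry.
func NeedsRotation(c *x509.Certificate, now time.Time, window time.Duration) bool {
	return c.NotAfter.Sub(now) < window
}

func main() {
	root, rootKey, err := SignCA("Example Offline Root", 10, nil, nil, false)
	must(err)
	inter, interKey, err := SignCA("Vault Intermediate CA", 2, root, rootKey, true)
	must(err)
	leaf, err := IssueNodeCert(inter, interKey, "vault-1.example.internal", 30*24*time.Hour)
	must(err)
	fmt.Println("AIA:", inter.IssuingCertificateURL, "CRL:", inter.CRLDistributionPoints)
	fmt.Println("chain verifies:", VerifyChain(leaf, inter, root, "vault-1.example.internal") == nil)
}
```

The `withURLs` switch is the whole difference between option 1 and option 2 in the first post: both intermediates chain to the same root and both verify, but only the Vault-issued one tells relying parties where to fetch the issuer and the CRL. The `NeedsRotation` check is the part consul-template automates; the node itself still has to reload or be SIGHUPed after the new files land, which is the step that needs the out-of-band fallback the poster keeps in Ansible.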