Hi all!
I tried to find out if the question had been asked before, but even on Discuss or the web I couldn't find anything useful about it.
My question is a kind of “chicken and the egg” about Vault PKI!
We manually created a root CA outside before getting Vault. Then, still outside Vault, we created an intermediate CA dedicated to Vault to set up TLS communication between the Consul cluster (3 nodes, v1.6.1) and Vault (2 nodes, 1.2.1) during the setup. It worked great.
Since then, we have imported the root CA into Vault and created some new intermediates linked to it, and everything has been working great too for a while now.
But as the certificates generated by the Vault-dedicated intermediate are going to expire in the next few weeks, we want to move the certificate management to Vault itself.
We see 2 options:
- Import the current Vault-dedicated intermediate into Vault. It seems to be the most logical option, but as this intermediate was created with the root CA before the Vault setup, it is missing some information, like the issuer certificate and CRL URLs linked to the root CA (something automatically added when you create an intermediate inside Vault).
- Create a new intermediate inside Vault, signed by the root CA. Then the idea could be to deactivate SSL verification during the migration, create new nodes and do some tests, and if it's OK, re-enable SSL verification. I don't know if it can work, or if it's a good idea either.
- Yes, I said 2, but the third one is yours!
Are there any good practices to do that? Should we do that? Or should we continue to manage the SSL certificates of Vault's nodes outside Vault?
I was at a HashiCorp User Group in Montreal once and asked about that a long time ago, and I think the answer was the second one.
What is the appropriate procedure when the Vault intermediate CA is about to expire?
Thanks a lot!
See you at the next HUG
Mouglou
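As an added example that is not part of the original post or of HashiCorp's own material, the script below walks through the second option with the Vault CLI: generate a new intermediate inside Vault, sign it with the root that is already imported into Vault, install the signed chain, issue a first node certificate, and then check that the result actually carries the issuer-certificate (AIA) and CRL extensions the hand-made intermediate lacks. Everything about the environment is assumed rather than taken from the post: the imported root at mount `pki`, the new intermediate at mount `pki_int`, the `example.internal` domain, the `vault.example.internal:8200` address, the TTL values, and a working `vault` CLI with `VAULT_ADDR` and `VAULT_TOKEN` exported. The sample `openssl x509 -text` excerpt at the bottom is constructed so the check can be exercised without any certificate at hand.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): a new intermediate generated inside
# Vault, signed by the root already imported into Vault, then checked for the
# AIA and CRL URLs. Mount names, host, domain and TTLs are assumptions.
set -eu

ROOT_MOUNT="${ROOT_MOUNT:-pki}"          # assumed mount of the imported root CA
INT_MOUNT="${INT_MOUNT:-pki_int}"        # assumed mount for the new intermediate
VAULT_URL="${VAULT_URL:-https://vault.example.internal:8200}"  # assumed address
INT_TTL="${INT_TTL:-43800h}"             # 5 years; must fit inside the root's remaining lifetime

# Step 1: make the root mount stamp issuer and CRL URLs into whatever it signs.
# This is precisely what an intermediate signed outside Vault never received.
configure_root_urls() {
  vault write "$ROOT_MOUNT/config/urls" \
    issuing_certificates="$VAULT_URL/v1/$ROOT_MOUNT/ca" \
    crl_distribution_points="$VAULT_URL/v1/$ROOT_MOUNT/crl"
}

# Step 2: generate the intermediate key inside Vault ("internal" means the
# private key never leaves Vault) and capture only the CSR.
generate_intermediate_csr() {
  vault secrets enable -path="$INT_MOUNT" pki 2>/dev/null || true   # idempotent on re-run
  vault secrets tune -max-lease-ttl="$INT_TTL" "$INT_MOUNT"
  vault write -field=csr "$INT_MOUNT/intermediate/generate/internal" \
    common_name="Vault Intermediate CA" ttl="$INT_TTL" > intermediate.csr
}

# Step 3: sign the CSR with the imported root and hand the signed bundle back to
# the intermediate mount; then give the intermediate its own AIA/CRL URLs for
# the leaf certificates it will issue.
sign_and_install_intermediate() {
  vault write -field=certificate "$ROOT_MOUNT/root/sign-intermediate" \
    csr=@intermediate.csr format=pem_bundle ttl="$INT_TTL" > intermediate.cert.pem
  vault write "$INT_MOUNT/intermediate/set-signed" certificate=@intermediate.cert.pem
  vault write "$INT_MOUNT/config/urls" \
    issuing_certificates="$VAULT_URL/v1/$INT_MOUNT/ca" \
    crl_distribution_points="$VAULT_URL/v1/$INT_MOUNT/crl"
}

# Step 4: a role for the cluster nodes and one short-lived certificate to test with.
issue_node_cert() {
  node="$1"
  vault write "$INT_MOUNT/roles/cluster-node" \
    allowed_domains="example.internal" allow_subdomains=true \
    server_flag=true client_flag=true max_ttl=720h
  vault write -format=json "$INT_MOUNT/issue/cluster-node" \
    common_name="$node.example.internal" ttl=720h > "$node.json"
}

# Offline check: reads `openssl x509 -noout -text` output on stdin and succeeds
# only when BOTH the AIA (issuer certificate) and CRL distribution point
# extensions are present.
cert_has_vault_urls() {
  text=$(cat)
  printf '%s\n' "$text" | grep -q 'Authority Information Access' &&
    printf '%s\n' "$text" | grep -q 'CRL Distribution Points'
}

verify_installed_intermediate() {
  if openssl x509 -in intermediate.cert.pem -noout -text | cert_has_vault_urls; then
    echo "intermediate carries AIA and CRL URLs"
  else
    echo "intermediate is missing AIA or CRL URLs; check $ROOT_MOUNT/config/urls" >&2
    return 1
  fi
}

# Constructed sample (not real certificate output) so the check runs offline.
SAMPLE_WITH_URLS='        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:https://vault.example.internal:8200/v1/pki/ca
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://vault.example.internal:8200/v1/pki/crl'

# The migration runs only when asked for explicitly; with no argument the
# script just exercises the offline check against the constructed sample.
if [ "${1:-}" = "migrate" ]; then
  configure_root_urls
  generate_intermediate_csr
  sign_and_install_intermediate
  verify_installed_intermediate
  issue_node_cert consul-1
else
  printf '%s\n' "$SAMPLE_WITH_URLS" | cert_has_vault_urls && echo "sample: AIA and CRL URLs present"
fi
```

Run it as `sh migrate-intermediate.sh migrate` against a test Vault first. The URL configuration is done before signing on purpose: `config/urls` on the root mount is what puts the AIA and CRL pointers into the intermediate, and the same setting on the intermediate mount does it for the node certificates, so `cert_has_vault_urls` can be pointed at any issued certificate to confirm the chain now carries the fields the old intermediate was missing.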