How to move Vault into his own intermediate?

fhemberger · March 11, 2021, 8:49am

I hope you are still reading this, since I just came up with a similar idea.

Setup a three-node Vault cluster with internal storage (thus circumventing the Consul setup).
Generate some short-lived “bootstrap” certificates for each node using Ansible.
Create Vault intermediate CA, importing the root certificate.
Use consul-template to request a new certificate for each node, write them to disk and restart/SIGHUP vault.

I’m still not sure if this is “clever” or incredibly stupid. In the worst case, I still could use Ansible to replace all certificates of the Vault nodes.

Topic		Replies	Views
Vault PKI Intermediate Cert import Vault	5	4109	February 16, 2020
Vault PKI Intermediate rotation Vault vault , consul-vault	4	932	May 2, 2023
Vault CA with offline root as Consul Connect CA? Vault	1	688	March 11, 2020
Storing root and intermediate in vault? Vault	1	656	November 17, 2020
Generating Certificates for Consul using 3rd party intermediate certificate Vault consul-vault	2	1023	October 13, 2020

How to move Vault into his own intermediate?

Related topics