Here is my situation:
- I generated a root CA managed externally from Vault with a PIV device
- I generate an intermediate CA using the Vault API and obtain a CSR for the intermediate
- I sign the intermediate with the root via the PIV (validate everything using openssl)
Now here is the issue… I can hit the set-signed endpoint in my pki with `certificate=@my_signed_intermediate.pem` and that works, but now there is no full CA chain I can fetch from Vault that includes my external root CA.
" Yes – if you want the full CA chain output, you should upload the root cert along with the signed intermediate CA cert when you use
This implies uploading a completely generated external CA chain, where the intermediate is NOT generated from Vault.
When I try to perform the signing ceremony and do set-signed with the argument `certificate=@full_ca_chain` I am met with this error:
```
Error writing data to pki/intermediate/set-signed: Error making API request.

URL: PUT https://vault.service.consul:8200/v1/pki/intermediate/set-signed
Code: 400. Errors:

- verification of parsed bundle failed: certificate 1 of certificate chain ca trust path is incorrect (“Vault Intermediate CA”/“Ext ROOT CA”)
```
My question: is there a way to tell vault what the full CA chain is for the internally generated CA?
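As an added example (not part of the original post, and not Vault's own tooling), the script below rehearses the ceremony described above with a throwaway root standing in for the PIV-held "Ext ROOT CA": it generates the intermediate CSR, signs it with the root, validates the result with `openssl verify`, and then builds the PEM bundle for `pki/intermediate/set-signed` with the signed intermediate first and the root last. Before anything is uploaded, `check_bundle_order` walks the bundle and confirms that each certificate is issued by the one that follows it, which is the property that a "ca trust path is incorrect" style verification failure is complaining about when certificates are concatenated in the wrong order. The CA names, key sizes, file names and the working directory are assumptions; the `vault write` line is shown in a comment only, since the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Vault. Requires only openssl.
# Names ("Ext ROOT CA", "Vault Intermediate CA"), key sizes and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway root CA standing in for the externally held (PIV) root.
make_root() {
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/root.key" -subj "/CN=Ext ROOT CA" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# Intermediate CSR, standing in for the CSR Vault hands back from the PKI API.
make_intermediate_csr() {
  openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/int.key" -subj "/CN=Vault Intermediate CA" -out "$WORK/int.csr" 2>/dev/null
}

# The signing ceremony: sign the CSR with the root (in reality the root key is on the PIV).
sign_intermediate() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
}

# "validate everything using openssl": the signed intermediate must chain to the root.
verify_with_openssl() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/int.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Bundle for set-signed: the issued (intermediate) certificate first, the root last.
# Upload afterwards with (from the original post):
#   vault write pki/intermediate/set-signed certificate=@"$WORK/full_ca_chain.pem"
build_bundle() {
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/full_ca_chain.pem"
  echo "$WORK/full_ca_chain.pem"
}

# Pre-upload check: certificate i must be issued by certificate i+1 all the way down,
# and the last certificate must be self-issued. Prints "ok" or a description of the break.
check_bundle_order() {
  bundle="$1"
  split="$WORK/split"
  rm -rf "$split"; mkdir -p "$split"
  # Split the PEM bundle into cert1.pem, cert2.pem, ... in file order.
  awk -v d="$split" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$split/cert$i.pem" -noout -issuer -nameopt RFC2253)
    next_subject=$(openssl x509 -in "$split/cert$((i+1)).pem" -noout -subject -nameopt RFC2253)
    if [ "${issuer#issuer=}" != "${next_subject#subject=}" ]; then
      echo "certificate $i is not issued by certificate $((i+1)): ${issuer#issuer=} / ${next_subject#subject=}"
      return 0
    fi
    i=$((i+1))
  done
  last_issuer=$(openssl x509 -in "$split/cert$n.pem" -noout -issuer -nameopt RFC2253)
  last_subject=$(openssl x509 -in "$split/cert$n.pem" -noout -subject -nameopt RFC2253)
  if [ "${last_issuer#issuer=}" != "${last_subject#subject=}" ]; then
    echo "last certificate is not a self-issued root: ${last_subject#subject=}"
    return 0
  fi
  echo ok
}

# Stand-alone run: rehearse the ceremony and check the bundle before it goes near Vault.
if [ "${1:-}" = "run" ]; then
  make_root; make_intermediate_csr; sign_intermediate
  echo "openssl verify: $(verify_with_openssl)"
  bundle=$(build_bundle)
  echo "bundle order:   $(check_bundle_order "$bundle")"
fi
```

Run it with `bash script.sh run`; the same `check_bundle_order` can be pointed at a real `full_ca_chain.pem` produced by the PIV ceremony. The check is deliberately string based (issuer DN against the next subject DN) so that it reports which position in the file is wrong, which is the one piece of information the Vault error above gives only by subject name.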