How to use set_signed correctly with terraform

I’m new to Vault and all the lingo around PKI certificates. I wanted to check in here to see if I’m doing anything that could be better, or if there’s anything in this workflow that is wrong or even dangerous…

I’m trying to determine if I should be providing the certificate (vault_pki_secret_backend_root_cert.root.certificate) or the issuing_ca (vault_pki_secret_backend_root_cert.root.issuing_ca) here in a self-signed Terraform / Vault workflow:

resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" {
  backend = vault_mount.pki_int.path

  certificate = "${vault_pki_secret_backend_root_sign_intermediate.root.certificate}\n${vault_pki_secret_backend_root_cert.root.certificate}"
}

This was based on an example at Creating a Certificate Authority With Hashicorp Vault and Terraform | by Steve Dillon | Medium

This is the full example of how I am generating my self-signed root and intermediate certs via Terraform. I’m not exactly clear what set_signed is doing and why it must be done for an intermediate to generate certificates.

resource "vault_mount" "pki" {
  path        = "pki"
  type        = "pki"
  description = "PKI for the ROOT CA"
  default_lease_ttl_seconds = 315360000 # 10 years
  max_lease_ttl_seconds = 315360000 # 10 years
}

resource "vault_pki_secret_backend_root_cert" "root" {
  depends_on = [ vault_mount.pki ]

  backend = vault_mount.pki.path

  type = "internal"
  common_name = "Root CA"
  ttl = "315360000"
  format = "pem"
  private_key_format = "der"
  key_type = "rsa"
  key_bits = 4096
}

resource "vault_mount" "pki_int" {
  path        = "pki_int"
  type        = "pki"
  description = "PKI for the INTERMEDIATE CA"
  default_lease_ttl_seconds = 315360000 # 10 years
  max_lease_ttl_seconds = 315360000 # 10 years
}

resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" {
  depends_on = [ vault_mount.pki, vault_mount.pki_int ]

  backend = vault_mount.pki_int.path

  type = "internal"
  common_name = "pki-ca-int"
  format = "pem"
  private_key_format = "der"
  key_type = "rsa"
  key_bits = 4096
}

resource "vault_pki_secret_backend_root_sign_intermediate" "root" {
  depends_on = [ vault_pki_secret_backend_intermediate_cert_request.intermediate ]

  backend = vault_mount.pki.path

  csr = vault_pki_secret_backend_intermediate_cert_request.intermediate.csr
  common_name = "pki-ca-int"
  exclude_cn_from_sans = true
  organization = "firehawkvfx.com"
  ttl = 252288000 # 8 years
}

resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" {
  backend = vault_mount.pki_int.path

  certificate = "${vault_pki_secret_backend_root_sign_intermediate.root.certificate}\n${vault_pki_secret_backend_root_cert.root.certificate}"
}

resource "vault_pki_secret_backend_role" "firehawkvfx-dot-com" {
  backend = vault_mount.pki_int.path
  name    = "firehawkvfx-dot-com"
  generate_lease = true
  allow_any_name = true
  ttl = 157680000 # 5 years
  max_ttl = 157680000 # 5 years
}
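The chain ordering the question is about, as an added Go example that is not code from this thread or from the Vault provider: it builds a constructed root and a root-signed intermediate with the standard library, joins their PEMs the way the `certificate` argument above does, and checks what set_signed needs, namely the signed intermediate first and the root that issued it second. For a self-signed root, `certificate` and `issuing_ca` on root_cert carry the same PEM, so the checker only cares that whichever one you pass comes after the intermediate; the names `makeCA`, `toPEM` and `CheckChain` are this example's own.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCA builds a constructed CA cert and key (sample data, not Vault output): a nil parent gives a self-signed root, as root_cert does; otherwise parent signs it, as root_sign_intermediate does.
func makeCA(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048 keeps the sample fast; the thread uses 4096
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// toPEM stands in for the provider's PEM attributes that the question joins with "\n".
func toPEM(c *x509.Certificate) string { return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})) }
// CheckChain enforces the order set_signed expects: block 0 is the signed intermediate, block 1 the root that issued it.
func CheckChain(bundle string) error {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode([]byte(bundle)); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) < 2 || !certs[0].IsCA {
		return fmt.Errorf("bundle needs a CA cert for the intermediate followed by its issuing root")
	}
	return certs[0].CheckSignatureFrom(certs[1]) // fails if reversed or if the root did not sign it
}

func main() {
	root, rootKey := makeCA("Root CA", nil, nil)
	inter, _ := makeCA("pki-ca-int", root, rootKey)
	fmt.Println(CheckChain(toPEM(inter)+"\n"+toPEM(root)), CheckChain(toPEM(root)+"\n"+toPEM(inter)))
}
```

Running it prints a nil error for the intermediate-then-root bundle and a signature error for the reversed one, which is the mistake the `\n` join makes easy to get wrong.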

@queglay,
Have the same question, did you find the exact working syntax for “vault_pki_secret_backend_intermediate_set_signed”?

certificate = "${vault_pki_secret_backend_root_sign_intermediate.root.certificate}\n${vault_pki_secret_backend_root_cert.root.certificate}"
This worked as expected.