Init Vault using tls with openssl

I am trying to init Vault using TLS, but I'm having trouble producing the TLS files with openssl. I constantly get these errors when I try to init Vault.

Error initializing: Put https://127.0.0.1:8200/v1/sys/init: x509: cannot validate certificate for 127.0.0.1 because it doesn’t contain any IP SANs

or other errors…

Can anyone help me with the openssl commands and configuration to do this?

Maybe you can take a look here and use the process for your Vault deployment:


There are some openssl commands mentioned. The guide assumes that you have an existing CA.

If you want to use Vault as a PKI yourself, you can follow this guide:

2 Likes

EXTFILE for IP SANS !!! when signing CSR to CRT

openssl x509 -req -in server.csr -CA selfca.crt -CAkey selfca.key -CAcreateserial -extensions v3_req -extfile server.req -out server.crt


HashiCorp docs are poor when it comes to production-grade details or best practices; you need to figure things out yourself…

I did not find any example of certificate requests with the commands you should run… (there is an example for k8s, where k8s is the CA, so no openssl extensions issue)
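The signing step from the post above, as an added end-to-end example that is not part of the original thread: it signs the same CSR once without and once with an extension file, then checks each certificate for the IP SAN that the error message complains about. The contents of `server.req`, the throwaway CA, the subject names and the `server-nosan.crt` file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. selfca.* / server.* names follow the post;
# the contents of server.req and the subject names are assumptions.
set -eu

make_vault_certs() {   # $1 = empty working directory
  ( cd "$1"
    # Extension file for -extfile; the section name must match -extensions.
    cat > server.req <<'EOF'
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
    # Throwaway test CA (stands in for the "existing CA").
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=selfca" \
      -keyout selfca.key -out selfca.crt 2>/dev/null
    # Server key and CSR.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vault.example.internal" \
      -keyout server.key -out server.csr 2>/dev/null
    # Signed without an extension file: no SAN, so clients reject 127.0.0.1.
    openssl x509 -req -in server.csr -CA selfca.crt -CAkey selfca.key \
      -CAcreateserial -days 30 -out server-nosan.crt 2>/dev/null
    # Signed as in the post: the SAN comes from server.req.
    openssl x509 -req -in server.csr -CA selfca.crt -CAkey selfca.key \
      -CAcreateserial -days 30 -extensions v3_req -extfile server.req \
      -out server.crt 2>/dev/null
    chmod 600 selfca.key server.key
  )
}

has_ip_san() {   # $1 = certificate, $2 = IP; exit 0 if the IP is in the SAN list
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "IP Address:$2"
}

workdir=$(mktemp -d)
make_vault_certs "$workdir"
for crt in server-nosan.crt server.crt; do
  if has_ip_san "$workdir/$crt" 127.0.0.1; then echo "$crt: IP SAN present"
  else echo "$crt: no IP SAN"; fi
done
```

Any address or hostname that clients use to reach Vault has to appear in `[alt_names]`; a client connecting by another IP gets the same x509 error.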

Don’t get me wrong, but if you need openssl you should learn how to use it. Or you can use Vault’s internal CA. For this I see HashiCorp’s responsibility to keep the documentation up to date. Not for openssl.

1 Like