Issue new intermediate CA and download its private key
We are considering using Vault as PKI engine and root CA. So far everything works great, but our Kubernetes team currently works in a way that they have their own intermediate CA that was signed with our old CA, and k8s is generating certs itself using this intermediate CA.

They would like to retain their current workflow, and for that they need again an intermediate CA that is signed with Vault's root CA.

However, I couldn't find any way to get Vault to generate an intermediate CA and give me its private key (like it does when you issue a regular non-CA cert).

Can this be done? Is it even supported by Vault?

You can do this, but not quite as directly as getting a regular non-CA cert. You’d have to make several API calls, passing data back and forth between them.

Historically, Vault has required a strict correspondence of 1 CA to 1 PKI secrets engine mount. In very recent versions, support for multiple “issuers” within a single mount now exists, but I’m only familiar with the older way, so that’s what I’ll be describing here. Additionally, I believe multiple PKI secrets engine mounts would still be recommended even with newer Vault versions, when working with logically distinct CAs, like a root and its intermediate (rather than different versions of the same logical CA).

Step 1, then, is to create a new PKI secrets engine specifically for the Kubernetes intermediate.

Step 2, using the intermediate/generate/exported API you can have Vault generate a CSR and private key. This is the only time Vault will ever return this private key to you, short of using raw storage access (sys/raw/) to bypass usual controls.

Step 3, use the root/sign-intermediate API of your actual root PKI secrets engine to get the CSR signed, producing the new intermediate CA certificate.

At this point, the necessary steps are broadly complete, but you still have an extra PKI secrets engine in Vault, holding on to a copy of the private key in Vault’s internal storage. You can just delete it.
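As an added example (not code from the thread), the calls from steps 1 to 3 plus the cleanup, chained in Python against Vault's HTTP API with only the standard library. The mount names, common name and TTL are assumptions; the request paths are Vault's.

```python
"""Issue a Kubernetes intermediate CA from a scratch PKI mount and hand back
its exported private key. Mount names, CN and TTL are assumptions."""
import json
import os
import urllib.request

ROOT_MOUNT = "pki"                 # existing root CA mount (assumption)
SCRATCH_MOUNT = "pki-k8s-scratch"  # throwaway mount for the intermediate (assumption)


def http_transport(method, path, body):
    """Real transport: one request to $VAULT_ADDR/v1/<path> using $VAULT_TOKEN.
    Returns the decoded JSON body, or {} for 204 No Content responses."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", method=method, data=data,
                                 headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def issue_k8s_intermediate(common_name, transport=http_transport):
    """Steps 1-3 from the answer, then the cleanup. The scratch mount is
    removed even if signing fails, so Vault never keeps a lingering copy of
    the exported key in its storage."""
    # Step 1: a dedicated PKI mount that exists only for this intermediate.
    transport("POST", f"sys/mounts/{SCRATCH_MOUNT}", {"type": "pki"})
    try:
        # Step 2: 'exported' is the only variant that returns the private key.
        gen = transport("POST", f"{SCRATCH_MOUNT}/intermediate/generate/exported",
                        {"common_name": common_name,
                         "key_type": "rsa", "key_bits": 4096})["data"]
        # Step 3: the real root CA signs the CSR, producing the intermediate cert.
        signed = transport("POST", f"{ROOT_MOUNT}/root/sign-intermediate",
                           {"csr": gen["csr"], "format": "pem", "ttl": "43800h"})["data"]
    finally:
        # Cleanup: drop the scratch mount together with the key copy it holds.
        transport("DELETE", f"sys/mounts/{SCRATCH_MOUNT}", None)
    return {"private_key": gen["private_key"],
            "certificate": signed["certificate"],
            "issuing_ca": signed["issuing_ca"]}
```

Store the returned private key with the same care as the root key material; Vault will not return it a second time.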

OK, BTW if the k8s team generated their own intermediate CA using openssl and just gave me a CSR, would I be able to sign it using Vault's root CA? That should also work IMHO.

Yes, that would correspond to just step 3 on its own.

It’s arguably more how CAs are supposed to work, but you seemed to really want to use Vault so I didn’t mention it :slight_smile: