I’m helping a non-profit move their PKI infrastructure from one Vault instance to another and running into some issues.
I set up Terraform to basically mimic the old setup. pki-root-ca and pki-int-ca have been mounted and configured exactly the same, but when I try to import the existing certs and keys I’m doing something wrong.
old instance: 127.0.0.1:8300 – 1.8.0
new instance: 127.0.0.1:8200 – 1.8.2
I have all of the .crt files, certs and keys; they have issued 56 certs from their intermediate. I would rather not have to replace whatever is in the field.
# vault write pki-root-ca/config/ca pem_bundle="@ca_cert_key_bundle.pem"
Success! Data written to: pki-root-ca/config/ca
# vault write pki-root-ca/config/urls issuing_certificates="https://10.1.1.2/v1/pki-root-ca/ca" crl_distribution_points="https://10.1.1.2/v1/pki-root-ca/crl"
# curl -s http://127.0.0.1:8200/v1/pki-root-ca/ca/pem
-----BEGIN CERTIFICATE-----
MIIGGzCCBAOgAwIBAgIR....
However, the CA cert doesn’t show up under pki-root-ca in the console. It’s empty.
Also, I can’t seem to import the pki-int cert:
# vault write pki-int-ca/intermediate/set-signed certificate=@int_cert.crt
Error writing data to pki-int-ca/intermediate/set-signed: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/pki-int-ca/intermediate/set-signed
Code: 400. Errors:
* no data found in PEM block
# vault write pki-int-ca/intermediate/set-signed certificate=@int_cert.pem
Error writing data to pki-int-ca/intermediate/set-signed: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/pki-int-ca/intermediate/set-signed
Code: 400. Errors:
* could not find any existing entry with a private key
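Added example (written for this page; it is neither the poster's code nor Vault project code): a POSIX shell pre-flight for the import steps in the post. It checks that each input file actually contains PEM blocks ("no data found in PEM block" is what Vault returns for a file with no PEM armor, for example a DER-encoded .crt), assembles the pem_bundle that `<mount>/config/ca` accepts for a CA whose private key you already hold (`intermediate/set-signed` only completes a CSR that `intermediate/generate/internal` created inside that mount, which is why it reports that no entry with a private key exists), and prints the `vault write` commands, running them only when `RUN_VAULT=1`. The mount names and the 10.1.1.2 URL follow the post; the file names, the temp directory and the placeholder PEM bodies are constructed and are not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for moving an
# existing CA (cert + key) into a Vault PKI mount. Mount names follow the
# post; file names and the sample PEM bodies are constructed placeholders.
set -u

# True if the file contains a PEM block whose label ends in $2
# (CERTIFICATE, "PRIVATE KEY", ...). A DER-encoded .crt has no BEGIN line,
# which Vault reports as "no data found in PEM block".
pem_has_block() {
  grep -q -- "^-----BEGIN .*$2-----\$" "$1" 2>/dev/null
}

# Number of PEM blocks in a file (0 when none or when the file is missing).
pem_count() {
  n=$(grep -c -- '^-----BEGIN ' "$1" 2>/dev/null) || n=${n:-0}
  echo "$n"
}

# Assemble the pem_bundle that <mount>/config/ca expects for a CA whose key
# already exists: the CA cert, its private key, then any issuer certs.
# This is the import path for an intermediate you already hold the key for;
# intermediate/set-signed only completes a CSR the mount itself generated,
# hence "could not find any existing entry with a private key".
make_ca_bundle() {
  cert=$1; key=$2; out=$3; shift 3          # remaining args: issuer chain
  if ! pem_has_block "$cert" CERTIFICATE; then
    echo "$cert: no PEM certificate (DER? try: openssl x509 -inform der -in $cert)" >&2
    return 1
  fi
  if ! pem_has_block "$key" 'PRIVATE KEY'; then
    echo "$key: no PEM private key" >&2
    return 1
  fi
  cat "$cert" "$key" "$@" > "$out"
  # Exactly one private key may end up in the bundle; a chain file that
  # also carries a key would give Vault two to choose from.
  [ "$(grep -c -- '^-----BEGIN .*PRIVATE KEY-----$' "$out")" -eq 1 ]
}

# Print the import commands for a mount; run them only when RUN_VAULT=1.
# $3 is the externally reachable base URL used for AIA/CRL pointers.
import_ca() {
  mount=$1; bundle=$2; base=$3
  echo "vault write $mount/config/ca pem_bundle=@$bundle"
  echo "vault write $mount/config/urls issuing_certificates=$base/v1/$mount/ca crl_distribution_points=$base/v1/$mount/crl"
  if [ "${RUN_VAULT:-0}" = 1 ]; then
    vault write "$mount/config/ca" "pem_bundle=@$bundle"
    vault write "$mount/config/urls" "issuing_certificates=$base/v1/$mount/ca" \
      "crl_distribution_points=$base/v1/$mount/crl"
  fi
}

# Constructed sample inputs (placeholder bodies, not real keys or certs);
# the directory is left in place so the bundle can be inspected.
work=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n' > "$work/int_cert.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n' > "$work/int_key.pem"
printf -- '-----BEGIN CERTIFICATE-----\nMIIG...placeholder...\n-----END CERTIFICATE-----\n' > "$work/root_cert.pem"
printf '\060\202\001\000' > "$work/int_cert.crt"   # DER-style bytes, no PEM armor

if make_ca_bundle "$work/int_cert.pem" "$work/int_key.pem" "$work/int_bundle.pem" "$work/root_cert.pem"; then
  import_ca pki-int-ca "$work/int_bundle.pem" https://10.1.1.2
fi
make_ca_bundle "$work/int_cert.crt" "$work/int_key.pem" "$work/bad.pem" || echo "(expected: the .crt is not PEM)"
```

Run it with `RUN_VAULT=1` and `VAULT_ADDR` pointing at the new instance once the real files are in place; without `RUN_VAULT` it only validates the inputs and prints the commands it would run.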