We need some help regarding PKI migration. We have 2 different Vault clusters (the data is different).
We want to switch off one of the 2 Vault clusters.
We are currently using Vault for PKI certs for a 2-way SSL connection in an application.
Is there a way to move the configuration of the PKI engine so that existing generated certificates are not affected by the change?
Is there a way to migrate the existing PKI engine to the 2nd Vault cluster without any data corruption?
Could you please help us in this regard …
aram, October 8, 2021, 10:36am, post #2
I just went through this, and I had a lot of issues. Just last night someone (I think from HashiCorp) posted a full set of steps on how to do it. Unfortunately, it was too late for me; I had to rebuild the engine and reissue the certs.
Try these out and let us know if it worked.
(GitHub issue, opened 12:11PM - 20 Sep 21 UTC; labels: ui, secret/pki)
**Describe the bug**
I'm migrating our PKI infrastructure into Vault; writing the root CA into the PKI engine produces no error, but the cert is not added.
**To Reproduce**
Steps to reproduce the behavior (using a root token):
CLI:
1. Mount PKI as pki-root-ca
2. Prepare payload.json (includes both parts of the certs) as JSON with the key pem_bundle:
```
{ "pem_bundle": "-----BEGIN RSA PRIVATE KEY-----\nMII ...
```
3. curl -v -H "X-Vault-Token: $VAULT_TOKEN" -X POST --data @payload.json $VAULT_ADDR/v1/pki-root-ca/config/ca
4. No output is generated (if you enable verbose mode, you'll see the return is [204 No Content]).
No cert is listed in the UI.
Web:
1. Mount PKI as pki-root-ca
2. Click on Secrets, pki-root-ca
3. Configure (top)
4. Configure > (right side)
5. Replace CA
6. CA Type: root
7. Check "Upload PEM bundle"
8. Add the original .PEM file (includes both parts of the certs) [ PEM format ]
9. You get a green success message
No cert is listed in the UI.
**Expected behavior**
Successful import of the cert.
**Environment:**
* Vault Server Version: 1.8.2
* Vault CLI Version: 1.8.2 (however, tested with curl)
* Server Operating System/Architecture: Ubuntu x86_64
* Curl Version:
```
curl --version
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.4/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink
```
Vault server configuration file(s):
```hcl
storage "raft" {
path = "/var/data/vault/raft.oss"
node_id = "node_1"
}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = 1
}
listener "tcp" {
address = "192.168.1.80:8200"
tls_cert_file = "/etc/vault.d/certs/vault_cert.pem"
tls_key_file = "/etc/vault.d/certs/vault_key.pem"
}
api_addr = "http://192.168.1.80:8200"
cluster_addr = "https://192.168.1.80:8201"
ui = true
disable_mlock = true
log_level = "debug"
```
**Additional context**
The only messages in the Vault log were related to "Replication"; there were no entries for PKI, pki, or pki-root-ca.
I am still facing an issue while trying to upload the root certificate:
```
$ curl \
  --header "X-Vault-Token: $VAULT_TOKEN" \
  --request POST \
  --data "@payload.json" \
  "$VAULT_ADDR"/app_dev_onprem/config/ca
{"errors":["private key not found in the PEM bundle"]}
```
Don't know what I have missed.
aram, October 12, 2021, 7:56pm, post #4
Payload must contain both the key and the cert.
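As an added illustration (not code from this thread or from Vault), the following Python builds the payload.json for `config/ca` from separate cert and key PEM files and checks, before anything is sent, that the bundle actually carries both a certificate and an unencrypted private key; a bundle with only the certificate is exactly what produces the "private key not found in the PEM bundle" error above. The PEM contents are constructed placeholders, not real key material.

```python
import json
import re

# Constructed sample material: only the PEM block labels matter for this check.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIExampleKeyBody==\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIExampleCertBody==\n-----END CERTIFICATE-----\n"

# Matches one PEM block and captures its label (e.g. "RSA PRIVATE KEY", "CERTIFICATE").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(bundle: str) -> list[str]:
    """Return the labels of the PEM blocks found in the bundle, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle)]


def check_ca_bundle(bundle: str) -> tuple[bool, str]:
    """Validate that the bundle has what config/ca needs: a cert and a usable key."""
    types = pem_block_types(bundle)
    # Vault needs the key in the clear; a passphrase-protected key is not usable as-is.
    has_key = any(t.endswith("PRIVATE KEY") and not t.startswith("ENCRYPTED") for t in types)
    has_cert = "CERTIFICATE" in types
    if not has_key:
        return (False, "private key not found in the PEM bundle")
    if not has_cert:
        return (False, "certificate not found in the PEM bundle")
    return (True, "ok")


def build_config_ca_payload(cert_pem: str, key_pem: str) -> str:
    """Concatenate key + cert into pem_bundle and return the JSON body for config/ca."""
    bundle = key_pem.rstrip() + "\n" + cert_pem.rstrip() + "\n"
    ok, why = check_ca_bundle(bundle)
    if not ok:
        raise ValueError(why)
    # json.dumps escapes the newlines, giving the "...\nMII..." form shown in the issue.
    return json.dumps({"pem_bundle": bundle})


if __name__ == "__main__":
    # Hypothetical file names; in practice read the real cert and key here.
    with open("payload.json", "w") as f:
        f.write(build_config_ca_payload(SAMPLE_CERT, SAMPLE_KEY))
```

The resulting payload.json is what the `curl ... --data @payload.json .../config/ca` call in the thread expects.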
In our current scenario we are using only the root certificate and generating certs for our application.
```
curl -x "$PROXY_HOST":"$PROXY_PORT" -i "$VAULT_ADDR"/v1/"$PKI_STORE_NAME"/ca/pem > $SSL_DIR/caRoot.cer
```
Is there a way to get the private key for the root certificate without generating a new root certificate in the PKI engine?
aram, October 18, 2021, 8:45am, post #6
Sadly no, the only time the key is available is during generation, and you have to capture the .data.pem_bundle out of the JSON output. It's locked away otherwise.