Noob question: bootstrapping Vault. How to provide TLS certificates needed by storage backend

I’m building a project based on microservices. After playing a bit with openssl and cfssl I have decided to use vault for the system PKI.

I want all my connections secured with TLS. I want to use etcd or consul as my storage backend. For that, I need to provide TLS certificates for etcd or consul. And here’s the cycle: if I want to use vault to create the certificates, but I can’t configure vault backend because I don’t have the certificates for consul, what’s the way to go?

I know this is not a stopper. I have many ways of creating certs. But is there any best practice or common approach for that?


Had a similar issue, came up with this idea:

I plan on creating short lived bootstrap certificates (in Ansible) and switch them out with one created by Vault later using consul-template or the vault agent and restart the node.

1 Like

Thanks a lot! It makes sense and pointed me on a direction I’m comfortable with.

Take a look at the integrated storage option, will make things a little simpler for you.