Noob question: bootstrapping Vault. How to provide TLS certificates needed by storage backend

I’m building a project based on microservices. After playing a bit with openssl and cfssl I have decided to use vault for the system PKI.

I want all my connections secured with TLS. I want to use etcd or consul as my storage backend. For that, I need to provide TLS certificates for etcd or consul. And here’s the cycle: if I want to use vault to create the certificates, but I can’t configure vault backend because I don’t have the certificates for consul, what’s the way to go?

I know this is not a stopper. I have many ways of creating certs. But is there any best practice or common approach for that?

2 Likes

Had a similar issue, came up with this idea:

I plan on creating short-lived bootstrap certificates (in Ansible) and switching them out for ones created by Vault later, using consul-template or the Vault agent, and restarting the node.

1 Like

Thanks a lot! It makes sense and pointed me in a direction I’m comfortable with.

Take a look at the integrated storage option; it will make things a little simpler for you.

Cheers,
Grant