Signing a signing request?

Moin,

I imported an intermediate CA into my Vault installation. With this, I can generate X.509 certificates.
But my next challenge is to sign a CSR (it is in PEM format). But how?

Thanks in advance.

  1. Create a file openssl_intermediate_ext.cnf with the following content: basicConstraints=critical,CA:TRUE (Tells openssl that the resulting certificate is part of a CA chain.)

  2. Sign the CSR:

    openssl x509 -req \
      -in <your intermediate CSR>.csr \
      -CA <CA certificate file>.crt \
      -CAkey <CA certificate key>.key \
      -extfile openssl_intermediate_ext.cnf \
      -CAcreateserial \
      -out <your signed certificate>.crt
    
  3. Import the signed certificate into Vault:

    vault write \
      pki_int/intermediate/set-signed \
      certificate=@<your signed certificate>.crt
    

Hope that helps.
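A preflight for the certificate produced in step 2, before it is handed to Vault in step 3. This is an added example, not part of the original answer. It runs the signing step on constructed throwaway keys (the names `demo-root` and `demo-int` and the helper functions are assumptions) and shows what the check reports when `-extfile` is left out.

```shell
#!/bin/sh
# Added example: all keys and names (demo-root, demo-int) are constructed
# throwaway values, and nothing here talks to Vault.

# is_ca CERT: succeeds only if CERT carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# sign_demo DIR: steps 1 and 2 with constructed inputs. Writes int.crt (signed
# with the extension file) and int_noext.crt (same CSR, -extfile left out).
sign_demo() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-int" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  echo "basicConstraints=critical,CA:TRUE" > "$d/openssl_intermediate_ext.cnf"
  openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -extfile "$d/openssl_intermediate_ext.cnf" -CAcreateserial -days 1 \
    -out "$d/int.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/int_noext.crt" 2>/dev/null || return 1
}

# preflight CA_CERT SIGNED_CERT CSR: checks to run before step 3.
preflight() {
  # 2: does not chain to the CA it is supposed to come from.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 2
  # 3: not marked as a CA, so it cannot issue certificates.
  is_ca "$2" || return 3
  # 4: public key differs from the CSR, so it will not match the private key.
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
    "$(openssl req -in "$3" -noout -pubkey)" ] || return 4
}

demo_dir=$(mktemp -d)
sign_demo "$demo_dir" || echo "openssl failed"
for c in int.crt int_noext.crt; do
  rc=0; preflight "$demo_dir/ca.crt" "$demo_dir/$c" "$demo_dir/int.csr" || rc=$?
  echo "$c: preflight exit code $rc"
done
rm -rf "$demo_dir"
```

Against real files, only `preflight` is needed: pass it the CA certificate, the signed certificate and the CSR from step 2.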

Moin Frederic, thank you for your answer.

I found another solution, one without a key outside of Vault: I created a bundle file (cert and key) and imported that as an intermediate CA. Vault knows how to do the trick and this is working like a charm.

Micha