Moin,
I imported an intermediate CA into my Vault installation. With this, I can generate X.509 certificates.
But my next challenge is to sign a CSR (it is in PEM format). But how?
Thanks in advance.
Create a file openssl_intermediate_ext.cnf with the following content:
basicConstraints=critical,CA:TRUE
(Tells openssl that the resulting certificate is part of a CA chain.)
Sign the CSR:
openssl x509 -req \
-in <your intermediate CSR>.csr \
-CA <CA certificate file>.crt \
-CAkey <CA certificate key>.key \
-extfile openssl_intermediate_ext.cnf \
-CAcreateserial \
-out <your signed certificate>.crt
Import the signed certificate into Vault:
vault write \
pki_int/intermediate/set-signed \
certificate=@<your signed certificate>.crt
Hope that helps.
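A check that could be run on the signed certificate before the set-signed import above, as an added example that is not part of the original answer: it confirms the certificate carries the CSR's public key, is marked CA:TRUE, and verifies against the signing CA. The function names and the three file arguments are hypothetical.

```shell
# Added example: pre-import checks for a signed intermediate certificate.
# Usage: check_signed_intermediate <csr.pem> <signed.crt> <ca.crt>
# Return codes (chosen for this example): 0 ok, 1 key mismatch,
# 2 not a CA certificate, 3 does not verify against the CA.

# SHA-256 over the DER form of a PEM public key read from stdin.
pubkey_fp() {
  openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

check_signed_intermediate() {
  csr=$1; cert=$2; ca=$3

  # 1. The certificate must contain the same public key as the CSR,
  #    otherwise it does not belong to the key that produced the request.
  csr_fp=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null | pubkey_fp)
  crt_fp=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | pubkey_fp)
  [ -n "$csr_fp" ] && [ "$csr_fp" = "$crt_fp" ] ||
    { echo "public key in certificate does not match CSR" >&2; return 1; }

  # 2. basicConstraints must say CA:TRUE (the -extfile step above);
  #    without it the certificate cannot act as an issuing CA.
  openssl x509 -in "$cert" -noout -text |
    grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' ||
    { echo "certificate is not marked CA:TRUE" >&2; return 2; }

  # 3. The signature must verify against the CA that signed it.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not verify against the CA" >&2; return 3; }

  return 0
}
```

If the signing CA is itself an intermediate, pass a file containing its full chain up to the root as the third argument.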
Moin Frederic, thank you for your answer.
I found another solution, one without a key outside of Vault: I created a bundle file (cert and key) and imported that as an intermediate CA. Vault knows how to do the trick and this is working like a charm.
Micha