We will sign server certificates with the certificate of the Intermediate CA in Vault. The certificate of the intermediate CA has to be signed by our department that manages the root CA with a Windows CA. So, following this documentation (https://learn.hashicorp.com/tutorials/vault/pki-engine), I ran
Step 1, 1-4
Step 2, 1-3
But instead of executing Step 4, I gave the Windows CA department the CSR and got a signed certificate back:
[firstname.lastname@example.org ~]# cat intermediate.cert.pem | openssl x509 -text -noout
    Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: DC=org, DC=adminroot, CN=ADMINROOT Root CA
    Not Before: Dec 9 08:45:32 2020 GMT
    Not After : Dec 9 08:55:32 2025 GMT
    Subject: CN=fritz.box Intermediate Authority
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
But with this signed certificate, Step 2, 5 fails:
[email@example.com ~]# vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem
Error writing data to pki_int/intermediate/set-signed: Error making API request.
URL: PUT https://vault.fritz.box:8200/v1/pki_int/intermediate/set-signed
Code: 400. Errors:
* the given certificate is not marked for CA use and cannot be used with this backend
No surprise: if I sign the CSR with Vault's own Root CA, the import works. But this is not what we need. The Root CA should remain with the Windows CA department. Their CA should sign the intermediate certificate in Vault. But how?
Thanks for any hint!
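An added example, not part of the original post and not code from Vault or its tutorial, that reproduces the failure offline with openssl. Vault's set-signed endpoint rejects a certificate whose Basic Constraints extension does not assert CA:TRUE; that is what "not marked for CA use" means, and the openssl output quoted above stops before the X509v3 extensions, so that is the section to inspect on the certificate the Windows CA returned. The script builds a throwaway root CA, signs one intermediate CSR twice (once with no CA extensions, once as a proper subordinate CA) and runs the same CA:TRUE check on both. It assumes openssl 1.1.1 or newer; every file name and subject in it is invented for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from Vault's docs): build a
# throwaway PKI with openssl, sign one intermediate CSR twice, and run the
# check that Vault's pki_int/intermediate/set-signed performs on the result.
# Assumes openssl 1.1.1 or newer. All file names and subjects are invented.
set -eu

# Minimal openssl req config so the script does not depend on the system
# openssl.cnf.
write_req_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > "$1"
}

# Extensions a subordinate CA certificate must carry. The issuing CA
# (openssl here, the Windows CA in the question) is what adds these; the
# CSR that Vault generates cannot force them onto the issued certificate.
write_ca_ext() {
  printf '%s\n' \
    'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$1"
}

# The test Vault applies before accepting a signed intermediate: the
# certificate must assert CA:TRUE in its Basic Constraints extension.
# Returns 0 if it does, 1 otherwise.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Create a root key/cert, an intermediate key/CSR and two signed versions
# of that CSR in a temporary directory; print the directory path.
make_test_pki() {
  dir=$(mktemp -d)
  write_req_cnf "$dir/req.cnf"
  write_ca_ext "$dir/ca.ext"

  # Offline root CA (stand-in for the department's Windows root CA).
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/root.key" -out "$dir/root.crt" -days 1 \
    -subj '/CN=Demo Root CA' -config "$dir/req.cnf" \
    -addext 'basicConstraints=critical,CA:TRUE' \
    -addext 'keyUsage=critical,keyCertSign,cRLSign'

  # Intermediate CSR (stand-in for what pki_int/intermediate/generate returns).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
    -out "$dir/int.csr" -subj '/CN=Demo Intermediate CA' \
    -config "$dir/req.cnf" 2>/dev/null

  # 1) Signed with no CA extensions: a valid certificate for the CSR's key,
  #    but exactly the shape set-signed rejects ("not marked for CA use").
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1 \
    -out "$dir/int-noca.crt" 2>/dev/null

  # 2) Signed as a subordinate CA: the form set-signed accepts.
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/int-ca.crt" 2>/dev/null

  printf '%s\n' "$dir"
}

# Report each certificate in the same terms as the Vault error message.
report() {
  if cert_is_ca "$1"; then
    printf '%s: CA:TRUE present, set-signed would accept it\n' "$1"
  else
    printf '%s: no CA:TRUE, set-signed would reject it\n' "$1"
  fi
}

pki=$(make_test_pki)
report "$pki/int-noca.crt"
report "$pki/int-ca.crt"
```

Run `cert_is_ca intermediate.cert.pem` (or `openssl x509 -in intermediate.cert.pem -noout -text | grep -A1 'Basic Constraints'`) against the certificate the Windows CA returned before retrying set-signed. On an AD CS issuing CA the template decides which extensions go into the certificate: a "Subordinate Certification Authority" template sets Basic Constraints with CA=TRUE, whereas a server-style template does not, so the request to the CA team is to issue from a subordinate CA template rather than to change anything on the Vault side.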