Storing root and intermediate in vault?

I’m new to Vault and trying to understand the full workflow for securing a server with HTTPS.

As per my understanding, Vault PKI provides two functionalities:

  1. Generate root and intermediate certificates within Vault itself, then generate SSL certificates to use for the web server.
  2. Generate SSL certificates based on an imported root certificate.

For the first case, is there any production usage? My website will be accessed by the public, and serving a certificate whose root certificate is Vault’s seems to be a problem, since outside browsers won’t recognize Vault as a valid CA.

For the second case I’m not very confident about the workflow. Normally, without Vault, what we do is get the certificates from a CA and install them on our server. With Vault, are we supposed to store all the certificates in Vault and use the Vault API to read the relevant certificates and configure the web server with them? How does certificate renewal happen? Is there a full tutorial for the second use case?

Re your first case, I’m guessing you’ve seen this tutorial: https://www.vaultproject.io/docs/secrets/pki/index.html

And, yes, you’re right: browsers will throw warnings/errors. To avoid that, I guess you need something like Let’s Encrypt.

Where there is a separate root CA, you make Vault an intermediate CA, as you’ve said. Then Vault can be configured to issue, renew and revoke certificates in your workflow. This tutorial isn’t directly relevant, but raises some of these concepts: https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager

So I don’t think you’re supposed to store all your certificates in Vault; beyond issuance, renewal and revocation, Vault sits outside the web service workflows you’re describing (as I understand it… pretty new to Vault myself!)

JJ

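The intermediate-CA workflow JJ sketches for the second case, as an added example that is not part of this thread and not Vault's own tutorial code. It assumes a reachable Vault (VAULT_ADDR and VAULT_TOKEN set) plus the vault, jq and openssl binaries; openssl signing with a local root.pem/root.key stands in for whatever signing step the external root CA actually uses, and the mount path pki_int, the role name example-dot-com, the TTLs, the output directory and the nginx reload are illustrative choices. Vault PKI does not extend an existing certificate's lifetime: "renewal" means issuing a fresh certificate before the old one expires, which is what renew_if_due does.

```shell
#!/bin/sh
# Vault as an intermediate CA under an external root: bootstrap, issue, install, renew.
# Assumed environment: VAULT_ADDR, VAULT_TOKEN, vault + jq + openssl on PATH.
PKI_PATH=${PKI_PATH:-pki_int}                      # assumed mount path
ROLE=${ROLE:-example-dot-com}                      # assumed role name
CERT_TTL=${CERT_TTL:-720h}                         # leaf lifetime (30 days)
RENEW_BEFORE=${RENEW_BEFORE:-$((7 * 24 * 3600))}   # re-issue when < 7 days remain
WORK=${WORK:-/tmp/pki-work}
ROOT_CERT=${ROOT_CERT:-root.pem}                   # stand-in for the external root CA
ROOT_KEY=${ROOT_KEY:-root.key}

# Decide whether a cert is due for re-issue.
# $1 = expiration (epoch seconds, straight from the issue response), $2 = now, $3 = threshold
renew_due() {
    [ $(( $1 - $2 )) -le "$3" ]
}

# Write the files a web server actually consumes.
# $1 = output dir, $2 = leaf PEM, $3 = CA chain PEM, $4 = private key PEM
write_server_bundle() {
    mkdir -p "$1"
    # nginx ssl_certificate wants leaf first, then the intermediate(s)
    printf '%s\n%s\n' "$2" "$3" > "$1/fullchain.pem"
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; printf '%s\n' "$4" > "$1/privkey.pem" )
}

# One-time setup: Vault generates the intermediate key and CSR, the external root signs it,
# the signed cert is imported. The intermediate private key never leaves Vault.
bootstrap_intermediate() {
    mkdir -p "$WORK"
    vault secrets enable -path="$PKI_PATH" pki
    vault secrets tune -max-lease-ttl=43800h "$PKI_PATH"
    vault write -field=csr "$PKI_PATH/intermediate/generate/internal" \
        common_name="example.com Intermediate Authority" ttl=43800h > "$WORK/intermediate.csr"
    # Hand the CSR to the root CA operator. openssl below is only a stand-in for that step.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$ROOT_CERT" -CAkey "$ROOT_KEY" \
        -CAcreateserial -days 1825 -sha256 -extfile "$WORK/int.ext" -out "$WORK/intermediate.pem"
    vault write "$PKI_PATH/intermediate/set-signed" certificate=@"$WORK/intermediate.pem"
    # Role limits what the web-server workflow may request
    vault write "$PKI_PATH/roles/$ROLE" allowed_domains="example.com" allow_subdomains=true \
        max_ttl="$CERT_TTL"
}

# Issue a leaf cert for $1 and install it under $2. Nothing is stored long-term in Vault;
# the response is the only copy of the private key, so it goes straight to disk.
issue_and_install() {
    host=$1; outdir=$2
    resp=$(vault write -format=json "$PKI_PATH/issue/$ROLE" common_name="$host" ttl="$CERT_TTL")
    cert=$(printf '%s' "$resp" | jq -r '.data.certificate')
    chain=$(printf '%s' "$resp" | jq -r '.data.ca_chain[]')
    key=$(printf '%s' "$resp" | jq -r '.data.private_key')
    write_server_bundle "$outdir" "$cert" "$chain" "$key"
    printf '%s' "$resp" | jq -r '.data.expiration' > "$outdir/expiration"
    printf '%s' "$resp" | jq -r '.data.serial_number' > "$outdir/serial"
    nginx -s reload   # assumed: ssl_certificate/ssl_certificate_key point at $outdir
}

# Cron-style renewal: re-issue when close to expiry, then revoke the superseded cert.
renew_if_due() {
    host=$1; outdir=$2
    if renew_due "$(cat "$outdir/expiration")" "$(date +%s)" "$RENEW_BEFORE"; then
        old_serial=$(cat "$outdir/serial")
        issue_and_install "$host" "$outdir"
        vault write "$PKI_PATH/revoke" serial_number="$old_serial"
    fi
}

case "${1:-}" in
    bootstrap) bootstrap_intermediate ;;
    issue)     issue_and_install "${2:?host}" "${3:-/etc/nginx/tls}" ;;
    renew)     renew_if_due "${2:?host}" "${3:-/etc/nginx/tls}" ;;
    *)         ;;   # no subcommand: just define the functions
esac
```

Run `sh pki.sh bootstrap` once, `sh pki.sh issue www.example.com` at deploy time, and `sh pki.sh renew www.example.com` from cron. Clients trust the chain because the root they already have signed Vault's intermediate; Vault only has to be reachable at issue time, not on the request path.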