Submit a CSR and ask Vault PKI to use that CSR To generate a Certificate

rrasale · August 9, 2022, 6:56pm

Hello

Issue #1

On my client server to generated private key and CSR File to submit.
openssl req -new -newkey rsa:2048 -nodes -keyout pri.key -out server.csr

Can I able to use the server.csr to issue the cert for this server via Vault PKI. I dont want vault to create my private key. we have scenarios where we want to use client generated private keys and CSR…

a. Are there commands to add .csr file while generting a cert via Vault API ? If so please let me know

Issue #2
I was able to revoke the cert via API, Web UI and also Vault cli.
I was able to see that its revoked on Vault side.

When i check on the Web Server / Client side, I still see that the certificate is showing as valid. It doesnt show its revoked. I tested this in both Firefox and Chrome.

Thanks

ausmartway · August 10, 2022, 6:26am

issue1:
yes, please see this endpoint.

I don’t have a vault to test now but I am guessing something like below:

vault write pki_int/sign/example-dot-com common_name="test.example.com"\
 ttl="24h" csr=@something.csr

issue 2:
when a certificate is revoked, it will be added to the vault’s pki secret engine’s Certificate Revocation List. it is up to the client(chrome/firefox) to reach out to the original CA’s CRL and check if a particular certificate is revoked. different browsers implement this differently. you may find this link useful.

Topic		Replies	Views
Vault PKI supported platforms for issuing , renewing and revoking the Certificates Vault	6	463	August 10, 2022
Generate Signed certificate from Vault root CA with existing CSR Vault	1	390	October 11, 2020
Signing a CSR throws 403 Vault vault	2	30	October 10, 2024
Vault PKI issue Sub.Internediate/Issuer CA certificate Vault	1	1187	September 18, 2020
Can we generated & save CSR with one end point in PKI Vault vault	1	167	September 18, 2022

Submit a CSR and ask Vault PKI to use that CSR To generate a Certificate

Related topics