TLS certificates auth method: can this be used with certificates issued by Microsoft CA platform?

Hello,

We have Vault 1.15.5 installed and would like to use the TLS certificates auth method.
Internally our CA platform is Microsoft AD. Can this be used with certificates issued by the Microsoft CA platform without having Vault configured as an intermediate CA of Microsoft AD?
The documentation is a little confusing: TLS Certificates - Auth Methods | Vault | HashiCorp Developer
It states: "This engine can use external X.509 certificates as part of TLS or signature validation."
A couple of lines below, it says: "This method cannot read trusted certificates from an external source."

How can this work if it can’t read trusted certificates from an external source? In my case, Microsoft CA is external to Vault. Or is it meant for external source to the organisation?

How should we implement such a solution?

Best regards,

David

Yes, you can. The “@web-cert.pem” in the document is the certificate to validate client certificates. The “@” means “read the file web-cert.pem on my localhost”.

The line “This method cannot read trusted certificates from an external source.” is confusing, yes. It says that you must inject the “@web-cert.pem” into Vault: you can’t pass a URL or something external.

If “@web-cert.pem” changes, you must update it with an API call (or CLI …).
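As an added example (not code from this thread or from HashiCorp) of what Joffrey describes: the CA chain exported from the Microsoft CA is sent to Vault as the body of the cert-auth API call, and the same call is simply rerun when the chain changes. The Vault address, token, role name, file path and allowed CN are assumptions.

```python
"""Register an external (e.g. Microsoft AD CS) CA chain with Vault's cert auth method.

Added example, not code from the thread or from HashiCorp. Vault reads the PEM
from the request body, never from a URL, so the caller sends the file contents
and resends them whenever the CA chain changes.
"""
import json
import re
import urllib.request

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem_text: str) -> list:
    """Return the individual certificate blocks in a PEM bundle (root + issuing CA)."""
    return PEM_CERT_RE.findall(pem_text)


def build_cert_role_payload(pem_text, allowed_common_names, policies, ttl="1h"):
    """Body for POST /v1/auth/cert/certs/<name>: the trusted chain travels as text
    in 'certificate'; there is no field for a URL or an external trust store."""
    certs = split_pem_bundle(pem_text)
    if not certs:
        raise ValueError("no PEM certificate blocks found in the CA bundle")
    return {
        "certificate": "\n".join(certs) + "\n",
        "allowed_common_names": list(allowed_common_names),
        "token_policies": list(policies),
        "token_ttl": ttl,
    }


def register_trusted_ca(vault_addr, token, role_name, payload):
    """Create or overwrite the cert-auth role; rerun this after a CA rotation."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/auth/cert/certs/{role_name}",
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 No Content on a successful write


if __name__ == "__main__":
    # Paths, role name and CN are assumptions for illustration.
    with open("ms-ad-ca-chain.pem") as f:
        body = build_cert_role_payload(f.read(), ["app01.corp.example"], ["app-policy"])
    print(register_trusted_ca("https://vault.example:8200", "<VAULT_TOKEN>", "ms-ad", body))
```

The CLI form `vault write auth/cert/certs/ms-ad certificate=@ms-ad-ca-chain.pem ...` sends the same body; `allowed_common_names` restricts which client certificates from that CA may log in.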

Thank you, Joffrey, for your update.

Best regards,

David