Setup:
- Venafi secret engine plugin installed and configured in Vault.
- Generate an intermediate CSR + private key for the secret engine of the team that requests a new certificate in Vault: /pki/intermediate/generate/exported
- Sign the CSR by writing to the Venafi /sign endpoint to obtain a signed certificate.
vault write venafi-pki/sign/tpp csr=@example.req
- The signed certificate is in the venafi-pki-backend secret engine.
- Import the signed certificate to the secret engine of the team where the private key is stored.
vault write Vault/MQ/PSF/intermediate/set-signed certificate=@example.pem
Error parsing issuer 0: Refusing to import non-CA certificate
We are blocked at step 5 with PKI/certificate concepts. We don't intend to import an intermediate CA certificate but an intermediate certificate signed by an external CA.
The signed certificate to import does not contain the CA:TRUE attribute in its X.509 extensions. The CA certificates (root + intermediate) do contain the CA:TRUE attribute, and we can import the CA certificates into the secret engine issuers:
vault write /Vault/MQ/PSF/issuers/import/cert pem_bundle=example_CA.pem
If the signed certificate is considered an end-entity (leaf) certificate, then please confirm whether we can use the intermediate CSR + private key generation for requesting/signing this type of certificate, and whether an end-entity (leaf) certificate can be imported into a secret engine in Vault other than the venafi-pki-backend secret engine.
Thank you,
xxxxx
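A pre-check for the situation in this post, added here as an example and not code from the original post, from Vault or from Venafi: it parses a PEM certificate and reports whether it carries basicConstraints CA:TRUE, on the assumption (taken from the quoted error text) that this is what the intermediate/set-signed and issuers/import/cert paths require. The function names, the constructed root/intermediate/leaf chain and the example.internal name are all hypothetical; Go's standard library is used because Vault itself is written in Go.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckIssuerCandidate reports whether a PEM certificate has basicConstraints CA:TRUE (assumed to be what the issuer import checks).
func CheckIssuerCandidate(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	return err == nil && cert.BasicConstraintsValid && cert.IsCA, err // IsCA reflects CA:TRUE
}

// issue builds a constructed cert signed by parent (self-signed when parent is nil); returns PEM, template, key. Test data only.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // a leaf gets an explicit CA:FALSE
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), tmpl, key
}

// Demo mirrors the post: a root signs an intermediate (CA:TRUE) and a leaf (CA:FALSE).
func Demo() (rootOK, intermediateOK, leafOK bool) {
	rootPEM, root, rootKey := issue("Constructed External Root CA", true, nil, nil)
	interPEM, _, _ := issue("Constructed Intermediate CA", true, root, rootKey)
	leafPEM, _, _ := issue("example.internal", false, root, rootKey)
	ok := func(p []byte) bool { r, _ := CheckIssuerCandidate(p); return r }
	return ok(rootPEM), ok(interPEM), ok(leafPEM)
}
```

Run CheckIssuerCandidate over the file you would pass to set-signed (example.pem in the post) before calling Vault; a false result means the CA signed a leaf, not a subordinate CA, and no Vault issuer path will take it.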