Using cert auth to retrieve tokens to then do certificate request

I’m new to Vault but have done extensive work on other PKI systems. I’m not finding a lot of good documentation and examples on the following. Hope someone can point me to some gem in the midst of the noise.

I have the PKI engine running, working very well to generate certs, and it is enabled to require a Vault certificate to authenticate, at least via vault:8200. I want to mix token and cert auth to different paths within the PKI engine.

I’m trying to make sense of the other objects/config/policies needed and a better understanding through example how they tie together. Here’s the scenario.

A client already having a certificate with a specific EKU OID should be allowed to connect via cert auth to retrieve a token. Your OID will permit a cert req for a cert with specific attributes.

After obtaining a token it then connects to a prescribed PKI path to send a cert req and obtain a certificate stamped with a specific OID. I do not want the private key to be created or sent by Vault.

Here's what I have so far, but after combing through old and new documentation and Google, I haven't found anything complete and cohesive.

vault write /auth/cert/certs/ name=IoTs certificate=@vaultsubca.crt required_extensions= display_name=IoTs

curl --header "X-Vault-Token: 30WbXXXXXXXXXXXXL7dz" | json_pp

"auth" : null,
"data" : {
"allowed_names" : ,
"allowed_organizational_units" : ,
"allowed_common_names" : ,
"display_name" : "IoTs",
"allowed_dns_sans" : ,
"policies" : ,
"certificate" : "-----BEGIN CERTIFICATE-----\nMIIEUzCCAzugAwIBAgIRALs1/+2S0d7k+9D7QrcVTZEwDQYJKKfNVva3M92HIjVU\nH82ahBh+lA==\n-----END CERTIFICATE-----",
"max_ttl" : 0,
"allowed_email_sans" : ,
"ttl" : 0,
"period" : 0,
"allowed_uri_sans" : ,
"required_extensions" : [
"lease_id" : "",
"wrap_info" : null,
"request_id" : "a71cdf61-2a8d-90f6-5c47-xxxxxxxxxxxxx",
"lease_duration" : 0,
"warnings" : null,
"renewable" : false

vault login method=cert client-cert=bhorsemen.crt client-key=bhorsemen.key
Token (will be hidden):

Error authenticating: a token must be passed to auth, please view the help for more information

Ok, nailed it. I failed to inject the proper chain, assuming that since all the CAs were already imported/created that chain would be assumed.

All that was needed was a properly working PKI engine that generates certs; make sure the client flag is set and whatever OID in the EKU you want.

vault auth enable cert

vault write auth/cert/certs/robots display_name=IoTs policies=IoTs,prod certificate=@cachain.pem ttl=3600

curl --request POST --cert bhorsemen.crt --key bhorsemen.key --data '{"name":"IoTs"}' | json_pp

Now I could use some help to understand how to configure policies a bit better.

I want to have client certs get a valid token and then use the token only for the cert request role allowed for that token. client1 can get a token to request a certificate for IoT2 but not IoT1, for example.
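One way to wire this up, as an added example that is not from the thread or from HashiCorp: one cert-auth role per device class, each mapped to a policy that only grants `update` on that class's `pki/sign/<role>` path (the `sign` endpoint takes the client's CSR, so the key is never generated or returned by Vault). It assumes the PKI engine is mounted at `pki/` with roles named IoT1 and IoT2 already defined, cert auth is enabled at `auth/cert/`, and the files `cachain.pem`, `client1.crt`, `client1.key` and `client1.csr` exist; the policy naming scheme `iot-<role>-sign` and the CN glob are my own choices.

```shell
#!/bin/sh
# Added example, not from the original thread. Run with "apply" to talk to Vault;
# without arguments it only defines the functions.
set -eu

# Policy for one device class: the token may only call the sign endpoint of the
# matching PKI role. pki/sign/ consumes a CSR, so the private key stays with the
# client; a token holding this policy gets 403 on pki/sign/<other-role>.
iot_policy() {
  role="$1"
  cat <<EOF
path "pki/sign/${role}" {
  capabilities = ["update"]
}
EOF
}

# Name of the policy attached to the cert-auth role (naming scheme assumed here).
policy_name() {
  printf 'iot-%s-sign\n' "$1"
}

# Server side: write the policy, then register a cert-auth role. Client certs
# must chain to cachain.pem and match the CN glob; the issued token carries only
# the policy above. required_extensions="<oid>:<value>" could further restrict
# by EKU but is left out here.
create_cert_role() {
  role="$1"; cn_glob="$2"
  iot_policy "$role" | vault policy write "$(policy_name "$role")" -
  vault write "auth/cert/certs/${role}" \
    display_name="$role" \
    certificate=@cachain.pem \
    allowed_common_names="$cn_glob" \
    token_policies="$(policy_name "$role")" \
    token_ttl=3600
}

# Client side: log in with the device certificate against the named cert-auth
# role, then submit the client-generated CSR to the single permitted sign path.
request_cert() {
  role="$1"; cert="$2"; key="$3"; csr="$4"
  vault login -method=cert -client-cert="$cert" -client-key="$key" name="$role"
  vault write -format=json "pki/sign/${role}" csr=@"$csr"
}

if [ "${1:-}" = "apply" ]; then
  create_cert_role IoT2 'client1*'
  request_cert IoT2 client1.crt client1.key client1.csr
fi
```

With this layout a second class (IoT1) gets its own cert-auth role and policy, so a client1 token can never be used to sign against `pki/sign/IoT1`.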