Using Vault PKI API to generate certs for Strongswan VPN

I would like to use Vault PKI to generate signed certificates for later use to initiate VPN tunnels using Strongswan. The generated certificates will be stored inside a TPM on each VPN client.

Currently, I’m generating an Attestation Key from the TPM and I’m using the public key of the AK to generate a signed certificate using the pki tool (from strongSwan).

i.e.
pki --issue --cacert CaCert.pem --cakey CaKey.pem --type pub --in ak_ecc_pub.der --dn "C=US, O=TNC Demo, OU=AIK ECC, CN=demo.example.com" --san demo.example.com --lifetime 3651 > demo_ak_ecc_Cert.der

Also documented here: https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

I’m wondering if Vault can be used in this situation, as I can’t see in the API a way to sign certificates by providing the public key from the client?

Thanks
Renaud
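For context on the question above, the following is an added example (not part of the original post and not strongSwan or Vault project code). Vault's PKI secrets engine signs certificate signing requests rather than bare public keys: both `pki/sign/<role>` and `pki/sign-verbatim` take a `csr` parameter, and the CSR's self-signature proves possession of the private key. The script below builds such a CSR with the same subject and SAN as the post's `pki --issue` command and shows the shape of the Vault call. It assumes a hypothetical Vault role named `vpn-client`, uses a software P-256 key as a stand-in for the TPM-resident AK (with a real TPM the CSR would have to be signed by the TPM, for example via strongSwan's `pki --req` with a TPM key), and only contacts Vault if `VAULT_ADDR` and `VAULT_TOKEN` are set.

```shell
#!/bin/sh
# Added example: produce a CSR suitable for Vault's pki/sign/<role> endpoint.
# Assumptions: Vault role "vpn-client" (hypothetical), OpenSSL >= 1.1.1 for -addext.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the TPM Attestation Key: a constructed software P-256 key.
# With a real TPM this private key never leaves the chip; the CSR is signed there.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ak_stub.key"
  openssl req -new -key "$WORK/ak_stub.key" \
    -subj "/C=US/O=TNC Demo/OU=AIK ECC/CN=demo.example.com" \
    -addext "subjectAltName=DNS:demo.example.com" \
    -out "$WORK/demo.csr"
  # Vault will reject a CSR whose self-signature does not verify; check it first.
  openssl req -in "$WORK/demo.csr" -noout -verify >/dev/null 2>&1
}

# Ask Vault to sign the CSR under the (hypothetical) vpn-client role.
# The role, not the caller, constrains allowed names, key usages and max TTL.
vault_sign() {
  vault write -format=json pki/sign/vpn-client \
    csr=@"$WORK/demo.csr" \
    common_name=demo.example.com \
    ttl=8760h > "$WORK/signed.json"
  echo "$WORK/signed.json"
}

# Stand-alone run: always build the CSR; only call Vault when credentials exist.
if [ "${1:-}" = "run" ]; then
  make_csr
  echo "CSR written to $WORK/demo.csr"
  if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then
    vault_sign
  fi
fi
```

Run it with `sh script.sh run`; the signed certificate and issuing CA appear in the `data.certificate` and `data.issuing_ca` fields of the JSON Vault returns. If the role's constraints (allowed domains, key type, TTL) do not fit the CSR, Vault refuses to sign, which is the check that makes role-based signing preferable to `sign-verbatim` for VPN client identities.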
