Vault as intermediate PKI with Windows CA


I have an existing Windows root CA and I want to use Vault to sign as an intermediate.
I don’t understand exactly how to configure Vault for this.
I made some tests: my Vault can sign with the intermediate (signed by my root), but the resulting certificate does not have the full chain with the root CA. I think I must import my root into Vault, right?

Do you have a best practice for working with a Windows CA? Thank you

Are you confusing signing a certificate and a certificate chain? Those are two different things.

hmm… yes… no… I don’t know :wink:

I generated a new intermediate in Vault, signed it with my Windows CA and imported it into Vault again.
If I ask Vault to sign a CSR (as intermediate), the signed certificate does not have the full chain, right?

Signing a key just says “I trust this”. It doesn’t create an actual chain of certificates. That’s why you see multiple certificates in a single file “chained” together.

OK. But can you explain to me the best way to configure Vault + Windows CA?

You’re asking if I can explain how to use gasoline from Shell vs. from BP in your car. The source of the certificate generation doesn’t change anything. A certificate is a certificate; it depends on what you want to do with it.
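Added example, not code from this thread or from HashiCorp: a PowerShell walk-through of the intermediate setup discussed above, showing the step the original poster was missing, which is handing Vault the signed intermediate together with the root it was signed by so that issued certificates come back with `ca_chain`. It assumes the `vault` CLI with `VAULT_ADDR`/`VAULT_TOKEN` already set, a Windows CA reachable as `CAHOST\Example-Root-CA` with a `SubCA` template (both placeholders), and the mount and role names chosen here.

```powershell
$ErrorActionPreference = 'Stop'
$CaConfig = 'CAHOST\Example-Root-CA'   # placeholder: <server>\<CA common name>
$Template = 'SubCA'                     # placeholder: template allowed to issue CA certs

# certreq/certutil may write DER or base64 .cer files; normalize either to PEM.
function ConvertTo-Pem([string]$Path) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $Path).Path)
    $b64 = [Convert]::ToBase64String($cert.RawData) -replace '(.{64})', "`$1`n"
    return "-----BEGIN CERTIFICATE-----`n$($b64.TrimEnd())`n-----END CERTIFICATE-----"
}

# 1. Generate the intermediate key inside Vault; only the CSR ever leaves Vault.
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
$csr = (vault write -field=csr pki_int/intermediate/generate/internal `
    common_name='Example Intermediate CA' key_type=rsa key_bits=4096) -join "`n"
Set-Content -Path intermediate.csr -Value $csr -Encoding ascii

# 2. Have the Windows root CA sign the CSR, and fetch the root's own certificate.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" `
    intermediate.csr intermediate.cer
certutil -config $CaConfig -ca.cert root.cer

# 3. The signed intermediate alone is just one certificate. Import it followed by
#    the root so Vault knows (and can return) the full chain.
$chain = (ConvertTo-Pem intermediate.cer) + "`n" + (ConvertTo-Pem root.cer)
Set-Content -Path chain.pem -Value $chain -Encoding ascii
vault write pki_int/intermediate/set-signed certificate=@chain.pem
vault write pki_int/config/urls `
    issuing_certificates="$env:VAULT_ADDR/v1/pki_int/ca" `
    crl_distribution_points="$env:VAULT_ADDR/v1/pki_int/crl"

# 4. Issue a test leaf: 'certificate' is the leaf only, 'ca_chain' is what clients
#    need appended to it (intermediate, then root) to build the chained file.
vault write pki_int/roles/example-dot-com allowed_domains=example.com `
    allow_subdomains=true max_ttl=720h
$issued = vault write -format=json pki_int/issue/example-dot-com `
    common_name=web.example.com | ConvertFrom-Json
($issued.data.ca_chain -join "`n")          # intermediate + root, both present
vault read -field=certificate pki_int/cert/ca_chain   # same chain, served by Vault
```

If `ca_chain` only contains the intermediate, the root was not part of the bundle passed to `set-signed`; re-run step 3 with both certificates in order.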

OK, I’m surprised I can’t find any help about Vault PKI configuration. Bye