I have an existing Windows root CA and I want to use Vault to sign as an intermediate.
I don’t understand exactly how to configure Vault for this.
I ran some tests: my Vault can sign with the intermediate (signed by my root), but the resulting certificate does not have the full chain with the root CA. I think I must import my root into Vault, right?
Do you have best practices for working with a Windows CA? Thank you.
I generated a new intermediate in Vault, signed it with my Windows CA, and imported it into Vault again.
If I ask Vault to sign a CSR (as intermediate), the signed certificate does not have the full chain, right?
Signing a key just says “I trust this”. It doesn’t create an actual chain of certificates. That’s why you see multiple certificates in a single file “chained” together.
You’re asking if I can explain how to use Gasoline from Shell vs from BP in your car. The source of the certificate generation doesn’t change anything. A certificate is a certificate; it depends on what you want to do with it.
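The point made in the thread, that a signed certificate is a single certificate and the "chain" is a file of certificates concatenated together, shown as an added example that is not part of the original posts. It uses only `openssl` with a throwaway PKI; the CA names, file names and helper functions are hypothetical, and no Vault or Windows CA is involved.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo Root CA" stands in for the Windows root CA and
# "Demo Vault Intermediate" for the CA held in Vault. All names are hypothetical.

new_csr() {  # $1=dir $2=basename $3=common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {  # $1=dir; writes root.pem, int.pem, leaf.pem
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  new_csr "$1" root "Demo Root CA"
  new_csr "$1" int "Demo Vault Intermediate"
  new_csr "$1" leaf "app.example.test"
  # Self-signed root; the root signs the intermediate; the intermediate signs the leaf.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# The verifier trusts only the root; $2 optionally names a file of untrusted
# intermediates supplied alongside the leaf.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

# The "full chain" is just the PEM certificates concatenated, leaf first.
build_fullchain() { cat "$1/leaf.pem" "$1/int.pem" "$1/root.pem" > "$1/fullchain.pem"; }

demo() {
  d=$(mktemp -d) && make_demo_pki "$d" && build_fullchain "$d"
  echo "certs in leaf.pem: $(count_certs "$d/leaf.pem")"
  verify_leaf "$d" && echo "leaf alone: OK" || echo "leaf alone: FAIL (issuer missing)"
  verify_leaf "$d" "$d/int.pem" && echo "leaf + intermediate: OK"
  echo "certs in fullchain.pem: $(count_certs "$d/fullchain.pem")"
  rm -rf "$d"
}
demo
```

A client that trusts only the root cannot validate the leaf until the intermediate is delivered with it, which is why the bundle file has to be assembled and deployed separately from the signing step.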