Vault CA with offline root as Consul Connect CA?

I’ve had Vault PKI set up for a little while where Vault operates as an intermediate CA, signed by an offline root. Now I’m looking at Consul Connect and find it wants both a root and intermediate to manage in Vault.

Is it supported to point root_pki_path to the current Vault intermediate pki engine and use a second-level intermediate pki engine for intermediate_pki_path, or is an online root in Vault really required?

Hi @tsarna,

Apologies for the lag in a response, and thank you for posting on the Discuss forums. I’ve moved this topic over to Vault as there may be someone there who can better answer your question.

If you could, would you mind posting if you found an answer to this question?
If the question is still open, can you provide the following information:

  • What version of Vault are you using?
  • What version of Consul are you using?

Thanks again for your patience, and looking forward to hearing back from you!