Hi there,
Tl;dr:
Using the set-intermediate endpoint from the pki-API to import a vault intermediate cert always imports into the same mount, which holds the root-CA.
I have been working towards setting up a PKI inside of Vault for some time.
The PKI consists of a selfsigned Root, created by the Vault, and several Intermediate Certificates, that should later on sign the leaf certificates.
I am following the Build your own certificate authority (CA) | Vault | HashiCorp Developer article.
All steps have been working quite well except one.
In Step 2 - Generate Intermediate CA - at the import step of the vault-generated ca, i cannot import the ca to the right PKI secret-mount.
Every time the sign-intermediate endpoint is being called, the intermediate certificate gets imported into the mount of the root-CA, even when specifying another mount.
Mounts:
- ‘pki-root’ → Mount for the selfsigned Root-CA ‘example.com’
- ‘namespace_123xyz’ → Mount for the Intermediate-CA
Used Commands:
vault write -format=json namespace_123xyz/intermediate/generate/internal
common_name=“namespace_123xyz.example.com”
issuer_name=“pki-root” \
| jq -r ‘.data.csr’ > pki_intermediate.csr
vault write -format=json pki-root/root/sign-intermediate
issuer_ref=“pki-root” \
csr=@pki_intermediate.csr
format=pem_bundle ttl=“43800h”
| jq -r ‘.data.certificate’ > intermediate.cert.pem
vault write namespace_123xyz/intermediate/set-signed certificate=@intermediate.cert.pem
=> Response:
Key ------------------- Value
imported_issuers [a8c7daf7-2733-98b8-470e-ba5d85295fbe]
imported_keys [nil]
mapping map[a8c7daf7-2733-98b8-470e-ba5d85295fbe:a18d8dc5-3b89-7c9a-0397-193a2f1be9c8 dd5f4aa4-d532-99a8-64a6-e3aff59edec7:]
Now looking at the mounts, the intermediate CA has been imported into the pki-root mount and the namespace_123xyz mount is still empty.
Could there be something that causes this behaviour, like missuse of an endpoint or might it be a bug?
Thanks in Advance