Using the set-intermediate endpoint from the pki-API to import a vault intermediate cert always imports into the same mount, which holds the root-CA.
I have been working towards setting up a PKI inside of Vault for some time.
The PKI consists of a self-signed Root, created by the Vault, and several Intermediate Certificates that should later on sign the leaf certificates.
I am following the Build Your Own Certificate Authority (CA) | Vault | HashiCorp Developer article.
All steps have been working quite well except one.
In Step 2 - Generate Intermediate CA - at the import step of the Vault-generated CA, I cannot import the CA to the right PKI secret mount.
Every time the sign-intermediate endpoint is being called, the intermediate certificate gets imported into the mount of the root-CA, even when specifying another mount.
- 'pki-root' → Mount for the self-signed Root-CA 'example.com'
- 'namespace_123xyz' → Mount for the Intermediate-CA
# Step 1: generate the intermediate's key and CSR inside the intermediate mount
# (common_name is required by the endpoint; the value is the tutorial's)
vault write -format=json namespace_123xyz/intermediate/generate/internal \
  common_name="example.com Intermediate Authority" \
  | jq -r '.data.csr' > pki_intermediate.csr

# Step 2: have the root mount sign that CSR (csr=@file is the required input)
vault write -format=json pki-root/root/sign-intermediate \
  csr=@pki_intermediate.csr format=pem_bundle ttl="43800h" \
  | jq -r '.data.certificate' > intermediate.cert.pem

# Step 3: import the signed certificate into the intermediate mount
# (the certificate=@file argument was garbled in the original post)
vault write namespace_123xyz/intermediate/set-signed certificate=@intermediate.cert.pem
Key ------------------- Value
mapping map[a8c7daf7-2733-98b8-470e-ba5d85295fbe:a18d8dc5-3b89-7c9a-0397-193a2f1be9c8 dd5f4aa4-d532-99a8-64a6-e3aff59edec7:]
Now looking at the mounts, the intermediate CA has been imported into the pki-root mount and the namespace_123xyz mount is still empty.
Could there be something that causes this behaviour, like misuse of an endpoint, or might it be a bug?
Thanks in advance
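An added example (mine, not code from the post or from the HashiCorp tutorial) that assumes the two mount names above and the tutorial's intermediate common name: the same three steps with every argument explicit, wrapped in functions, followed by a check that reports which mount actually serves the intermediate CA after the import, so a mix-up between the root and intermediate mounts is caught before any leaf certificates are issued.

```shell
#!/usr/bin/env sh
# Assumptions (constructed for this example): mount names as in the post,
# common name as in the HashiCorp tutorial. Requires the vault, jq and
# openssl CLIs with VAULT_ADDR/VAULT_TOKEN already set.
set -eu

ROOT_MOUNT="pki-root"                       # holds the self-signed root
INT_MOUNT="namespace_123xyz"                # should hold the intermediate
INT_CN="example.com Intermediate Authority" # assumed intermediate CN

# Subject of the CA certificate a mount currently serves at <mount>/cert/ca.
ca_subject() {
  vault read -field=certificate "$1/cert/ca" | openssl x509 -noout -subject
}

# Pure helper: does an openssl subject line name the intermediate CA?
# Handles both "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) output styles.
subject_is_intermediate() {
  case "$1" in
    *"CN = $INT_CN"*|*"CN=$INT_CN"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Steps 1-3 of the tutorial, every required argument spelled out.
install_intermediate() {
  vault write -format=json "$INT_MOUNT/intermediate/generate/internal" \
    common_name="$INT_CN" | jq -r '.data.csr' > pki_intermediate.csr
  vault write -format=json "$ROOT_MOUNT/root/sign-intermediate" \
    csr=@pki_intermediate.csr format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate.cert.pem
  vault write "$INT_MOUNT/intermediate/set-signed" \
    certificate=@intermediate.cert.pem
}

# Post-import check: intermediate mount serves the intermediate, root mount
# still serves only the root. Returns non-zero (and says why) otherwise.
verify_mounts() {
  if ! subject_is_intermediate "$(ca_subject "$INT_MOUNT")"; then
    echo "ERROR: $INT_MOUNT does not serve the intermediate CA" >&2; return 1
  fi
  if subject_is_intermediate "$(ca_subject "$ROOT_MOUNT")"; then
    echo "ERROR: $ROOT_MOUNT is serving the intermediate CA" >&2; return 1
  fi
  echo "OK: intermediate CA is served by $INT_MOUNT only"
}
```

Source the file, then run `install_intermediate && verify_mounts`; the verification alone is also useful for re-checking existing mounts.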