Vault PKI Intermediate Cert import


Is there more explanation about the PKI Intermediate Cert generation and signing?
I have a root CA outside of Vault that I will be using to sign an Intermediate certificate. I will then inject the signed intermediate certificate into my PKI setup. I’m having trouble understanding the certificate generation process.

Is there a “best-practice” method of generating an intermediate certificate that can be signed and imported into any Vault server, or do I have to generate a new intermediate for each Vault server in my environment?

For example, if I generate an intermediate certificate on vault_server_01, and then sign that certificate with my Root CA, will I be able to import the signed intermediate certificate into vault_server_02?

The essence of my query is to find out if we can have a set of signed intermediate certificates that we can just upload into a PKI setup, without generating a new certificate each time.

Are vault_server_01 and vault_server_02 on the same cluster (i.e. they are nodes within the same HA cluster), or are they different clusters entirely? If it’s the former, you would just have to do it once, as all nodes share the same underlying storage.

They would be different clusters in this instance, or another scenario I’m thinking of is disaster recovery and the vault server has to be rebuilt.

Just to clarify, are you referring to the intermediate CA that you generated/signed externally and submitted to Vault via pki/config/ca? In the case of replication, including DR replication, that particular CA certificate that you submit into Vault is stored and replicated across all clusters so you won’t need to generate a new one per cluster.


Yes, the intermediate that is signed externally and submitted to pki/config/ca. I ask because I attempted the setup in a lab. I generated the intermediate cert request, signed it (externally) and then, upon importing the signed cert, I received errors about not having a matching private key.
I will assume I ran into that error because technically the VM I was using was rebuilt (using Vagrant) and not a part of a cluster setup.

There are two main approaches to configuring PKI in Vault:

  1. Where the CA private key doesn’t leave the PKI backend (the private key remains encrypted inside the Vault storage backend, and the CA is then cross-signed)
  2. Where the CA private key comes into the PKI backend from outside (the private key is generated outside, and then imported)

With the first one you get a CSR to sign, sign it with the external PKI CA, then import the signed certificate back using the pki/intermediate/set-signed API.
With the second one you just generate the private key somewhere else, then import both the private and public parts using the pki/config/ca API.
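The two approaches above, as an added example that is not code from this thread or from HashiCorp: an OpenSSL root CA stands in for the external root, and a small check shows the condition behind the “no matching private key” error from earlier in the thread (the public key in the signed cert must be the one derived from the key being imported). The `pki` mount path, subject names and file names are assumptions.

```shell
#!/bin/sh
# Added example: both import paths, with an OpenSSL root CA standing in for the
# external root. The "pki" mount path, CNs and file names are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# External root CA (its key stays outside Vault in both approaches).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Sign an intermediate CSR ($1) with the external root, writing the cert to $2.
sign_with_root() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$1" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 1825 -extfile "$WORK/ca.ext" -out "$2" 2>/dev/null
}

# The check behind the "no matching private key" error: the public key inside
# the signed cert must equal the public key derived from the private key.
key_matches_cert() {   # $1 = private key, $2 = certificate; exit 0 on match
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Approach 1: the key never leaves Vault. Vault creates key + CSR, the external
# root signs the CSR, and only the signed certificate goes back in.
approach_1_set_signed() {
  vault write -field=csr pki/intermediate/generate/internal \
    common_name="Example Intermediate" > "$WORK/vault.csr"
  sign_with_root "$WORK/vault.csr" "$WORK/vault-int.crt"
  vault write pki/intermediate/set-signed certificate=@"$WORK/vault-int.crt"
}

# Approach 2: key generated outside Vault; key and signed cert go in as one
# bundle. Because the key exists outside Vault, the same bundle can be
# imported again into a rebuilt or second cluster.
approach_2_config_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/ext.key" -out "$WORK/ext.csr" 2>/dev/null
  sign_with_root "$WORK/ext.csr" "$WORK/ext.crt"
  key_matches_cert "$WORK/ext.key" "$WORK/ext.crt"   # fail fast before calling Vault
  cat "$WORK/ext.crt" "$WORK/ext.key" > "$WORK/bundle.pem"
  vault write pki/config/ca pem_bundle=@"$WORK/bundle.pem"
}
```

Against a running Vault with the PKI engine mounted at `pki`, source the file and call `make_root_ca` followed by either `approach_1_set_signed` or `approach_2_config_ca`.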