Vault PKI Intermediate rotation

I set up Vault PKI for consul/nomad like this

What happens when an intermediate certificate expires?

Do we have to repeat these steps?

Will new leaf certificates be automatically signed by new intermediate?

Here is one paragraph, but it isn’t clear to me how exactly intermediate certificates are rotated.


Just repeating the same steps again would not work, since you’d be trying to set up a new Vault PKI secrets engine, at a path where one already exists.

Unfortunately, that tutorial is written in a way which suffices to get a temporary testing setup working in a development environment, but neglects to address ongoing production operations.

When the 5 year intermediate expires, it is assumed people have enough experience with the Vault PKI secrets engine to be able to figure out the renewal procedure themselves … I reckon it would probably take me at least 30-60 minutes to write a decent document explaining that.

And when the 10 year root CA expires, it’ll be an even more complex procedure, dependent on what else is depending on the Consul HTTPS API.

After your post, this paragraph looks kinda confusing:

Rotation of intermediate certificates is almost as easy. Assuming a decent operational setup (wherein during end-entity issuance, the full certificate chain is updated in the service’s configuration), this should be as easy as creating a new intermediate CA, signing it against the root CA, and then beginning issuance against the new intermediate certificate. In Vault, if the intermediate is generated in an existing mount path (or is moved into such), the requesting entity shouldn’t care much.

The paragraph isn’t exactly lying, but

involves a multitude of fairly complex Vault API calls, which is what I’m estimating would take at least 30-60 minutes to write a decent explanation of.

Sure, it’s “easy” if you already know how…


Just tried to model this case.

After the intermediate CA expired, I created a new intermediate CSR, signed it with the root, then:

vault write pki-root/root/sign-intermediate csr=@pki_intermediate.csr

➜  ~ vault list -detailed pki/issuers
Keys                                    is_default    issuer_name
----                                    ----------    -----------
a8256011-1112-ed4c-89bf-80654e983722    true          n/a
e8ca77c9-f476-a096-387b-e4b216e3c148    false         n/a

vault write pki/root/replace default=e8ca77c9-f476-a096-387b-e4b216e3c148

After setting the new default, everything seems to work. Correct me if I’m wrong.
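The procedure the last post sketches (new CSR in the existing mount, sign it against the root, import the signed certificate, point the mount's default at the new issuer, verify) written out against the Vault HTTP API, as an added example that is not code from the thread, the HashiCorp tutorial or Vault itself. It assumes the mount names used in the thread (root CA at pki-root/, intermediate at pki/) and Vault 1.11 or later, where a PKI mount holds several issuers; the common name, TTL and the FakeVault responses are constructed placeholders so the flow can be run offline.

```python
"""Rotate the intermediate issuer of a Vault PKI mount over the HTTP API.

Added example, not code from the thread or from Vault. Assumes Vault >= 1.11
(multi-issuer PKI), root CA mounted at pki-root/ and intermediate at pki/.
With VAULT_ADDR and VAULT_TOKEN set it talks to a real server; otherwise the
constructed FakeVault below answers the same five calls so it runs offline.
"""
import json
import os
import urllib.request


class VaultClient:
    """Thin stdlib-only wrapper around the Vault HTTP API (hvac not required)."""

    def __init__(self, addr, token):
        self.addr = addr.rstrip("/")
        self.token = token

    def request(self, method, path, data=None):
        body = json.dumps(data).encode() if data is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=body, method=method)
        req.add_header("X-Vault-Token", self.token)
        if body is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        if not raw:  # 204 No Content, e.g. from root/replace
            return {}
        return json.loads(raw).get("data") or {}


def rotate_intermediate(client, root_mount="pki-root", int_mount="pki",
                        common_name="Example Intermediate CA", ttl="43800h"):
    """Create, sign and activate a new intermediate issuer; returns its issuer id."""
    # 1. New key + CSR inside the *existing* intermediate mount. The current
    #    issuer is untouched, so issuance keeps working during the rotation.
    gen = client.request("POST", f"{int_mount}/intermediate/generate/internal",
                         {"common_name": common_name})
    # 2. Sign the CSR with the root (the same call the thread used). The default
    #    PEM format returns only the new intermediate cert in "certificate".
    signed = client.request("POST", f"{root_mount}/root/sign-intermediate",
                            {"csr": gen["csr"], "ttl": ttl})
    # 3. Import it. Vault pairs the cert with the key from step 1 and registers
    #    a new issuer next to the old one (the step the thread's listing implies).
    imported = client.request("POST", f"{int_mount}/intermediate/set-signed",
                              {"certificate": signed["certificate"]})
    new_issuer = imported["imported_issuers"][0]
    # 4. Make it the mount default. Roles whose issuer_ref is "default" (the
    #    usual case) now issue leaves chained to the new intermediate.
    client.request("POST", f"{int_mount}/root/replace", {"default": new_issuer})
    # 5. Verify before declaring the rotation done.
    cfg = client.request("GET", f"{int_mount}/config/issuers")
    if cfg.get("default") != new_issuer:
        raise RuntimeError(f"default issuer is {cfg.get('default')!r}, expected {new_issuer!r}")
    return new_issuer


def retire_issuer(client, issuer_id, int_mount="pki"):
    """Stop the old issuer from signing leaves but keep it able to sign its CRL,
    so certificates it issued can still be revoked until they expire."""
    return client.request("POST", f"{int_mount}/issuer/{issuer_id}",
                          {"usage": "read-only,crl-signing"})


class FakeVault:
    """Constructed stand-in: same response shapes as Vault, fake PEM blobs."""
    OLD_ISSUER, NEW_ISSUER = "old-issuer-id", "new-issuer-id"

    def __init__(self):
        self.calls, self.default = [], self.OLD_ISSUER

    def request(self, method, path, data=None):
        self.calls.append((method, path))
        if path.endswith("/intermediate/generate/internal"):
            return {"csr": "-----BEGIN CERTIFICATE REQUEST-----\n(constructed)\n-----END CERTIFICATE REQUEST-----"}
        if path.endswith("/root/sign-intermediate"):
            return {"certificate": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}
        if path.endswith("/intermediate/set-signed"):
            return {"imported_issuers": [self.NEW_ISSUER], "imported_keys": [],
                    "mapping": {self.NEW_ISSUER: "new-key-id"}}
        if path.endswith("/root/replace"):
            self.default = data["default"]
            return {}
        if path.endswith("/config/issuers"):
            return {"default": self.default}
        if "/issuer/" in path:  # update-issuer echoes the settings back
            return dict(data or {}, issuer_id=path.rsplit("/", 1)[1])
        raise KeyError(f"unexpected path {path}")


if __name__ == "__main__":
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    client = VaultClient(addr, token) if addr and token else FakeVault()
    print("default issuer is now", rotate_intermediate(client))
```

Two things to check on a real mount: `pki/root/replace` only moves the mount default, so any role with an explicit `issuer_ref` keeps issuing from the issuer it names; and the chain Vault returns with new leaves is built from the issuers present in the mount, so the root certificate must already be imported there (the tutorial's `set-signed` with a PEM bundle does that) for `ca_chain` to be complete. On Vault versions before 1.11 a PKI mount holds a single CA, so there `set-signed` simply replaces it in place and there is no issuer list to pick a default from.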