Vault PKI Intermediate rotation

allcats · May 1, 2023, 4:49pm

I set up Vault PKI for consul/nomad like this

What happens when an intermediate certificate expires?

Do we have to repeat this steps?

Will new leaf certificates be automatically signed by new intermediate?

Here is one paragraph, but it isn’t clear for me, how exactly intermediate certificates are rotated.

Thanks!

maxb · May 1, 2023, 5:32pm

Just repeating the same steps again would not work, since you’d be trying to set up a new Vault PKI secrets engine, at a path where one already exists.

Unfortunately, that tutorial is written in a way which suffices to get a temporary testing setup working in a development environment, but neglects to address ongoing production operations.

When the 5 year intermediate expires, it is assumes people have enough experience with the Vault PKI secrets engine to be able to figure out the renewal procedure themselves … I reckon it would probably take me at least 30-60 minutes to write a decent document explaining that.

And when the 10 year root CA expires, it’ll be an even more complex procedure, dependent on what else is depending on the Consul HTTPS API.

allcats · May 1, 2023, 5:41pm

After your post this paragraph looks kinda confusing

Rotation of intermediate certificates is almost as easy. Assuming a decent operational setup (wherein during end-entity issuance, the full certificate chain is updated in the service’s configuration), this should be as easy as creating a new intermediate CA, signing it against the root CA, and then beginning issuance against the new intermediate certificate. In Vault, if the intermediate is generated in an existing mount path (or is moved into such), the requesting entity shouldn’t care much.

maxb · May 1, 2023, 5:44pm

The paragraph isn’t exactly lying, but

involves a multitude of fairly complex Vault API calls, which is what I’m estimating would take at least 30-60 minutes to write a decent explanation of.

Sure, it’s “easy” if you already know how…

allcats · May 2, 2023, 2:51am

Just tried to model this case.

After expiring of intermediate CA I created new intermediate CSR, signed it with root, then:

vault write pki-root/root/sign-intermediate csr=@pki_intermediate.csr

➜  ~ vault list -detailed pki/issuers
Keys                                    is_default    issuer_name
----                                    ----------    -----------
a8256011-1112-ed4c-89bf-80654e983722    true          n/a
e8ca77c9-f476-a096-387b-e4b216e3c148    false         n/a

vault write pki/root/replace default=e8ca77c9-f476-a096-387b-e4b216e3c148

After setting new default everything seems work. Correct me if I’m wrong.

Topic		Replies	Views
Vault root CA rotation Vault vault	7	3479	July 8, 2022
What to do about vault pki ca expiring Vault	0	491	February 11, 2021
How to move Vault into his own intermediate? Vault	3	1454	March 11, 2021
Consul Connect Root CA rotation process Consul	4	784	July 23, 2021
Clarification on cross-signing Vault	4	993	July 6, 2024

Vault PKI Intermediate rotation

Related topics