Vault PKI issue Sub.Internediate/Issuer CA certificate

I’m trying to get a three tier PKI up and running but find it hard to get a CA certificate signed by my Vault intermediate CA for my Microsoft CA (issuer).
So this is my test setup right now:
Vault Root CA – Vault Intermediate CA – MS CA Issuer

The Vault part is working, same setup as the example in Vault learning. But when the intermediate should sign a CSR from Issuer I do not see the “basic constraint: CA:true” stuff in the signed cert I get back from Intermediate. I’am using a role on intermediate with basic_constraints_valid_for_non_ca: true. Here is what the signed cert says:

X509v3 Basic Constraints: critical
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Issuer: CN=Intermediate CA

I even tried changeing it to false just to be sure, but no difference.
The path I use, and curl POST, is as follows:
curl -s --request POST --header "X-Vault-Token: testing_stuff" --data @csr_payload > JSONFIL

I can not find any text about Vault issuing a CA cert to an other CA server product like Microsoft or so.
Anyone that have an idea what it could be or if I’m doing it wrong somehow?

As all the text on Vault learning and so on is about Vault running a tier 2 PKI and then issuing server certificates I’m worried that I can’t extend the chain, even when I have path length 4 on the root CA.

1 Like

Hey @megalithSE,

To generate an intermediate CA for external CA authority.
You can follow this link:

This will allow you to sign an externally generated CSR by intermediate/root pki in your vault infrastructure and produce an intermediate CA certificate for external consumption.

Hope that helps.

1 Like