Vault pki manual_chain examples?

MWinther · March 11, 2023, 4:32pm

I am trying to figure out how to use the manual_chain attribute on a pki secrets engine. After looking through all available documentation, I am pretty stumped. I have tried adding in the actual certificate as a string, as well as trying to add entire or partial paths to the secret engine, but it seems regardless of what I am trying to put in for a path just renders the error:

vault write pki/issuer/default manual_chain=foo
* unable to find PKI issuer for reference: foo

So, my question is: Does anyone know the secret sauce needed to get manual_chain up and running? Any examples out there of working configuration I could look at?

maxb · March 13, 2023, 2:28pm

Judging by the error message, I imagine it wants an issuer reference - i.e. an issuer name or issuer UUID.

MWinther · March 13, 2023, 9:09pm

Oh, I see… So the idea is that every pki engine instance would import all issuers up the chain? I so far have assumed keeping each “level” in their own instance would be the approach to go with. I guess I will give that a try, then. And if anyone finds this thread and is wondering, “default” works instead of name/uuid to reference the current default issuer.

Topic		Replies	Views
Error POST/PATCH /pki/issuer/ manual_chain Vault vault	0	176	March 4, 2023
Custom secret modifier? Vault vault	0	251	August 1, 2021
PKI: Trying to understand lack of returned issuer ref Vault	0	128	March 7, 2024
I need help with PKI templating Vault vault	2	592	June 18, 2023
How is the PKI CA chain generated? Vault	16	1155	January 12, 2024

Vault pki manual_chain examples?

Related topics