Due to some limitations around some AWS managed services, in my case AWS MSK, I’m pushed to rely on AWS PCA to manage client-broker mTLS… since we are heavily relying on Vault for secrets management I was looking to use Vault PKI to generate dynamically client certificates.
What I did at this point is:
- Created my root CA in AWS PCA
- Create a private ACM certificate associated to the above root CA
- Export my ACM Certificate (certificate, chain and private key)
- Set up an intermediate certificate in Vault by issuing a CSR:
vault write -field=csr example_pki/intermediate/generate/internal common_name="Demo" > demo.csr
- Sign the CSR returned in step 4 with the ACM private key with openssl
- Build the chain up to the root cert (vault.crt → acm.crt → root_ca.crt)
- Submit the signed CA certificate along with the chain to
At step 7 I do get the following error from Vault PKI:
Certificate 1 of certificate chain is not a certificate authority
Additional checks performed:
openssl verify -CAfile root_ca.crt acm.crt OK openssl verify -CAfile (acm.crt + root_ca.crt) demo.crt ERR: Unable to get local issuer certificate
First of all I’m not sure if what i’m trying to do is actually achievable so any advice would be awesome, thanks!!