Vault PKI with AWS PCA

Hi there!

Due to some limitations around some AWS managed services, in my case AWS MSK, I’m pushed to rely on AWS PCA to manage client-broker mTLS… since we are heavily relying on Vault for secrets management I was looking to use Vault PKI to generate dynamically client certificates.

What I did at this point is:

  1. Created my root CA in AWS PCA
  2. Create a private ACM certificate associated to the above root CA
  3. Export my ACM Certificate (certificate, chain and private key)
  4. Set up an intermediate certificate in Vault by issuing a CSR:
vault write -field=csr example_pki/intermediate/generate/internal common_name="Demo" > demo.csr
  1. Sign the CSR returned in step 4 with the ACM private key with openssl
  2. Build the chain up to the root cert (vault.crt → acm.crt → root_ca.crt)
  3. Submit the signed CA certificate along with the chain to example_pki/intermediate/set-signed certificate=@demo-certificate-chain.crt

At step 7 I do get the following error from Vault PKI:

Certificate 1 of certificate chain is not a certificate authority

Additional checks performed:

openssl verify -CAfile root_ca.crt acm.crt OK
openssl verify -CAfile (acm.crt + root_ca.crt) demo.crt ERR: Unable to get local issuer certificate

First of all I’m not sure if what i’m trying to do is actually achievable so any advice would be awesome, thanks!!