What is the process of renewing a Vault PKI CA?
We are creating a Vault Intermediary CA and a CSR. The CSR is being signed by an external Intermediary CA.
We are using Terraform to set up the Vault Intermediary:
  # Mount a dedicated PKI secrets engine for the intermediate CA.
  resource "vault_mount" "pki_int" {
    type        = "pki"
    path        = "pki-int-ca"
    description = "Intermediate Authority"
  }

  # Generate the intermediate's key pair inside Vault and return a CSR.
  # type = "internal" keeps the private key in Vault; only the CSR leaves.
  resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" {
    depends_on = [vault_mount.pki_int]
    backend    = vault_mount.pki_int.path
    type       = "internal"
  }
The output of the vault_pki_secret_backend_intermediate_cert_request is submitted to the external CA. Once we get the signed certificate, we do the following:
  # Import the externally signed intermediate certificate (followed by the
  # root certificate) into the same mount so Vault can build the full chain.
  resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" {
    backend     = vault_mount.pki_int.path
    certificate = <<insert signed Vault Intermediate CA cert + Root CA cert>>
  }
We plan to deploy the full chain to all internal machines' trust stores, where we are using consul-template to issue/renew leaf certificates via the Vault PKI we set up.
I am wondering what the steps are to rotate the Vault Intermediate Cert. (Do we need to create a new PKI backend? Do we need a new CSR, or can we use the existing one? Do we need to deploy the new Vault Intermediary CA cert to all our machines?)
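The following is an added example and is not part of the original post. It shows one way to rotate the intermediate without creating a new mount, by using Vault's multi-issuer PKI (Vault 1.11 and later, where `set-signed` adds an issuer instead of overwriting the single CA) together with the Terraform resources for issuers and the mount-level default. The resource name suffixes, the common name, the PEM file path and the issuer name are assumptions; the `imported_issuers[0]` reference assumes the root is already present in the mount from the first import, so the only newly imported issuer is the new intermediate (verify with `vault list pki-int-ca/issuers`). This goes beyond the single-issuer setup the post describes.

```hcl
# Added example (not from the original post): rotate the intermediate in place
# inside the existing "pki-int-ca" mount using multi-issuer PKI (Vault >= 1.11).

# 1. Generate a NEW key pair and CSR in the existing mount. Do not reuse the old
#    CSR: it is bound to the old private key, and rotation should change the key.
#    The old issuer and key remain in the mount untouched.
resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate_v2" {
  backend     = vault_mount.pki_int.path
  type        = "internal"
  common_name = "Intermediate Authority v2" # assumed; use whatever the external CA requires
}

# 2. After the external CA signs intermediate_v2.csr, import the signed certificate
#    (plus the root, if it is not already in the mount). Vault adds this as a
#    second issuer rather than replacing the first one.
resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate_v2" {
  backend     = vault_mount.pki_int.path
  certificate = file("${path.module}/int-ca-v2-chain.pem") # assumed path
}

# 3. Give the new issuer a stable name so that roles and the mount default can
#    refer to it by name instead of by generated ID.
resource "vault_pki_secret_backend_issuer" "intermediate_v2" {
  backend     = vault_mount.pki_int.path
  issuer_ref  = vault_pki_secret_backend_intermediate_set_signed.intermediate_v2.imported_issuers[0]
  issuer_name = "int-ca-v2" # assumed name
}

# 4. Make the new issuer the mount default. Roles that do not pin an issuer_ref
#    follow the default, so the next consul-template renewals are signed by the
#    new intermediate and receive the new chain, with no template changes.
resource "vault_pki_secret_backend_config_issuers" "default" {
  backend = vault_mount.pki_int.path
  default = vault_pki_secret_backend_issuer.intermediate_v2.issuer_id
}
```

Applied in two `terraform apply` rounds (the first to obtain the CSR, the second once the signed certificate is on disk), this answers the three sub-questions as follows: no new mount is required on a multi-issuer Vault; a new CSR from a new key is required; and whether the new intermediate must be pushed to every trust store depends on what the trust stores anchor on. If they trust the root, the new intermediate only needs to travel in the chain (`ca_chain`/`issuing_ca`) that consul-template already writes next to each leaf, which it does once the default switches. If the trust stores pin the intermediate itself, the new intermediate has to be distributed before any leaf signed by it is deployed. Leave the old issuer in place until its last leaf certificate has expired, since it still signs the CRL and is needed to validate those leaves; if you want to stop it issuing earlier, the `usage` argument of `vault_pki_secret_backend_issuer` can restrict the old issuer to `read-only,crl-signing`. On a Vault older than 1.11 the mount holds a single CA and `set-signed` replaces it, so there the usual approach was a second mount with a parallel role and a consul-template cutover.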