1. Vault generated CA.
-
Mount the PKI backend with this command (this is the pre-0.9.2 CLI syntax; on later Vault releases the same step is `vault secrets enable pki`):
vault mount pki
-
Now we raise the mount's maximum lease TTL. A certificate issued from this mount cannot outlive it, and the default (32 days) is far too short for a root CA, so we set ten years (87600h):
vault mount-tune -max-lease-ttl=87600h pki
-
We generate our root certificate. The `internal` endpoint keeps the private key inside Vault and never returns it; the ttl must not exceed the mount's max-lease-ttl set above:
vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
-
Configure a role that clients will use to request certificates:
vault write pki/roles/example-role \
    allow_any_name="true" \
    allow_subdomains="true" \
    allow_ip_sans="true" \
    allow_localhost="true" \
    max_ttl="72h"
Note that allow_any_name="true" lets anyone who can write to pki/issue/example-role obtain a certificate for any name. Outside a lab, replace it with allowed_domains="myvault.com" (keeping allow_subdomains) so the role can only issue for your own domain.
WARNING: when running Vault in "Dev" server mode all storage is in memory, so shutting Vault down deletes the CA, including the private key that was generated above.
2. Externally generated CA.
-
Mount the PKI backend with this command:
vault mount pki
-
Now we need to create a certificate bundle: the CA certificate followed by its private key in a single PEM file. (For basic configuration of a CA via openssl follow this guide.)
export CA_PATH=/PATH/TO/CA
cat $CA_PATH/ca.cert.pem > /path/to/vault/ca_bundle.pem
openssl rsa -in $CA_PATH/private/ca.key >> /path/to/vault/ca_bundle.pem
The `openssl rsa` step strips the passphrase if the key is encrypted (Vault cannot use a passphrase-protected key), so the bundle now holds the CA key in clear text: keep it mode 0600 and delete it as soon as Vault has accepted it.
-
Assign the CA to Vault (the `@` prefix makes the CLI read the value from the file):
vault write pki/config/ca pem_bundle="@/path/to/vault/ca_bundle.pem"
-
Configure a role (the same role as in section 1):
vault write pki/roles/example-role \
    allow_any_name="true" \
    allow_subdomains="true" \
    allow_ip_sans="true" \
    allow_localhost="true" \
    max_ttl="72h"
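Both procedures above, wrapped into a single script as an added example (this is not code from the original page). It adds the checks a practitioner wants before handing a CA key to Vault: a preflight on the external bundle (exactly one unencrypted private key, at least one certificate, mode 0600), a role pinned to the CA's own domain instead of allow_any_name, and a smoke test that issues one leaf and verifies it against the CA Vault serves. Assumptions: a reachable Vault with VAULT_ADDR and VAULT_TOKEN exported, the page's "myvault.com" domain, "example-role" name and CA_PATH layout, the pre-0.9.2 CLI syntax the page uses, and that `-field=certificate` works on both `vault read` and `vault write` in that CLI generation. The function names and the RUN_PKI_SETUP/BUNDLE variables are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page. Wraps both procedures into
# functions and adds the preflight checks a practitioner wants before
# handing a CA private key to Vault. Uses the pre-0.9.2 CLI syntax
# (vault mount / mount-tune); "vault secrets enable pki" and
# "vault secrets tune" are the later equivalents. Assumes VAULT_ADDR and
# VAULT_TOKEN are exported and the page's CA_PATH layout
# (ca.cert.pem, private/ca.key). Function names are this example's own.
set -eu

# Preflight for an externally generated bundle before "vault write pki/config/ca":
# exactly one private key, at least one certificate (CA first, then any chain),
# no passphrase on the key (Vault cannot decrypt one), and no group/other bits.
check_ca_bundle() {
    bundle=$1
    [ -f "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 1; }
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$bundle" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$keys" -ne 1 ]; then
        echo "expected exactly one private key, found $keys" >&2; return 1
    fi
    if [ "$certs" -lt 1 ]; then
        echo "bundle holds no certificate" >&2; return 1
    fi
    # matches both "BEGIN ENCRYPTED PRIVATE KEY" and legacy "Proc-Type: 4,ENCRYPTED"
    if grep -q 'ENCRYPTED' "$bundle"; then
        echo "key is passphrase-protected; run it through 'openssl rsa' first" >&2; return 1
    fi
    # group/other columns of "ls -l" must all be '-': the key is in clear text
    perms=$(ls -l "$bundle" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "bundle readable by others ($perms); chmod 600 it" >&2; return 1
    fi
    return 0
}

# Role shared by both procedures. The page's role uses allow_any_name="true",
# which lets any client with access to pki/issue/<role> get a certificate for
# any name; this pins issuance to the CA's own domain instead.
configure_role() {
    role=${1:-example-role}
    domain=${2:-myvault.com}
    vault write "pki/roles/$role" \
        allowed_domains="$domain" \
        allow_bare_domains="true" \
        allow_subdomains="true" \
        allow_ip_sans="true" \
        allow_localhost="true" \
        max_ttl="72h"
}

# Procedure 1: Vault generates the root and never exposes its key.
setup_vault_generated_ca() {
    vault mount pki
    vault mount-tune -max-lease-ttl=87600h pki
    vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
    configure_role
}

# Procedure 2: import an OpenSSL-made CA. The bundle holds the unencrypted
# key, so it is written under umask 077, checked, uploaded and then removed.
setup_external_ca() {
    ca_path=$1
    bundle=$2
    (
        umask 077
        cat "$ca_path/ca.cert.pem" > "$bundle"
        openssl rsa -in "$ca_path/private/ca.key" >> "$bundle"
    )
    check_ca_bundle "$bundle"
    vault mount pki
    vault write pki/config/ca pem_bundle="@$bundle"
    rm -f "$bundle"
    configure_role
}

# Smoke test: issue one leaf from the role and verify it chains to the CA
# certificate Vault now serves at pki/cert/ca.
issue_and_verify() {
    name=$1
    vault read -field=certificate pki/cert/ca > ca.pem
    vault write -field=certificate pki/issue/example-role common_name="$name" ttl=1h > leaf.pem
    openssl verify -CAfile ca.pem leaf.pem
}

# Nothing talks to Vault unless explicitly requested, so the file can also
# be sourced just for its functions (RUN_PKI_SETUP and BUNDLE are this
# example's own variables).
case "${RUN_PKI_SETUP:-}" in
    internal) setup_vault_generated_ca; issue_and_verify "www.myvault.com" ;;
    external) setup_external_ca "${CA_PATH:?set CA_PATH}" "${BUNDLE:-/path/to/vault/ca_bundle.pem}"
              issue_and_verify "www.myvault.com" ;;
esac
```

Run as `RUN_PKI_SETUP=internal sh pki-setup.sh` for procedure 1, or `CA_PATH=/PATH/TO/CA RUN_PKI_SETUP=external sh pki-setup.sh` for procedure 2. The preflight deliberately rejects a passphrase-protected key instead of decrypting it silently, so that the clear-text copy only ever exists inside the umask-077 subshell and is removed right after the upload.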