Configure PKI Secrets Engine

  1. Enable the PKI secrets engine at the PKI path.

›_ Console

# vault secrets enable pki


Enable PKI secrets

  2. Tune the secrets engine to use managed keys.

›_ Console

# vault secrets tune -allowed-managed-keys=learn-managed-key pki

You configured the managed key with any_mount=false in the previous step, so no mount can use it until it is explicitly allowed. This command grants the PKI secrets engine's mount access to learn-managed-key.


Vault secrets tune

  3. Generate the root certificate.

›_ Console

# vault write -field=certificate pki/root/generate/kms managed_key_name=learn-managed-key common_name=root.myco.com ttl=8760h

  4. Configure the CA and CRL URLs.

›_ Console

# vault write pki/config/urls issuing_certificates="$VAULT_ADDR/v1/pki/ca" crl_distribution_points="$VAULT_ADDR/v1/pki/crl"


Configure CA & CRL

  5. Test that you can issue a certificate from your managed-key-backed root CA by configuring and using a role.

›_ Console

# vault write pki/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"


Issue certificate with managed key

  6. Request a new certificate for the test.example.com domain based on the example-dot-com role.

›_ Console

# vault write -format=json pki/issue/example-dot-com common_name="test.example.com" ttl="24h"


Generate a new certificate
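The role created in step 5 is what constrains which names the managed-key-backed CA will sign and for how long. The following added example (not part of this guide or of Vault's own code) is a simplified pre-flight check that models those constraints for the request in step 6; it assumes Vault's default allow_bare_domains=false, which the page does not set, and ignores other role options such as allow_glob_domains.

```python
import re

# Role definition mirroring step 5 of the guide (constructed for this example).
EXAMPLE_ROLE = {
    "allowed_domains": ["example.com"],
    "allow_subdomains": True,
    "allow_bare_domains": False,   # assumed Vault default; not set on the page
    "max_ttl": "720h",
}

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a Vault-style duration such as '720h', '24h' or '30m' into seconds."""
    m = re.fullmatch(r"(\d+)([hms])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def name_allowed(common_name, role):
    """Simplified model of the role's name check (not Vault's own matcher):
    an exact allowed domain needs allow_bare_domains, anything below it needs
    allow_subdomains, and everything else is refused."""
    cn = common_name.lower().rstrip(".")
    for domain in role["allowed_domains"]:
        if cn == domain:
            return role.get("allow_bare_domains", False)
        if cn.endswith("." + domain):
            return role.get("allow_subdomains", False)
    return False


def check_issue_request(common_name, ttl, role):
    """Return (ok, reason) for an issue request like step 6 against the role."""
    if not name_allowed(common_name, role):
        return False, f"{common_name} is not permitted by allowed_domains"
    if parse_duration(ttl) > parse_duration(role["max_ttl"]):
        return False, f"ttl {ttl} exceeds the role's max_ttl {role['max_ttl']}"
    return True, "request satisfies role constraints"


if __name__ == "__main__":
    for cn, ttl in [("test.example.com", "24h"), ("example.com", "24h"),
                    ("example.com.evil.net", "24h"), ("test.example.com", "1000h")]:
        print(cn, ttl, check_issue_request(cn, ttl, EXAMPLE_ROLE))
```

Only the first request (the one the guide issues in step 6) passes; the others fail on the bare domain, a look-alike suffix, or a TTL above max_ttl.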

In the same way you can issue further certificates signed by this CA, as your requirements dictate.

This completes the integration of HashiCorp Vault PKI with Utimaco SecurityServer.