Chained Intermediate CAs


Steve Dillon

Mar 29, 2017, 5:43:56 PM3/29/17
to Vault
I'm trying to import certs generated outside of Vault into Vault.

CA -> Intermediate1 -> Intermediate2 -> Final Certs

I'd like to just import Intermediate1 and down, but can't figure out how to create a bundle that has the whole cert chain.  In Vault 6.2 they added Chained Intermediates, but I can't find much documentation on how to do it.

This is what I'm attempting.

rm -f tmp.pem
cat certca/root.PublicCert.pem > tmp.pem               # root first
cat certca/intermediate.PublicCert.pem >> tmp.pem      # then the intermediate
openssl rsa -in certca/private/intermediate.key.pem -passin file:certca/private/intermediate.pw >> tmp.pem   # decrypted intermediate key
vault write "$mountpoint/config/ca" pem_bundle="@tmp.pem"

Vault says: * verification of parsed bundle failed: Public key of certificate does not match private key

If I remove the root.PublicCert.pem from the bundle, Vault will accept it, but then it would never have a way to return a full chain to the user.  I've tried them in a different order.

Anybody have any Hints?

Thanks,
Steve Dillon



Michael Fischer

Mar 29, 2017, 5:46:12 PM3/29/17
to vault...@googlegroups.com
You can't currently add externally-generated leaf certificates to Vault's PKI engine -- the best you can do is store them as secrets in the generic backend.


Jeff Mitchell

Mar 29, 2017, 5:49:44 PM3/29/17
to Vault
The OP isn't trying to add a leaf certificate; he's trying to add an intermediate CA cert.

--Jeff

Michael Fischer

Mar 29, 2017, 5:53:55 PM3/29/17
to vault...@googlegroups.com
My reading is that he's trying to do both ("Intermediate1 and down"); I can only speak to the leaf part.  Maybe you know more about the intermediates?

Chris Hoffman

Mar 29, 2017, 6:47:10 PM3/29/17
to Vault
When providing your pem bundle to the config endpoint, the expectation is that the issuing certificate is the first certificate and the chain is provided in order after it.  If you reverse the order of your intermediate certificates it should work.

Try this:
rm -f tmp.pem
cat certca/intermediate.PublicCert.pem > tmp.pem      # issuing cert first
cat certca/root.PublicCert.pem >> tmp.pem             # then its chain, in order
openssl rsa -in certca/private/intermediate.key.pem -passin file:certca/private/intermediate.pw >> tmp.pem   # decrypted key of the issuing cert
vault write "$mountpoint/config/ca" pem_bundle="@tmp.pem"

Michael is correct that the pki backend is only used to issue certificates and not store them.  There is currently no way to import the certificates already issued by a CA into Vault.
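The ordering rule Chris describes, as an added example that is not code from Vault or from anyone in this thread: a stdlib-only Python script that takes a PEM bundle in any order, works out which certificate is the issuing one by matching each certificate's issuer Name against the others' subject Names (read from the DER with a minimal ASN.1 walker), and emits the bundle as issuing cert, chain upward, then key. It goes beyond the two-level case in the thread and also orders a deeper chain such as root -> Intermediate1 -> Intermediate2. The certificates and key in the fixtures are constructed placeholders (unsigned, structurally minimal; the key is not a key at all), so the script exercises ordering only and does not verify signatures or check that the key matches the first certificate.

```python
"""Reorder a PEM bundle into the layout Vault's pki config/ca endpoint expects.

Added example for this thread, not code from Vault or from any poster.
The issuing CA certificate goes first, followed by its chain upward
(each certificate's issuer after it), then the private key. Ordering is
derived by matching each certificate's issuer Name against the other
certificates' subject Names, read straight from the DER with a minimal
ASN.1 TLV walker, so only the standard library is needed.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, der_bytes, pem_text) for every PEM block in text."""
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()))
        yield m.group(1), der, m.group(0)


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Names."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, tbs_end = _tlv(der, p)            # tbsCertificate SEQUENCE
    fields = []
    while p < tbs_end:                      # collect each top-level TBS field
        tag, _, end = _tlv(der, p)
        fields.append((tag, der[p:end]))
        p = end
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def order_bundle(pem_text):
    """Return pem_text re-ordered: issuing cert, chain upward, then the key."""
    certs, keys = [], []
    for label, der, pem in pem_blocks(pem_text):
        if label == "CERTIFICATE":
            certs.append((cert_names(der), pem))
        elif label.endswith("PRIVATE KEY"):
            keys.append(pem)
    if len(keys) != 1:
        raise ValueError("bundle must contain exactly one private key")
    by_subject = {subj: (iss, pem) for (iss, subj), pem in certs}
    # The issuing cert is the one that issued none of the others
    # (self-signed roots are skipped so a bundle with only a root still works).
    parents = {iss for (iss, subj), _ in certs if iss != subj}
    starts = [subj for subj in by_subject if subj not in parents]
    if len(starts) != 1:
        raise ValueError("could not identify a single issuing certificate")
    ordered, subj = [], starts[0]
    while True:                             # walk issuer links towards the root
        iss, pem = by_subject[subj]
        ordered.append(pem)
        if iss == subj or iss not in by_subject:
            break
        subj = iss
    if len(ordered) != len(certs):
        raise ValueError("certificates do not form one chain")
    return "\n".join(ordered + keys) + "\n"


# ---- constructed fixtures: placeholders, not real certificates or keys ----

def _der(tag, content):
    """Encode one DER TLV (lengths up to 65535 are enough here)."""
    n = len(content)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }"""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def to_pem(label, der):
    """Wrap DER bytes in a PEM envelope with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)


def fake_cert_pem(subject_cn, issuer_cn):
    """Unsigned, structurally minimal certificate: just enough for cert_names()."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"170329000000Z") + _der(0x17, b"270329000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _der(0x30, alg + _der(0x03, b"\x00")))      # placeholder SPKI
    return to_pem("CERTIFICATE", _der(0x30, tbs + alg + _der(0x03, b"\x00")))


ROOT_PEM = fake_cert_pem("Example Root CA", "Example Root CA")
INTER_PEM = fake_cert_pem("Example Intermediate CA", "Example Root CA")
KEY_PEM = to_pem("RSA PRIVATE KEY", b"placeholder, not a real key")
# Same layout the first post used: root first, then intermediate, then key.
WRONG_BUNDLE = "\n".join([ROOT_PEM, INTER_PEM, KEY_PEM]) + "\n"

if __name__ == "__main__":
    print(order_bundle(WRONG_BUNDLE))
```

Run it and the intermediate comes out first, the root second and the key last, which is the layout the config endpoint accepted in this thread. The script only orders; the two checks Vault performs can be done locally before the `vault write` with OpenSSL, which is what the original error message is about: `openssl verify -CAfile root.PublicCert.pem intermediate.PublicCert.pem` for the chain, and comparing the output of `openssl x509 -noout -pubkey -in intermediate.PublicCert.pem` with `openssl pkey -pubout -in intermediate.key.pem` to confirm the key belongs to the first certificate in the bundle.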

Steve Dillon

Mar 30, 2017, 8:43:01 AM3/30/17
to Vault
Thanks Chris, that works!  I was following the pattern for how Docker wanted the certs in the other order.  I thought I had tried both directions.
Thanks for an early victory this morning.

I'm not trying to import the leaf certs, just trying to get the intermediates into Vault.  Vault makes cert management so much easier than OpenSSL.

Steve Dillon