How to import existing intermediate+key and CA chain into vault.


Pedro Reis

Aug 5, 2019, 4:51:39 AM
to Vault
Hi

I have an existing intermediate certificate that I want to import into Vault.

The chain is as follows:

RootCA->Intermediate1->vault_intermediate

I'm building the PKI bundle as follows:

cat /opt/pki/certificate-authority/intermediate/root.ca.cer \
    /opt/pki/certificate-authority/intermediate/intermediate.pem \
    /opt/pki/certificate-authority/Trupki_Vault/Trupki_Vault.pem \
    /opt/pki/certificate-authority/Trupki_Vault/Trupki_Vault-key.pem > /opt/vault/subca.pem


then:

vault write pki/config/ca pem_bundle=@/opt/vault/subca.pem


I'm getting the following:


* verification of parsed bundle failed: public key of certificate does not match private key
  stderr_lines:
  - 'Error writing data to pki/config/ca: Error making API request.'
  - ''
  - 'Code: 400. Errors:'
  - ''
  - '* verification of parsed bundle failed: public key of certificate does not match private key'


Any help on this? I double-checked that the key is correct.

Thanks


Lowe Schmidt

Aug 5, 2019, 5:22:38 AM
to Vault
So if I understand correctly, you have:
A root CA that has signed an intermediate key (intermediate1), and then you have signed the vault intermediate with intermediate1's key.
Then you have created a certificate/key pair signed by the vault intermediate.

That should mean that you need: Root cert -> Intermediate1 cert -> Vault intermediate cert -> Vault cert -> Vault key to complete the chain.

It looks like you're missing the Vault intermediate in your chain.
--
Lowe Schmidt | +46 723 867 157


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9d8a0359-abf4-4381-b526-94fe8b1cba2d%40googlegroups.com.

Pedro Reis

Aug 5, 2019, 5:43:04 AM
to Vault
Hi Lowe, almost that, just minus a level. Let me explain better:

I have 3 certificates:

"RootCa"
"Intermediate1" cert, signed by RootCA
"Vault" cert, signed by intermediate1

What I want to do is to import the "Vault" certificate and the whole chain into Vault in order to issue leaf certificates from it.



Lowe Schmidt

Aug 5, 2019, 5:56:40 AM
to Vault
Right, my bad, I was confusing the TLS setup for Vault itself with the PKI part...

--
Lowe Schmidt | +46 723 867 157

Pedro Reis

Aug 5, 2019, 6:54:55 AM
to Vault
Further tests: if I omit the "rootCA" from the bundle, it works.
So we can only add one additional certificate to the chain bundle?
But in the manual it states:
"May optionally append additional CA certificates. Useful when creating an intermediate CA to ensure a full chain is returned when signing or generating certificates." in https://www.vaultproject.io/api/secret/pki/index.html#submit-ca-information

So I was under the impression that I could send the whole chain in the bundle...
What am I getting wrong?




Pedro Reis

Aug 5, 2019, 7:18:41 AM
to Vault
OK, nailed it...

How it worked for me:

Creating the bundle:

cat vault_cert.pem vault_cert.key intermediate1.pem rootca.pem > bundle.pem

Then there was a problem with rootca.pem: it had a trailing newline at the end of the file. That was creating the error... As soon as I removed it, all went OK and it is working as expected...

Thanks.

Richard Jacobs

Aug 14, 2019, 9:01:13 AM
to Vault
Created the bundle as recommended:
  cat intermediate.cert.pem intermediate.key.pem ca.cert.pem > bundle.pem
Executed the following:
  vault write intca/config/ca pem_bundle=@bundle.pem
    Error: * private key not found in the PEM bundle

- Verified that the private key is in the PEM bundle
- Verified that there are no trailing newlines

Is there any special formatting that has to be applied to the pem_bundle so that it can be processed? Thanks

Richard Jacobs

Aug 14, 2019, 1:21:36 PM
to Vault
After additional research, there is a format issue with regard to the private key.
The private key needs to be converted from PKCS#8 to PKCS#1:

 openssl rsa -in pkcs8.key -out pkcs1.key -outform pem

Once the private key was updated to PKCS#1 and the bundle recreated, the following was successful:
 vault write intca/config/ca pem_bundle=@bundle.pem
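The two failures in this thread (a key that "does not match" the certificate, and a key that is "not found" in the bundle) can both be caught locally before calling `vault write`. The script below is an added example, not code from the thread or from HashiCorp: it generates a throwaway root -> intermediate1 -> vault CA chain, assembles the bundle in the order that worked above (the CA certificate being imported, then its key, then the rest of the chain), converts the key to PKCS#1 the way the last post does, and runs the corresponding checks with openssl. It assumes openssl 1.1.1 or 3.x on PATH; every file name, CN and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp. Builds a throwaway
# root -> intermediate1 -> vault CA chain, assembles the pem_bundle in the order
# that worked above (CA cert, its key, then the rest of the chain) and runs locally
# the checks behind the errors reported in the thread. Assumes openssl 1.1.1 or 3.x;
# every file name and CN is constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# issue_ca DIR NAME CN PARENT: fresh key and CSR for NAME, signed by PARENT as a CA.
issue_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
    openssl req -new -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -CAcreateserial \
        -days 30 -extfile "$OPENSSL_CONF" -extensions v3_ca -out "$1/$2.pem" 2>/dev/null
}

# make_chain DIR: self-signed root, intermediate1 under it, the "vault" CA under that.
make_chain() {
    mkdir -p "$1"
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    export OPENSSL_CONF="$1/openssl.cnf"   # so the demo does not depend on the system openssl.cnf
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/rootca.key" 2>/dev/null
    openssl req -new -x509 -key "$1/rootca.key" -subj "/CN=Demo Root CA" -days 30 \
        -extensions v3_ca -out "$1/rootca.pem" 2>/dev/null
    issue_ca "$1" intermediate1 "Demo Intermediate 1" rootca
    issue_ca "$1" vault "Demo Vault Issuing CA" intermediate1
}

# key_format KEY: PKCS#1 ("BEGIN RSA PRIVATE KEY") or PKCS#8 ("BEGIN PRIVATE KEY").
key_format() {
    if grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo pkcs1
    elif grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then echo pkcs8-encrypted
    else echo unknown; fi
}

# to_pkcs1 IN OUT: the conversion from the last post. OpenSSL 3 keeps PKCS#8 on
# output unless -traditional is given; OpenSSL 1.1 lacks that flag and writes PKCS#1.
to_pkcs1() {
    openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null \
        || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# key_matches_cert CERT KEY: same SubjectPublicKeyInfo on both sides, and non-empty,
# so an unreadable file cannot pass as a match.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT UNTRUSTED ROOT: CERT must chain to ROOT through UNTRUSTED.
chain_verifies() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# build_bundle OUT FILE...: concatenate PEM files, dropping CRs and blank lines so
# every block ends in exactly one newline whatever the input files looked like.
build_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do awk '{ sub(/\r$/, "") } NF' "$f" >> "$out"; done
}

# check_bundle BUNDLE ROOT: the checks behind the thread's errors. The key is matched
# against the first CERTIFICATE block, which is why the order of the files matters.
check_bundle() {
    tmp="$1.check"; mkdir -p "$tmp"
    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print; if (/END CERTIFICATE/) exit }' "$1" > "$tmp/first.pem"
    awk '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/' "$1" > "$tmp/key.pem"
    awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$1" > "$tmp/certs.pem"
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$1")" -eq 1 ] || { echo "expected exactly one private key block"; return 1; }
    fmt=$(key_format "$tmp/key.pem")
    [ "$fmt" = pkcs1 ] || { echo "key is $fmt; run to_pkcs1 if your Vault rejects it"; return 1; }
    key_matches_cert "$tmp/first.pem" "$tmp/key.pem" || { echo "public key of first certificate does not match private key"; return 1; }
    openssl x509 -in "$tmp/first.pem" -noout -text | grep -q 'CA:TRUE' || { echo "first certificate is not a CA"; return 1; }
    chain_verifies "$tmp/first.pem" "$tmp/certs.pem" "$2" || { echo "chain does not verify up to $2"; return 1; }
    echo "bundle OK: $(grep -c 'BEGIN CERTIFICATE' "$1") certificates, key format $fmt"
}

make_chain "$WORK"
to_pkcs1 "$WORK/vault.key" "$WORK/vault-pkcs1.key"
build_bundle "$WORK/bundle.pem" "$WORK/vault.pem" "$WORK/vault-pkcs1.key" \
    "$WORK/intermediate1.pem" "$WORK/rootca.pem"
check_bundle "$WORK/bundle.pem" "$WORK/rootca.pem"
# then: vault write pki/config/ca pem_bundle=@"$WORK/bundle.pem"
```

Run it against your own files by calling `build_bundle` and `check_bundle` with them instead of the generated chain; a bundle that leads with the root, as in the first post, fails the key check with the same wording Vault returned, and a PKCS#8 key is reported before `vault write` gets to say "private key not found". The `-traditional` fallback in `to_pkcs1` matters on OpenSSL 3, where the bare `openssl rsa -in ... -out ...` from the last post leaves the key in PKCS#8.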