Create A Quick PKI HashicorpVault Dev Server

Valente Vidal
3 min read · Jul 11, 2023


Whether you’re a DevOps engineer or a developer, handling SSL/TLS certificates can be a cumbersome task. Fortunately, HashiCorp Vault provides an elegant solution by offering a PKI (Public Key Infrastructure) secrets engine that allows dynamic generation of X.509 certificates. In this article, we’ll walk through a simple bash script that automates the setup of a Dev PKI, including creating a root Certificate Authority (CA) and an intermediate CA.

The whole script is below; the step-by-step breakdown follows it.

# https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install


# Window 1
sudo apt update && sudo apt install gpg
vault server -dev


# Window 2
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN="TOKEN"


# Enable the PKI secrets engine at the pki path
vault secrets enable pki

# Tune it to issue certificates with a maximum time-to-live (TTL) of 87600 hours
vault secrets tune -max-lease-ttl=87600h pki

# Generate the root certificate and save the certificate in CA_cert.crt
vault write -field=certificate pki/root/generate/internal common_name="example.com" \
ttl=87600h > CA_cert.crt

# Configure the CA and CRL URLs
vault write pki/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

# Enable the PKI secrets engine at the pki_int path
vault secrets enable -path=pki_int pki

# Tune it to issue certificates with a maximum time-to-live (TTL) of 43800 hours
vault secrets tune -max-lease-ttl=43800h pki_int

# Execute the command to generate an intermediate and save the CSR as pki_intermediate.csr
vault write -format=json pki_int/intermediate/generate/internal common_name="example.com Intermediate Authority" | jq -r '.data.csr' > pki_intermediate.csr

# Sign the intermediate certificate with the root certificate and save the signed certificate as intermediate.cert.pem
vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr format=pem_bundle \
ttl="43800h" | jq -r '.data.certificate' > intermediate.cert.pem

# Once the CSR is signed and the root CA returns a certificate, it can be imported back into Vault:
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

# Configure a role named example-dot-com which describes the common names, key usages, TTLs and other properties of the signed certificates.
vault write pki_int/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"

# Now client certificates can be generated
vault write pki_int/issue/example-dot-com common_name="client.example.com"


# Generate some certificates
vault write pki_int/issue/example-dot-com common_name="client.example.com"
vault write pki_int/issue/example-dot-com common_name="server.example.com"
vault write pki_int/issue/example-dot-com common_name="client2.example.com"
vault write pki_int/issue/example-dot-com common_name="client3.example.com"

This creates a root CA and an intermediate CA, plus a role that the last commands use to issue leaf certificates.

The Breakdown

Setting Up Your Environment

The script starts by setting up the required environment variables for Vault:


export VAULT_TOKEN='root_token'
export VAULT_ADDR='http://127.0.0.1:8200'

Remember to replace root_token and http://127.0.0.1:8200 with your actual Vault token and server address.

Enabling PKI Secrets Engine

The PKI secrets engine lets Vault operate as a CA or an intermediate CA. To enable it, the script uses:


vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki

Configuring the Root Certificate

The script generates the root CA certificate and saves it to a local file. It then configures the URLs that Vault embeds in issued certificates for fetching the CA certificate and the Certificate Revocation List (CRL):


vault write -field=certificate pki/root/generate/internal common_name="example.com" \
ttl=87600h > CA_cert.crt
vault write pki/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

Enabling the Intermediate PKI Secrets Engine

The script sets up an intermediate CA by enabling a separate path for the PKI secrets engine:


vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int

Configuring the Intermediate Certificate

The script generates a CSR for the intermediate certificate, signs it with the root CA, and imports the signed certificate back into Vault:


vault write -format=json pki_int/intermediate/generate/internal common_name="example.com Intermediate Authority" | jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr format=pem_bundle \
ttl="43800h" | jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

Configuring the Certificate Role

A role specifying the properties of the certificates to be signed is then set up:


vault write pki_int/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"

Issuing a Client Certificate

Finally, the script issues a client certificate using the configured role:


vault write pki_int/issue/example-dot-com common_name="client.example.com"
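As an added example (not part of the original post), here is a small Python dry-run check for the hierarchy the script builds: it confirms that the TTLs nest correctly (root 87600h, intermediate 43800h, role max_ttl 720h) and models which common names the example-dot-com role will accept. The role logic is a simplified approximation of Vault's allowed_domains / allow_subdomains / allow_bare_domains checks written for this example, and the tier list is constructed from the script's own values.

```python
import re

# Duration units Vault accepts in TTL strings such as "87600h" or "1h30m".
_UNITS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(value):
    """Parse a Vault-style duration ("87600h", "1h30m", or bare seconds) into seconds."""
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def check_ttl_chain(tiers):
    """tiers: (name, max-lease-ttl of the mount, ttl requested) from root down.
    Returns a list of problems; an empty list means the hierarchy is consistent."""
    problems, parent_ttl = [], None
    for name, max_lease, ttl in tiers:
        max_s, ttl_s = parse_duration(max_lease), parse_duration(ttl)
        if ttl_s > max_s:
            problems.append(f"{name}: ttl {ttl} exceeds max-lease-ttl {max_lease}")
        if parent_ttl is not None and ttl_s > parent_ttl:
            problems.append(f"{name}: ttl {ttl} outlives its issuer")
        parent_ttl = ttl_s
    return problems


def cn_allowed(common_name, allowed_domains, allow_subdomains=False, allow_bare_domains=False):
    """Simplified model of Vault's role check: bare domains need allow_bare_domains,
    subdomains (any depth) need allow_subdomains; anything else is rejected."""
    name = common_name.lower().rstrip(".")
    for domain in (d.lower() for d in allowed_domains):
        if allow_bare_domains and name == domain:
            return True
        if allow_subdomains and name.endswith("." + domain):
            return True
    return False


# Values constructed from the script above: the role inherits pki_int's max-lease-ttl.
PAGE_TIERS = [
    ("pki root", "87600h", "87600h"),
    ("pki_int intermediate", "43800h", "43800h"),
    ("role example-dot-com", "43800h", "720h"),
]
PAGE_ROLE = {"allowed_domains": ["example.com"], "allow_subdomains": True}

if __name__ == "__main__":
    print(check_ttl_chain(PAGE_TIERS) or "TTL chain OK")
    for cn in ("client.example.com", "example.com"):
        print(cn, "allowed" if cn_allowed(cn, **PAGE_ROLE) else "rejected by role")
```

Note that with the role as configured (allow_bare_domains left at its default), a request for common_name="example.com" itself is rejected; only subdomains such as client.example.com are issued.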
