Vault private PKI

Goals

• Create a PKI engine for Vault-signed certificate creation.

• Make hosts trust the PKI root certificate ancestor.

• Delegate to a host the capability to issue cetificates.

Prerequisites

• Follow the Install Vault tutorial.

• Name your PKI engine. (‘alpha’ in our code sample).

• Choose the domain managed. (‘alpha.internal’ in our code sample).

Steps

Create the PKI engine in Vault

ansible-playbook wescale.hashistack.vault_pki_bootstrap \
    -e hs_vault_pki_name=alpha                          \
    -e hs_vault_pki_domain=alpha.internal

Distribute trust of the root certificate

ansible-playbook wescale.hashistack.vault_pki_trust     \
    -e hs_vault_pki_name=alpha                          \
    -e scope=<group_form_inventory>

Give a host the capability to issue certificates

ansible-playbook wescale.hashistack.vault_pki_enroll \
    -e hs_vault_pki_name=alpha                       \
    -e scope=epic-sre

• From the target host, as root, you now can run:

Create a valid cetificate at /etc/ssl/private/.alpha.internal.*

ssh -F ssh.cfg epic-sre
ansible-refresh-alpha-cert -e cert_domain=<any subdomain>.alpha.internal

Achievement Unlocked

You have created a private PKI and made a host capable of issuing certificates.