Vault private PKI

Goals

  • Create a PKI engine for Vault-signed certificate creation.

  • Make hosts trust the root certificate at the top of the PKI chain.

  • Delegate to a host the capability to issue certificates.

Prerequisites

  • Follow the Install Vault tutorial.

  • Name your PKI engine (‘alpha’ in our code sample).

  • Choose the domain it manages (‘alpha.internal’ in our code sample).

Steps

Create the PKI engine in Vault

    ansible-playbook wescale.hashistack.vault_pki_bootstrap \
        -e hs_vault_pki_name=alpha                          \
        -e hs_vault_pki_domain=alpha.internal

Distribute trust of the root certificate

    ansible-playbook wescale.hashistack.vault_pki_trust     \
        -e hs_vault_pki_name=alpha                          \
        -e scope=<group_from_inventory>
Give a host the capability to issue certificates

    ansible-playbook wescale.hashistack.vault_pki_enroll \
        -e hs_vault_pki_name=alpha                       \
        -e scope=epic-sre

  • From the target host, as root, you can now run the commands below.

Create a valid certificate at /etc/ssl/private/.alpha.internal.*

    ssh -F ssh.cfg epic-sre
    ansible-refresh-alpha-cert -e cert_domain=<any subdomain>.alpha.internal
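Once a host has issued its certificate, the thing worth checking is that the certificate actually chains to the root the other hosts were made to trust, and that it is valid for the subdomain you asked for. The script below is an added example, not part of the wescale.hashistack collection or of Vault: it only needs the openssl CLI (1.1.0 or later, for -verify_hostname). The root bundle and certificate paths shown in the usage comment are assumptions; the helper make_test_pki builds constructed throw-away test material so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not the collection's own code): check that a leaf certificate
# issued on an enrolled host chains to the trusted PKI root and carries the
# requested FQDN. File paths given to verify_leaf are assumptions; point them
# at the distributed root bundle and the certificate under /etc/ssl/private/.
set -eu

# verify_leaf ROOT_PEM LEAF_PEM FQDN
#   prints "ok" and returns 0 when LEAF_PEM chains to ROOT_PEM and is valid
#   for FQDN; returns 1 on a chain failure and 2 on a hostname mismatch.
verify_leaf() {
    root="$1"; leaf="$2"; fqdn="$3"
    # Chain of trust: unknown issuer, expiry or a bad signature all fail here.
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1 || return 1
    # Name check against the certificate's subjectAltName entries.
    openssl verify -CAfile "$root" -verify_hostname "$fqdn" "$leaf" \
        >/dev/null 2>&1 || return 2
    echo ok
}

# make_test_pki FQDN
#   Builds a throw-away root CA and a CA-signed leaf for FQDN in a temp dir
#   (constructed test data, not the Vault root) and prints the directory.
make_test_pki() {
    fqdn="$1"
    dir=$(mktemp -d)
    # Self-signed root; openssl's default v3_ca section marks it CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Test Root" >/dev/null 2>&1
    # Leaf key and CSR.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=$fqdn" >/dev/null 2>&1
    # Sign the CSR with the root, adding the FQDN as a DNS SAN.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/leaf.ext"
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
    echo "$dir"
}

# Usage on the enrolled host (both paths are assumptions):
#   verify_leaf /usr/local/share/ca-certificates/alpha.crt \
#               /etc/ssl/private/.alpha.internal.crt web.alpha.internal
# Self-test with constructed material: ./verify_cert.sh --self-test
if [ "${1-}" = "--self-test" ]; then
    d=$(make_test_pki web.alpha.internal)
    verify_leaf "$d/ca.pem" "$d/leaf.pem" web.alpha.internal
fi
```

After the trust step has run on a host, the same check can be made against the system store by dropping -CAfile: if openssl verify succeeds without it, the root distributed by vault_pki_trust is in place on that host.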

Achievement Unlocked

You have created a private PKI and made a host capable of issuing certificates.