Build a certificate authority (CA) in Vault with an offline root
This tutorial builds on the Build Your Own Certificate Authority (CA) tutorial. You will learn how to create a CA chain hierarchy that uses an offline root and online intermediate CAs in Vault.
Prerequisites
To perform the tasks described in this tutorial, you need:
- Vault binary.
- Certstrap tool by Square to create a simple offline Root CA.
- Terraform CLI to provision Vault server.
- jq tool to parse JSON output.
- openssl tool which is generally packaged with most OS distributions for inspecting x509 certificates and certificate signing requests that you will create in this tutorial.
- tree tool to view the folder structure.
Scenario introduction
In this tutorial, you will complete the following on your local machine:
- Create an offline Root CA.
- Start Vault server in development mode.
- Create Intermediate Certificate Authority 1 (ICA1) in Vault signed with offline Root CA.
- Create Intermediate Certificate Authority 2 (ICA2) in Vault signed with ICA1.
- Issue a client x509 Certificate rooted in ICA2.
Step 1: Create an offline Root CA
Use the certstrap tool to create the offline Root CA, select a very strong password for protecting the CA key.
Output:
Inspect the offline Root CA certificate with openssl to ensure it has the expected
subject
.Output:
Note
In this tutorial, you created the Root CA in your current local directory. However, you will generate the offline Root CA material with the root user, under a well defined root user owned directory.
The
tree
command outputs theout
folder hierarchy.Output:
Step 2: Start Vault server in dev mode
To proceed with the tutorial, open two terminals on your local machine.
In one terminal, start a Vault dev server with
root
as the root token.The Vault dev server defaults to address
127.0.0.1:8200
. The server is initialized and unsealed.Insecure operation
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and runs in an insecure way.
In a second terminal session, export an environment variable for the
vault
CLI to address the Vault server.Additionally, export an environment variable for the
vault
CLI to authenticate with the Vault server.
For this tutorial, you can use Vault's root token. However, it is recommended that root tokens are only used for enough initial setup or in emergencies. As a best practice, use an authentication method or token that meets the policy requirements.
The Vault server is ready.
Step 3: Generate ICA1 in vault
Next, use Terraform Vault provider to provision and manage intermediate PKI endpoints in Vault by creating below file hierarchy.
In your second terminal, create the necessary terraform files to manage ICA1 resources in Vault.
Create
main.tf
file which definesvault
provider.Create
test_org_ica1.tf
file which enables and configures PKI secrets engine.To ensure the file structure is properly configured, use the
tree
command to view the directory.The
test_org_ica1.tf
file has the necessary code to enable a new PKI endpoint for theICA1
in Vault and to generate a Certificate Signing Request (CSR). The CSR will be signed by the offline Root CA next.First, initialize terraform; this downloads the necessary providers and initializes the backend.
Execute the
apply
command to configure Vault.This displays the actions to be performed by Terraform.
When prompted, enter
yes
to accept the plan and proceed with Vault configuration.Note
The path for the PKI endpoint is set to
test-org/vX/ica1/Y
. TheX
denotes the version of offline Root CA andY
denotes the version of ICA1. This ensures that the future versions of ICA1 past expiry can be added in parallel, and eventually clients of ICA1 can move off the earlier one. It is possible to use the same PKI path and reset ICA1, but it can be a breaking change depending upon your PKI use cases.Create a new
csr
folder.Get the ICA1 CSR from the Terraform state file and store it under a new
csr
folder.Sign ICA1 CSR with the offline Root CA.
Output:
The output displays
out/Intermediate_CA1_v1.csr
but it is a tooling print error asIntermediate_CA1_v1.csr
is passed from under thecsr
and notout
folder.Create the
cacerts
folder to store the CA chain files that will be set on the PKI endpoints in Vault.Append offline Root CA at the end of ICA1 cert to create a CA chain under
cacerts
folder. You will use this to set the signed ICA1 in Vault.Update the Terraform code to set the signed cert for
ICA1
in Vault.Apply the Terraform changes to set the signed ICA1 in Vault.
Output:
Verify that the Terraform output displays the new ICA1 set
Verify the ICA1 cert in Vault.
Output:
Verify the ICA1 CA chain in Vault.
Output:
Your directory structure should now resemble the example output.
Step 4: Generate ICA2 in vault
Next, generate Terraform code to create and manage ICA2 in Vault.
In your second terminal, create a Terraform file named, "test_org_ica2.tf" to manage ICA2 resources in Vault.
Apply Terraform changes for ICA2.
Output:
When prompted, enter
yes
to accept the plan and proceed with Vault configuration.
Verify that the Terraform output displays the new ICA2 set
Verify the ICA2 cert in Vault.
Output:
Verify the ICA2 CA chain in Vault.
Output:
Run ICA2 x509 certificate constraint check.
Output example:
Notice that the
X509v3 Basic Constraints
valuepathlen:1
, ensures that ICA2 can only sign CSR requests, but not create more intermediate certificate authorities.
Congratulations, you successfully established your intermediate CAs in Vault with an offline Root.
Step 5: Issue a client x509 cert rooted in ICA2
Create a new PKI role rooted in ICA2 to issue client x509 certificates for
test.com
subdomains.Apply Terraform changes for ICA2.
Output:
When prompted, enter
yes
to accept the plan and proceed with Vault configuration.Next, create a certificate rooted in ICA2 using Vault CLI.
Output example:
Congratulations, you have successfully created intermediate CAs (ICA1/ICA2) in Vault rooted in an offline Root CA and have issued a client certificate rooted in intermediate CA(ICA2).
Use the
tree
command on your current folder to display the folder hierarchy.
For production workflow, you can decide to not check in the csr
folder as the information under it can be obtained from the Terraform state file.
Clean up
If you wish to clean up your environment after completing the tutorial, follow the steps in this section.
Run Terraform to undo all the changes.
Remove the terraform state files and
.tf
files.Remove the
csr
,cacerts
, andout
directories.Unset the
VAULT_TOKEN
environment variable.Unset the
VAULT_ADDR
environment variable.You can stop the Vault dev server by pressing Ctrl+C where the server is running. Or, execute the following command.