Using HashiCorp Vault as a Certificate Authority


In today’s digital landscape, securing communications and data is paramount. One of the foundational elements of secure communication is the use of certificates, which are often issued by a Certificate Authority (CA). HashiCorp Vault, a popular open-source tool for managing secrets, offers a robust solution for acting as a CA. This article will guide you through the process of using HashiCorp Vault as a Certificate Authority, highlighting its benefits and providing a step-by-step setup guide.

Why Use HashiCorp Vault as a CA?

  1. Centralized Management: Vault provides a centralized system for managing certificates, making it easier to enforce security policies and streamline operations.

  2. Dynamic Secrets: Vault can generate dynamic secrets, including short-lived certificates, reducing the risk of credential leakage.

  3. Access Control: With Vault’s robust access control mechanisms, you can ensure that only authorized entities can request and retrieve certificates.

  4. Audit Logging: Vault’s built-in audit logging capabilities allow you to track certificate issuance and usage, enhancing security and compliance.

Setting Up HashiCorp Vault as a CA

Prerequisites

  • A running instance of HashiCorp Vault. You can run it locally or use a managed service.
  • Vault CLI installed on your machine.
  • Basic understanding of Public Key Infrastructure (PKI) concepts.

Step-by-Step Guide

Step 1: Enable the PKI Secrets Engine

First, you need to enable the PKI secrets engine in Vault. This engine will handle certificate issuance and management.

vault secrets enable pki

Step 2: Configure the CA Certificate and Key

Generate a root certificate and private key for your CA. You can do this using OpenSSL or any other tool of your choice. Once you have the certificate and key, upload them to Vault.

vault write pki/config/ca pem_bundle=@ca_bundle.pem

Alternatively, you can have Vault generate a self-signed root certificate:

vault write pki/root/generate/internal common_name="example.com" ttl=8760h

Step 3: Set the Certificate Issuance and Revocation Configuration

Set the URLs where clients can fetch the CA certificate and the certificate revocation list (CRL), then define the default and maximum time-to-live (TTL) for the mount. A newly enabled secrets engine has a default maximum lease TTL of 768h (32 days), and a root certificate's TTL cannot exceed the mount's maximum, so the one-year root in Step 2 requires the mount to be tuned first.

vault write pki/config/urls \
    issuing_certificates="http://vault.example.com/v1/pki/ca" \
    crl_distribution_points="http://vault.example.com/v1/pki/crl"

vault secrets tune -default-lease-ttl=72h -max-lease-ttl=8760h pki

Step 4: Create a Role for Certificate Issuance

Roles define the parameters for issuing certificates, such as allowed domains and TTL.

vault write pki/roles/example-dot-com \
    allowed_domains="example.com" \
    allow_subdomains=true \
    max_ttl="72h"

Step 5: Issue a Certificate

Now, you can issue a certificate using the role you created.

vault write pki/issue/example-dot-com common_name="test.example.com"

This command will return a certificate, private key, and CA chain.
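The five steps above as a single script, an added example that is not part of the original post: it tunes the mount TTL before the one-year root is generated, checks the role TTL against the mount maximum, and verifies the issued certificate with openssl. It assumes VAULT_ADDR and VAULT_TOKEN are set, that vault, jq and openssl are on PATH, and uses the article's example.com names as constructed values.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): Steps 1-5 in the order Vault
# requires, followed by an openssl check of the issued certificate.
# Assumes VAULT_ADDR/VAULT_TOKEN are set and vault, jq, openssl are on PATH.
set -eu

MOUNT=pki
ROLE=example-dot-com
DOMAIN=example.com
VAULT_URL=http://vault.example.com   # constructed value; must be reachable by clients
# Convert a Vault duration (72h, 30m, 90s, or plain seconds) to seconds.
ttl_seconds() {
  case "$1" in
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  echo "$1" ;;
  esac
}

# Vault caps every lease at the mount's max_lease_ttl; check a role or request
# TTL against it up front instead of discovering the cap in production.
ttl_within_mount() {
  [ "$(ttl_seconds "$1")" -le "$(ttl_seconds "$2")" ]
}

setup_ca() {
  vault secrets enable "$MOUNT"
  # A new mount's max lease TTL defaults to 768h; raise it before the 8760h root.
  vault secrets tune -default-lease-ttl=72h -max-lease-ttl=8760h "$MOUNT"
  vault write -field=certificate "$MOUNT/root/generate/internal" \
    common_name="$DOMAIN" ttl=8760h > ca.pem
  vault write "$MOUNT/config/urls" \
    issuing_certificates="$VAULT_URL/v1/$MOUNT/ca" \
    crl_distribution_points="$VAULT_URL/v1/$MOUNT/crl"
  ttl_within_mount 72h 8760h || { echo "role max_ttl exceeds mount max_ttl" >&2; exit 1; }
  vault write "$MOUNT/roles/$ROLE" allowed_domains="$DOMAIN" \
    allow_subdomains=true max_ttl=72h
}

issue_and_verify() {
  vault write -format=json "$MOUNT/issue/$ROLE" common_name="test.$DOMAIN" > issued.json
  jq -r .data.certificate issued.json > test.pem
  jq -r .data.private_key issued.json > test-key.pem  # returned once; Vault keeps no copy
  chmod 600 test-key.pem
  openssl verify -CAfile ca.pem test.pem                # chains to the root exported above
  openssl x509 -in test.pem -noout -ext subjectAltName | grep -q "DNS:test.$DOMAIN"
}
if [ "${RUN_VAULT_DEMO:-0}" = 1 ]; then setup_ca; issue_and_verify; fi
```

Run with `RUN_VAULT_DEMO=1 sh vault-ca.sh` against a dev or test Vault; the TTL helpers can be sourced and used on their own.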

Conclusion

Using HashiCorp Vault as a Certificate Authority provides a secure, flexible, and centralized way to manage your certificates. Its integration with other Vault features, such as dynamic secrets and access control, makes it an excellent choice for modern DevOps environments. By following the steps outlined in this article, you can set up Vault as a CA and start issuing certificates with ease.

By leveraging the power of HashiCorp Vault, you can enhance your organization’s security posture and streamline certificate management processes.