Subordinate HashiCorp Vault CA to EJBCA Root
The following describes how to create a subordinate CA in Vault getting it signed by a Root CA in EJBCA.
Introduction
Today there is a need for PKI across many use cases in an organization and across many organizational boundaries. A wide range of products and tools may be best suited for a specific use case, while a very diverse spread of PKI makes it difficult to control and uphold encryption and signing policies, key management and trust, etc. A common best practice in PKI is to use a hierarchy of certificate authorities (CAs) to both control and efficiently utilize trust.
Many organizations use HashiCorp Vault to manage secrets and Keyfactor EJBCA for centralized PKI management. It is possible to use both products together in several different ways and the following describes how to set up a Vault CA to be a subordinate (sub) CA or a Root CA in EJBCA. Having a single trust anchor, in the form of a Root CA, is common practice in many organizations and can be achieved by subordinating HashiCorp Vault to EJBCA.
Prerequisites
The following presents a command line driven approach, which is suitable for scripting and automation. Note that you could perform the same tasks with administrative Web UIs.
The following prerequisites are required to complete the subordination:
- EJBCA
- EJBCA deployed with a Root CA
- A certificate profile in EJBCA for the HashiCorp Vault Subordinate CA
- An end entity profile in EJBCA for the HashiCorp Vault Subordinate CA that is configured to use the HashiCorp Vault Sub CA certificate profile
- RA credential that has access to create the HashiCorp Vault Subordinate CA end entity in EJBCA
- A workstation with the EJBCA Client Toolbox utility configured to use EJBCA
- HashiCorp Vault
- HashiCorp Vault installed, initialized, and unsealed
- JSON processor jq installed on the HashiCorp Vault server
- Vault command line interface v1.3.4
- Vault version 1.4.0 Docker container
Subordinate HashiCorp Vault CA to EJBCA Root
To complete a subordination of a Vault CA, follow the steps outlined in the sections below.
Step 1 - HashiCorp Vault Configuration
Perform the following on the Vault server using the Vault command line utility. Access the Vault server using SSH.
Enable the Vault PKI.
CODEvault secrets enable pki
Create the Vault Subordinate CA.
CODEvault secrets enable -path=subca01 pki
Create the Subordinate CA Certificate Signing Request (CSR).
CODEvault write -format=json subca01/intermediate/generate/internal common_name="Vault Intermediate Authority G1" key_bits="2048" | jq -r '.data.csr' > subca01.csr
The CA DN for the Vault Sub CA is created and enforced on EJBCA. Select the values appropriate for your organization.
Copy the
subca01.csr
file to the workstation that has the EJBCA Client Toolbox utility configured for performing actions on the EJBCA CA.
Setp 2 - ClientToolBox Workstation Configuration
The following describes interacting with EJBCA using the EJBCA Client Toolbox Web Service CLI tool, which can be run remotely from any workstation with mutual TLS authentication. Note that the same actions can also be performed in the EJBCA CA or RA UIs or with other protocols and APIs. For more information on the EJBCA Web Service CLI, see Using the Web Services CLI and for using the EJBCA user interface in general, refer to the CA Operations Guide.
Perform the following to sign the Sub CA CSR using the EJBCA Web Service CLI tool. Note the following location directory of the CSR file subca01.csr
in the steps below: /var/tmp
.
- Open a terminal window and change directories to the clientToolBox utility.
Create the end entity in EJBCA.
CODE./ejbcaClientToolBox.sh EjbcaWsRaCli edituser vault-subca01 foo123 false 'cn=Vault Intermediate Authority G1,ou=Certification Authorities,o=PrimeKey,c=SE' NULL NULL PrimeKey-Root-G1 1 USERGENERATED NEW Hashicorp-SubCAEE Hashicorp-SubCACP
Submit the CSR to be signed.
CODE./ejbcaClientToolBox.sh EjbcaWsRaCli pkcs10req vault-subca01 foo123 /var/tmp/subca01.csr PEM NONE /var/tmp/
Obtain the Root CA certificate.
CODEcurl -o /var/tmp/root.crt "https://enrollprimekey.primekey.se/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3DPrimeKey+Root+CA+G1%2COU%3DCertification+Authorities%2CO%3DPrimeKey%2CC%3DSE&level=0"
Add the Root CA certificate to the
subca01.crt
file.CODEcat /var/tmp/root.crt >> /var/tmp/subca01.pem
- Copy the
subca01.pem
file to the Vault server.
Step 3 - Finalize HashiCorp Vault Sub CA Configuration
The following describes how to import the signed certificate to complete the subordination and configure a domain to issue the certificates against. The PEM file should be located in /var/tmp
to complete the following steps.
Import the Sub CA certificate into Vault.
CODEvault write subca01/intermediate/set-signed certificate=@/var/tmp/subca01.pem -format=json"
Create a domain to issue certificates.
CODEvault write subca01/roles/primekey-se allowed_domains='primekey.se,primekey.som' allow_subdomains='true' max_ttl='160h' key_usage='DigitalSignature, KeyEncipherment' -format=json"
Test issuing a certificate.
CODEvault write subca01/issue/primekey-se common_name='vault.primekey.se' ttl='24h' -format=json
Using the HashiCorp Vault Sub CA
The HashiCorp subordinate CA can now be used to issue certificates in your HashiCorp environment. The advantage of having HashiCorp CAs signed by a Root CA is that clients that need to be configured with trust anchors, usually to trust more than one subordinate CA, only have to be configured with the Root CA as trust anchor. Also, the central PKI management team can overlook subordinate CAs and revoke sub CAs that have been compromised, or should no longer be used for other reasons.