Skip to main content
Skip table of contents

Tutorial - Use EJBCA with HashiCorp Vault

Learn how to deploy a three-node Vault cluster and configure the EJBCA PKI Secrets Engine for HashiCorp Vault plugin to issue certificates from EJBCA through Vault.

PKI administrators interested in offering an integration to use EJBCA to standardize the PKI in the environment and have a single place to manage certificates while providing the ability to issue certificates from HashiCorp Vault should find this tutorial helpful. The steps outlined in this tutorial show how HashiCorp Vault can be deployed to integrate with EJBCA for users to request certificates from vault issued by EJBCA.

In this tutorial, you will learn how to:

  • Configure EJBCA for the HashiCorp Vault EJBCA plugin
  • Create keys and certificate signing requests (CSRs) to request certificates from EJBCA for the HashiCorp Vault EJBCA plugin​
  • Create Certificates from the CSRs using EJBCA
  • Deploy HashiCorp Vault with the EJBCA Vault plugin
  • Configure the EJBCA Plugin to issue certificates from EJBCA

Prerequisites

For this tutorial, EJBCA Community Docker container version 8.2.0.1 was used.

Before you begin, you need:

For more information on the EJBCA PKI Secrets Engine for HashiCorp Vault plugin, refer to Keyfactor GitHub.

Step 1 - Configure EJBCA for the HashiCorp Vault EJBCA plugin

Follow these steps to configure a certificate profile and an end entity profile in EJBCA, and add a RA role for Vault.

Create certificate profile

To create a certificate profile, do the following:

  1. Go to the EJBCA Administration user interface using a web browser.
  2. In EJBCA, under CA Functions, click Certificate Profiles.
  3. Click Clone by the TLS Server Profile template to create a new profile using that template.
  4. Name the new certificate profile TlsServerRsa-1y, and click Create from template.
  5. To edit the profile default values to fit your needs, find the newly created TlsServerRsa-1y profile displayed in the list and click Edit.
  6. On the Edit page, update the following:
    • Select RSA for the Available Key Algorithms (this should be the only option selected).
    • Select 2048, 3072, and 4096 for the Available Bit Lengths.
    • For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
  7. To store the certificate profile, click Save.

The TlsServerRsa-1y profile is displayed in the list of certificate profiles.

Create end entity profile

To update the end entity profile, do the following:

  1. In EJBCA, under RA Functions, click End Entity Profiles.
  2. Select the TLS Server Profile, and click Edit End Entity Profile.
  3. Edit the profile and update the following:
    • In the Other Subject Attributes section, select DNS Name from the Subject Alternative Name list, and click Add.
    • In the Other Subject Attributes section, select IP Address from the Subject Alternative Name list, and click Add.
    • In the Available Certificate Profiles section, select the TlsServerRsa-1y in addition to the other profile selected.
    • For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
  4. Click Save to store the end entity profile.

The end entity profile is displayed in the list of end entity profiles.

Create role

To create an RA role for Vault and authorize actions in EJBCA:

  1. In EJBCA, under System Functions, click Roles and Access Rules.
  2. Next to the list of available roles, click Add.
  3. For Role name, specify RA-Vault and click Add.
    The Roles Management page now lists the RA-Vault role.
  4. To update the access rules for the role, click Access Rules for the RA-Vault role.
  5. On the Edit Access Rules page, edit the following:
    • For Role Template, select RA Administrators.
    • For Authorized CAs, select My PKISubCA-G1.
    • For End Entity Profiles, select TLS Client Profile and TLS Server Profile.
  6. Click Save to store the updated access rules for the role.
  7. At the top right of the Edit Access Rules page, click Advanced Mode.

    • Under Regular Access Rules, select Allow for /ca_functionality/view_ca/.

  8. Click Save.
  9. At the top right of the Edit Access Rules page, click Members.
  10. Members are defined by an attribute from the certificate DN and the serial number:
    • Match with: Select X509:CN, Common name.
    • CA: Verify that Management CA is selected for the CA to match on.
    • Match Value: Specify the name value from the certificate, in this example: "vault-ra-01". Note that this is a case-sensitive matching.
  11. Click Add to add the user to the role.

An RA role for Vault has been created and the TLS Server Profile was updated to include an IP Address in the Subject Alternative Name as an option.

Step 2 - Create Keys and Certificate Signing Requests (CSRs)

To prepare for the HashiCorp Vault deployment, you will download the Vault command line interface and use OpenSSL to generate private keys and certificate signing requests (CSRs).

 Download the Vault CLI and generate the CSRs:

  1. SSH to the MicroK8s test host that has EJBCA deployed and configured.
  2. In your terminal, enter the following to create a directory to organize all the files for this tutorial:

    CODE
    $ mkdir vault
  3. Change to the vault directory:

    CODE
    $ cd vault
  4. Download the vault binary to use vault locally once deployed:

    CODE
    $ curl -O https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_linux_amd64.zip
  5. Unzip the archive and remove the zip file:

    CODE
    $ unzip -q vault_1.15.4_linux_amd64.zip && rm -f vault_1.15.4_linux_amd64.zip
  6. Create environment variables used to create CSRs for certificates issued from EJBCA that Vault will use:

    CODE
    $ export VAULT_K8S_NAMESPACE="vault" VAULT_SERVICE_NAME="vault-internal" K8S_CLUSTER_NAME="cluster.local"
  7. Create an OpenSSL configuration file for the Vault instances TLS certificate:

    CODE
    $ cat > vault-internal.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = yes
    distinguished_name = kubelet_serving
    req_extensions = v3_req
    [ kubelet_serving ]
    C = SE
    O = Keyfactor Community
    CN = system:node:*.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}
    [ v3_req ]
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = *.${VAULT_SERVICE_NAME}
    DNS.2 = *.${VAULT_SERVICE_NAME}.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}
    DNS.3 = *.${VAULT_K8S_NAMESPACE}
    DNS.4 = vault-active
    IP.1 = 127.0.0.1
    
    EOF
  8. Generate private key and create the CSR using the OpenSSL configuration file:

    CODE
    openssl req -new -newkey rsa:2048 -nodes -keyout vault-internal.key -sha256 -out vault-internal.csr -config vault-internal.conf
  9. Create an OpenSSL configuration file for the Ingress TLS certificate used for accessing Vault externally from inside the Kubernetes cluster:

    CODE
    cat > api.vault.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = yes
    distinguished_name = kubelet_serving
    req_extensions = v3_req
    [ kubelet_serving ]
    C = SE
    O = Keyfactor Community
    CN = api.vault
    [ v3_req ]
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = api.vault
    
    EOF
  10. Generate the private key and create the CSR using the OpenSSL configuration file for the external Ingress TLS certificate:

    CODE
    $ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -sha256 -out api.vault.csr -config api.vault.conf
  11. Create an OpenSSL configuration file for the Vault RA credential:

    CODE
    cat > vault-ra-01.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = yes
    distinguished_name = kubelet_serving
    req_extensions = v3_req
    [ kubelet_serving ]
    C = SE
    O = Keyfactor Community
    CN = vault-ra-01
    [ v3_req ]
    keyUsage = digitalSignature
    extendedKeyUsage = clientAuth
    
    EOF
  12. Generate the private key and create the CSR using the OpenSSL configuration file for the Vault RA credential:

    CODE
    openssl req -new -newkey rsa:2048 -nodes -keyout vault-ra-01-key.pem -sha256 -out vault-ra-01.csr -config vault-ra-01.conf
  13. Output the vault-internal.csr to the terminal to use in a later step:

    CODE
    cat vault-internal.csr
  14. The vault-internal.csr is displayed in the terminal:

    CODE
    -----BEGIN CERTIFICATE REQUEST-----
    MIIDKzCCAhMCAQAwWzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
    b21tdW5pdHkxLjAsBgNVBAMMJXN5c3RlbTpub2RlOioudmF1bHQuc3ZjLmNsdXN0
    ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcGa2SdmwS
    XT6jm3llcPPdY0ZdB0xctCcxam+HUj9/qVw5BXiKWVR8fyVDbU7gWUjM4ugVMqOm
    +LxeC0GxlasAW+4QqZlny7BkBZJbPcszelbBvsWHcCma2gx25XQ3kPJPcdgRisG1
    jHawbMUY6D9x+SOKMyedYPn/nzfnAhDchEAWwvV9gHmd5Fwfh+ube9HKkwrkaszd
    2avqMQzgUpfxrshcYmwbqhdyWO+d5WomVlV6xJJNzOml8UbNhKbzmrunpCGS369r
    bYANcPZcgjHAKv53E1l940rYwogU/aDQMr2Yz8tulPmfhJL99otgGLhDiNgL4LCe
    r4kgbS14LU8PAgMBAAGggYowgYcGCSqGSIb3DQEJDjF6MHgwCwYDVR0PBAQDAgWg
    MBMGA1UdJQQMMAoGCCsGAQUFBwMBMFQGA1UdEQRNMEuCECoudmF1bHQtaW50ZXJu
    YWyCKCoudmF1bHQtaW50ZXJuYWwudmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByou
    dmF1bHSHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAIyTD/JXkvpcsl5BaP4VRG70
    uJ4ubfuvn8BOWDXYLvARm5PmSgYibZ7C7Y3ak657lC8G7pHWRWwNb+MBmeG9ELiG
    45OHP2w60B9SPSMZZ89eZ7SpGq005Fw9+ALzfJHfjn5QyZx2p9ytio1exhMKIKl1
    /Q9N3GHPCarLdKYNwSpOjOlYM0fz50KQPd/9vgp/Mxohk/42SUP3uB+MDxRXUHQt
    5peX4WklJH1OFWUWNDGiPV2URkAdW4S5dFoDb3SKGxIwpS312vdXpz/tFsxqz/mM
    s9QnOaGJbp6YS8x/G41en0ia9XblKR/pQNiGdIPUEKHojkCIE0ROYEU0iKqXZuY=
    -----END CERTIFICATE REQUEST-----
  15. Output the api.vault.csr to the terminal to use in a later step:

    CODE
    cat api.vault.csr
  16. The api.vault.csr is displayed in the terminal:

    CODE
    -----BEGIN CERTIFICATE REQUEST-----
    MIICzTCCAbUCAQAwPzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
    b21tdW5pdHkxEjAQBgNVBAMMCWFwaS52YXVsdDCCASIwDQYJKoZIhvcNAQEBBQAD
    ggEPADCCAQoCggEBAM6cSK2PW8yJ9H/qElCvWudcgUy4lSwcvznfefTUsZhEW1IP
    BvtthX0AaGraDNIsaChjCtsvUTwDskTZkkm8EB1p0U22BQdgV0z71DklhETSx7Y+
    YUPS/aqERQ+MpG0rBsf9UPvdXZJnmX+Ua/iHiKwISFc2LALTpbJaIpR8Jo0EwHuW
    f1U/wa7col5xsS/I9orhGYqvnDzvnvjsJTR1rAEDH/RN/AHkQOiBDoyfRJfM+VdD
    cbS6MPKEB1uvQKdhYQ6dzLBTDiIzkWvguoMxDMkBJSjBAgZoxBpO/6GMDoH5o6LZ
    69li1V1NjRYQ5WOMKki8LlhHxrsYeEq4OMSWgOcCAwEAAaBJMEcGCSqGSIb3DQEJ
    DjE6MDgwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBQGA1UdEQQN
    MAuCCWFwaS52YXVsdDANBgkqhkiG9w0BAQsFAAOCAQEACHKgifwtgESJGh/rO6Ja
    gPZ3W0UpYUM80Ssgegyr9Pja9yZwlv+TcmsZ7IqVNCKD0djWXxfVrQW2gqLhb+Jw
    4ZeUZDB8Yui+W7Pl+t6q7dMmRmzZ0OX8cwkbkoyfMn64yT+tFQAd1Ln38666+a7I
    QYstwvDd8+w9bloDIRXZ0E0+qkiNnRKZO11NxxACahvfpgyPSyl7qF9CCfzgeqoJ
    0qkP8lBMGPKrAeq708Bv+jzy93t3qpqpLDEsa88TqEdTM6Bt1EG3jE+r4FWidsfJ
    oQu4YK6vYJQTBRvmFFPGGdhqzaB6LY1W7ZvRKNAo6w1A2D9/G/BWmKrnm6VtR4Ne
    lA==
    -----END CERTIFICATE REQUEST-----
  17. Output the vault-ra-01.csr to the terminal to use in a later step:

    CODE
    cat vault-ra-01.csr
  18. The vault-ra-01.csr is displayed in the terminal:

    CODE
    -----BEGIN CERTIFICATE REQUEST-----
    MIICuTCCAaECAQAwQTELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
    b21tdW5pdHkxFDASBgNVBAMMC3ZhdWx0LXJhLTAxMIIBIjANBgkqhkiG9w0BAQEF
    AAOCAQ8AMIIBCgKCAQEApP82z06nC5N6m4HyP7O5pNY0IxCP9kHy6Fk7k9GFfbwF
    upLkxeN0sDsqnIrOECVhhszaMbyHxF/bo5ZlbrSgyK6GbUNQ+txvU+48ArkGx1bx
    9Cajd0HBVTlm1LgacSCskGoock2uyueoK8fAHKwJf/xLvUwosr+40KNACv3SLDEr
    OIF857WCeqa9wkHo0k68Qcx9ChXnUotw90H7gXtLyzmmcunPt5SwJ+FGzcWrDxY/
    h3DUzyjqXFNfHxqpAyX+n0FCjnB0jLjz/iokS6mxm8Ly9rQHQHe7z3aUuZIWl3oA
    R07R+gG2JrosQ6DvAxZxOXy0qq6IuIMWUBIsdt9SrQIDAQABoDMwMQYJKoZIhvcN
    AQkOMSQwIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZI
    hvcNAQELBQADggEBAKOIa9D37s2vDE4giASd+RfLnsNqLnZx3HiaF10XaHHkxq8Z
    7GVS/0BNTQPN2DM2lKRadTxvfgJ1bCN7raMnhjqUkrr1U7RNXsHiCvtcdwUEKjNT
    QES7lq+MHaCuu8uov1sBlcyYSh0dd448P3vksIYT6Z3/eWsl+W+X2ZUdLO74u7av
    vRATm5uX9nePLt/RA2fZmPmlAoI+15hjEkWhPv6hV4nQmcfGc0x2SbO7Gk6sTFTo
    eLpD19NHDfa59ocNV8mkmGAJJR409WClrxqCzbFrN4uWRx3DKJTT25WQpPb2zHnw
    cNVJxJIGOyapXZ9Ldn+pf2AwH2CooiIQpNP5oKY=
    -----END CERTIFICATE REQUEST-----
    
    

The Vault CLI is downloaded, and certificate signing requests have been created to be used for the Vault integration with EJBCA.

Step 3 - Create Certificates from the CSRs Using EJBCA RA UI

The CSRs generated in Step 2 - Create Keys and Certificate Signing Requests (CSRs) must be signed before Vault can be deployed. The EJBCA RA Web is used to issue the certificates by signing the CSRs. Once the CSRs are signed the certificate files are uploaded to the Kubernetes server and staged for the Vault deployment.

To complete the certificate issuance for the CSRs generated in step 1, follow these steps:

  1. Go to the EJBCA RA Web using a web browser.
  2. Click Make New Request and update the following:
    • Select TLS Server Profile for the Certificate Type.
    • Select TlsSercerRsa-1y for the Certificate subtype.
    • Select ManagementCA for the CA.
    • Select Provided by user radio button for Key-pair generation.

    • Paste the contents of the vault-internal.csr from the terminal window into the CSR text field (the first PEM output in the terminal window), such as:

      CODE
      -----BEGIN CERTIFICATE REQUEST-----
      MIIDKzCCAhMCAQAwWzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
      b21tdW5pdHkxLjAsBgNVBAMMJXN5c3RlbTpub2RlOioudmF1bHQuc3ZjLmNsdXN0
      ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcGa2SdmwS
      XT6jm3llcPPdY0ZdB0xctCcxam+HUj9/qVw5BXiKWVR8fyVDbU7gWUjM4ugVMqOm
      +LxeC0GxlasAW+4QqZlny7BkBZJbPcszelbBvsWHcCma2gx25XQ3kPJPcdgRisG1
      jHawbMUY6D9x+SOKMyedYPn/nzfnAhDchEAWwvV9gHmd5Fwfh+ube9HKkwrkaszd
      2avqMQzgUpfxrshcYmwbqhdyWO+d5WomVlV6xJJNzOml8UbNhKbzmrunpCGS369r
      bYANcPZcgjHAKv53E1l940rYwogU/aDQMr2Yz8tulPmfhJL99otgGLhDiNgL4LCe
      r4kgbS14LU8PAgMBAAGggYowgYcGCSqGSIb3DQEJDjF6MHgwCwYDVR0PBAQDAgWg
      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMFQGA1UdEQRNMEuCECoudmF1bHQtaW50ZXJu
      YWyCKCoudmF1bHQtaW50ZXJuYWwudmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByou
      dmF1bHSHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAIyTD/JXkvpcsl5BaP4VRG70
      uJ4ubfuvn8BOWDXYLvARm5PmSgYibZ7C7Y3ak657lC8G7pHWRWwNb+MBmeG9ELiG
      45OHP2w60B9SPSMZZ89eZ7SpGq005Fw9+ALzfJHfjn5QyZx2p9ytio1exhMKIKl1
      /Q9N3GHPCarLdKYNwSpOjOlYM0fz50KQPd/9vgp/Mxohk/42SUP3uB+MDxRXUHQt
      5peX4WklJH1OFWUWNDGiPV2URkAdW4S5dFoDb3SKGxIwpS312vdXpz/tFsxqz/mM
      s9QnOaGJbp6YS8x/G41en0ia9XblKR/pQNiGdIPUEKHojkCIE0ROYEU0iKqXZuY=
      -----END CERTIFICATE REQUEST-----
    • Click Upload CSR.
    • Enter vault-internal for the Username.
    • Click Download PEM full chain.
  3. Select Reset at the bottom of the page to make another request.
    • Select TLS Server Profile for the Certificate Type.
    • Select ManagementCA for the CA.
    • Select Provided by user for Key-pair generation.
    • Paste the contents of the api.vault.csr from the terminal window into the CSR text field (second PEM output in the terminal window), such as:

      CODE
      -----BEGIN CERTIFICATE REQUEST-----
      MIICzTCCAbUCAQAwPzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
      b21tdW5pdHkxEjAQBgNVBAMMCWFwaS52YXVsdDCCASIwDQYJKoZIhvcNAQEBBQAD
      ggEPADCCAQoCggEBAM6cSK2PW8yJ9H/qElCvWudcgUy4lSwcvznfefTUsZhEW1IP
      BvtthX0AaGraDNIsaChjCtsvUTwDskTZkkm8EB1p0U22BQdgV0z71DklhETSx7Y+
      YUPS/aqERQ+MpG0rBsf9UPvdXZJnmX+Ua/iHiKwISFc2LALTpbJaIpR8Jo0EwHuW
      f1U/wa7col5xsS/I9orhGYqvnDzvnvjsJTR1rAEDH/RN/AHkQOiBDoyfRJfM+VdD
      cbS6MPKEB1uvQKdhYQ6dzLBTDiIzkWvguoMxDMkBJSjBAgZoxBpO/6GMDoH5o6LZ
      69li1V1NjRYQ5WOMKki8LlhHxrsYeEq4OMSWgOcCAwEAAaBJMEcGCSqGSIb3DQEJ
      DjE6MDgwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBQGA1UdEQQN
      MAuCCWFwaS52YXVsdDANBgkqhkiG9w0BAQsFAAOCAQEACHKgifwtgESJGh/rO6Ja
      gPZ3W0UpYUM80Ssgegyr9Pja9yZwlv+TcmsZ7IqVNCKD0djWXxfVrQW2gqLhb+Jw
      4ZeUZDB8Yui+W7Pl+t6q7dMmRmzZ0OX8cwkbkoyfMn64yT+tFQAd1Ln38666+a7I
      QYstwvDd8+w9bloDIRXZ0E0+qkiNnRKZO11NxxACahvfpgyPSyl7qF9CCfzgeqoJ
      0qkP8lBMGPKrAeq708Bv+jzy93t3qpqpLDEsa88TqEdTM6Bt1EG3jE+r4FWidsfJ
      oQu4YK6vYJQTBRvmFFPGGdhqzaB6LY1W7ZvRKNAo6w1A2D9/G/BWmKrnm6VtR4Ne
      lA==
      -----END CERTIFICATE REQUEST-----
    • Click Upload CSR.
    • Enter api.vault for the Username
    • Click Download PEM full chain.
  4. Select Reset at the bottom of the page to make another request.
    • Select RA-Administrator for the Certificate Type.
    • Select Provided by user for Key-pair generation.
    • Paste the contents of the vault-ra-01.csr from the terminal window into the CSR text field  (third PEM output in the terminal window), such as:

      CODE
      -----BEGIN CERTIFICATE REQUEST-----
      MIICuTCCAaECAQAwQTELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
      b21tdW5pdHkxFDASBgNVBAMMC3ZhdWx0LXJhLTAxMIIBIjANBgkqhkiG9w0BAQEF
      AAOCAQ8AMIIBCgKCAQEApP82z06nC5N6m4HyP7O5pNY0IxCP9kHy6Fk7k9GFfbwF
      upLkxeN0sDsqnIrOECVhhszaMbyHxF/bo5ZlbrSgyK6GbUNQ+txvU+48ArkGx1bx
      9Cajd0HBVTlm1LgacSCskGoock2uyueoK8fAHKwJf/xLvUwosr+40KNACv3SLDEr
      OIF857WCeqa9wkHo0k68Qcx9ChXnUotw90H7gXtLyzmmcunPt5SwJ+FGzcWrDxY/
      h3DUzyjqXFNfHxqpAyX+n0FCjnB0jLjz/iokS6mxm8Ly9rQHQHe7z3aUuZIWl3oA
      R07R+gG2JrosQ6DvAxZxOXy0qq6IuIMWUBIsdt9SrQIDAQABoDMwMQYJKoZIhvcN
      AQkOMSQwIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZI
      hvcNAQELBQADggEBAKOIa9D37s2vDE4giASd+RfLnsNqLnZx3HiaF10XaHHkxq8Z
      7GVS/0BNTQPN2DM2lKRadTxvfgJ1bCN7raMnhjqUkrr1U7RNXsHiCvtcdwUEKjNT
      QES7lq+MHaCuu8uov1sBlcyYSh0dd448P3vksIYT6Z3/eWsl+W+X2ZUdLO74u7av
      vRATm5uX9nePLt/RA2fZmPmlAoI+15hjEkWhPv6hV4nQmcfGc0x2SbO7Gk6sTFTo
      eLpD19NHDfa59ocNV8mkmGAJJR409WClrxqCzbFrN4uWRx3DKJTT25WQpPb2zHnw
      cNVJxJIGOyapXZ9Ldn+pf2AwH2CooiIQpNP5oKY=
      -----END CERTIFICATE REQUEST-----
    • Click Upload CSR.
    • Enter vault-ra-01 for the Username.
    • Click Download PEM full chain.
  5. Return to the terminal window and open a new tab or terminal window.
  6. In your terminal, enter the following to upload files to the MicroK8s VM:

    • Upload the systemnode.vault.svc.cluster.local.pem file to the MicroK8s VM:

      CODE
      $ scp ~/Downloads/systemnode.vault.svc.cluster.local.pem user@172.16.170.187:~/vault/vault-internal.crt
      • Type the password to the user account if prompted for the password.
    • Upload the api.vault file to the MicroK8s VM:

      CODE
      $ scp ~/Downloads/api.vault.pem user@172.16.170.187:~/vault/server.crt
      • Type the password to the user account if prompted for the password
    • Upload the vault-ra-01.pem file to the MicroK8s VM:

      CODE
      $ scp ~/Downloads/vault-ra-01.pem user@172.16.170.187:~/vault/vault-ra-01-crt.pem


      Replace the IP Address with the IP Address or FQDN of the MicroK8s VM and the username being used to access the MicroK8s VM to complete this tutorial. The IP Address and username are examples provided to show the complete command.

  7. Return to the terminal window or tab of the MicroK8s session.

  8. Continuing from the ~/vault directory output the vault-internal.crt to the terminal:

    CODE
    $ cat vault-internal.crt
  9. The output is similar to the following:

    CODE
    Subject: CN=system:node:*.vault.svc.cluster.local,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIIFETCCAvmgAwIBAgIUE4Z7mJUOr7JUIXddQ3RYLKF+GE8wDQYJKoZIhvcNAQEL
    BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzA2MTYxNjA3NDZaFw0yNDA2MTMx
    NjA3NDVaMFsxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29tbXVu
    aXR5MS4wLAYDVQQDDCVzeXN0ZW06bm9kZToqLnZhdWx0LnN2Yy5jbHVzdGVyLmxv
    Y2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3BmtknZsEl0+o5t5
    ZXDz3WNGXQdMXLQnMWpvh1I/f6lcOQV4illUfH8lQ21O4FlIzOLoFTKjpvi8XgtB
    sZWrAFvuEKmZZ8uwZAWSWz3LM3pWwb7Fh3ApmtoMduV0N5DyT3HYEYrBtYx2sGzF
    GOg/cfkjijMnnWD5/5835wIQ3IRAFsL1fYB5neRcH4frm3vRypMK5GrM3dmr6jEM
    4FKX8a7IXGJsG6oXcljvneVqJlZVesSSTczppfFGzYSm85q7p6Qhkt+va22ADXD2
    XIIxwCr+dxNZfeNK2MKIFP2g0DK9mM/LbpT5n4SS/faLYBi4Q4jYC+Cwnq+JIG0t
    eC1PDwIDAQABo4HlMIHiMB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWABCwE86DS
    MHsGA1UdEQR0MHKCECoudmF1bHQtaW50ZXJuYWyCKCoudmF1bHQtaW50ZXJuYWwu
    dmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByoudmF1bHSCJXN5c3RlbTpub2RlOiou
    dmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUH
    AwEwHQYDVR0OBBYEFD1BrwJRiwqbZ7b6Ijec5hbdenVKMA4GA1UdDwEB/wQEAwIF
    oDANBgkqhkiG9w0BAQsFAAOCAgEAmht4w6wtqEem0YlGXaIMzxkAcsb6qhf3m8tN
    1nMngtPNq0gqi1o1+a2hSvTsc5Tj+K+3Sx6wiP4iBqi3cMfK9qb0JkiWZ5P2LUQW
    9SuXwQAwWxz8Z/T3E/zc8zbXfI5BzcKxlsHjDrLfiLzOsV+xzcCXiCncQmfMQeZA
    A055GiBCg5luz9lDJMErPjRcaR5ug5j4gWz5tUwGZ/K0RgqnxyL59dHoO/EtB1vW
    m/tygbwPJgbZYKmZ2+j+02Po3i8cfObs1jE+yanAD2rCnubPpaJiX0IR0DWc9AWt
    dvYuNyVVSpIWP4ghHY9P7QvZhwP1alodCzuDWsRZFiN8rjW3Mm0vrs6TB2JwNxAs
    AIxXG2I1S7ueTSROKbKCP22GL9AI+j9KRyH13eJqMo5CdS9FJXZlIGDzIxrca6yX
    SePsZIwWK4GocWFf5S3LNkpRsGKFTLO4GFr8T6bZdP225tfR+z7joyLrJ20l531X
    BJ1kiXOtGbek7iVOLnSteSwGmU6W12YD4KbJVUGjmax6Cw1xIKVAIdgr+OfiqAAN
    5sfsjwysYdzRvKvQFMZkXcgQ7giJz7bzaDfZaiNNYNVMaR1ygI5sjqsSJ5a5HzeQ
    4Thzy5GJ3hKxUu6yW/OHlI0Jw1cvkYxkb/KN72Aee13YAtG34wHP/es/TulW3zDi
    usFT0JE=
    -----END CERTIFICATE-----
    Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL
    BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw
    ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj
    dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC
    DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp
    KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8
    fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O
    tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja
    8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG
    zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT
    X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/
    q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K
    kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh
    PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q
    GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB
    o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA
    BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E
    BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX
    tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n
    JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5
    CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd
    uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx
    H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi
    VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R
    2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu
    eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc
    GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs
    zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP
    qMN+i82CAMeU
    -----END CERTIFICATE-----
  10. Select the ManagementCA output to select and copy it (the PEM block at the end of the output).
  11. Create the ManagementCA.crt file.

    CODE
    $ vim ManagementCA.crt
  12. Paste the ManagementCA certificate into the file.

    CODE
    Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL
    BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw
    ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj
    dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC
    DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp
    KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8
    fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O
    tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja
    8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG
    zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT
    X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/
    q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K
    kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh
    PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q
    GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB
    o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA
    BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E
    BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX
    tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n
    JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5
    CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd
    uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx
    H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi
    VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R
    2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu
    eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc
    GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs
    zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP
    qMN+i82CAMeU
    -----END CERTIFICATE-----
  13. Save and close the file.
  14. Download the CA chain for the EC certificate chain:

    CODE
    $ curl -X GET --cert vault-ra-01-crt.pem --key vault-ra-01-key.pem --cacert ManagementCA.crt "https://ejbca-internal.ejbca-k8s/ejbca/ra/cert?caid=-1419783344&chain=true&format=pem" -H  "accept: */*" -o cacerts.pem
  15. Append the Management CA to the cacerts.pem file:

    CODE
    $ cat ManagementCA.crt >> cacerts.pem

Certificates are now issued and uploaded to the MicroK8s VM and staged to use for the deployment. Continue to the next step to deploy HashiCorp Vault with the EJBCA Vault Plugin.

Step 4 - Deploy HashiCorp Vault with EJBCA Vault Plugin

Next, deploy HashiCorp Vault using a Helm chart that uses the certificates created from the previous step.

To deploy Vault, follow these steps:

  1. Create a namespace to deploy Vault into:

    CODE
    $ kubectl create namespace vault


    • The output is similar to the following:

      CODE
      $ namespace/vault created
  2. Create a configmap to use the EJBCA TLS cert trust chain on the vault container to trust EJBCA CA certificates:

    CODE
    $ kubectl -n vault create configmap vault-tls-trust-chain-configmap --from-file=ca-certificates.crt=cacerts.pem


    • The output is similar to the following:

      CODE
      $ configmap/vault-tls-trust-chain-configmap created
  3. Create a secret with the certificate, key, and CA certificate for vault-internal:

    CODE
    $ kubectl create secret generic vault-ha-tls \
       -n vault \
       --from-file=vault.key=vault-internal.key \
       --from-file=vault.crt=vault-internal.crt \
       --from-file=vault.ca=ManagementCA.crt


    • The output is similar to the following:

      CODE
      $ secret/vault-ha-tls created
  4. Create a TLS secret with the certificate and key for ingress:

    CODE
    $ kubectl -n vault create secret tls tls-api-vault --cert server.crt --key server.key


    • The output is similar to the following:

      CODE
      $ secret/tls-api-vault created
  5. Add the HashiCorp Vault repo to deploy with Helm:

    CODE
    $ helm repo add hashicorp https://helm.releases.hashicorp.com
    • The output is similar to the following:

      CODE
      $ "hashicorp" has been added to your repositories
  6. Download the overrides.yaml file from the Keyfactor Community GitHub repository:

    CODE
    $ curl -LOs https://raw.githubusercontent.com/Keyfactor/keyfactorcommunity/feature/Add-Vault-Vars-tutorial/apps-integration/hashicorp-vault/overrides.yaml
    • You could now make changes to the file but since the overrides.yaml file is already set up for this tutorial, no changes will be made.
  7. Deploy Vault using Helm chart:

    CODE
    $ helm install vault hashicorp/vault -f overrides.yaml --namespace vault
    • The output is similar to the following:

      CODE
      NAME: vault
      LAST DEPLOYED: Wed Jun 14 12:45:09 2023
      NAMESPACE: vault
      STATUS: deployed
      REVISION: 1
      NOTES:
      Thank you for installing HashiCorp Vault!
      
      Now that you have deployed Vault, you should look over the docs on using
      Vault with Kubernetes available here:
      
      https://www.vaultproject.io/docs/
      
      
      Your release is named vault. To learn more about the release, try:
      
        $ helm status vault
        $ helm get manifest vault
  8. You can use the following monitoring commands to view what is going on with the deployment:

    CODE
    $ kubectl -n vault get pods
    
    $ kubectl --namespace='vault' get all
    
    $ kubectl -n vault get all,ingress,secret,no,pvc
    
    $ kubectl -n vault describe pod/vault-0
    
    $ kubectl -n vault logs pod/vault-0
    
    $ kubectl -n vault logs pod/vault-0 -c ejbca-vault-plugin

Vault is now deployed with the certificates from EJBCA, the EJBCA Vault plugin, and ready to initialize. Continue to the next step to initialize Vault.

Step 5 - Initialize Vault

In order to use Vault it must be initialized on one of the nodes, then the other two nodes must be added to the cluster. Each node also has to be unlocked by providing the unseal key.

To complete the Vault initialization and begin using the cluster, follow these steps:

  1. Continuing from the terminal used in the previous step, initialize Vault and save the unseal keys to the cluster-keys.json file:

    CODE
    $ kubectl exec -n vault vault-0 -- vault operator init \
        -key-shares=5 \
        -key-threshold=3 \
        -format=json > ./cluster-keys.json


    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
  2. Create environment variables for three unseal keys to unseal the vault nodes:

    CODE
    $ export VAULT_UNSEAL_KEY0=$(jq -r ".unseal_keys_b64[0]" cluster-keys.json)
    export VAULT_UNSEAL_KEY1=$(jq -r ".unseal_keys_b64[1]" cluster-keys.json)
    export VAULT_UNSEAL_KEY2=$(jq -r ".unseal_keys_b64[2]" cluster-keys.json)


  3. Unlock the 1st instance of Vault:

    CODE
    $ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY0
    kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1
    kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    1/3
      Unseal Nonce       8c48fbd6-019c-2aa9-8f2f-a8b62e997268
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    2/3
      Unseal Nonce       8c48fbd6-019c-2aa9-8f2f-a8b62e997268
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                     Value
      ---                     -----
      Seal Type               shamir
      Initialized             true
      Sealed                  false
      Total Shares            5
      Threshold               3
      Version                 1.13.1
      Build Date              2023-03-23T12:51:35Z
      Storage Type            raft
      Cluster Name            vault-cluster-af3cf4e1
      Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
      HA Enabled              true
      HA Cluster              https://vault-0.vault-internal:8201
      HA Mode                 active
      Active Since            2023-07-29T14:29:15.391001943Z
      Raft Committed Index    36
      Raft Applied Index      36
  4. Exec into the 2nd instance of Vault to join the 2nd instance to the Vault cluster:

    CODE
    $ kubectl exec -n vault -it vault-1 -- /bin/sh
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      / $
  5. Join the 2nd Vault instance to the Vault cluster:

    CODE
    $ vault operator raft join -address=https://vault-1.vault-internal:8200 -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" https://vault-0.vault-internal:8200
    
    • The output is similar to the following:

      CODE
      Key       Value
      ---       -----
      Joined    true
  6. Exit the exec session on the 2nd Vault instance:

    CODE
    $ exit
  7. Unlock the 2nd instance of Vault:

    CODE
    $ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY0
    kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1
    kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    1/3
      Unseal Nonce       f9f2c78c-c615-a91b-b7b2-25c0b711dd2f
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    2/3
      Unseal Nonce       f9f2c78c-c615-a91b-b7b2-25c0b711dd2f
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                     Value
      ---                     -----
      Seal Type               shamir
      Initialized             true
      Sealed                  false
      Total Shares            5
      Threshold               3
      Version                 1.13.1
      Build Date              2023-03-23T12:51:35Z
      Storage Type            raft
      Cluster Name            vault-cluster-af3cf4e1
      Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
      HA Enabled              true
      HA Cluster              https://vault-0.vault-internal:8201
      HA Mode                 standby
      Active Node Address     https://10.1.89.154:8200
      Raft Committed Index    37
      Raft Applied Index      37
  8. Exec into the 3rd instance of Vault to join the 3rd instance to the Vault cluster:

    CODE
    $ kubectl exec -n vault -it vault-2 -- /bin/sh
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      / $
  9. Join the 3rd Vault instance to the Vault cluster and exit the exec session:

    CODE
    $ vault operator raft join -address=https://vault-2.vault-internal:8200 -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" https://vault-0.vault-internal:8200
    
    • The output is similar to the following:

      CODE
      Key       Value
      ---       -----
      Joined    true
  10. Exit the exec session on the 3rd Vault instance:

    CODE
    $ exit
  11. Unlock the 3rd instance of Vault:

    CODE
    $ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY0
    kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1
    kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    1/3
      Unseal Nonce       24c26cf4-fe74-2829-f005-ad46f1796a66
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    2/3
      Unseal Nonce       24c26cf4-fe74-2829-f005-ad46f1796a66
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                     Value
      ---                     -----
      Seal Type               shamir
      Initialized             true
      Sealed                  false
      Total Shares            5
      Threshold               3
      Version                 1.13.1
      Build Date              2023-03-23T12:51:35Z
      Storage Type            raft
      Cluster Name            vault-cluster-af3cf4e1
      Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
      HA Enabled              true
      HA Cluster              https://vault-0.vault-internal:8201
      HA Mode                 standby
      Active Node Address     https://10.1.89.154:8200
      Raft Committed Index    41
      Raft Applied Index      41
  12. Unset the environment variables for the three unseal keys used to unseal the vault nodes:

    CODE
    $ unset VAULT_UNSEAL_KEY0 VAULT_UNSEAL_KEY1 VAULT_UNSEAL_KEY2

Vault is now initialized, unlocked, and ready to configure the EJBCA Vault plugin.


Step 6 - Configure EJBCA Vault Plugin

To issue certificates with the EJBCA Vault plugin, the plugin has be to enabled and configured to access the EJBCA.

Enable and configure the EJBCA Vault plugin:

  1. Continuing from the terminal used in the previous step, create an environment variable for the Root token to log in to Vault:

    CODE
    $ export CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token")


  2. Login to Vault as the root user:

    CODE
    $ kubectl exec -n vault vault-0 -- vault login $CLUSTER_ROOT_TOKEN
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Success! You are now authenticated. The token information displayed below
      is already stored in the token helper. You do NOT need to run "vault login"
      again. Future Vault requests will automatically use this token.
      
      Key                  Value
      ---                  -----
      token                hvs.9tQdMV8ygFINYGc7E5QzKMUn
      token_accessor       udQyRMMtJHWEwi3GhqaNqc9j
      token_duration       ∞
      token_renewable      false
      token_policies       ["root"]
      identity_policies    []
      policies             ["root"]
  3. Compute the hash of the EJBCA Vault Plugin binary:

    CODE
    $ export SHA256=$(kubectl exec -n vault vault-0 -- sha256sum /usr/local/libexec/vault/ejbca-vault-pki-engine | cut -d ' ' -f1)
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
  4. Add the EJBCA Vault Plugin to Vault using the hash computed from the previous step:

    CODE
    $ kubectl exec -n vault vault-0 -- vault write sys/plugins/catalog/secret/ejbca-vault-pki-engine sha_256=$SHA256 command="ejbca-vault-pki-engine"
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Success! Data written to: sys/plugins/catalog/secret/ejbca-vault-pki-engine
  5. Enable the EJBCA Vault plugin:

    CODE
    $ kubectl exec -n vault vault-0 -- vault secrets enable -path=ejbca100 -plugin-name=ejbca-vault-pki-engine plugin
    • The output is similar to the following:

      CODE
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Success! Enabled the ejbca-vault-pki-engine secrets engine at: ejbca100/
  6. Query to find the cluster IP Address of the EJBCA Internal Service and add a hosts file entry on the Microk8s VM:

    CODE
    $ EJBCA_INTERNAL_SVC=$(kubectl -n ejbca-k8s get service/ejbca-internal -o jsonpath='{.spec.clusterIP}')
    
    $ sudo bash -c 'echo '"${EJBCA_INTERNAL_SVC} ejbca-internal.ejbca-k8s"' >> /etc/hosts'
  7. Query to find the Load Balancer IP Address and add a hosts file entry on the MicroK8s VM for api.vault name:

    CODE
    $ theIP="$(kubectl -n ingress get services -o json | jq -r '.items[] |.status.loadBalancer?|.ingress[]?|.ip ' | cut -d : -f 2)"
    $ sudo sed -i "s|${theIP} |${theIP} api.vault |" /etc/hosts
  8. Add two environment variables used to connect to Vault with the Vault CLI binary:

    CODE
    $ export VAULT_CACERT=ManagementCA.crt 
    export VAULT_ADDR="https://api.vault"
  9. Login to Vault with the Vault CLI binary:

    CODE
    $ ./vault login $CLUSTER_ROOT_TOKEN
    • The output is similar to the following:

      CODE
      Success! You are now authenticated. The token information displayed below
      is already stored in the token helper. You do NOT need to run "vault login"
      again. Future Vault requests will automatically use this token.
      
      Key                  Value
      ---                  -----
      token                hvs.9tQdMV8ygFINYGc7E5QzKMUn
      token_accessor       udQyRMMtJHWEwi3GhqaNqc9j
      token_duration       ∞
      token_renewable      false
      token_policies       ["root"]
      identity_policies    []
      policies             ["root"]
  10. Configure the EJBCA Vault Plugin to issue the TLS Server Profile from EJBCA:

    CODE
    $ ./vault write ejbca100/config \
    hostname="https://ejbca-internal.ejbca-k8s/ejbca" \
    client_cert=@./vault-ra-01-crt.pem \
    client_key=@./vault-ra-01-key.pem \
    default_ca="MyPKISubCA-G1" \
    default_end_entity_profile="TLS Server Profile" \
    default_certificate_profile="TLS Server Profile"
    • The output is similar to the following:

      CODE
      Success! Data written to: ejbca100/config
  11. Create a role to enroll for certificates using the EJBCA Vault Plugin:

    CODE
    $ ./vault write ejbca100/roles/tls-server-auth \
    allow_any_name=true \
    allow_subdomains=true \
    max_ttl=8760h \
    key_type="ec" \
    key_bits=256 \
    signature_bits=0 \
    use_pss=false \
    country="SE" \
    organization="Keyfactor Community"
    • The output is similar to the following:

      CODE
      Key                                   Value
      ---                                   -----
      account_binding_id                    n/a
      allow_any_name                        true
      allow_bare_domains                    false
      allow_glob_domains                    false
      allow_ip_sans                         true
      allow_localhost                       true
      allow_subdomains                      true
      allow_token_displayname               false
      allow_wildcard_certificates           true
      allowed_domains                       []
      allowed_domains_template              false
      allowed_other_sans                    []
      allowed_serial_numbers                []
      allowed_uri_sans                      []
      allowed_uri_sans_template             false
      allowed_user_ids                      []
      basic_constraints_valid_for_non_ca    false
      certificate_profile_name              TLS Server Profile
      client_flag                           true
      cn_validations                        [email hostname]
      code_signing_flag                     false
      country                               [SE]
      email_protection_flag                 false
      end_entity_profile_name               TLS Server Profile
      enforce_hostnames                     true
      ext_key_usage                         []
      ext_key_usage_oids                    []
      generate_lease                        false
      issuer_ref                            MyPKISubCA-G1
      key_bits                              256
      key_type                              ec
      key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
      locality                              []
      max_ttl                               8760h
      no_store                              false
      not_after                             n/a
      not_before_duration                   30s
      organization                          [Keyfactor Community]
      ou                                    []
      policy_identifiers                    []
      postal_code                           []
      province                              []
      require_cn                            true
      server_flag                           true
      signature_bits                        0
      street_address                        []
      ttl                                   0s
      use_csr_common_name                   true
      use_csr_sans                          true
      use_pss                               false

Certificates can now be issued from the Vault using the EJBCA Vault Plugin. Continue to the next session to issue a certificate from EJBCA.

Step 7 - Issue a Certificate through Vault

After the EJBCA Vault plugin is configured, certificates can be issued from EJBCA through requests from Vault.

To issue certificates from EJBCA using Vault, follow these steps:

  1. Continuing from the terminal used in the previous step, issue a certificate with a PEM bundle format:

    CODE
    $ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-01.keyfactor-community" \
    alt_names="test-vault-01.keyfactor-community" \
    format="pem_bundle"


    • The output is similar to the following:

      CODE
      Key Value
      --- -----
      ca_chain [-----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
      MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
      MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
      zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
      dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
      BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
      vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
      -----END CERTIFICATE-----]
      certificate -----BEGIN CERTIFICATE-----
      MIIC9jCCAp2gAwIBAgIUTnZdWZm6OPGwnu9sm0QXbmIKeNgwCgYIKoZIzj0EAwQw
      SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ
      BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDUzNTFaFw0yNDA3
      MjUxNDUzNTBaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t
      bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAxLmtleWZhY3Rvci1jb21tdW5p
      dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQvP2pe5Cw75p28nx8LdeRPUf+M
      VkPrFfXX7Ab0fTEY70ycsykptNjzXcxGnh0jK+69sl/Ljk+FlzCCaRI7+T6ho4IB
      VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH
      AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi
      Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R
      BEgwRoIhdGVzdC12YXVsdC0wMS5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh
      dWx0LTAxLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
      NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et
      RzEuY3JsMB0GA1UdDgQWBBSsvRUcTOp1hh/ymJ3z/HmbqS07gjAOBgNVHQ8BAf8E
      BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgW1D3QnNlMP20+HJPaTWsqREIe8oPHJKR
      pWsHPzuT/gcCIC7P58EjIK4rIzd1QM4NrcVDvlHxOCR0r/Z0K7L+Ltsz
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
      MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
      zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
      dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
      BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
      vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
      -----END CERTIFICATE-----
      expiration 1721919230
      issuing_ca -----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE-----
      private_key -----BEGIN EC PRIVATE KEY-----
      MHcCAQEEIIjlDsYsuC4poF9u0rBrWzq9a2rTJ+WQAeXuM/p1XnkToAoGCCqGSM49
      AwEHoUQDQgAELz9qXuQsO+advJ8fC3XkT1H/jFZD6xX11+wG9H0xGO9MnLMpKbTY
      813MRp4dIyvuvbJfy45PhZcwgmkSO/k+oQ==
      -----END EC PRIVATE KEY-----
      private_key_type ec
      serial_number 4e:76:5d:59:99:ba:38:f1:b0:9e:ef:6c:9b:44:17:6e:62:0a:78:d8
      
  2. Issue a certificate with the PEM format:

    CODE
    $ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-02.keyfactor-community" \
    alt_names="test-vault-02.keyfactor-community" \
    format="pem"
    
    


    • The output is similar to the following:

      CODE
      Key Value
      --- -----
      ca_chain [-----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
      MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
      MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
      zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
      dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
      BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
      vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
      -----END CERTIFICATE-----]
      certificate -----BEGIN CERTIFICATE-----
      MIIC+DCCAp2gAwIBAgIUZdwM99w2DTEFCK1w3TBQITqHUqMwCgYIKoZIzj0EAwQw
      SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ
      BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0MjZaFw0yNDA3
      MjUxNDU0MjVaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t
      bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAyLmtleWZhY3Rvci1jb21tdW5p
      dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQCdKMxL2t6ORf8JZsT92nL0z8M
      W/+Rseuc3/HZ0mFf7oYGbaK3KuwjSt8JFxa248xb+JwFBypd0kk9tbptA7+Ho4IB
      VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH
      AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi
      Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R
      BEgwRoIhdGVzdC12YXVsdC0wMi5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh
      dWx0LTAyLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
      NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et
      RzEuY3JsMB0GA1UdDgQWBBTreB/rOSR/Ra/ttNXcI5dEZ6QLvjAOBgNVHQ8BAf8E
      BAMCBaAwCgYIKoZIzj0EAwQDSQAwRgIhAOCE/Gsyp0PYeCuDn9x/EbYJ2QB8F8Wr
      2Hf/SbPxnNJgAiEAk4hO26vR0AOIkOdlgfTPPGcf+MZO6Ueoj+xcaoanZXg=
      -----END CERTIFICATE-----
      expiration 1721919265
      issuing_ca -----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE-----
      private_key -----BEGIN EC PRIVATE KEY-----
      MHcCAQEEIFANef/AcMbGNwZc9XL0vK897vCpZ2rMZY6ftksEM5+ooAoGCCqGSM49
      AwEHoUQDQgAEAnSjMS9rejkX/CWbE/dpy9M/DFv/kbHrnN/x2dJhX+6GBm2ityrs
      I0rfCRcWtuPMW/icBQcqXdJJPbW6bQO/hw==
      -----END EC PRIVATE KEY-----
      private_key_type ec
      serial_number 65:dc:0c:f7:dc:36:0d:31:05:08:ad:70:dd:30:50:21:3a:87:52:a3
      
  3. Issue a certificate with the PEM format and no certificate chain:

    CODE
    $ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-03.keyfactor-community" \
    alt_names="test-vault-03.keyfactor-community" \
    format="pem" \
    remove_roots_from_chain=true
  4. The output is similar to the following:

    CODE
    Key Value
    --- -----
    ca_chain [-----BEGIN CERTIFICATE-----
    MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
    MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
    AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
    cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
    /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
    KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
    UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
    MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
    QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
    /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
    2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
    -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
    MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
    MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
    dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
    BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
    BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
    vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
    -----END CERTIFICATE-----]
    certificate -----BEGIN CERTIFICATE-----
    MIIC9jCCAp2gAwIBAgIUQSvvqyz1iMmceyJwMYXQTngxJF0wCgYIKoZIzj0EAwQw
    SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ
    BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0NTJaFw0yNDA3
    MjUxNDU0NTFaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t
    bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAzLmtleWZhY3Rvci1jb21tdW5p
    dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASnS/wiAh7PUKSHTjkTp5R3ZM7Q
    b5WDzN5iH1TKTUCGKijPxabnj9hP01rIpcrGrEoYyewwbTcUfzkuh5L4y2cJo4IB
    VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH
    AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi
    Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R
    BEgwRoIhdGVzdC12YXVsdC0wMy5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh
    dWx0LTAzLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
    NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et
    RzEuY3JsMB0GA1UdDgQWBBQ6IBt+b5Fze81KTjqFkb5Ze5Z3iTAOBgNVHQ8BAf8E
    BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgSTefGBLKXwTPOqsvzbNOJByci+2cpxDc
    NF5X53SEjUACIG+YHGzmHzcgOqj56jI6fTgNjRpStz86OpsD3ZErk1W/
    -----END CERTIFICATE-----
    expiration 1721919291
    issuing_ca -----BEGIN CERTIFICATE-----
    MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
    MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
    AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
    cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
    /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
    KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
    UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
    MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
    QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
    /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
    2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
    -----END CERTIFICATE-----
    private_key -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIJBnYuZRQWtF8P/I+HgPSmcq941yHXOVRFF1LAvval06oAoGCCqGSM49
    AwEHoUQDQgAEp0v8IgIez1Ckh045E6eUd2TO0G+Vg8zeYh9Uyk1Ahiooz8Wm54/Y
    T9NayKXKxqxKGMnsMG03FH85LoeS+MtnCQ==
    -----END EC PRIVATE KEY-----
    private_key_type ec
    serial_number 41:2b:ef:ab:2c:f5:88:c9:9c:7b:22:70:31:85:d0:4e:78:31:24:5d
    

Certificates can now be issued from EJBCA using Vault. This completes the tutorial for deploying Hashicorp Vault with the EJBCA Vault plugin.

Next steps

In this tutorial, you learned how to deploy a three-node Vault cluster and configure the EJBCA Vault PKI Engine plugin to issue certificates from EJBCA through Vault.

Here are some next steps we recommend:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.