Tutorial - Use EJBCA with HashiCorp Vault
Learn how to deploy a three-node Vault cluster and configure the EJBCA PKI Secrets Engine for HashiCorp Vault plugin to issue certificates from EJBCA through Vault.
This tutorial is for PKI administrators who want to standardize on EJBCA as the PKI for their environment and manage all certificates in one place, while still letting users request certificates through HashiCorp Vault. The steps show how to deploy HashiCorp Vault so that certificate requests made to Vault are issued by EJBCA.
In this tutorial, you will learn how to:
- Configure EJBCA for the HashiCorp Vault EJBCA plugin
- Create keys and certificate signing requests (CSRs) to request certificates from EJBCA for the HashiCorp Vault EJBCA plugin
- Create Certificates from the CSRs using EJBCA
- Deploy HashiCorp Vault with the EJBCA Vault plugin
- Configure the EJBCA Plugin to issue certificates from EJBCA
Prerequisites
For this tutorial, EJBCA Community Docker container version 8.2.0.1 was used.
Before you begin, you need:
- A running Kubernetes cluster. To download and install one, you can follow the tutorials Install MicroK8s to run EJBCA and Deploy EJBCA container in MicroK8s.
- A running EJBCA instance with an active Certificate Authority (CA) in EJBCA, certificate and end entity profiles, and roles configured. To get started, you can follow our tutorials Get started with EJBCA and issue TLS certificates.
- Additionally, you need internet access to download the HashiCorp Vault container and additional files.
For more information on the EJBCA PKI Secrets Engine for HashiCorp Vault plugin, refer to Keyfactor GitHub.
Step 1 - Configure EJBCA for the HashiCorp Vault EJBCA plugin
Follow these steps to configure a certificate profile and an end entity profile in EJBCA, and add an RA role for Vault.
Create certificate profile
To create a certificate profile, do the following:
- Go to the EJBCA Administration user interface using a web browser.
- In EJBCA, under CA Functions, click Certificate Profiles.
- Click Clone by the TLS Server Profile template to create a new profile using that template.
- Name the new certificate profile TlsServerRsa-1y, and click Create from template.
- To edit the profile default values to fit your needs, find the newly created TlsServerRsa-1y profile displayed in the list and click Edit.
- On the Edit page, update the following:
- Select RSA for the Available Key Algorithms (this should be the only option selected).
- Select 2048, 3072, and 4096 for the Available Bit Lengths.
- For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
- To store the certificate profile, click Save.
The TlsServerRsa-1y profile is displayed in the list of certificate profiles.
Update end entity profile
To update the TLS Server Profile end entity profile so it can be used for the Vault certificates, do the following:
- In EJBCA, under RA Functions, click End Entity Profiles.
- Select the TLS Server Profile, and click Edit End Entity Profile.
- Edit the profile and update the following:
- In the Other Subject Attributes section, select DNS Name from the Subject Alternative Name list, and click Add.
- In the Other Subject Attributes section, select IP Address from the Subject Alternative Name list, and click Add.
- In the Available Certificate Profiles section, select the TlsServerRsa-1y in addition to the other profile selected.
- For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
- Click Save to store the end entity profile.
The end entity profile is displayed in the list of end entity profiles.
Create role
To create an RA role for Vault and authorize actions in EJBCA:
- In EJBCA, under System Functions, click Roles and Access Rules.
- Next to the list of available roles, click Add.
- For Role name, specify RA-Vault and click Add.
The Roles Management page now lists the RA-Vault role.
- To update the access rules for the role, click Access Rules for the RA-Vault role.
- On the Edit Access Rules page, edit the following:
- For Role Template, select RA Administrators.
- For Authorized CAs, select MyPKISubCA-G1.
- For End Entity Profiles, select TLS Client Profile and TLS Server Profile.
- Click Save to store the updated access rules for the role.
- At the top right of the Edit Access Rules page, click Advanced Mode.
- Under Regular Access Rules, select Allow for /ca_functionality/view_ca/.
- Click Save.
Granting only these rights, rather than a broader administrator template, limits what the Vault credential can do in EJBCA if it is ever compromised.
- At the top right of the Edit Access Rules page, click Members.
- Members are matched on an attribute of the client certificate together with the CA that issued it:
- Match with: Select X509:CN, Common name.
- CA: Verify that ManagementCA is selected as the CA to match on.
- Match Value: Specify the Common Name of the RA credential, in this example vault-ra-01. The match is case-sensitive and must agree exactly with the CN in the CSR created for the RA credential in Step 2. Any certificate issued by the selected CA with this Common Name is accepted as a member of the role.
- Click Add to add the user to the role.
An RA role for Vault has been created and the TLS Server Profile was updated to include an IP Address in the Subject Alternative Name as an option.
Step 2 - Create Keys and Certificate Signing Requests (CSRs)
To prepare for the HashiCorp Vault deployment, you will download the Vault command line interface and use OpenSSL to generate private keys and certificate signing requests (CSRs).
Download the Vault CLI and generate the CSRs:
- SSH to the MicroK8s test host that has EJBCA deployed and configured.
- In your terminal, create a directory to organize all the files for this tutorial:
$ mkdir vault
- Change to the vault directory:
$ cd vault
- Download the Vault binary to use the Vault CLI locally once the cluster is deployed:
$ curl -O https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_linux_amd64.zip
HashiCorp publishes a SHA256SUMS file and a detached signature next to each release archive; verify the download against them before unpacking, as you would for any binary that is going to handle secrets.
- Unzip the archive and remove the zip file:
$ unzip -q vault_1.15.4_linux_amd64.zip && rm -f vault_1.15.4_linux_amd64.zip
- Create environment variables used to build the CSRs for the certificates that EJBCA will issue to Vault:
$ export VAULT_K8S_NAMESPACE="vault" VAULT_SERVICE_NAME="vault-internal" K8S_CLUSTER_NAME="cluster.local"
- Create an OpenSSL configuration file for the TLS certificate the Vault pods present to each other and to in-cluster clients. The SAN list must cover every name Vault will be reached by: the per-pod names under the vault-internal headless service, the vault-active service, and the loopback address used by the local CLI:
$ cat > vault-internal.conf <<EOF
[req]
default_bits = 2048
prompt = no
encrypt_key = yes
distinguished_name = kubelet_serving
req_extensions = v3_req

[ kubelet_serving ]
C = SE
O = Keyfactor Community
CN = system:node:*.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}

[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.${VAULT_SERVICE_NAME}
DNS.2 = *.${VAULT_SERVICE_NAME}.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}
DNS.3 = *.${VAULT_K8S_NAMESPACE}
DNS.4 = vault-active
IP.1 = 127.0.0.1
EOF
- Generate the private key and create the CSR using the OpenSSL configuration file. The -nodes option writes the private key unencrypted, which the Vault pods need in order to load it without a passphrase:
$ openssl req -new -newkey rsa:2048 -nodes -keyout vault-internal.key -sha256 -out vault-internal.csr -config vault-internal.conf
- Create an OpenSSL configuration file for the Ingress TLS certificate used to reach the Vault API from outside the Kubernetes cluster:
$ cat > api.vault.conf <<EOF
[req]
default_bits = 2048
prompt = no
encrypt_key = yes
distinguished_name = kubelet_serving
req_extensions = v3_req

[ kubelet_serving ]
C = SE
O = Keyfactor Community
CN = api.vault

[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = api.vault
EOF
- Generate the private key and create the CSR using the OpenSSL configuration file for the external Ingress TLS certificate:
$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -sha256 -out api.vault.csr -config api.vault.conf
- Create an OpenSSL configuration file for the Vault RA credential. This is a client certificate; its CN must match the Match Value configured on the RA-Vault role in Step 1:
$ cat > vault-ra-01.conf <<EOF
[req]
default_bits = 2048
prompt = no
encrypt_key = yes
distinguished_name = kubelet_serving
req_extensions = v3_req

[ kubelet_serving ]
C = SE
O = Keyfactor Community
CN = vault-ra-01

[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
- Generate the private key and create the CSR using the OpenSSL configuration file for the Vault RA credential:
$ openssl req -new -newkey rsa:2048 -nodes -keyout vault-ra-01-key.pem -sha256 -out vault-ra-01.csr -config vault-ra-01.conf
- Output the vault-internal.csr to the terminal to use in a later step:
$ cat vault-internal.csr
The vault-internal.csr is displayed in the terminal:
-----BEGIN CERTIFICATE REQUEST-----
MIIDKzCCAhMCAQAwWzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
b21tdW5pdHkxLjAsBgNVBAMMJXN5c3RlbTpub2RlOioudmF1bHQuc3ZjLmNsdXN0
ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcGa2SdmwS
XT6jm3llcPPdY0ZdB0xctCcxam+HUj9/qVw5BXiKWVR8fyVDbU7gWUjM4ugVMqOm
+LxeC0GxlasAW+4QqZlny7BkBZJbPcszelbBvsWHcCma2gx25XQ3kPJPcdgRisG1
jHawbMUY6D9x+SOKMyedYPn/nzfnAhDchEAWwvV9gHmd5Fwfh+ube9HKkwrkaszd
2avqMQzgUpfxrshcYmwbqhdyWO+d5WomVlV6xJJNzOml8UbNhKbzmrunpCGS369r
bYANcPZcgjHAKv53E1l940rYwogU/aDQMr2Yz8tulPmfhJL99otgGLhDiNgL4LCe
r4kgbS14LU8PAgMBAAGggYowgYcGCSqGSIb3DQEJDjF6MHgwCwYDVR0PBAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMFQGA1UdEQRNMEuCECoudmF1bHQtaW50ZXJu
YWyCKCoudmF1bHQtaW50ZXJuYWwudmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByou
dmF1bHSHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAIyTD/JXkvpcsl5BaP4VRG70
uJ4ubfuvn8BOWDXYLvARm5PmSgYibZ7C7Y3ak657lC8G7pHWRWwNb+MBmeG9ELiG
45OHP2w60B9SPSMZZ89eZ7SpGq005Fw9+ALzfJHfjn5QyZx2p9ytio1exhMKIKl1
/Q9N3GHPCarLdKYNwSpOjOlYM0fz50KQPd/9vgp/Mxohk/42SUP3uB+MDxRXUHQt
5peX4WklJH1OFWUWNDGiPV2URkAdW4S5dFoDb3SKGxIwpS312vdXpz/tFsxqz/mM
s9QnOaGJbp6YS8x/G41en0ia9XblKR/pQNiGdIPUEKHojkCIE0ROYEU0iKqXZuY=
-----END CERTIFICATE REQUEST-----
- Output the api.vault.csr to the terminal to use in a later step:
$ cat api.vault.csr
The api.vault.csr is displayed in the terminal:
-----BEGIN CERTIFICATE REQUEST-----
MIICzTCCAbUCAQAwPzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
b21tdW5pdHkxEjAQBgNVBAMMCWFwaS52YXVsdDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAM6cSK2PW8yJ9H/qElCvWudcgUy4lSwcvznfefTUsZhEW1IP
BvtthX0AaGraDNIsaChjCtsvUTwDskTZkkm8EB1p0U22BQdgV0z71DklhETSx7Y+
YUPS/aqERQ+MpG0rBsf9UPvdXZJnmX+Ua/iHiKwISFc2LALTpbJaIpR8Jo0EwHuW
f1U/wa7col5xsS/I9orhGYqvnDzvnvjsJTR1rAEDH/RN/AHkQOiBDoyfRJfM+VdD
cbS6MPKEB1uvQKdhYQ6dzLBTDiIzkWvguoMxDMkBJSjBAgZoxBpO/6GMDoH5o6LZ
69li1V1NjRYQ5WOMKki8LlhHxrsYeEq4OMSWgOcCAwEAAaBJMEcGCSqGSIb3DQEJ
DjE6MDgwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBQGA1UdEQQN
MAuCCWFwaS52YXVsdDANBgkqhkiG9w0BAQsFAAOCAQEACHKgifwtgESJGh/rO6Ja
gPZ3W0UpYUM80Ssgegyr9Pja9yZwlv+TcmsZ7IqVNCKD0djWXxfVrQW2gqLhb+Jw
4ZeUZDB8Yui+W7Pl+t6q7dMmRmzZ0OX8cwkbkoyfMn64yT+tFQAd1Ln38666+a7I
QYstwvDd8+w9bloDIRXZ0E0+qkiNnRKZO11NxxACahvfpgyPSyl7qF9CCfzgeqoJ
0qkP8lBMGPKrAeq708Bv+jzy93t3qpqpLDEsa88TqEdTM6Bt1EG3jE+r4FWidsfJ
oQu4YK6vYJQTBRvmFFPGGdhqzaB6LY1W7ZvRKNAo6w1A2D9/G/BWmKrnm6VtR4Ne
lA==
-----END CERTIFICATE REQUEST-----
- Output the vault-ra-01.csr to the terminal to use in a later step:
$ cat vault-ra-01.csr
The vault-ra-01.csr is displayed in the terminal:
-----BEGIN CERTIFICATE REQUEST-----
MIICuTCCAaECAQAwQTELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
b21tdW5pdHkxFDASBgNVBAMMC3ZhdWx0LXJhLTAxMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEApP82z06nC5N6m4HyP7O5pNY0IxCP9kHy6Fk7k9GFfbwF
upLkxeN0sDsqnIrOECVhhszaMbyHxF/bo5ZlbrSgyK6GbUNQ+txvU+48ArkGx1bx
9Cajd0HBVTlm1LgacSCskGoock2uyueoK8fAHKwJf/xLvUwosr+40KNACv3SLDEr
OIF857WCeqa9wkHo0k68Qcx9ChXnUotw90H7gXtLyzmmcunPt5SwJ+FGzcWrDxY/
h3DUzyjqXFNfHxqpAyX+n0FCjnB0jLjz/iokS6mxm8Ly9rQHQHe7z3aUuZIWl3oA
R07R+gG2JrosQ6DvAxZxOXy0qq6IuIMWUBIsdt9SrQIDAQABoDMwMQYJKoZIhvcN
AQkOMSQwIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZI
hvcNAQELBQADggEBAKOIa9D37s2vDE4giASd+RfLnsNqLnZx3HiaF10XaHHkxq8Z
7GVS/0BNTQPN2DM2lKRadTxvfgJ1bCN7raMnhjqUkrr1U7RNXsHiCvtcdwUEKjNT
QES7lq+MHaCuu8uov1sBlcyYSh0dd448P3vksIYT6Z3/eWsl+W+X2ZUdLO74u7av
vRATm5uX9nePLt/RA2fZmPmlAoI+15hjEkWhPv6hV4nQmcfGc0x2SbO7Gk6sTFTo
eLpD19NHDfa59ocNV8mkmGAJJR409WClrxqCzbFrN4uWRx3DKJTT25WQpPb2zHnw
cNVJxJIGOyapXZ9Ldn+pf2AwH2CooiIQpNP5oKY=
-----END CERTIFICATE REQUEST-----
The Vault CLI is downloaded, and certificate signing requests have been created to be used for the Vault integration with EJBCA.
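Before pasting a CSR into the RA Web, check that it actually carries the names Vault will be contacted by: the Raft join and Ingress steps later in this tutorial fail on a TLS hostname mismatch if a SAN is missing. The script below is an added example, not part of the original tutorial or of the EJBCA Vault plugin. It reads a PKCS#10 CSR with a minimal DER walker from the Python standard library (no openssl or cryptography package needed) and lists the Common Name and the dNSName and iPAddress entries of the requested subjectAltName. The embedded CSR is the vault-internal.csr printed above; the expected-name list passed to missing_names, and the function names themselves, are assumptions made for this example, the list being taken from the DNS and IP entries of vault-internal.conf.

```python
"""Inspect a PKCS#10 CSR and confirm it carries the names Vault will be reached by.
Added example; uses only the standard library (a minimal DER walker instead of openssl)."""
import base64
import ipaddress
import re

OID_COMMON_NAME = bytes.fromhex("550403")                    # 2.5.4.3
OID_EXTENSION_REQUEST = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")               # 2.5.29.17

# vault-internal.csr exactly as printed in Step 2 of the tutorial (page data, not constructed).
VAULT_INTERNAL_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIDKzCCAhMCAQAwWzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD
b21tdW5pdHkxLjAsBgNVBAMMJXN5c3RlbTpub2RlOioudmF1bHQuc3ZjLmNsdXN0
ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcGa2SdmwS
XT6jm3llcPPdY0ZdB0xctCcxam+HUj9/qVw5BXiKWVR8fyVDbU7gWUjM4ugVMqOm
+LxeC0GxlasAW+4QqZlny7BkBZJbPcszelbBvsWHcCma2gx25XQ3kPJPcdgRisG1
jHawbMUY6D9x+SOKMyedYPn/nzfnAhDchEAWwvV9gHmd5Fwfh+ube9HKkwrkaszd
2avqMQzgUpfxrshcYmwbqhdyWO+d5WomVlV6xJJNzOml8UbNhKbzmrunpCGS369r
bYANcPZcgjHAKv53E1l940rYwogU/aDQMr2Yz8tulPmfhJL99otgGLhDiNgL4LCe
r4kgbS14LU8PAgMBAAGggYowgYcGCSqGSIb3DQEJDjF6MHgwCwYDVR0PBAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMFQGA1UdEQRNMEuCECoudmF1bHQtaW50ZXJu
YWyCKCoudmF1bHQtaW50ZXJuYWwudmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByou
dmF1bHSHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAIyTD/JXkvpcsl5BaP4VRG70
uJ4ubfuvn8BOWDXYLvARm5PmSgYibZ7C7Y3ak657lC8G7pHWRWwNb+MBmeG9ELiG
45OHP2w60B9SPSMZZ89eZ7SpGq005Fw9+ALzfJHfjn5QyZx2p9ytio1exhMKIKl1
/Q9N3GHPCarLdKYNwSpOjOlYM0fz50KQPd/9vgp/Mxohk/42SUP3uB+MDxRXUHQt
5peX4WklJH1OFWUWNDGiPV2URkAdW4S5dFoDb3SKGxIwpS312vdXpz/tFsxqz/mM
s9QnOaGJbp6YS8x/G41en0ia9XblKR/pQNiGdIPUEKHojkCIE0ROYEU0iKqXZuY=
-----END CERTIFICATE REQUEST-----"""


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos. Single-byte tags suffice for PKCS#10."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def csr_names(pem):
    """Return (common name, [dNSName...], [iPAddress...]) from the subject and SAN request."""
    _, request, _ = _tlv(_pem_to_der(pem), 0)
    info = _children(request)[0][1]                         # CertificationRequestInfo
    _version, subject, _spki, attributes = _children(info)
    common_name = None
    for _, rdn in _children(subject[1]):                    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_COMMON_NAME:
                common_name = value[1].decode()
    dns, ips = [], []
    for _, attribute in _children(attributes[1]):           # attributes [0] IMPLICIT SET OF Attribute
        oid, values = _children(attribute)
        if oid[1] != OID_EXTENSION_REQUEST:
            continue
        for _, extension in _children(_children(values[1])[0][1]):   # Extensions ::= SEQUENCE OF Extension
            parts = _children(extension)                    # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] != OID_SUBJECT_ALT_NAME:
                continue
            for gn_tag, gn in _children(_children(parts[-1][1])[0][1]):   # GeneralNames
                if gn_tag == 0x82:                          # [2] dNSName
                    dns.append(gn.decode())
                elif gn_tag == 0x87:                        # [7] iPAddress, raw 4 or 16 bytes
                    ips.append(str(ipaddress.IPv4Address(gn) if len(gn) == 4 else ipaddress.IPv6Address(gn)))
    return common_name, dns, ips


def missing_names(expected, pem):
    """Names you intended to request (from the OpenSSL config) that are absent from the CSR."""
    _, dns, ips = csr_names(pem)
    present = set(dns) | set(ips)
    return [name for name in expected if name not in present]


if __name__ == "__main__":
    cn, dns, ips = csr_names(VAULT_INTERNAL_CSR)
    print("CN:", cn)
    print("DNS:", dns)
    print("IP:", ips)
    # Assumed expected list, taken from the [alt_names] section of vault-internal.conf above.
    wanted = ["*.vault-internal", "*.vault-internal.vault.svc.cluster.local",
              "*.vault", "vault-active", "127.0.0.1"]
    print("missing:", missing_names(wanted, VAULT_INTERNAL_CSR))
```

Run against the vault-internal.csr shown above, it reports three dNSName entries and 127.0.0.1 and flags vault-active as missing, so compare the output with the [alt_names] section of your own configuration file before pasting a CSR into the RA Web, and regenerate the CSR if a name is absent. Where OpenSSL is available, openssl req -in vault-internal.csr -noout -text shows the same information.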
Step 3 - Create Certificates from the CSRs Using EJBCA RA UI
The CSRs generated in Step 2 - Create Keys and Certificate Signing Requests (CSRs) must be signed before Vault can be deployed. The EJBCA RA Web is used to issue the certificates by signing the CSRs. Once the CSRs are signed the certificate files are uploaded to the Kubernetes server and staged for the Vault deployment.
To complete the certificate issuance for the CSRs generated in Step 2, follow these steps:
- Go to the EJBCA RA Web using a web browser.
- Click Make New Request and update the following:
- Select TLS Server Profile for the Certificate Type.
- Select TlsServerRsa-1y for the Certificate subtype.
- Select ManagementCA for the CA.
- Select the Provided by user radio button for Key-pair generation.
- Paste the contents of vault-internal.csr (the first PEM output in the terminal window, shown in Step 2) into the CSR text field.
- Click Upload CSR.
- Enter vault-internal for the Username.
- Click Download PEM full chain.
- Select Reset at the bottom of the page to make another request.
- Select TLS Server Profile for the Certificate Type.
- Select ManagementCA for the CA.
- Select Provided by user for Key-pair generation.
- Paste the contents of api.vault.csr (the second PEM output in the terminal window, shown in Step 2) into the CSR text field.
- Click Upload CSR.
- Enter api.vault for the Username.
- Click Download PEM full chain.
- Select Reset at the bottom of the page to make another request.
- Select RA-Administrator for the Certificate Type.
- Select Provided by user for Key-pair generation.
- Paste the contents of vault-ra-01.csr (the third PEM output in the terminal window, shown in Step 2) into the CSR text field. The CN in this CSR, vault-ra-01, is what the RA-Vault role created in Step 1 matches on.
- Click Upload CSR.
- Enter vault-ra-01 for the Username.
- Click Download PEM full chain.
- Return to the terminal window and open a new tab or terminal window.
- In your terminal, upload the downloaded certificate files to the MicroK8s VM. Only the certificates move; the private keys were generated on the VM in Step 2 and stay there.
- Upload the systemnode.vault.svc.cluster.local.pem file to the MicroK8s VM:
$ scp ~/Downloads/systemnode.vault.svc.cluster.local.pem user@172.16.170.187:~/vault/vault-internal.crt
- Type the password to the user account if prompted for the password.
- Upload the api.vault.pem file to the MicroK8s VM:
$ scp ~/Downloads/api.vault.pem user@172.16.170.187:~/vault/server.crt
- Type the password to the user account if prompted for the password.
- Upload the vault-ra-01.pem file to the MicroK8s VM:
$ scp ~/Downloads/vault-ra-01.pem user@172.16.170.187:~/vault/vault-ra-01-crt.pem
Replace the IP address (172.16.170.187) and the username (user) with the IP address or FQDN of the MicroK8s VM and the account you use to access it; the values shown are examples to show the complete command.
- Return to the terminal window or tab of the MicroK8s session.
- Continuing from the ~/vault directory, output vault-internal.crt to the terminal:
$ cat vault-internal.crt
The output is similar to the following: the end entity certificate followed by the issuing ManagementCA certificate, each preceded by its Subject and Issuer lines:
Subject: CN=system:node:*.vault.svc.cluster.local,O=Keyfactor Community,C=SE
Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIIFETCCAvmgAwIBAgIUE4Z7mJUOr7JUIXddQ3RYLKF+GE8wDQYJKoZIhvcNAQEL
BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzA2MTYxNjA3NDZaFw0yNDA2MTMx
NjA3NDVaMFsxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29tbXVu
aXR5MS4wLAYDVQQDDCVzeXN0ZW06bm9kZToqLnZhdWx0LnN2Yy5jbHVzdGVyLmxv
Y2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3BmtknZsEl0+o5t5
ZXDz3WNGXQdMXLQnMWpvh1I/f6lcOQV4illUfH8lQ21O4FlIzOLoFTKjpvi8XgtB
sZWrAFvuEKmZZ8uwZAWSWz3LM3pWwb7Fh3ApmtoMduV0N5DyT3HYEYrBtYx2sGzF
GOg/cfkjijMnnWD5/5835wIQ3IRAFsL1fYB5neRcH4frm3vRypMK5GrM3dmr6jEM
4FKX8a7IXGJsG6oXcljvneVqJlZVesSSTczppfFGzYSm85q7p6Qhkt+va22ADXD2
XIIxwCr+dxNZfeNK2MKIFP2g0DK9mM/LbpT5n4SS/faLYBi4Q4jYC+Cwnq+JIG0t
eC1PDwIDAQABo4HlMIHiMB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWABCwE86DS
MHsGA1UdEQR0MHKCECoudmF1bHQtaW50ZXJuYWyCKCoudmF1bHQtaW50ZXJuYWwu
dmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByoudmF1bHSCJXN5c3RlbTpub2RlOiou
dmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwHQYDVR0OBBYEFD1BrwJRiwqbZ7b6Ijec5hbdenVKMA4GA1UdDwEB/wQEAwIF
oDANBgkqhkiG9w0BAQsFAAOCAgEAmht4w6wtqEem0YlGXaIMzxkAcsb6qhf3m8tN
1nMngtPNq0gqi1o1+a2hSvTsc5Tj+K+3Sx6wiP4iBqi3cMfK9qb0JkiWZ5P2LUQW
9SuXwQAwWxz8Z/T3E/zc8zbXfI5BzcKxlsHjDrLfiLzOsV+xzcCXiCncQmfMQeZA
A055GiBCg5luz9lDJMErPjRcaR5ug5j4gWz5tUwGZ/K0RgqnxyL59dHoO/EtB1vW
m/tygbwPJgbZYKmZ2+j+02Po3i8cfObs1jE+yanAD2rCnubPpaJiX0IR0DWc9AWt
dvYuNyVVSpIWP4ghHY9P7QvZhwP1alodCzuDWsRZFiN8rjW3Mm0vrs6TB2JwNxAs
AIxXG2I1S7ueTSROKbKCP22GL9AI+j9KRyH13eJqMo5CdS9FJXZlIGDzIxrca6yX
SePsZIwWK4GocWFf5S3LNkpRsGKFTLO4GFr8T6bZdP225tfR+z7joyLrJ20l531X
BJ1kiXOtGbek7iVOLnSteSwGmU6W12YD4KbJVUGjmax6Cw1xIKVAIdgr+OfiqAAN
5sfsjwysYdzRvKvQFMZkXcgQ7giJz7bzaDfZaiNNYNVMaR1ygI5sjqsSJ5a5HzeQ
4Thzy5GJ3hKxUu6yW/OHlI0Jw1cvkYxkb/KN72Aee13YAtG34wHP/es/TulW3zDi
usFT0JE=
-----END CERTIFICATE-----
Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL
BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw
ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj
dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC
DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp
KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8
fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O
tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja
8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG
zALBc8jADv0VZC0u1P xj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT
X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/
q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K
kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh
PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q
GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB
o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA
BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E
BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX
tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n
JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5
CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd
uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx
H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi
VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R
2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu
eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc
GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs
zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP
qMN+i82CAMeU
-----END CERTIFICATE-----
- Select and copy the ManagementCA certificate (the last Subject/Issuer pair and PEM block in the output above).
- Create the ManagementCA.crt file:
$ vim ManagementCA.crt
- Paste the copied ManagementCA certificate into the file.
- Save and close the file.
- Download the certificate chain of the CA that will issue certificates through Vault from the EJBCA RA Web, authenticating with the new RA credential and verifying the server against ManagementCA.crt. The caid value identifies the CA in EJBCA; if your issuing CA differs, substitute its CA ID:
$ curl -X GET --cert vault-ra-01-crt.pem --key vault-ra-01-key.pem --cacert ManagementCA.crt "https://ejbca-internal.ejbca-k8s/ejbca/ra/cert?caid=-1419783344&chain=true&format=pem" -H "accept: */*" -o cacerts.pem
- Append the ManagementCA certificate to the cacerts.pem file so that the bundle contains every CA the Vault container must trust:
$ cat ManagementCA.crt >> cacerts.pem
Certificates are now issued and uploaded to the MicroK8s VM and staged to use for the deployment. Continue to the next step to deploy HashiCorp Vault with the EJBCA Vault Plugin.
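The ManagementCA.crt file above is created by copying the last PEM block out of the terminal, which is easy to get wrong with two certificates on screen. The script below is an added example, not code from the tutorial or from Keyfactor. It splits an EJBCA RA Web "PEM full chain" file using the Subject and Issuer lines EJBCA writes before each certificate, checks that each certificate's issuer names the subject of the certificate that follows it, and picks out the self-signed root for ManagementCA.crt. The chain text embedded in the script is a constructed sample in that layout with placeholder base64 bodies, so it exercises the text handling only, not signature verification; the function names are this example's own.

```python
"""Split an EJBCA RA Web "PEM full chain" download into its certificates, check the
issuer/subject links, and pick out the self-signed root. Added example, not tutorial code."""
import re
import sys

# Constructed sample in the layout EJBCA's RA Web produces: a Subject and an Issuer line
# before each certificate, leaf first. The base64 bodies are placeholders, not certificates.
SAMPLE_CHAIN = """Subject: CN=system:node:*.vault.svc.cluster.local,O=Keyfactor Community,C=SE
Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUi1OT1QtQS1SRUFMLUNFUlRJRklDQVRF
-----END CERTIFICATE-----
Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
Uk9PVC1QTEFDRUhPTERFUi1OT1QtQS1SRUFMLUNFUlRJRklDQVRF
-----END CERTIFICATE-----
"""

ENTRY = re.compile(
    r"Subject:[ \t]*(?P<subject>[^\n]+)\n[ \t]*Issuer:[ \t]*(?P<issuer>[^\n]+)\n\s*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.S,
)


def split_chain(text):
    """Return [{subject, issuer, pem}, ...] in file order (leaf first, as EJBCA writes it)."""
    chain = [m.groupdict() for m in ENTRY.finditer(text)]
    if not chain:
        raise ValueError("no Subject/Issuer-prefixed certificates found")
    return chain


def check_links(chain):
    """Every certificate's issuer must name the subject of the certificate that follows it."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            raise ValueError(f"{cert['subject']} was issued by {cert['issuer']}, "
                             f"but the next certificate in the file is {parent['subject']}")
    return True


def find_root(chain):
    """The self-signed certificate (subject equals issuer); exactly one is expected."""
    roots = [c for c in chain if c["subject"] == c["issuer"]]
    if len(roots) != 1:
        raise ValueError(f"expected one self-signed certificate, found {len(roots)}")
    return roots[0]


def root_pem(text):
    """PEM block of the root CA, ready to be written to ManagementCA.crt."""
    chain = split_chain(text)
    check_links(chain)
    return find_root(chain)["pem"] + "\n"


def trust_bundle(text):
    """Every CA certificate in the chain (all but the leaf), for a cacerts.pem-style bundle."""
    chain = split_chain(text)
    check_links(chain)
    return "".join(c["pem"] + "\n" for c in chain[1:])


if __name__ == "__main__":
    # Usage: python split_chain.py vault-internal.crt > ManagementCA.crt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    chain = split_chain(text)
    check_links(chain)
    print("root CA:", find_root(chain)["subject"], file=sys.stderr)
    sys.stdout.write(root_pem(text))
```

Subject and Issuer string equality is an ordering check, not a cryptographic one; once ManagementCA.crt exists, confirm the signature with openssl verify -CAfile ManagementCA.crt vault-internal.crt, which reads the first certificate in the file and ignores the text lines around the PEM blocks.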
Step 4 - Deploy HashiCorp Vault with EJBCA Vault Plugin
Next, deploy HashiCorp Vault using a Helm chart that uses the certificates created from the previous step.
To deploy Vault, follow these steps:
- Create a namespace to deploy Vault into:
$ kubectl create namespace vault
The output is similar to the following:
namespace/vault created
- Create a ConfigMap holding the EJBCA CA chain (cacerts.pem) so that the Vault container trusts certificates issued by EJBCA:
$ kubectl -n vault create configmap vault-tls-trust-chain-configmap --from-file=ca-certificates.crt=cacerts.pem
The output is similar to the following:
configmap/vault-tls-trust-chain-configmap created
- Create a secret with the certificate, key, and CA certificate for vault-internal:
$ kubectl create secret generic vault-ha-tls \
    -n vault \
    --from-file=vault.key=vault-internal.key \
    --from-file=vault.crt=vault-internal.crt \
    --from-file=vault.ca=ManagementCA.crt
The output is similar to the following:
secret/vault-ha-tls created
- Create a TLS secret with the certificate and key for the Ingress:
$ kubectl -n vault create secret tls tls-api-vault --cert server.crt --key server.key
The output is similar to the following:
secret/tls-api-vault created
- Add the HashiCorp Helm repository:
$ helm repo add hashicorp https://helm.releases.hashicorp.com
The output is similar to the following:
"hashicorp" has been added to your repositories
- Download the overrides.yaml file from the Keyfactor Community GitHub repository:
$ curl -LOs https://raw.githubusercontent.com/Keyfactor/keyfactorcommunity/feature/Add-Vault-Vars-tutorial/apps-integration/hashicorp-vault/overrides.yaml
- Review the file before deploying. It is already set up for this tutorial, so no changes are needed, but as with any values file fetched from a remote branch, read through it before handing it to Helm.
- Deploy Vault using the Helm chart:
$ helm install vault hashicorp/vault -f overrides.yaml --namespace vault
The output is similar to the following:
NAME: vault
LAST DEPLOYED: Wed Jun 14 12:45:09 2023
NAMESPACE: vault
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/

Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault
You can use the following monitoring commands to view what is going on with the deployment:
$ kubectl -n vault get pods
$ kubectl --namespace='vault' get all
$ kubectl -n vault get all,ingress,secret,no,pvc
$ kubectl -n vault describe pod/vault-0
$ kubectl -n vault logs pod/vault-0
$ kubectl -n vault logs pod/vault-0 -c ejbca-vault-plugin
Vault is now deployed with the certificates issued by EJBCA and the EJBCA Vault plugin, and is ready to be initialized. Continue to the next step to initialize Vault.
Step 5 - Initialize Vault
In order to use Vault it must be initialized on one node; the other two nodes are then joined to the Raft cluster. Every node also has to be unsealed by providing the unseal key shares (three of the five generated at initialization, the threshold chosen below).
To complete the Vault initialization and begin using the cluster, follow these steps:
- Continuing from the terminal used in the previous step, initialize Vault and save the unseal keys to the cluster-keys.json file:
$ kubectl exec -n vault vault-0 -- vault operator init \
    -key-shares=5 \
    -key-threshold=3 \
    -format=json > ./cluster-keys.json
The output is similar to the following:
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Note that cluster-keys.json now holds all five unseal key shares and the initial root token in clear text. That is acceptable for this test environment; in a real deployment, distribute the shares to separate key holders, revoke the initial root token once other authentication methods are configured, and remove the file.
- Create environment variables for three unseal keys to unseal the Vault nodes:
$ export VAULT_UNSEAL_KEY0=$(jq -r ".unseal_keys_b64[0]" cluster-keys.json)
$ export VAULT_UNSEAL_KEY1=$(jq -r ".unseal_keys_b64[1]" cluster-keys.json)
$ export VAULT_UNSEAL_KEY2=$(jq -r ".unseal_keys_b64[2]" cluster-keys.json)
- Unseal the first instance of Vault by submitting the three shares one at a time:
$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY0
$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1
$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2
The output is similar to the following; Unseal Progress advances with each share and Sealed changes to false after the third:
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       8c48fbd6-019c-2aa9-8f2f-a8b62e997268
Version            1.13.1
Build Date         2023-03-23T12:51:35Z
Storage Type       raft
HA Enabled         true
[user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       8c48fbd6-019c-2aa9-8f2f-a8b62e997268
Version            1.13.1
Build Date         2023-03-23T12:51:35Z
Storage Type       raft
HA Enabled         true
[user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.13.1
Build Date              2023-03-23T12:51:35Z
Storage Type            raft
Cluster Name            vault-cluster-af3cf4e1
Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 active
Active Since            2023-07-29T14:29:15.391001943Z
Raft Committed Index    36
Raft Applied Index      36
- Exec into the second instance of Vault to join it to the Vault cluster:
$ kubectl exec -n vault -it vault-1 -- /bin/sh
The output is similar to the following:
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
/ $
- Join the second Vault instance to the cluster. The leader is verified against the ManagementCA certificate mounted from the vault-ha-tls secret, and the node's own certificate and key are presented to it:
$ vault operator raft join -address=https://vault-1.vault-internal:8200 \
    -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" \
    -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" \
    -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" \
    https://vault-0.vault-internal:8200
The output is similar to the following:
Key       Value
---       -----
Joined    true
- Exit the exec session on the second Vault instance:
$ exit
- Unseal the second instance of Vault with the same three shares:
$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY0
$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1
$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2
The output is similar to the following; once unsealed, the node reports HA Mode standby and the address of the active node:
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    1/3
Unseal Nonce       f9f2c78c-c615-a91b-b7b2-25c0b711dd2f
Version            1.13.1
Build Date         2023-03-23T12:51:35Z
Storage Type       raft
HA Enabled         true
[user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    2/3
Unseal Nonce       f9f2c78c-c615-a91b-b7b2-25c0b711dd2f
Version            1.13.1
Build Date         2023-03-23T12:51:35Z
Storage Type       raft
HA Enabled         true
[user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            5
Threshold               3
Version                 1.13.1
Build Date              2023-03-23T12:51:35Z
Storage Type            raft
Cluster Name            vault-cluster-af3cf4e1
Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
HA Enabled              true
HA Cluster              https://vault-0.vault-internal:8201
HA Mode                 standby
Active Node Address     https://10.1.89.154:8200
Raft Committed Index    37
Raft Applied Index      37
Exec into the third Vault instance to join it to the cluster:
CODE$ kubectl exec -n vault -it vault-2 -- /bin/sh
The output is similar to the following:
CODEDefaulted container "vault" out of: vault, ejbca-vault-plugin (init) / $
Join the third Vault instance to the cluster:
CODE$ vault operator raft join -address=https://vault-2.vault-internal:8200 -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" https://vault-0.vault-internal:8200
The output is similar to the following:
CODEKey     Value
---     -----
Joined  true
Exit the exec session on the 3rd Vault instance:
CODE$ exit
Unseal the third Vault instance with three shares:
CODE$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY0
$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1
$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2
The output is similar to the following:
CODEDefaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                  Value
---                  -----
Seal Type            shamir
Initialized          true
Sealed               true
Total Shares         5
Threshold            3
Unseal Progress      1/3
Unseal Nonce         24c26cf4-fe74-2829-f005-ad46f1796a66
Version              1.13.1
Build Date           2023-03-23T12:51:35Z
Storage Type         raft
HA Enabled           true
[user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                  Value
---                  -----
Seal Type            shamir
Initialized          true
Sealed               true
Total Shares         5
Threshold            3
Unseal Progress      2/3
Unseal Nonce         24c26cf4-fe74-2829-f005-ad46f1796a66
Version              1.13.1
Build Date           2023-03-23T12:51:35Z
Storage Type         raft
HA Enabled           true
[user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2
Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Key                  Value
---                  -----
Seal Type            shamir
Initialized          true
Sealed               false
Total Shares         5
Threshold            3
Version              1.13.1
Build Date           2023-03-23T12:51:35Z
Storage Type         raft
Cluster Name         vault-cluster-af3cf4e1
Cluster ID           585b2724-0e39-c9c6-e438-91591c3d0487
HA Enabled           true
HA Cluster           https://vault-0.vault-internal:8201
HA Mode              standby
Active Node Address  https://10.1.89.154:8200
Raft Committed Index 41
Raft Applied Index   41
Unset the environment variables holding the three key shares so they do not linger in the session. The shares were handed to the pods as command-line arguments, which makes them briefly visible in process listings inside the container; in an interactive session, running vault operator unseal with no argument prompts for the share instead:
CODE$ unset VAULT_UNSEAL_KEY0 VAULT_UNSEAL_KEY1 VAULT_UNSEAL_KEY2
Vault is now initialized and unsealed on all three nodes, and ready for the EJBCA Vault plugin to be configured.
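The unseal loop above can also be driven over Vault's HTTP API, which is how an automated job would do it. The following is an added example (not code from this tutorial or from HashiCorp): each key share is submitted with PUT /v1/sys/unseal as {"key": "<share>"}, Vault answers its seal status, and the loop stops as soon as sealed turns false, which happens once the Shamir threshold (t of n) is met. The node addresses are the tutorial's; reading shares from stdin and the CA file location are assumptions, and FakeSealedNode is a constructed stand-in so the example runs offline.

```python
"""Added example: unseal Vault nodes over the sys/unseal API, one share at a time."""
import json
import os
import ssl
import sys
import urllib.request
from typing import Callable, Dict, Iterable, List

Post = Callable[[str, dict], dict]  # transport: (url, JSON body) -> decoded JSON reply


def unseal_node(addr: str, shares: Iterable[str], post: Post) -> dict:
    """Submit shares until the node reports sealed=false; return the final status.

    Raises RuntimeError when the shares run out while the node is still sealed,
    i.e. fewer than the threshold of valid shares were supplied.
    """
    status = None
    for share in shares:
        status = post(f"{addr}/v1/sys/unseal", {"key": share})
        if not status["sealed"]:
            return status  # threshold reached; do not send more shares than needed
    if status is None:
        raise RuntimeError(f"{addr}: no unseal shares supplied")
    raise RuntimeError(f"{addr}: still sealed after {status['progress']}/{status['t']} shares")


def unseal_cluster(addrs: Iterable[str], shares: List[str], post: Post) -> Dict[str, dict]:
    """Every node keeps its own seal, so each one needs a threshold of shares."""
    return {addr: unseal_node(addr, shares, post) for addr in addrs}


def https_post(cacert: str) -> Post:
    """Production transport: TLS verified against the cluster CA (the VAULT_CACERT file)."""
    ctx = ssl.create_default_context(cafile=cacert)

    def post(url: str, body: dict) -> dict:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return post


class FakeSealedNode:
    """Constructed stand-in for a sealed node with threshold t of n shares.

    Mirrors the fields Vault returns from sys/unseal: sealed, t, n, progress.
    Progress resets to 0 once the node is unsealed, as Vault's status does.
    """
    def __init__(self, valid_shares: Iterable[str], t: int = 3, n: int = 5):
        self.valid, self.t, self.n = set(valid_shares), t, n
        self.seen: set = set()
        self.requests = 0

    def post(self, url: str, body: dict) -> dict:
        self.requests += 1
        if body["key"] not in self.valid:
            raise ValueError("invalid unseal share")  # real Vault answers HTTP 400 here
        self.seen.add(body["key"])
        sealed = len(self.seen) < self.t
        return {"sealed": sealed, "t": self.t, "n": self.n,
                "progress": len(self.seen) if sealed else 0}


if __name__ == "__main__":
    # Assumed usage: python3 unseal.py https://vault-1.vault-internal:8200 ... < shares.txt
    # Shares come from stdin (one per line) so they never appear in argv or shell history.
    shares = [line.strip() for line in sys.stdin if line.strip()]
    post = https_post(os.environ["VAULT_CACERT"])
    for addr, status in unseal_cluster(sys.argv[1:], shares, post).items():
        print(addr, "sealed" if status["sealed"] else "unsealed")
```

Because the loop stops at the first sealed=false reply, passing all five shares to a node only ever sends three, and a node given fewer than the threshold fails loudly instead of silently staying sealed.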
Step 6 - Configure EJBCA Vault Plugin
To issue certificates with the EJBCA Vault plugin, the plugin has to be registered in Vault's plugin catalog, enabled as a secrets engine, and configured with credentials to reach EJBCA.
Enable and configure the EJBCA Vault plugin:
Continuing from the terminal used in the previous step, read the root token from cluster-keys.json into an environment variable. This file holds the root token and all of the unseal key shares, so keep it off shared systems and restrict its permissions. The initial root token never expires (token_duration ∞ in the output below), so use it for this setup only and revoke it with vault token revoke once a less privileged auth method or token is in place:
CODE$ export CLUSTER_ROOT_TOKEN=$(jq -r ".root_token" cluster-keys.json)
Login to Vault as the root user:
CODE$ kubectl exec -n vault vault-0 -- vault login $CLUSTER_ROOT_TOKEN
The output is similar to the following:
CODEDefaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.9tQdMV8ygFINYGc7E5QzKMUn
token_accessor       udQyRMMtJHWEwi3GhqaNqc9j
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
Compute the SHA-256 hash of the plugin binary inside the vault-0 pod. Vault only runs a catalog plugin whose binary matches the registered hash, so this pins the exact file; note that hashing the file you are about to register does not by itself prove the build is genuine, so compare the value with the checksum published for the plugin release where one is available:
CODE$ export SHA256=$(kubectl exec -n vault vault-0 -- sha256sum /usr/local/libexec/vault/ejbca-vault-pki-engine | cut -d ' ' -f1)
The output is similar to the following:
CODEDefaulted container "vault" out of: vault, ejbca-vault-plugin (init)
Add the EJBCA Vault Plugin to Vault using the hash computed from the previous step:
CODE$ kubectl exec -n vault vault-0 -- vault write sys/plugins/catalog/secret/ejbca-vault-pki-engine sha_256=$SHA256 command="ejbca-vault-pki-engine"
The output is similar to the following:
CODEDefaulted container "vault" out of: vault, ejbca-vault-plugin (init) Success! Data written to: sys/plugins/catalog/secret/ejbca-vault-pki-engine
Enable the EJBCA Vault plugin:
CODE$ kubectl exec -n vault vault-0 -- vault secrets enable -path=ejbca100 -plugin-name=ejbca-vault-pki-engine plugin
The output is similar to the following:
CODEDefaulted container "vault" out of: vault, ejbca-vault-plugin (init) Success! Enabled the ejbca-vault-pki-engine secrets engine at: ejbca100/
Query the cluster IP address of the EJBCA internal Service and add a hosts file entry for it on the MicroK8s VM. A Service's cluster IP is stable for the Service's lifetime but changes if the Service is recreated, so refresh this entry if that happens:
CODE$ EJBCA_INTERNAL_SVC=$(kubectl -n ejbca-k8s get service/ejbca-internal -o jsonpath='{.spec.clusterIP}')
$ echo "${EJBCA_INTERNAL_SVC} ejbca-internal.ejbca-k8s" | sudo tee -a /etc/hosts
Query the load balancer IP address of the ingress and add the api.vault name to the hosts file entry for it on the MicroK8s VM. The sed command appends the name to the existing /etc/hosts line for that address; if no such line exists yet, add one instead:
CODE$ theIP="$(kubectl -n ingress get services -o json | jq -r '.items[] |.status.loadBalancer?|.ingress[]?|.ip ' | cut -d : -f 2)"
$ sudo sed -i "s|${theIP} |${theIP} api.vault |" /etc/hosts
Set the two environment variables the Vault CLI binary uses to reach the cluster: the CA certificate to verify the server's TLS certificate against (a path relative to the current directory here) and the address of the ingress:
CODE$ export VAULT_CACERT=ManagementCA.crt
$ export VAULT_ADDR="https://api.vault"
Login to Vault with the Vault CLI binary:
CODE$ ./vault login $CLUSTER_ROOT_TOKEN
The output is similar to the following:
CODESuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                hvs.9tQdMV8ygFINYGc7E5QzKMUn
token_accessor       udQyRMMtJHWEwi3GhqaNqc9j
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]
Configure the plugin with the EJBCA REST endpoint, the RA client certificate and key created earlier, and the default CA, end entity profile and certificate profile to use for issuance. The @file form makes the CLI send the file contents, so the RA client key is persisted in Vault's encrypted storage for this mount; the RA identity is therefore only as well protected as the Vault cluster itself:
CODE$ ./vault write ejbca100/config \
    hostname="https://ejbca-internal.ejbca-k8s/ejbca" \
    client_cert=@./vault-ra-01-crt.pem \
    client_key=@./vault-ra-01-key.pem \
    default_ca="MyPKISubCA-G1" \
    default_end_entity_profile="TLS Server Profile" \
    default_certificate_profile="TLS Server Profile"
The output is similar to the following:
CODESuccess! Data written to: ejbca100/config
Create a role that callers use to request certificates. Note that allow_any_name=true lets any token permitted to write ejbca100/issue/tls-server-auth request any common name or SAN, leaving the EJBCA end entity profile as the only remaining constraint on names. For production, prefer allow_any_name=false with an allowed_domains list (allow_subdomains=true then admits subdomains of those entries), and grant consumers the issue path through a dedicated policy rather than the root token:
CODE$ ./vault write ejbca100/roles/tls-server-auth \
    allow_any_name=true \
    allow_subdomains=true \
    max_ttl=8760h \
    key_type="ec" \
    key_bits=256 \
    signature_bits=0 \
    use_pss=false \
    country="SE" \
    organization="Keyfactor Community"
The output is similar to the following:
CODEKey                                   Value
---                                   -----
account_binding_id                    n/a
allow_any_name                        true
allow_bare_domains                    false
allow_glob_domains                    false
allow_ip_sans                         true
allow_localhost                       true
allow_subdomains                      true
allow_token_displayname               false
allow_wildcard_certificates           true
allowed_domains                       []
allowed_domains_template              false
allowed_other_sans                    []
allowed_serial_numbers                []
allowed_uri_sans                      []
allowed_uri_sans_template             false
allowed_user_ids                      []
basic_constraints_valid_for_non_ca    false
certificate_profile_name              TLS Server Profile
client_flag                           true
cn_validations                        [email hostname]
code_signing_flag                     false
country                               [SE]
email_protection_flag                 false
end_entity_profile_name               TLS Server Profile
enforce_hostnames                     true
ext_key_usage                         []
ext_key_usage_oids                    []
generate_lease                        false
issuer_ref                            MyPKISubCA-G1
key_bits                              256
key_type                              ec
key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
locality                              []
max_ttl                               8760h
no_store                              false
not_after                             n/a
not_before_duration                   30s
organization                          [Keyfactor Community]
ou                                    []
policy_identifiers                    []
postal_code                           []
province                              []
require_cn                            true
server_flag                           true
signature_bits                        0
street_address                        []
ttl                                   0s
use_csr_common_name                   true
use_csr_sans                          true
use_pss                               false
Certificates can now be issued from Vault using the EJBCA Vault plugin. Continue to the next section to issue a certificate from EJBCA.
Step 7 - Issue a Certificate through Vault
After the EJBCA Vault plugin is configured, certificates can be issued from EJBCA through requests from Vault.
To issue certificates from EJBCA using Vault, follow these steps:
Continuing from the terminal used in the previous step, request a certificate in pem_bundle format. The plugin generates the key pair, has EJBCA sign the certificate, and returns the private key in the response together with the certificate, so treat the response as the only copy of the key and protect it accordingly. With pem_bundle the certificate value contains the leaf certificate followed by the issuing chain:
CODE$ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-01.keyfactor-community" \
    alt_names="test-vault-01.keyfactor-community" \
    format="pem_bundle"
The output is similar to the following:
CODEKey Value --- ----- ca_chain [-----BEGIN CERTIFICATE----- MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015 UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/ 2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1 MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/ BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA= -----END CERTIFICATE-----] certificate -----BEGIN CERTIFICATE----- MIIC9jCCAp2gAwIBAgIUTnZdWZm6OPGwnu9sm0QXbmIKeNgwCgYIKoZIzj0EAwQw SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDUzNTFaFw0yNDA3 MjUxNDUzNTBaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t 
bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAxLmtleWZhY3Rvci1jb21tdW5p dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQvP2pe5Cw75p28nx8LdeRPUf+M VkPrFfXX7Ab0fTEY70ycsykptNjzXcxGnh0jK+69sl/Ljk+FlzCCaRI7+T6ho4IB VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R BEgwRoIhdGVzdC12YXVsdC0wMS5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh dWx0LTAxLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et RzEuY3JsMB0GA1UdDgQWBBSsvRUcTOp1hh/ymJ3z/HmbqS07gjAOBgNVHQ8BAf8E BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgW1D3QnNlMP20+HJPaTWsqREIe8oPHJKR pWsHPzuT/gcCIC7P58EjIK4rIzd1QM4NrcVDvlHxOCR0r/Z0K7L+Ltsz -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015 UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/ 2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1 
MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/ BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA= -----END CERTIFICATE----- expiration 1721919230 issuing_ca -----BEGIN CERTIFICATE----- MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015 UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/ 2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV -----END CERTIFICATE----- private_key -----BEGIN EC PRIVATE KEY----- MHcCAQEEIIjlDsYsuC4poF9u0rBrWzq9a2rTJ+WQAeXuM/p1XnkToAoGCCqGSM49 AwEHoUQDQgAELz9qXuQsO+advJ8fC3XkT1H/jFZD6xX11+wG9H0xGO9MnLMpKbTY 813MRp4dIyvuvbJfy45PhZcwgmkSO/k+oQ== -----END EC PRIVATE KEY----- private_key_type ec serial_number 4e:76:5d:59:99:ba:38:f1:b0:9e:ef:6c:9b:44:17:6e:62:0a:78:d8
Request a certificate in pem format. Here the certificate value holds only the leaf certificate; the issuing CA and the full chain are returned separately in issuing_ca and ca_chain:
CODE$ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-02.keyfactor-community" \
    alt_names="test-vault-02.keyfactor-community" \
    format="pem"
The output is similar to the following:
CODEKey Value --- ----- ca_chain [-----BEGIN CERTIFICATE----- MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015 UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/ 2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1 MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/ BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA= -----END CERTIFICATE-----] certificate -----BEGIN CERTIFICATE----- MIIC+DCCAp2gAwIBAgIUZdwM99w2DTEFCK1w3TBQITqHUqMwCgYIKoZIzj0EAwQw SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0MjZaFw0yNDA3 MjUxNDU0MjVaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t 
bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAyLmtleWZhY3Rvci1jb21tdW5p dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQCdKMxL2t6ORf8JZsT92nL0z8M W/+Rseuc3/HZ0mFf7oYGbaK3KuwjSt8JFxa248xb+JwFBypd0kk9tbptA7+Ho4IB VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R BEgwRoIhdGVzdC12YXVsdC0wMi5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh dWx0LTAyLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et RzEuY3JsMB0GA1UdDgQWBBTreB/rOSR/Ra/ttNXcI5dEZ6QLvjAOBgNVHQ8BAf8E BAMCBaAwCgYIKoZIzj0EAwQDSQAwRgIhAOCE/Gsyp0PYeCuDn9x/EbYJ2QB8F8Wr 2Hf/SbPxnNJgAiEAk4hO26vR0AOIkOdlgfTPPGcf+MZO6Ueoj+xcaoanZXg= -----END CERTIFICATE----- expiration 1721919265 issuing_ca -----BEGIN CERTIFICATE----- MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015 UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/ 2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV -----END CERTIFICATE----- private_key -----BEGIN EC PRIVATE KEY----- MHcCAQEEIFANef/AcMbGNwZc9XL0vK897vCpZ2rMZY6ftksEM5+ooAoGCCqGSM49 AwEHoUQDQgAEAnSjMS9rejkX/CWbE/dpy9M/DFv/kbHrnN/x2dJhX+6GBm2ityrs 
I0rfCRcWtuPMW/icBQcqXdJJPbW6bQO/hw== -----END EC PRIVATE KEY----- private_key_type ec serial_number 65:dc:0c:f7:dc:36:0d:31:05:08:ad:70:dd:30:50:21:3a:87:52:a3
Request a certificate in pem format with remove_roots_from_chain=true, which, as in Vault's built-in PKI engine, is meant to drop self-signed root certificates from the returned ca_chain. In the output captured below, ca_chain still lists both the sub CA and the root, so check the behaviour of this parameter against your plugin version rather than assuming the root is omitted:
CODE$ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-03.keyfactor-community" \
    alt_names="test-vault-03.keyfactor-community" \
    format="pem" \
    remove_roots_from_chain=true
The output is similar to the following:
CODEKey Value --- ----- ca_chain [-----BEGIN CERTIFICATE----- MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015 UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/ 2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1 MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/ BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/ BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA= -----END CERTIFICATE-----] certificate -----BEGIN CERTIFICATE----- MIIC9jCCAp2gAwIBAgIUQSvvqyz1iMmceyJwMYXQTngxJF0wCgYIKoZIzj0EAwQw SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0NTJaFw0yNDA3 MjUxNDU0NTFaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t 
bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAzLmtleWZhY3Rvci1jb21tdW5p dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASnS/wiAh7PUKSHTjkTp5R3ZM7Q b5WDzN5iH1TKTUCGKijPxabnj9hP01rIpcrGrEoYyewwbTcUfzkuh5L4y2cJo4IB VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R BEgwRoIhdGVzdC12YXVsdC0wMy5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh dWx0LTAzLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et RzEuY3JsMB0GA1UdDgQWBBQ6IBt+b5Fze81KTjqFkb5Ze5Z3iTAOBgNVHQ8BAf8E BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgSTefGBLKXwTPOqsvzbNOJByci+2cpxDc NF5X53SEjUACIG+YHGzmHzcgOqj56jI6fTgNjRpStz86OpsD3ZErk1W/ -----END CERTIFICATE----- expiration 1721919291 issuing_ca -----BEGIN CERTIFICATE----- MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015 UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/ 2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV -----END CERTIFICATE----- private_key -----BEGIN EC PRIVATE KEY----- MHcCAQEEIJBnYuZRQWtF8P/I+HgPSmcq941yHXOVRFF1LAvval06oAoGCCqGSM49 AwEHoUQDQgAEp0v8IgIez1Ckh045E6eUd2TO0G+Vg8zeYh9Uyk1Ahiooz8Wm54/Y 
T9NayKXKxqxKGMnsMG03FH85LoeS+MtnCQ== -----END EC PRIVATE KEY----- private_key_type ec serial_number 41:2b:ef:ab:2c:f5:88:c9:9c:7b:22:70:31:85:d0:4e:78:31:24:5d
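A service consuming certificates from this mount will call the same issue endpoint over Vault's HTTP API rather than the CLI. The following is an added example (not code from this tutorial or from the EJBCA plugin): it builds the POST /v1/ejbca100/issue/tls-server-auth request with the parameters used above, parses the response (the CLI's Key/Value listing is the API's top-level data object), keeps the private key out of repr() and logs, writes the key file with mode 0600, and turns the expiration field (Unix time, equal to the certificate's notAfter) into a renewal check. Mount, role, hostnames and the api.vault address are the tutorial's; SAMPLE_RESPONSE is constructed with placeholder PEM bodies, and the token source, environment variable names and output directory are assumptions.

```python
"""Added example: request a certificate from the ejbca100 mount over the HTTP API."""
import json
import os
import ssl
import stat
import tempfile
import time
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IssuedCert:
    certificate: str
    private_key: str = field(repr=False)   # excluded from repr(), so never logged by accident
    ca_chain: List[str] = field(default_factory=list)
    serial_number: str = ""
    expiration: int = 0                    # Unix time; matches the certificate's notAfter


def issue_request(mount: str, role: str, common_name: str,
                  alt_names: Optional[str] = None, fmt: str = "pem") -> Tuple[str, dict]:
    """API path and JSON body equivalent to: vault write <mount>/issue/<role> ..."""
    body = {"common_name": common_name, "format": fmt}
    if alt_names:
        body["alt_names"] = alt_names
    return f"/v1/{mount}/issue/{role}", body


def parse_issue_response(raw: str) -> IssuedCert:
    """Vault wraps the fields the CLI prints in a top-level "data" object."""
    d = json.loads(raw)["data"]
    return IssuedCert(certificate=d["certificate"], private_key=d["private_key"],
                      ca_chain=list(d.get("ca_chain", [])),
                      serial_number=d["serial_number"], expiration=int(d["expiration"]))


def needs_renewal(cert: IssuedCert, now: Optional[float] = None, margin_s: int = 30 * 86400) -> bool:
    """True when the certificate expires within margin_s seconds (default 30 days)."""
    now = time.time() if now is None else now
    return cert.expiration - now < margin_s


def write_bundle(cert: IssuedCert, outdir: Optional[str] = None) -> Dict[str, str]:
    """Write key.pem (0600, created exclusively so an existing file is never clobbered),
    cert.pem and chain.pem. outdir defaults to a fresh private temp directory (assumed)."""
    outdir = outdir or tempfile.mkdtemp(prefix="vault-cert-")
    paths = {k: os.path.join(outdir, f"{k}.pem") for k in ("key", "cert", "chain")}
    fd = os.open(paths["key"], os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(cert.private_key.rstrip() + "\n")
    with open(paths["cert"], "w") as f:
        f.write(cert.certificate.rstrip() + "\n")
    with open(paths["chain"], "w") as f:
        f.write("".join(c.rstrip() + "\n" for c in cert.ca_chain))
    return paths


def file_mode(path: str) -> int:
    """Permission bits of a file, for checking the key landed as 0600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def request_certificate(addr: str, token: str, cacert: str, mount: str, role: str,
                        common_name: str, alt_names: Optional[str] = None) -> IssuedCert:
    """Live call (not exercised offline). The token's policy must allow update on
    <mount>/issue/<role>; cacert is the CA file otherwise given as VAULT_CACERT."""
    path, body = issue_request(mount, role, common_name, alt_names)
    req = urllib.request.Request(addr + path, data=json.dumps(body).encode(), method="POST",
                                 headers={"X-Vault-Token": token,
                                          "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cacert)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_issue_response(resp.read().decode())


# Constructed response in the shape of the pem-format output above; PEM bodies are placeholders.
SAMPLE_RESPONSE = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nSUBCA\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nSUBCA\n-----END CERTIFICATE-----",
                 "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----"],
    "private_key": "-----BEGIN EC PRIVATE KEY-----\nSECRET\n-----END EC PRIVATE KEY-----",
    "private_key_type": "ec",
    "serial_number": "65:dc:0c:f7:dc:36:0d:31:05:08:ad:70:dd:30:50:21:3a:87:52:a3",
    "expiration": 1721919265}})

if __name__ == "__main__":
    # Assumed usage: VAULT_TOKEN=<consumer token> VAULT_CACERT=ManagementCA.crt python3 issue.py
    cert = request_certificate("https://api.vault", os.environ["VAULT_TOKEN"],
                               os.environ.get("VAULT_CACERT", "ManagementCA.crt"),
                               "ejbca100", "tls-server-auth",
                               "test-vault-04.keyfactor-community",
                               "test-vault-04.keyfactor-community")
    print(cert, write_bundle(cert))   # repr() of cert omits the private key
```

The consumer token should carry only a policy granting update on ejbca100/issue/tls-server-auth, not the root token used during setup, and the key file is created with O_EXCL so a leftover file from an earlier run is never silently overwritten.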
Certificates can now be issued from EJBCA through Vault. This completes the tutorial for deploying HashiCorp Vault with the EJBCA Vault plugin.
Next steps
In this tutorial, you learned how to deploy a three-node Vault cluster and configure the EJBCA Vault PKI Engine plugin to issue certificates from EJBCA through Vault.
Here are some next steps we recommend:
If you are interested in EJBCA Enterprise, read more on Keyfactor EJBCA Enterprise.
If you are interested in EJBCA Community, check out EJBCA Community vs Enterprise or read more on ejbca.org.
If you are an EJBCA Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the EJBCA Community on GitHub Discussions.