Root and Intermediate CA Guidance

[erkerb4]

Hello!

I would like to pick everyone's brain about establishing a Root and Intermediate Certificate Authority using the vault-operator. I've seen a couple of discussions on here and Slack, but have not seen enough breadcrumbs to get it working. I'd be happy to do a PR If I can get this to work, so others can take advantage of it.

There is a good starting point at the repo for root CA . I am attempting to make this work with test.local domain just as PoC. I am trying to follow the Vault docs; however, I am falling short.

This block works OK with creating the Root CA:

externalConfig:
  secrets:
    - type: pki
      path: pki
      description: Root Authority for TEST Local
      config:
        max_lease_ttl: 87600h
      configuration:
        config:
        - name: urls 
          issuing_certificates: http://vault.vault:8200/v1/pki/ca
          crl_distribution_points: http://vault.vault:8200/v1/pki/crl
          ocsp_servers: http://vault.vault:8200/v1/pki/ocsp
        root/generate:
        - name: exported
          save_to: "secret/data/pki/ca"
          common_name: Root CA 1
          alt_names: test local
          issuer_name: test-local-root-ca-1
          key_name: test-local-root-ca-1
          ttl: 87600h
          create_only: true
          format: pem
          key_type: rsa
          key_bits: 2048
          signature_bits: 256
          permitted_dns_domains: test.local
        roles:
        - name: test-local-root-ca1
          issuer_ref: test-local-root-ca-1
          allow_localhost: false
          allowed_domains: test.local
          allow_bare_domains: false
          allow_subdomains: false
          allow_glob_domains: false
          allow_any_name: true
          enforce_hostnames: false
          max_ttl: 72h

Step 2, guides you to create a new secret engine at the path of pki_int and generate intermediate CA. The steps are to create a CSR, and get it signed by the root. So this is how I've attempted to replicate it with the config:

- type: pki
  path: pki
  description: Root Authority for TEST Local
  config:
    max_lease_ttl: 87600h
  configuration:
    config:
    - name: urls 
      issuing_certificates: http://vault.vault:8200/v1/pki/ca
      crl_distribution_points: http://vault.vault:8200/v1/pki/crl
      ocsp_servers: http://vault.vault:8200/v1/pki/ocsp
    root/generate:
    - name: exported
      save_to: "secret/data/pki/ca"
      common_name: Root CA 1
      alt_names: test local
      issuer_name: test-local-root-ca-1
      key_name: test-local-root-ca-1
      ttl: 87600h
      create_only: true
      format: pem
      key_type: rsa
      key_bits: 2048
      signature_bits: 256
      permitted_dns_domains: test.local
 < --- NEW BLOCK START --- >
    intermediate/generate:
    - name: exported
      common_name: Intermediate CA 1
      issuer_name: test-local-intermediate-ca-1
      alt_names: test local
      key_name: test-local-intermediate-ca-1
      create_only: true
      save_to: "secret/data/pki/int"
      format: pem
      key_type: rsa
      key_bits: 2048
      signature_bits: 256
 < --- NEW BLOCK END--- >
    roles:
    - name: test-local-root-ca1
      issuer_ref: test-local-root-ca-1
      allow_localhost: false
      allowed_domains: test.local
      allow_bare_domains: false
      allow_subdomains: false
      allow_glob_domains: false
      allow_any_name: true
      enforce_hostnames: false
      max_ttl: 72h
 < --- NEW BLOCK START --- >
- type: pki
  path: pki_int
  description: Intermediate Authority for TEST Local
  config:
    max_lease_ttl: 43800h
 < --- NEW BLOCK END--- >

At this stage, I would expect to have a CSR created, but i do not. vault-configurer complains with the following log entries:

{"level":"warning","msg":"Endpoint ignored these unrecognized parameters: [name]","time":"2023-08-09T18:03:03Z"}
{"level":"error","msg":"error configuring vault: error configuring secret engines for vault: error adding secrets engines: error reading configPath pki/intermediate/generate/exported: Error making API request.\n\nURL: GET http://vault.vault:8200/v1/pki/intermediate/generate/exported\nCode: 405. Errors:\n\n* 1 error occurred:\n\t* unsupported operation\n\n","time":"2023-08-09T18:03:03Z"}
{"level":"info","msg":"Failed applying configuration file: /config/vault-configurer/vault-config.yml , sleeping for 1m0s before trying again","time":"2023-08-09T18:03:03Z"}

It's complaining that pki/intermediate/generate/exported is an unsupported operation. Am I misreading PKI docs : Generate intermediate CSR ?

Any pointers would be appreciated. Thank you for taking the time to go through this discussion.

I am using Bank Vaults 1.21.1 with Vault 1.13.5.

Edit

I also attempted to generate the intermediate at pki_int path, and the results are the same:

- type: pki
  path: pki_int
  description: Intermediate Authority for TEST Local
  config:
    max_lease_ttl: 43800h
  configuration:
    intermediate/generate:
    - name: exported
      common_name: Intermediate CA 1
      issuer_name: test-local-intermediate-ca-1
      alt_names: test local
      key_name: test-local-intermediate-ca-1
      create_only: true
      save_to: "secret/data/pki_int/int_csr"
      format: pem
      key_type: rsa
      key_bits: 2048
      signature_bits: 256

vault-configurer log:

{"level":"error","msg":"error configuring vault: error configuring secret engines for vault: error adding secrets engines: error reading configPath pki_int/intermediate/generate/exported: Error making API request.\n\nURL: GET http://vault.vault:8200/v1/pki_int/intermediate/generate/exported\nCode: 405. Errors:\n\n* 1 error occurred:\n\t* unsupported operation\n\n","time":"2023-08-09T18:34:21Z"}

[cemarp]

I believe your problem is you need to set up a new path for the intermediate as well. Try putting the new blocks at the bottom under pki_int

[erkerb4]

Thank you for your response! I did attempt to create a new path for intermediate:

  externalConfig:
    secrets:
    - type: pki
      path: pki
      description: Root Authority for TEST Local
      config:
      ....
      ....
    - type: pki
      path: pki_int
      description: Intermediate Authority for TEST Local
      config:
        max_lease_ttl: 43800h
      configuration:
        intermediate/generate:
        - name: exported
          common_name: Intermediate CA 1
          issuer_name: test-local-intermediate-ca-1
          alt_names: test local
          key_name: test-local-intermediate-ca-1
          create_only: true
          save_to: "secret/data/pki_int/int_csr"
          format: pem
          key_type: rsa
          key_bits: 2048
          signature_bits: 256

This was the response I've seen at vault-configurer logs:

{"level":"error","msg":"error configuring vault: error configuring secret engines for vault: error adding secrets engines: error reading configPath pki_int/intermediate/generate/exported: Error making API request.\n\nURL: GET http://vault.vault:8200/v1/pki_int/intermediate/generate/exported\nCode: 405. Errors:\n\n* 1 error occurred:\n\t* unsupported operation\n\n","time":"2023-08-09T18:34:21Z"}

[frnode]

@erkerb4 did you manage to do this?

Thank you

[erkerb4]

I was not able to get it to work with the operator. At the time, I abandoned this method, and wrote an Ansible playbook to create the root and intermediate. We used to run the job every time we synced changes (with ArgoCD).

[frnode]

Okay, thank you very much for your feedback !