
I want to set up a private CA for internal services using Vault (HashiCorp). I am generating the Root CA and Intermediate CA certificates outside of Vault. Vault will generate short-lived (30-day) certificates on request.

I followed this guide https://jamielinux.com/docs/openssl-certificate-authority/introduction.html and generated Root CA certificates for example.com & dev.example.com, but do I need a wildcard intermediate certificate *.dev.example.com for Vault to generate further subdomain certificates like one.dev.example.com, two.dev.example.com?

Appreciate any help on this?

roy
  • TLDR, no, just issue and provide the intermediate CA to vault to generate the certs, https://learn.hashicorp.com/tutorials/vault/pki-engine – Jacob Evans Nov 18 '20 at 22:00
  • This process doesn't explain how to use existing intermediate in Vault. – roy Nov 18 '20 at 22:04
  • You'd want a second intermediate, so your existing intermediate would sign the VAULT intermediate; it's OK to have multiple in the chain. – Jacob Evans Nov 19 '20 at 14:44

1 Answer

I think you've misunderstood some terms here; copied from your source:

Intermediate CA

An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of the root CA. The root CA signs the intermediate certificate, forming a chain of trust.

The intermediate certificate SIGNS other certificates; it does not provide the encryption for a site such as *.example.com or subdomains like *.dev.example.com.

The only purpose of an intermediate is to provide protection for the certificate root: if the intermediate's private key is compromised, you revoke it (at the root level) and regenerate your certs, whereas if you didn't have this, you would need to manually remove the CA from ALL endpoints!

What it seems you are trying to do is generate a wildcard certificate, which you will sign with the intermediate CA certificate, to be trusted by systems in your control that have trusted the root certificate.

The website you mentioned does not seem to give clear instructions on using subject alternative names.

Copy the intermediate/openssl.cnf (saved as req.conf below) and append these lines:

# req_extensions must live in the [req] section, otherwise "openssl req" never reads v3_req
# (a repeated [req] header merges into the existing section of the copied config)
[req]
req_extensions = v3_req
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.example.com
DNS.2 = *.m.example.com
DNS.3 = example.com

$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out keypair.csr -keyout keypair.key -config req.conf

Jacob Evans
  • To accommodate the `dev.example.com` & `qa.example.com` subdomains, do these need to be included in the above list of DNS names? – roy Nov 18 '20 at 22:28
  • If you are generating a cert for those domains, yes; if you are generating a signing certificate and having VAULT create those sites, no. – Jacob Evans Nov 19 '20 at 14:44
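The chain Jacob describes in the comments, carried through in code as an added example (not from the thread, and not Vault's own code): the offline root signs the offline intermediate, that intermediate signs a second Vault-style issuing CA, and only the 30-day leaf carries the host name, as a SAN. It goes one step beyond the thread by putting a name constraint on the issuing CA, which is the standards-based way to limit it to dev.example.com without any wildcard; the CA names, serial numbers and lifetimes are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign gives tmpl a fresh P-256 key and has parent sign it; a nil parent means self-signed (the root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ca builds a signing-only CA template; a non-nil permitted list adds a critical name constraint.
func ca(cn string, serial int64, permitted []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, // constructed names
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: permitted != nil,
	}
}

// IssueAndVerify builds root -> offline intermediate -> Vault-style issuing CA (constrained to
// dev.example.com), issues a 30-day leaf for dnsName under it and returns the chain-verification error.
func IssueAndVerify(dnsName string) error {
	root, rootKey := sign(ca("Example Root CA", 1, nil), nil, nil)
	inter, interKey := sign(ca("Example Intermediate CA", 2, nil), root, rootKey)
	vaultCA, vaultKey := sign(ca("Vault Issuing CA", 3, []string{"dev.example.com"}), inter, interKey)
	leaf, _ := sign(&x509.Certificate{ // clients match the SAN below; the CA's own name never matters
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, vaultCA, vaultKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(inter); inters.AddCert(vaultCA)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err
}
func main() { fmt.Println(IssueAndVerify("one.dev.example.com"), IssueAndVerify("qa.example.com")) }
```

The first call verifies cleanly while the second fails, because the issuing CA is only permitted to sign for dev.example.com and its subdomains.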