Subordinate HashiCorp Vault CA to EJBCA Root

Introduction

Today there is a need for PKI across many use cases in an organization and across many organizational boundaries. A wide range of products and tools may be best suited for a specific use case, while a very diverse spread of PKI makes it difficult to control and uphold encryption and signing policies, key management and trust, etc. A common best practice in PKI is to use a hierarchy of certificate authorities (CAs) to both control and efficiently utilize trust.

Many organizations use HashiCorp Vault to manage secrets and PrimeKey EJBCA for centralized PKI management. It is possible to use both products together in several different ways and the following describes how to set up a Vault CA to be a subordinate (sub) CA or a Root CA in EJBCA. Having a single trust anchor, in the form of a Root CA, is common practice in many organizations and can be achieved by subordinating HashiCorp Vault to EJBCA. 

Prerequisites

The following presents a command line driven approach, which is suitable for scripting and automation. Note that you could perform the same tasks with administrative Web UIs.

The following prerequisites are required to complete the subordination:

  • EJBCA
    • EJBCA deployed with a Root CA
    • A certificate profile in EJBCA for the HashiCorp Vault Subordinate CA
    • An end entity profile in EJBCA for the HashiCorp Vault Subordinate CA that is configured to use the HashiCorp Vault Sub CA certificate profile
    • RA credential that has access to create the HashiCorp Vault Subordinate CA end entity in EJBCA
    • A workstation with the EJBCA Client Toolbox utility configured to use EJBCA
  • HashiCorp Vault
    • HashiCorp Vault installed, initialized, and unsealed
    • JSON processor jq installed on the HashiCorp Vault server
    • Vault command line interface v1.3.4
    • Vault version 1.4.0 Docker container

Subordinate HashiCorp Vault CA to EJBCA Root

To complete a subordination of a Vault CA, follow the steps outlined in the sections below.

Step 1 - HashiCorp Vault Configuration

Perform the following on the Vault server using the Vault command line utility. Access the Vault server using SSH.

  1. Enable the Vault PKI.
    vault secrets enable pki
  2. Create the Vault Subordinate CA.
    vault secrets enable -path=subca01 pki
  3. Create the Subordinate CA Certificate Signing Request (CSR).
    vault write -format=json subca01/intermediate/generate/internal common_name="Vault Intermediate Authority G1" key_bits="2048" | jq -r '.data.csr' > subca01.csr

    The CA DN for the Vault Sub CA is created and enforced on EJBCA. Select the values appropriate for your organization.


  4. Copy the subca01.csr file to the workstation that has the EJBCA Client Toolbox utility configured for performing actions on the EJBCA CA.

Setp 2 - ClientToolBox Workstation Configuration

The following describes interacting with EJBCA using the EJBCA Client Toolbox Web Service CLI tool, which can be run remotely from any workstation with mutual TLS authentication. Note that the same actions can also be performed in the EJBCA CA or RA UIs or with other protocols and APIs. For more information on the EJBCA Web Service CLI, see Using the Web Services CLI and for using the EJBCA user interface in general, refer to the CA Operations Guide.

Perform the following to sign the Sub CA CSR using the EJBCA Web Service CLI tool. Note the following location directory of the CSR file subca01.csr in the steps below: /var/tmp.

  1. Open a terminal window and change directories to the clientToolBox utility.
  2. Create the end entity in EJBCA.
    ./ejbcaClientToolBox.sh EjbcaWsRaCli edituser vault-subca01 foo123 false 'cn=Vault Intermediate Authority G1,ou=Certification Authorities,o=PrimeKey,c=SE' NULL NULL PrimeKey-Root-G1 1 USERGENERATED NEW Hashicorp-SubCAEE Hashicorp-SubCACP
  3. Submit the CSR to be signed.
    ./ejbcaClientToolBox.sh EjbcaWsRaCli pkcs10req vault-subca01 foo123 /var/tmp/subca01.csr PEM NONE /var/tmp/
  4. Obtain the Root CA certificate.
    curl -o /var/tmp/root.crt "https://enrollprimekey.primekey.se/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3DPrimeKey+Root+CA+G1%2COU%3DCertification+Authorities%2CO%3DPrimeKey%2CC%3DSE&level=0"
  5. Add the Root CA certificate to the subca01.crt file.
    cat /var/tmp/root.crt >> /var/tmp/subca01.pem
  6. Copy the subca01.pem file to the Vault server.

Step 3 - Finalize HashiCorp Vault Sub CA Configuration

The following describes how to import the signed certificate to complete the subordination and configure a domain to issue the certificates against. The PEM file should be located in /var/tmp to complete the following steps.

  1. Import the Sub CA certificate into Vault.
    vault write subca01/intermediate/set-signed certificate=@/var/tmp/subca01.pem -format=json"
  2. Create a domain to issue certificates.
    vault write subca01/roles/primekey-se allowed_domains='primekey.se,primekey.som' allow_subdomains='true' max_ttl='160h' key_usage='DigitalSignature, KeyEncipherment' -format=json"
  3. Test issuing a certificate.
    vault write subca01/issue/primekey-se common_name='vault.primekey.se' ttl='24h' -format=json

Using the HashiCorp Vault Sub CA

The HashiCorp subordinate CA can now be used to issue certificates in your HashiCorp environment. The advantage of having HashiCorp CAs signed by a Root CA is that clients that need to be configured with trust anchors, usually to trust more than one subordinate CA, only have to be configured with the Root CA as trust anchor. Also, the central PKI management team can overlook subordinate CAs and revoke sub CAs that have been compromised, or should no longer be used for other reasons.