Learn how to deploy a three-node Vault cluster and configure the EJBCA PKI Secrets Engine for HashiCorp Vault plugin to issue certificates from EJBCA through Vault.

PKI administrators who want to standardize on EJBCA as the single place to manage certificates, while still allowing certificates to be issued through HashiCorp Vault, should find this tutorial helpful. The steps show how to deploy HashiCorp Vault integrated with EJBCA so that users request certificates from Vault and EJBCA issues them.

In this tutorial, you will learn how to:

  • Configure EJBCA for the HashiCorp Vault EJBCA plugin
  • Create keys and certificate signing requests (CSRs) to request certificates from EJBCA for the HashiCorp Vault EJBCA plugin
  • Create Certificates from the CSRs using EJBCA
  • Deploy HashiCorp Vault with the EJBCA Vault plugin
  • Configure the EJBCA Plugin to issue certificates from EJBCA

Prerequisites

Before you begin, you need:

For more information on the EJBCA PKI Secrets Engine for HashiCorp Vault plugin, refer to Keyfactor GitHub.

Step 1 - Configure EJBCA for the HashiCorp Vault EJBCA plugin

Follow these steps to configure a certificate profile and an end entity profile in EJBCA, and add a RA role for Vault.

Create certificate profile

To create a certificate profile, do the following:

  1. Go to the EJBCA Administration user interface using a web browser.
  2. In EJBCA, under CA Functions, click Certificate Profiles.
  3. Click Clone by the TLS Server Profile template to create a new profile using that template.
  4. Name the new certificate profile TlsServerRsa-1y, and click Create from template.
  5. To edit the profile default values to fit your needs, find the newly created TlsServerRsa-1y profile displayed in the list and click Edit.
  6. On the Edit page, update the following:
    • Select RSA for the Available Key Algorithms (this should be the only option selected).
    • Select 2048, 3072, and 4096 for the Available Bit Lengths.
    • For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
  7. To store the certificate profile, click Save.

The TlsServerRsa-1y profile is displayed in the list of certificate profiles.

Create end entity profile

To update the end entity profile, do the following:

  1. In EJBCA, under RA Functions, click End Entity Profiles.
  2. Select the TLS Server Profile, and click Edit End Entity Profile.
  3. Edit the profile and update the following:
    • In the Other Subject Attributes section, select DNS Name from the Subject Alternative Name list, and click Add.
    • In the Other Subject Attributes section, select IP Address from the Subject Alternative Name list, and click Add.
    • In the Available Certificate Profiles section, select the TlsServerRsa-1y in addition to the other profile selected.
    • For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
  4. Click Save to store the end entity profile.

The end entity profile is displayed in the list of end entity profiles.

Create role

To create an RA role for Vault and authorize actions in EJBCA:

  1. In EJBCA, under System Functions, click Roles and Access Rules.
  2. Next to the list of available roles, click Add.
  3. For Role name, specify RA-Vault and click Add.
    The Roles Management page now lists the RA-Vault role.
  4. To update the access rules for the role, click Access Rules for the RA-Vault role.
  5. On the Edit Access Rules page, edit the following:
    • For Role Template, select RA Administrators.
    • For Authorized CAs, select MyPKISubCA-G1.
    • For End Entity Profiles, select TLS Client Profile and TLS Server Profile.
  6. Click Save to store the updated access rules for the role.
  7. At the top right of the Edit Access Rules page, click Advanced Mode.

    • Under Regular Access Rules, select Allow for /ca_functionality/view_ca/.

  8. Click Save.
  9. At the top right of the Edit Access Rules page, click Members.
  10. Members are defined by an attribute from the certificate DN and the serial number:
    • Match with: Select X509:CN, Common name.
    • CA: Verify that Management CA is selected for the CA to match on.
    • Match Value: Specify the name value from the certificate, in this example: "vault-ra-01". Note that this is a case-sensitive matching.
  11. Click Add to add the user to the role.

An RA role for Vault has been created and the TLS Server Profile was updated to include an IP Address in the Subject Alternative Name as an option.

Step 2 - Create Keys and Certificate Signing Requests (CSRs)

To prepare for the HashiCorp Vault deployment, you will download the Vault command line interface and use OpenSSL to generate private keys and certificate signing requests (CSRs).

Download the Vault CLI and generate the CSRs:

  1. SSH to the MicroK8s test host that has EJBCA deployed and configured.
  2. In your terminal, enter the following to create a directory to organize all the files for this tutorial:

    $ mkdir vault
  3. Change to the vault directory:

    $ cd vault
  4. Download the vault binary to use vault locally once deployed:

    $ curl -O https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_linux_amd64.zip
  5. Unzip the archive and remove the zip file:

    $ unzip -q vault_1.15.4_linux_amd64.zip && rm -f vault_1.15.4_linux_amd64.zip
  6. Create environment variables used to create CSRs for certificates issued from EJBCA that Vault will use:

    $ export VAULT_K8S_NAMESPACE="vault" VAULT_SERVICE_NAME="vault-internal" K8S_CLUSTER_NAME="cluster.local"
  7. Create an OpenSSL configuration file for the TLS certificate of the Vault instances:

    $ cat > vault-internal.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = yes
    distinguished_name = kubelet_serving
    req_extensions = v3_req
    [ kubelet_serving ]
    C = SE
    O = Keyfactor Community
    CN = system:node:*.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}
    [ v3_req ]
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = *.${VAULT_SERVICE_NAME}
    DNS.2 = *.${VAULT_SERVICE_NAME}.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}
    DNS.3 = *.${VAULT_K8S_NAMESPACE}
    DNS.4 = vault-active
    IP.1 = 127.0.0.1
    
    EOF
  8. Generate private key and create the CSR using the OpenSSL configuration file:

    $ openssl req -new -newkey rsa:2048 -nodes -keyout vault-internal.key -sha256 -out vault-internal.csr -config vault-internal.conf
  9. Create an OpenSSL configuration file for the Ingress TLS certificate, which is used to reach Vault from outside the Kubernetes cluster:

    $ cat > api.vault.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = yes
    distinguished_name = kubelet_serving
    req_extensions = v3_req
    [ kubelet_serving ]
    C = SE
    O = Keyfactor Community
    CN = api.vault
    [ v3_req ]
    keyUsage = digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = api.vault
    
    EOF
  10. Generate the private key and create the CSR using the OpenSSL configuration file for the external Ingress TLS certificate:

    $ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -sha256 -out api.vault.csr -config api.vault.conf
  11. Create an OpenSSL configuration file for the Vault RA credential:

    $ cat > vault-ra-01.conf <<EOF
    [req]
    default_bits = 2048
    prompt = no
    encrypt_key = yes
    distinguished_name = kubelet_serving
    req_extensions = v3_req
    [ kubelet_serving ]
    C = SE
    O = Keyfactor Community
    CN = vault-ra-01
    [ v3_req ]
    keyUsage = digitalSignature
    extendedKeyUsage = clientAuth
    
    EOF
  12. Generate the private key and create the CSR using the OpenSSL configuration file for the Vault RA credential:

    $ openssl req -new -newkey rsa:2048 -nodes -keyout vault-ra-01-key.pem -sha256 -out vault-ra-01.csr -config vault-ra-01.conf
  13. Output the vault-internal.csr to the terminal to use in a later step:

    $ cat vault-internal.csr
  14. The vault-internal.csr is displayed in the terminal:

    -----BEGIN CERTIFICATE REQUEST-----
    (base64-encoded CSR body omitted)
    -----END CERTIFICATE REQUEST-----
  15. Output the api.vault.csr to the terminal to use in a later step:

    $ cat api.vault.csr
  16. The api.vault.csr is displayed in the terminal:

    -----BEGIN CERTIFICATE REQUEST-----
    (base64-encoded CSR body omitted)
    -----END CERTIFICATE REQUEST-----
  17. Output the vault-ra-01.csr to the terminal to use in a later step:

    $ cat vault-ra-01.csr
  18. The vault-ra-01.csr is displayed in the terminal:

    -----BEGIN CERTIFICATE REQUEST-----
    (base64-encoded CSR body omitted)
    -----END CERTIFICATE REQUEST-----

The Vault CLI is downloaded, and certificate signing requests have been created to be used for the Vault integration with EJBCA.

Step 3 - Create Certificates from the CSRs Using EJBCA RA UI

The CSRs generated in Step 2 - Create Keys and Certificate Signing Requests (CSRs) must be signed before Vault can be deployed. The EJBCA RA Web is used to issue the certificates by signing the CSRs. Once the CSRs are signed, the certificate files are uploaded to the Kubernetes server and staged for the Vault deployment.

To complete the certificate issuance for the CSRs generated in Step 2, follow these steps:

  1. Go to the EJBCA RA Web using a web browser.
  2. Click Make New Request and update the following:
    • Select TLS Server Profile for the Certificate Type.
    • Select TlsServerRsa-1y for the Certificate subtype.
    • Select ManagementCA for the CA.
    • Select Provided by user radio button for Key-pair generation.

    • Paste the contents of the vault-internal.csr from the terminal window into the CSR text field (the first PEM output in the terminal window).
    • Click Upload CSR.
    • Enter vault-internal for the Username.
    • Click Download PEM full chain.
  3. Select Reset at the bottom of the page to make another request.
    • Select TLS Server Profile for the Certificate Type.
    • Select ManagementCA for the CA.
    • Select Provided by user for Key-pair generation.
    • Paste the contents of the api.vault.csr from the terminal window into the CSR text field (the second PEM output in the terminal window).
    • Click Upload CSR.
    • Enter api.vault for the Username.
    • Click Download PEM full chain.
  4. Select Reset at the bottom of the page to make another request.
    • Select RA-Administrator for the Certificate Type.
    • Select Provided by user for Key-pair generation.
    • Paste the contents of the vault-ra-01.csr from the terminal window into the CSR text field (the third PEM output in the terminal window).
    • Click Upload CSR.
    • Enter vault-ra-01 for the Username.
    • Click Download PEM full chain.
  5. Return to the terminal window and open a new tab or terminal window.
  6. In your terminal, enter the following to upload files to the MicroK8s VM:

    • Upload the systemnode.vault.svc.cluster.local.pem file to the MicroK8s VM:

      $ scp ~/Downloads/systemnode.vault.svc.cluster.local.pem user@172.16.170.187:~/vault/vault-internal.crt
      • Type the password to the user account if prompted for the password.
    • Upload the api.vault file to the MicroK8s VM:

      $ scp ~/Downloads/api.vault.pem user@172.16.170.187:~/vault/server.crt
      • Type the password to the user account if prompted for the password.
    • Upload the vault-ra-01.pem file to the MicroK8s VM:

      $ scp ~/Downloads/vault-ra-01.pem user@172.16.170.187:~/vault/vault-ra-01-crt.pem

      Replace the IP address (172.16.170.187) and the username (user) in the scp commands with the IP address or FQDN of the MicroK8s VM and the account used to access it; the values shown are examples to show the complete command.

  7. Return to the terminal window or tab of the MicroK8s session.

  8. Continuing from the ~/vault directory, output the vault-internal.crt to the terminal:

    $ cat vault-internal.crt
  9. The output is similar to the following:

    Subject: CN=system:node:*.vault.svc.cluster.local,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    (base64-encoded certificate body omitted)
    -----END CERTIFICATE-----
    Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    (base64-encoded certificate body omitted)
    -----END CERTIFICATE-----
  10. Select and copy the ManagementCA certificate (the PEM block at the end of the output).
  11. Create the ManagementCA.crt file.

    $ vim ManagementCA.crt
  12. Paste the ManagementCA certificate into the file.

    Subject: CN=ManagementCA,O=Keyfactor Community,C=SE
    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    (base64-encoded certificate body omitted)
    -----END CERTIFICATE-----
  13. Save and close the file.
  14. Download the CA chain of the EC CA in PEM format, authenticating to the RA web API with the Vault RA credential:

    $ curl -X GET --cert vault-ra-01-crt.pem --key vault-ra-01-key.pem --cacert ManagementCA.crt "https://ejbca-internal.ejbca-k8s/ejbca/ra/cert?caid=-1419783344&chain=true&format=pem" -H "accept: */*" -o cacerts.pem
  15. Append the Management CA to the cacerts.pem file:

    $ cat ManagementCA.crt >> cacerts.pem

Certificates are now issued and uploaded to the MicroK8s VM and staged to use for the deployment. Continue to the next step to deploy HashiCorp Vault with the EJBCA Vault Plugin.
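As an added example (not part of this tutorial or of the Keyfactor project), the script below reproduces the Step 2 request files and CSRs from parameters and adds the checks a practitioner wants before Step 4: each CSR verifies and carries the expected SANs and EKU before it is pasted into the RA Web, and each certificate returned by EJBCA chains to ManagementCA.crt, matches its private key and is not near expiry before it goes into a Kubernetes secret. The function names, the 24-hour expiry margin and the use of only the openssl CLI are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the Keyfactor tutorial: builds the tutorial's OpenSSL
# request files from parameters, generates the keys and CSRs the same way, and adds
# checks on the CSRs (before the RA Web) and on the issued certificates (before the
# Kubernetes secrets). Needs only the openssl CLI; names and the 24h margin are choices of this example.

# write_req_conf NAME CN EKU [SAN ...]
#   EKU is serverAuth or clientAuth; each SAN is DNS:<name> or IP:<address>.
#   Writes NAME.conf with the same sections as the tutorial's vault-internal.conf.
write_req_conf() {
  local name=$1 cn=$2 eku=$3 ku san d=0 i=0
  shift 3
  case $eku in
    serverAuth) ku='digitalSignature, keyEncipherment' ;;
    clientAuth) ku='digitalSignature' ;;
    *) echo "write_req_conf: unknown EKU '$eku'" >&2; return 1 ;;
  esac
  for san in "$@"; do
    case $san in DNS:*|IP:*) ;; *) echo "write_req_conf: bad SAN '$san'" >&2; return 1 ;; esac
  done
  {
    printf '[req]\ndefault_bits = 2048\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
    printf '[ dn ]\nC = SE\nO = Keyfactor Community\nCN = %s\n' "$cn"
    printf '[ v3_req ]\nkeyUsage = %s\nextendedKeyUsage = %s\n' "$ku" "$eku"
    if [ $# -gt 0 ]; then
      printf 'subjectAltName = @alt_names\n[alt_names]\n'
      for san in "$@"; do
        case $san in
          DNS:*) d=$((d + 1)); printf 'DNS.%d = %s\n' "$d" "${san#DNS:}" ;;
          IP:*)  i=$((i + 1)); printf 'IP.%d = %s\n'  "$i" "${san#IP:}" ;;
        esac
      done
    fi
  } > "$name.conf"
}

# gen_csr NAME: 2048-bit RSA key and CSR from NAME.conf (the tutorial's openssl req command).
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -sha256 \
    -out "$1.csr" -config "$1.conf" >/dev/null 2>&1
}

# csr_check CSR WANT...: self-signature verifies and the decoded CSR contains every
# WANT string, e.g. 'DNS:api.vault', 'IP Address:127.0.0.1', 'TLS Web Server Authentication'.
csr_check() {
  local csr=$1 text w
  shift
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "$csr: self-signature does not verify" >&2; return 1; }
  text=$(openssl req -in "$csr" -noout -text)
  for w in "$@"; do
    printf '%s\n' "$text" | grep -Fq -- "$w" || { echo "$csr: missing '$w'" >&2; return 1; }
  done
}

# cert_check CERT KEY CAFILE WANT...: the issued certificate chains to CAFILE
# (ManagementCA.crt in the tutorial), is more than 24h from expiry, carries the public
# key of KEY and contains every WANT string. Run on the "PEM full chain" downloads
# before creating the vault-ha-tls and tls-api-vault secrets.
cert_check() {
  local cert=$1 key=$2 ca=$3 text w
  shift 3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to $ca" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "$cert: expires within 24h" >&2; return 1; }
  # Same SubjectPublicKeyInfo on both sides, or Vault cannot load the TLS pair.
  [ "$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)" = \
    "$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)" ] \
    || { echo "$cert: public key does not match $key" >&2; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  for w in "$@"; do
    printf '%s\n' "$text" | grep -Fq -- "$w" || { echo "$cert: missing '$w'" >&2; return 1; }
  done
}

# make_tutorial_csrs: the three Step 2 requests, using the variables the tutorial exports.
make_tutorial_csrs() {
  local ns=${VAULT_K8S_NAMESPACE:-vault} svc=${VAULT_SERVICE_NAME:-vault-internal} cl=${K8S_CLUSTER_NAME:-cluster.local}
  write_req_conf vault-internal "system:node:*.$ns.svc.$cl" serverAuth \
    "DNS:*.$svc" "DNS:*.$svc.$ns.svc.$cl" "DNS:*.$ns" DNS:vault-active IP:127.0.0.1 &&
  write_req_conf api.vault api.vault serverAuth DNS:api.vault &&
  write_req_conf vault-ra-01 vault-ra-01 clientAuth &&
  gen_csr vault-internal && gen_csr api.vault && gen_csr vault-ra-01 &&
  csr_check vault-internal.csr "DNS:*.$svc" 'IP Address:127.0.0.1' 'TLS Web Server Authentication' &&
  csr_check api.vault.csr DNS:api.vault 'TLS Web Server Authentication' &&
  csr_check vault-ra-01.csr 'TLS Web Client Authentication'
}

# Run as `sh vault_csr_checks.sh csrs` in ~/vault to create the files; then, after EJBCA
# has issued them: cert_check vault-internal.crt vault-internal.key ManagementCA.crt ...
if [ "${1:-}" = csrs ]; then make_tutorial_csrs; fi
```

The key file names differ from the tutorial's (vault-internal.key versus vault-ra-01-key.pem for the RA credential), so rename or adjust the secret commands accordingly.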

Step 4 - Deploy HashiCorp Vault with EJBCA Vault Plugin

Next, deploy HashiCorp Vault using a Helm chart that uses the certificates created in the previous step.

To deploy Vault, follow these steps:

  1. Create a namespace to deploy Vault into:

    $ kubectl create namespace vault

    • The output is similar to the following:

      namespace/vault created
  2. Create a ConfigMap containing the EJBCA CA trust chain; it is mounted into the Vault container so that the plugin trusts the EJBCA TLS certificate:

    $ kubectl -n vault create configmap vault-tls-trust-chain-configmap --from-file=ca-certificates.crt=cacerts.pem

    • The output is similar to the following:

      configmap/vault-tls-trust-chain-configmap created
  3. Create a secret with the certificate, key, and CA certificate for vault-internal:

    $ kubectl create secret generic vault-ha-tls \
       -n vault \
       --from-file=vault.key=vault-internal.key \
       --from-file=vault.crt=vault-internal.crt \
       --from-file=vault.ca=ManagementCA.crt

    • The output is similar to the following:

      secret/vault-ha-tls created
  4. Create a TLS secret with the certificate and key for ingress:

    $ kubectl -n vault create secret tls tls-api-vault --cert server.crt --key server.key

    • The output is similar to the following:

      secret/tls-api-vault created
  5. Add the HashiCorp Vault repo to deploy with Helm:

    $ helm repo add hashicorp https://helm.releases.hashicorp.com

    • The output is similar to the following:

      "hashicorp" has been added to your repositories
  6. Download the overrides.yaml file from the Keyfactor Community GitHub repository:

    $ curl -LOs https://raw.githubusercontent.com/Keyfactor/keyfactorcommunity/feature/Add-Vault-Vars-tutorial/apps-integration/hashicorp-vault/overrides.yaml
    • You could make changes to the file at this point, but the overrides.yaml file is already set up for this tutorial, so no changes are needed.
  7. Deploy Vault using Helm chart:

    $ helm install vault hashicorp/vault -f overrides.yaml --namespace vault
    • The output is similar to the following:

      NAME: vault
      LAST DEPLOYED: Wed Jun 14 12:45:09 2023
      NAMESPACE: vault
      STATUS: deployed
      REVISION: 1
      NOTES:
      Thank you for installing HashiCorp Vault!
      
      Now that you have deployed Vault, you should look over the docs on using
      Vault with Kubernetes available here:
      
      https://www.vaultproject.io/docs/
      
      
      Your release is named vault. To learn more about the release, try:
      
        $ helm status vault
        $ helm get manifest vault
  8. You can use the following monitoring commands to view what is going on with the deployment:

    $ kubectl -n vault get pods
    
    $ kubectl --namespace='vault' get all
    
    $ kubectl -n vault get all,ingress,secret,no,pvc
    
    $ kubectl -n vault describe pod/vault-0
    
    $ kubectl -n vault logs pod/vault-0
    
    $ kubectl -n vault logs pod/vault-0 -c ejbca-vault-plugin

Vault is now deployed with the certificates from EJBCA and the EJBCA Vault plugin, and is ready to be initialized. Continue to the next step to initialize Vault.

Step 5 - Initialize Vault

Before Vault can be used it must be initialized on one of the nodes, and the other two nodes must then join the cluster. Each node also has to be unsealed by supplying the required threshold of unseal keys.

To complete the Vault initialization and begin using the cluster, follow these steps:

  1. Continuing from the terminal used in the previous step, initialize Vault and save the unseal keys to the cluster-keys.json file:

    $ kubectl exec -n vault vault-0 -- vault operator init \
        -key-shares=5 \
        -key-threshold=3 \
        -format=json > ./cluster-keys.json

    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
  2. Create environment variables for three unseal keys to unseal the vault nodes:

    $ export VAULT_UNSEAL_KEY0=$(jq -r ".unseal_keys_b64[0]" cluster-keys.json)
    $ export VAULT_UNSEAL_KEY1=$(jq -r ".unseal_keys_b64[1]" cluster-keys.json)
    $ export VAULT_UNSEAL_KEY2=$(jq -r ".unseal_keys_b64[2]" cluster-keys.json)

  3. Unseal the first instance of Vault by supplying three of the key shares (the threshold set at initialization):

    $ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY0
    $ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1
    $ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    1/3
      Unseal Nonce       8c48fbd6-019c-2aa9-8f2f-a8b62e997268
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    2/3
      Unseal Nonce       8c48fbd6-019c-2aa9-8f2f-a8b62e997268
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                     Value
      ---                     -----
      Seal Type               shamir
      Initialized             true
      Sealed                  false
      Total Shares            5
      Threshold               3
      Version                 1.13.1
      Build Date              2023-03-23T12:51:35Z
      Storage Type            raft
      Cluster Name            vault-cluster-af3cf4e1
      Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
      HA Enabled              true
      HA Cluster              https://vault-0.vault-internal:8201
      HA Mode                 active
      Active Since            2023-07-29T14:29:15.391001943Z
      Raft Committed Index    36
      Raft Applied Index      36
  4. Open a shell in the second Vault instance (vault-1) so that it can be joined to the Vault cluster:

    $ kubectl exec -n vault -it vault-1 -- /bin/sh
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      / $
  5. Join the second Vault instance to the Vault cluster:

    $ vault operator raft join \
        -address=https://vault-1.vault-internal:8200 \
        -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" \
        -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" \
        -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" \
        https://vault-0.vault-internal:8200
    • The output is similar to the following:

      Key       Value
      ---       -----
      Joined    true
  6. Exit the shell on the second Vault instance:

    $ exit
  7. Unseal the second Vault instance (vault-1):

    $ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY0
    kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1
    kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    1/3
      Unseal Nonce       f9f2c78c-c615-a91b-b7b2-25c0b711dd2f
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    2/3
      Unseal Nonce       f9f2c78c-c615-a91b-b7b2-25c0b711dd2f
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                     Value
      ---                     -----
      Seal Type               shamir
      Initialized             true
      Sealed                  false
      Total Shares            5
      Threshold               3
      Version                 1.13.1
      Build Date              2023-03-23T12:51:35Z
      Storage Type            raft
      Cluster Name            vault-cluster-af3cf4e1
      Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
      HA Enabled              true
      HA Cluster              https://vault-0.vault-internal:8201
      HA Mode                 standby
      Active Node Address     https://10.1.89.154:8200
      Raft Committed Index    37
      Raft Applied Index      37
  8. Open a shell in the third Vault instance (vault-2) so that it can be joined to the Vault cluster:

    $ kubectl exec -n vault -it vault-2 -- /bin/sh
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      / $
  9. Join the third Vault instance to the Vault cluster:

    $ vault operator raft join \
        -address=https://vault-2.vault-internal:8200 \
        -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" \
        -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" \
        -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" \
        https://vault-0.vault-internal:8200
    • The output is similar to the following:

      Key       Value
      ---       -----
      Joined    true
  10. Exit the shell on the third Vault instance:

    $ exit
  11. Unseal the third Vault instance (vault-2):

    $ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY0
    kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1
    kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    1/3
      Unseal Nonce       24c26cf4-fe74-2829-f005-ad46f1796a66
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                Value
      ---                -----
      Seal Type          shamir
      Initialized        true
      Sealed             true
      Total Shares       5
      Threshold          3
      Unseal Progress    2/3
      Unseal Nonce       24c26cf4-fe74-2829-f005-ad46f1796a66
      Version            1.13.1
      Build Date         2023-03-23T12:51:35Z
      Storage Type       raft
      HA Enabled         true
      [user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2
      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Key                     Value
      ---                     -----
      Seal Type               shamir
      Initialized             true
      Sealed                  false
      Total Shares            5
      Threshold               3
      Version                 1.13.1
      Build Date              2023-03-23T12:51:35Z
      Storage Type            raft
      Cluster Name            vault-cluster-af3cf4e1
      Cluster ID              585b2724-0e39-c9c6-e438-91591c3d0487
      HA Enabled              true
      HA Cluster              https://vault-0.vault-internal:8201
      HA Mode                 standby
      Active Node Address     https://10.1.89.154:8200
      Raft Committed Index    41
      Raft Applied Index      41
  12. Unset the environment variables that hold the three unseal keys:

    $ unset VAULT_UNSEAL_KEY0 VAULT_UNSEAL_KEY1 VAULT_UNSEAL_KEY2

Vault is now initialized, unsealed, and ready for the EJBCA Vault plugin to be configured.
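
The unseal and join sequence above is typed by hand once per node. With a Shamir seal, the nodes come back sealed after every pod restart, so the same three-share unseal has to be repeated. The script below is an added example, not part of the tutorial: it unseals each node with only as many shares as the threshold requires, skips nodes that are already unsealed, and then checks that every node is unsealed and listed in the Raft configuration. It assumes the tutorial's namespace (vault), pod names (vault-0 to vault-2), container name (vault) and cluster-keys.json; the variable names and the RUN_UNSEAL guard are this example's own. cluster-keys.json holds all five shares and the root token in clear text, so the script reads only the three shares it needs, and the file should stay on the administration host with restrictive permissions. Every call to the vault CLI goes through one function so that the logic can be exercised against a stub before it is pointed at a live cluster.

```shell
#!/bin/sh
# Added example (not part of the tutorial): unseal the three Raft nodes with the
# threshold number of shares from cluster-keys.json and verify the cluster.
# Assumes the tutorial's namespace (vault), pod names (vault-0..vault-2),
# container name (vault) and key file (./cluster-keys.json).
set -eu

K8S_NS="${K8S_NS:-vault}"
KEY_FILE="${KEY_FILE:-./cluster-keys.json}"

# Every call to the vault CLI inside a pod goes through this one function.
# Naming the container (-c vault) avoids kubectl's "Defaulted container" notice.
vault_in_pod() {
  _pod="$1"; shift
  kubectl exec -n "$K8S_NS" -c vault "$_pod" -- vault "$@"
}

# Extract the value of the "Sealed" row from `vault status` or
# `vault operator unseal` table output ("true" or "false").
sealed_field() {
  awk '$1 == "Sealed" { print $2 }'
}

# True (0) when the node reports Sealed=true. `vault status` exits with 2 on a
# sealed node, so its exit status is discarded and only the table row is used.
node_sealed() {
  state=$( { vault_in_pod "$1" status || true; } | sealed_field )
  [ "$state" = "true" ]
}

# Feed shares one at a time and stop at the first one that unseals the node,
# so a share that is not needed is never sent. Fails if the shares run out.
unseal_node() {
  pod="$1"; shift
  if ! node_sealed "$pod"; then
    echo "$pod: already unsealed"
    return 0
  fi
  for share in "$@"; do
    if [ "$(vault_in_pod "$pod" operator unseal "$share" | sealed_field)" = "false" ]; then
      echo "$pod: unsealed"
      return 0
    fi
  done
  echo "$pod: still sealed after $# share(s)" >&2
  return 1
}

# Every node must be unsealed and the Raft configuration must list each one.
# `-format=json` prints one "node_id" line per server, which is counted here.
verify_cluster() {
  for pod in "$@"; do
    if node_sealed "$pod"; then
      echo "$pod: sealed" >&2
      return 1
    fi
  done
  peers=$( vault_in_pod "$1" operator raft list-peers -format=json | grep -c '"node_id"' || true )
  if [ "$peers" -ne "$#" ]; then
    echo "expected $# raft peers, found $peers" >&2
    return 1
  fi
}

# Read only the first <threshold> shares from the init output. The file also
# holds the root token in clear text; keep it on the admin host, mode 0600.
read_shares() {
  jq -r '.unseal_threshold as $t | .unseal_keys_b64[:$t][]' "$KEY_FILE"
}

# Touch the live cluster only when RUN_UNSEAL=1, so the functions can be
# sourced (or tested with a stubbed vault_in_pod) without calling kubectl.
if [ "${RUN_UNSEAL:-0}" = "1" ]; then
  SHARES=$(read_shares)
  for pod in vault-0 vault-1 vault-2; do
    # Shares are base64 without whitespace, so word splitting is safe here.
    unseal_node "$pod" $SHARES
  done
  verify_cluster vault-0 vault-1 vault-2
  unset SHARES
fi
```

Run it as `RUN_UNSEAL=1 sh unseal.sh` from the directory holding cluster-keys.json; without the variable the script only defines its functions. Note that `vault operator unseal` exits 0 whether or not the node is unsealed afterwards, which is why the script reads the Sealed row instead of relying on exit codes.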

 

Step 6 - Configure EJBCA Vault Plugin

To issue certificates with the EJBCA Vault plugin, the plugin has to be enabled and configured with access to EJBCA.

Enable and configure the EJBCA Vault plugin:

  1. Continuing from the terminal used in the previous step, create an environment variable holding the root token used to log in to Vault:

    $ export CLUSTER_ROOT_TOKEN=$(jq -r ".root_token" cluster-keys.json)

  2. Log in to Vault as the root user:

    $ kubectl exec -n vault vault-0 -- vault login $CLUSTER_ROOT_TOKEN
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Success! You are now authenticated. The token information displayed below
      is already stored in the token helper. You do NOT need to run "vault login"
      again. Future Vault requests will automatically use this token.
      
      Key                  Value
      ---                  -----
      token                hvs.9tQdMV8ygFINYGc7E5QzKMUn
      token_accessor       udQyRMMtJHWEwi3GhqaNqc9j
      token_duration       ∞
      token_renewable      false
      token_policies       ["root"]
      identity_policies    []
      policies             ["root"]
  3. Compute the hash of the EJBCA Vault Plugin binary:

    $ export SHA256=$(kubectl exec -n vault vault-0 -- sha256sum /usr/local/libexec/vault/ejbca-vault-pki-engine | cut -d ' ' -f1)
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
  4. Add the EJBCA Vault Plugin to Vault using the hash computed from the previous step:

    $ kubectl exec -n vault vault-0 -- vault write sys/plugins/catalog/secret/ejbca-vault-pki-engine sha_256=$SHA256 command="ejbca-vault-pki-engine"
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Success! Data written to: sys/plugins/catalog/secret/ejbca-vault-pki-engine
  5. Enable the EJBCA Vault plugin:

    $ kubectl exec -n vault vault-0 -- vault secrets enable -path=ejbca100 -plugin-name=ejbca-vault-pki-engine plugin
    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)
      Success! Enabled the ejbca-vault-pki-engine secrets engine at: ejbca100/
  6. Look up the cluster IP address of the EJBCA internal service and add a hosts file entry for it on the MicroK8s VM:

    $ EJBCA_INTERNAL_SVC=$(kubectl -n ejbca-k8s get service/ejbca-internal -o jsonpath='{.spec.clusterIP}')
    
    $ sudo bash -c 'echo '"${EJBCA_INTERNAL_SVC} ejbca-internal.ejbca-k8s"' >> /etc/hosts'
  7. Look up the load balancer IP address and add the api.vault name to its hosts file entry on the MicroK8s VM:

    $ theIP="$(kubectl -n ingress get services -o json | jq -r '.items[] |.status.loadBalancer?|.ingress[]?|.ip ' | cut -d : -f 2)"
    $ sudo sed -i "s|${theIP} |${theIP} api.vault |" /etc/hosts
  8. Add two environment variables used to connect to Vault with the Vault CLI binary:

    $ export VAULT_CACERT=ManagementCA.crt
    export VAULT_ADDR="https://api.vault"
  9. Log in to Vault with the Vault CLI binary:

    $ ./vault login $CLUSTER_ROOT_TOKEN
    • The output is similar to the following:

      Success! You are now authenticated. The token information displayed below
      is already stored in the token helper. You do NOT need to run "vault login"
      again. Future Vault requests will automatically use this token.
      
      Key                  Value
      ---                  -----
      token                hvs.9tQdMV8ygFINYGc7E5QzKMUn
      token_accessor       udQyRMMtJHWEwi3GhqaNqc9j
      token_duration       ∞
      token_renewable      false
      token_policies       ["root"]
      identity_policies    []
      policies             ["root"]
  10. Configure the EJBCA Vault plugin with the EJBCA connection details and the default CA and profiles for issuing the TLS Server Profile from EJBCA:

    $ ./vault write ejbca100/config \
    hostname="https://ejbca-internal.ejbca-k8s/ejbca" \
    client_cert=@./vault-ra-01-crt.pem \
    client_key=@./vault-ra-01-key.pem \
    default_ca="MyPKISubCA-G1" \
    default_end_entity_profile="TLS Server Profile" \
    default_certificate_profile="TLS Server Profile"
    • The output is similar to the following:

      Success! Data written to: ejbca100/config
  11. Create a role to enroll for certificates using the EJBCA Vault Plugin:

    $ ./vault write ejbca100/roles/tls-server-auth \
    allow_any_name=true \
    allow_subdomains=true \
    max_ttl=8760h \
    key_type="ec" \
    key_bits=256 \
    signature_bits=0 \
    use_pss=false \
    country="SE" \
    organization="Keyfactor Community"
    • The output is similar to the following:

      Key                                   Value
      ---                                   -----
      account_binding_id                    n/a
      allow_any_name                        true
      allow_bare_domains                    false
      allow_glob_domains                    false
      allow_ip_sans                         true
      allow_localhost                       true
      allow_subdomains                      true
      allow_token_displayname               false
      allow_wildcard_certificates           true
      allowed_domains                       []
      allowed_domains_template              false
      allowed_other_sans                    []
      allowed_serial_numbers                []
      allowed_uri_sans                      []
      allowed_uri_sans_template             false
      allowed_user_ids                      []
      basic_constraints_valid_for_non_ca    false
      certificate_profile_name              TLS Server Profile
      client_flag                           true
      cn_validations                        [email hostname]
      code_signing_flag                     false
      country                               [SE]
      email_protection_flag                 false
      end_entity_profile_name               TLS Server Profile
      enforce_hostnames                     true
      ext_key_usage                         []
      ext_key_usage_oids                    []
      generate_lease                        false
      issuer_ref                            MyPKISubCA-G1
      key_bits                              256
      key_type                              ec
      key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
      locality                              []
      max_ttl                               8760h
      no_store                              false
      not_after                             n/a
      not_before_duration                   30s
      organization                          [Keyfactor Community]
      ou                                    []
      policy_identifiers                    []
      postal_code                           []
      province                              []
      require_cn                            true
      server_flag                           true
      signature_bits                        0
      street_address                        []
      ttl                                   0s
      use_csr_common_name                   true
      use_csr_sans                          true
      use_pss                               false

Certificates can now be issued from Vault using the EJBCA Vault plugin. Continue to the next section to issue a certificate from EJBCA.

Step 7 - Issue a Certificate through Vault

After the EJBCA Vault plugin is configured, certificates can be issued from EJBCA through requests from Vault.

To issue certificates from EJBCA using Vault, follow these steps:

  1. Continuing from the terminal used in the previous step, issue a certificate in PEM bundle format:

    $ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-01.keyfactor-community" \
    alt_names="test-vault-01.keyfactor-community" \
    format="pem_bundle"

    • The output is similar to the following:

      Key Value
      --- -----
      ca_chain [-----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
      MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
      MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
      zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
      dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
      BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
      vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
      -----END CERTIFICATE-----]
      certificate -----BEGIN CERTIFICATE-----
      MIIC9jCCAp2gAwIBAgIUTnZdWZm6OPGwnu9sm0QXbmIKeNgwCgYIKoZIzj0EAwQw
      SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ
      BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDUzNTFaFw0yNDA3
      MjUxNDUzNTBaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t
      bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAxLmtleWZhY3Rvci1jb21tdW5p
      dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQvP2pe5Cw75p28nx8LdeRPUf+M
      VkPrFfXX7Ab0fTEY70ycsykptNjzXcxGnh0jK+69sl/Ljk+FlzCCaRI7+T6ho4IB
      VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH
      AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi
      Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R
      BEgwRoIhdGVzdC12YXVsdC0wMS5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh
      dWx0LTAxLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
      NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et
      RzEuY3JsMB0GA1UdDgQWBBSsvRUcTOp1hh/ymJ3z/HmbqS07gjAOBgNVHQ8BAf8E
      BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgW1D3QnNlMP20+HJPaTWsqREIe8oPHJKR
      pWsHPzuT/gcCIC7P58EjIK4rIzd1QM4NrcVDvlHxOCR0r/Z0K7L+Ltsz
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
      MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
      zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
      dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
      BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
      vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
      -----END CERTIFICATE-----
      expiration 1721919230
      issuing_ca -----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE-----
      private_key -----BEGIN EC PRIVATE KEY-----
      MHcCAQEEIIjlDsYsuC4poF9u0rBrWzq9a2rTJ+WQAeXuM/p1XnkToAoGCCqGSM49
      AwEHoUQDQgAELz9qXuQsO+advJ8fC3XkT1H/jFZD6xX11+wG9H0xGO9MnLMpKbTY
      813MRp4dIyvuvbJfy45PhZcwgmkSO/k+oQ==
      -----END EC PRIVATE KEY-----
      private_key_type ec
      serial_number 4e:76:5d:59:99:ba:38:f1:b0:9e:ef:6c:9b:44:17:6e:62:0a:78:d8
      
  2. Issue a certificate in PEM format:

    $ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-02.keyfactor-community" \
    alt_names="test-vault-02.keyfactor-community" \
    format="pem"

    • The output is similar to the following:

      Key Value
      --- -----
      ca_chain [-----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
      MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
      MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
      Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
      zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
      dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
      BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
      BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
      vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
      -----END CERTIFICATE-----]
      certificate -----BEGIN CERTIFICATE-----
      MIIC+DCCAp2gAwIBAgIUZdwM99w2DTEFCK1w3TBQITqHUqMwCgYIKoZIzj0EAwQw
      SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ
      BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0MjZaFw0yNDA3
      MjUxNDU0MjVaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t
      bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAyLmtleWZhY3Rvci1jb21tdW5p
      dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQCdKMxL2t6ORf8JZsT92nL0z8M
      W/+Rseuc3/HZ0mFf7oYGbaK3KuwjSt8JFxa248xb+JwFBypd0kk9tbptA7+Ho4IB
      VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH
      AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi
      Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R
      BEgwRoIhdGVzdC12YXVsdC0wMi5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh
      dWx0LTAyLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
      NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et
      RzEuY3JsMB0GA1UdDgQWBBTreB/rOSR/Ra/ttNXcI5dEZ6QLvjAOBgNVHQ8BAf8E
      BAMCBaAwCgYIKoZIzj0EAwQDSQAwRgIhAOCE/Gsyp0PYeCuDn9x/EbYJ2QB8F8Wr
      2Hf/SbPxnNJgAiEAk4hO26vR0AOIkOdlgfTPPGcf+MZO6Ueoj+xcaoanZXg=
      -----END CERTIFICATE-----
      expiration 1721919265
      issuing_ca -----BEGIN CERTIFICATE-----
      MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
      STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
      BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
      MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
      bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
      AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
      cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
      /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
      KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
      UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
      MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
      QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
      /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
      2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
      -----END CERTIFICATE-----
      private_key -----BEGIN EC PRIVATE KEY-----
      MHcCAQEEIFANef/AcMbGNwZc9XL0vK897vCpZ2rMZY6ftksEM5+ooAoGCCqGSM49
      AwEHoUQDQgAEAnSjMS9rejkX/CWbE/dpy9M/DFv/kbHrnN/x2dJhX+6GBm2ityrs
      I0rfCRcWtuPMW/icBQcqXdJJPbW6bQO/hw==
      -----END EC PRIVATE KEY-----
      private_key_type ec
      serial_number 65:dc:0c:f7:dc:36:0d:31:05:08:ad:70:dd:30:50:21:3a:87:52:a3
      
  3. Issue a certificate in PEM format, requesting that the root CA be removed from the returned chain:

    $ ./vault write ejbca100/issue/tls-server-auth \
    common_name="test-vault-03.keyfactor-community" \
    alt_names="test-vault-03.keyfactor-community" \
    format="pem" \
    remove_roots_from_chain=true
    • The output is similar to the following:

    Key Value
    --- -----
    ca_chain [-----BEGIN CERTIFICATE-----
    MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
    MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
    AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
    cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
    /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
    KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
    UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
    MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
    QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
    /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
    2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
    -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
    MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
    MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
    dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
    BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
    BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
    vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
    -----END CERTIFICATE-----]
    certificate -----BEGIN CERTIFICATE-----
    MIIC9jCCAp2gAwIBAgIUQSvvqyz1iMmceyJwMYXQTngxJF0wCgYIKoZIzj0EAwQw
    SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ
    BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0NTJaFw0yNDA3
    MjUxNDU0NTFaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t
    bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAzLmtleWZhY3Rvci1jb21tdW5p
    dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASnS/wiAh7PUKSHTjkTp5R3ZM7Q
    b5WDzN5iH1TKTUCGKijPxabnj9hP01rIpcrGrEoYyewwbTcUfzkuh5L4y2cJo4IB
    VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH
    AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi
    Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R
    BEgwRoIhdGVzdC12YXVsdC0wMy5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh
    dWx0LTAzLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
    NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et
    RzEuY3JsMB0GA1UdDgQWBBQ6IBt+b5Fze81KTjqFkb5Ze5Z3iTAOBgNVHQ8BAf8E
    BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgSTefGBLKXwTPOqsvzbNOJByci+2cpxDc
    NF5X53SEjUACIG+YHGzmHzcgOqj56jI6fTgNjRpStz86OpsD3ZErk1W/
    -----END CERTIFICATE-----
    expiration 1721919291
    issuing_ca -----BEGIN CERTIFICATE-----
    MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw
    MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C
    AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj
    cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB
    /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI
    KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015
    UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw
    MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD
    QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB
    /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/
    2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV
    -----END CERTIFICATE-----
    private_key -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIJBnYuZRQWtF8P/I+HgPSmcq941yHXOVRFF1LAvval06oAoGCCqGSM49
    AwEHoUQDQgAEp0v8IgIez1Ckh045E6eUd2TO0G+Vg8zeYh9Uyk1Ahiooz8Wm54/Y
    T9NayKXKxqxKGMnsMG03FH85LoeS+MtnCQ==
    -----END EC PRIVATE KEY-----
    private_key_type ec
    serial_number 41:2b:ef:ab:2c:f5:88:c9:9c:7b:22:70:31:85:d0:4e:78:31:24:5d
    

Certificates can now be issued from EJBCA using Vault. This completes the tutorial for deploying HashiCorp Vault with the EJBCA Vault plugin.
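
The three responses above differ only in how the chain is packaged: with format="pem_bundle" the certificate field carries the leaf followed by the CA chain, with format="pem" it carries the leaf alone and the chain is returned separately in ca_chain and issuing_ca, and remove_roots_from_chain requests that the self-signed root be left out of the returned chain. Before handing the material to a server it is worth checking that the leaf actually verifies against the chain that came back with it. The script below is an added example, not part of the tutorial or the plugin: it takes a saved certificate value (with the private key appended or not), splits it into leaf, chain and key files, verifies the leaf against the chain with openssl, and reports whether a self-signed root is still present in the chain. The file names, the use of `vault write -field=certificate` to capture the value, and the printed wording are this example's own.

```shell
#!/bin/sh
# Added example (not part of the tutorial): split the `certificate` value of a
# pem_bundle response (leaf certificate followed by its CA chain, optionally
# with the private key appended) into separate files, verify the leaf against
# the chain with openssl, and report whether a self-signed root is present.
set -eu

# Number of PEM blocks of the given type (e.g. CERTIFICATE, "EC PRIVATE KEY")
# in a file; prints 0 rather than failing when there are none.
count_pem_blocks() {
  grep -c "^-----BEGIN $2-----" "$1" || true
}

# First CERTIFICATE block -> $2 (leaf), remaining CERTIFICATE blocks -> $3
# (chain), any PRIVATE KEY block -> $4. Output files exist even when empty;
# text outside PEM blocks is dropped.
split_bundle() {
  : > "$2"; : > "$3"; : > "$4"
  awk -v leaf="$2" -v chain="$3" -v key="$4" '
    /^-----BEGIN / {
      if ($0 ~ /PRIVATE KEY-----$/)        out = key
      else if ($0 ~ /CERTIFICATE-----$/)   out = (++ncert == 1) ? leaf : chain
    }
    out != "" { print > out }
    /^-----END / { out = "" }
  ' "$1"
}

# Verify the leaf against the chain. Everything in the chain file, root
# included, is treated as trusted here; with a separately pinned root use
#   openssl verify -CAfile root.pem -untrusted chain.pem leaf.pem
verify_leaf() {
  openssl verify -CAfile "$2" "$1" > /dev/null
}

# True (0) when some certificate in $1 is self-signed (subject equals issuer),
# i.e. the chain still carries a root. remove_roots_from_chain=true on the
# issue request is the parameter for asking the plugin to leave it out.
chain_has_root() {
  dir=$(mktemp -d)
  awk -v dir="$dir" '
    /^-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 { print > (dir "/" n ".pem") }
  ' "$1"
  found=1
  for f in "$dir"/*.pem; do
    [ -f "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject)
    iss=$(openssl x509 -in "$f" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && found=0
  done
  rm -rf "$dir"
  return "$found"
}

# Usage: sh verify-bundle.sh bundle.pem
# bundle.pem can be captured from the tutorial's mount with, for example:
#   ./vault write -field=certificate ejbca100/issue/tls-server-auth \
#       common_name="test-vault-01.keyfactor-community" format="pem_bundle" > bundle.pem
if [ "$#" -ge 1 ]; then
  split_bundle "$1" leaf.pem chain.pem key.pem
  echo "leaf certificates:  $(count_pem_blocks leaf.pem CERTIFICATE)"
  echo "chain certificates: $(count_pem_blocks chain.pem CERTIFICATE)"
  if [ -s key.pem ]; then chmod 600 key.pem; fi
  if verify_leaf leaf.pem chain.pem; then
    echo "leaf verifies against the returned chain"
  else
    echo "leaf does NOT verify against the returned chain" >&2
    exit 1
  fi
  if chain_has_root chain.pem; then
    echo "chain includes a self-signed root"
  else
    echo "chain contains no self-signed root"
  fi
fi
```

The split is done with awk on the PEM markers alone, so it works on any bundle layout; only the verification and the self-signed check need openssl. Running it on the format="pem" response (leaf only in certificate) leaves chain.pem empty, and `openssl verify` then fails, which is the expected signal that the chain has to be taken from ca_chain instead.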

Next steps

In this tutorial, you learned how to deploy a three-node Vault cluster and configure the EJBCA Vault PKI Engine plugin to issue certificates from EJBCA through Vault.

For more tutorials for trying out and evaluating EJBCA, see Tutorials and Guides.