Vault for PKI

Here’s how to use Vault for public key infrastructure.

Update: Vault now has a great article on this

Install the latest version of Vault and jq

sudo apt-get install unzip jq
# after unzipping the downloaded Vault release, put the binary on PATH
sudo mv vault /usr/local/bin

Start Vault (we use development mode for this tutorial; a dev server keeps everything in memory, starts unsealed and prints its root token, so use it only for experimenting)

vault server -dev

Create a PKI secret backend

export VAULT_ADDR='http://127.0.0.1:8200'   # the address printed by "vault server -dev"

vault mount pki                              # newer CLI: vault secrets enable pki
vault mount-tune -max-lease-ttl=87600h pki   # newer CLI: vault secrets tune -max-lease-ttl=87600h pki

# "internal" keeps the root CA's private key inside Vault; common_name is required
vault write pki/root/generate/internal common_name="yourhost Root CA" ttl=87600h

# URLs embedded in every issued cert; the CA and CRL are served from the mount's ca and crl endpoints
vault write pki/config/urls issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

# the role is the policy boundary: only these names, and leaf certs live at most 72h
vault write pki/roles/yourrole \
    allowed_domains="yourhost" \
    allow_bare_domains="true" \
    allow_subdomains="false" max_ttl="72h"

And issue certificates

data=$(vault write -format=json pki/issue/yourrole common_name=yourhost)

jq -r '.data.certificate' <<< "$data" > cert.pem
jq -r '.data.private_key' <<< "$data" > key.pem   # returned once, at issue time only
jq -r '.data.issuing_ca' <<< "$data" > ca.pem
chmod 600 key.pem
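As an added illustration (not Vault's code and not from the original post), here is a small Python model of the checks a PKI role applies to every pki/issue request: name matching under allowed_domains, allow_bare_domains and allow_subdomains, and capping the requested TTL to max_ttl. It assumes Vault's documented defaults (allow_bare_domains=false, allow_subdomains=false, allow_localhost=true, 768h system default lease TTL) and leaves out glob and wildcard names; note that a role listing yourhost without allow_bare_domains refuses the bare name itself.

```python
"""Model of the name and TTL checks a Vault PKI role applies to pki/issue/<role>.
Added example, not Vault's code; assumes Vault's documented role defaults and the
768h system default lease TTL, and does not model glob or wildcard names."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_LEASE_TTL_HOURS = 768.0  # Vault's system default lease TTL (32 days)


@dataclass
class Role:
    allowed_domains: List[str]
    allow_bare_domains: bool = False  # Vault default
    allow_subdomains: bool = False    # Vault default
    allow_localhost: bool = True      # Vault default
    max_ttl_hours: float = 72.0       # max_ttl="72h" from the role above


def name_allowed(role: Role, name: str) -> bool:
    """True if `name` may appear as the CN or a DNS SAN under `role`."""
    name = name.lower().rstrip(".")
    if role.allow_localhost and name in ("localhost", "localdomain"):
        return True
    for domain in (d.lower() for d in role.allowed_domains):
        if name == domain and role.allow_bare_domains:
            return True  # the listed domain itself needs allow_bare_domains
        if role.allow_subdomains and name.endswith("." + domain):
            return True
    return False


def effective_ttl_hours(role: Role, requested: Optional[float]) -> float:
    """A TTL above max_ttl is capped to max_ttl (Vault warns, it does not fail)."""
    wanted = DEFAULT_LEASE_TTL_HOURS if requested is None else requested
    return min(wanted, role.max_ttl_hours)


def check_issue(role: Role, common_name: str, alt_names: Tuple[str, ...] = (),
                ttl_hours: Optional[float] = None) -> Tuple[bool, str]:
    """Decide a pki/issue request under `role`: (ok, reason or summary)."""
    for n in (common_name, *alt_names):
        if not name_allowed(role, n):
            return False, f"common name {n!r} not allowed by this role"
    ttl = effective_ttl_hours(role, ttl_hours)
    return True, f"issue {common_name!r} with ttl={ttl:g}h"


if __name__ == "__main__":
    as_written = Role(allowed_domains=["yourhost"])  # role with Vault's default allow_bare_domains
    with_bare = Role(allowed_domains=["yourhost"], allow_bare_domains=True)
    for role, cn in ((as_written, "yourhost"), (with_bare, "yourhost"),
                     (with_bare, "api.yourhost"), (with_bare, "other.example")):
        print(f"{cn:>14} -> {check_issue(role, cn)}")
```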

Published July 21, 2018


All code examples are public domain.
Use them however you’d like (licensed under CC0).