Vault for PKI

Here’s how to use Vault for public key infrastructure.

Update: Vault now has a great article on this

Install the latest version of Vault and jq (download the Vault zip for your platform from releases.hashicorp.com, then unzip it and put the binary on your PATH)

sudo apt-get install unzip jq
unzip vault_*.zip
sudo mv vault /usr/local/bin

Start Vault (we use development mode for this tutorial; dev mode keeps everything in memory, starts already unsealed and prints a root token, so it is fine for trying things out and nothing else)

vault server -dev

Create a PKI secret backend

export VAULT_ADDR='http://127.0.0.1:8200'

(This is the address the dev server prints at startup.)

vault mount pki
vault mount-tune -max-lease-ttl=87600h pki

With Vault 0.9.2 and later the same two commands are spelled "vault secrets enable pki" and "vault secrets tune -max-lease-ttl=87600h pki". The mount's max lease TTL caps every TTL issued from it, so raise it before generating a ten-year root.

vault write pki/root/generate/internal common_name="yourca" ttl=87600h

common_name is required; pick whatever name you want your CA to carry. With "internal" the root's private key is generated inside Vault and never returned, only the certificate is. Next, tell Vault which URLs to embed in issued certificates for fetching the CA certificate and the CRL. For a dev server those are the mount's own ca and crl endpoints:

vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
    crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

vault write pki/roles/yourrole \
    allowed_domains="yourhost" \
    allow_bare_domains="true" \
    allow_subdomains="false" max_ttl="72h"

allow_bare_domains is needed because the certificate issued below asks for a common name equal to the allowed domain itself; it defaults to false, and without it Vault rejects the request. allow_subdomains="false" means names like foo.yourhost are refused, and max_ttl is the longest lifetime a client can get from this role (longer requests are capped, not rejected).

And issue certificates

data=$(vault write -format=json pki/issue/yourrole common_name=yourhost)

jq -r '.data.certificate' <<< "$data" > cert.pem
jq -r '.data.private_key' <<< "$data" > key.pem
jq -r '.data.issuing_ca' <<< "$data" > ca.pem

Quote "$data" so the PEM blocks reach jq intact. The private key is only ever returned in this one response, so write key.pem with restrictive permissions (chmod 600 key.pem) and keep the response out of shell history and logs.
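Putting the steps together, here is an added example that is not part of the original post: the same setup as one script, using the Vault 0.9.2+ CLI spellings, writing the returned private key with a restrictive umask, and a verify_issued function that runs the openssl checks worth doing before the files go anywhere (the certificate chains to ca.pem, key.pem actually matches cert.pem, and both the CN and a DNS SAN are the host the role was meant to allow). It assumes a dev server at the default address, the placeholder names from this post (the pki mount, yourrole, yourhost) and that vault, jq and openssl are on PATH; the root's common name "yourhost Root CA" is my choice, not the post's.

```shell
#!/usr/bin/env bash
# Added example (not the original post's code): the post's PKI setup as one
# script plus openssl checks on what Vault returns. Assumes a dev server on the
# default address and the post's placeholder names; all of them can be overridden.
set -eu

export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
PKI_PATH="${PKI_PATH:-pki}"     # mount path used throughout the post
ROLE="${ROLE:-yourrole}"        # placeholder role name from the post
HOST="${HOST:-yourhost}"        # placeholder host name from the post

# Mount the PKI backend, generate an internal root (key never leaves Vault),
# publish CA/CRL URLs and create a role. The mount's max TTL must be raised
# before a ten-year root can be issued.
setup_pki() {
  vault secrets enable -path="$PKI_PATH" pki
  vault secrets tune -max-lease-ttl=87600h "$PKI_PATH"
  vault write "$PKI_PATH/root/generate/internal" \
    common_name="$HOST Root CA" ttl=87600h
  vault write "$PKI_PATH/config/urls" \
    issuing_certificates="$VAULT_ADDR/v1/$PKI_PATH/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/$PKI_PATH/crl"
  # allow_bare_domains lets a CN equal the allowed domain itself; with it
  # false (the default) a request for "$HOST" is rejected by the role.
  vault write "$PKI_PATH/roles/$ROLE" \
    allowed_domains="$HOST" allow_bare_domains=true \
    allow_subdomains=false max_ttl=72h
}

# Issue a leaf certificate and split the JSON response into PEM files.
# The private key appears only in this response, so it is written under
# umask 077 (owner-only) rather than chmod'ed after the fact.
issue_cert() {
  data=$(vault write -format=json "$PKI_PATH/issue/$ROLE" common_name="$HOST" ttl=24h)
  printf '%s\n' "$data" | jq -r '.data.certificate' > cert.pem
  (umask 077; printf '%s\n' "$data" | jq -r '.data.private_key' > key.pem)
  printf '%s\n' "$data" | jq -r '.data.issuing_ca' > ca.pem
}

# verify_issued CERT KEY CA HOST: succeed only if CERT chains to CA, KEY is the
# private key for CERT, and both the subject CN and a DNS SAN equal HOST.
verify_issued() {
  cert=$1 key=$2 ca=$3 host=$4
  # regex-escape dots so "a.example.com" cannot match "a-example.com"
  pat=$(printf '%s' "$host" | sed 's/\./\\./g')
  openssl verify -CAfile "$ca" "$cert" > /dev/null 2>&1 || return 1
  # compare SubjectPublicKeyInfo derived from the cert and from the key
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | grep -Eq "(^|[ =,])CN=$pat(,|\$)" || return 1
  openssl x509 -in "$cert" -noout -text \
    | grep -Eq "DNS:$pat(,|\$)" || return 1
}

# Run the whole flow with "./vault-pki.sh run"; without the argument the
# functions are only defined, so the file can be sourced for verify_issued.
if [ "${1:-}" = "run" ]; then
  setup_pki
  issue_cert
  verify_issued cert.pem key.pem ca.pem "$HOST"
  echo "issued and verified certificate for $HOST"
fi
```

The verify step is the part worth keeping outside tutorials: a role that does not match what a deploy pipeline expects shows up as a rejected request, a different name, or a shorter lifetime than asked for, and none of that is visible from the exit status of vault write alone.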

Published July 21, 2018

All code examples are public domain.
Use them however you’d like (licensed under CC0).