Vault for PKI

Here’s how to use Vault for public key infrastructure.


Update: Vault now has a great article on this


Install the latest version of Vault and jq

sudo apt-get install unzip jq
wget https://releases.hashicorp.com/vault/0.9.0/vault_0.9.0_linux_amd64.zip
unzip vault_0.9.0_linux_amd64.zip
sudo mv vault /usr/local/bin

Start Vault (we use development mode for this tutorial)

vault server -dev

Create a PKI secret backend

export VAULT_ADDR='http://127.0.0.1:8200'

vault mount pki
vault mount-tune -max-lease-ttl=87600h pki

vault write pki/root/generate/internal common_name=myvault.com ttl=87600h

vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
    crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

vault write pki/roles/yourrole \
    allowed_domains="yourhost" \
    allow_subdomains="false" max_ttl="72h"

And issue certificates

data=`vault write -format=json pki/issue/yourrole common_name=yourhost`

jq -r '.data.certificate' <<< $data > cert.pem
jq -r '.data.private_key' <<< $data > key.pem
jq -r '.data.issuing_ca' <<< $data > ca.pem

Published July 21, 2018 · Tweet


You might also enjoy

Securing Sensitive Data in Rails

Introducing Dexter, the Automatic Indexer for Postgres

Rails, Meet Data Science


All code examples are public domain.
Use them however you’d like (licensed under CC0).