Vault for PKI

Here’s how to use Vault for public key infrastructure.

Update: Vault now has a great article on this

Install the latest version of Vault and jq

sudo apt-get install unzip jq
sudo mv vault /usr/local/bin

Start Vault (we use development mode for this tutorial)

vault server -dev

Create a PKI secret backend

export VAULT_ADDR=''

vault mount pki
vault mount-tune -max-lease-ttl=87600h pki

vault write pki/root/generate/internal ttl=87600h

vault write pki/config/urls issuing_certificates="" \

vault write pki/roles/yourrole \
    allowed_domains="yourhost" \
    allow_subdomains="false" max_ttl="72h"

And issue certificates

data=`vault write -format=json pki/issue/yourrole common_name=yourhost`

jq -r '.data.certificate' <<< $data > cert.pem
jq -r '.data.private_key' <<< $data > key.pem
jq -r '.data.issuing_ca' <<< $data > ca.pem

Published July 21, 2018 · Tweet

You might also enjoy

Trying Out Vault for Postgres Credentials

R and Database URLs

Package Your JavaScript Libraries With Rollup

All code examples are public domain.
Use them however you’d like (licensed under CC0).