
Vault Operator

Platform: Ubuntu 22.04

Channel     | Revision | Published   | Runs on
latest/edge | 31       | 22 Feb 2024 | Ubuntu 22.04

juju deploy vault-dev --channel edge

Use Vault as an intermediate CA

In this how-to guide, we will configure Vault to act as an intermediate Certificate Authority (CA) using Vault's PKI secrets engine. Here self-signed-certificates will be the parent CA and tls-certificates-requirer will be the charm requesting a certificate from Vault.

The certificates issued by Vault will have a validity period that is half that of Vault's intermediate CA certificate. The intermediate's validity is determined by the root provider's configuration, in this case self-signed-certificates.

1. Configure Vault's common name

   Vault PKI will only issue certificates whose subject names are subdomains of the common_name configured here; requests using other domains in their subject are rejected.

   juju config vault common_name=mydomain.com

2. Deploy the parent CA

   juju deploy self-signed-certificates --channel 1/stable

3. Integrate Vault with its parent CA

   juju integrate vault:tls-certificates-pki self-signed-certificates

4. Deploy tls-certificates-requirer

   The requested common name must be a subdomain of the Vault common name.

   juju deploy tls-certificates-requirer --config common_name=demo.mydomain.com --config sans_dns=demo.mydomain.com

5. Integrate TLS Certificates Requirer with Vault

   juju integrate tls-certificates-requirer vault:vault-pki

6. Retrieve the certificate

   juju run tls-certificates-requirer/leader get-certificate
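A pre-flight check for the two rules in this guide, written as an added example for this page and not part of the Vault or requirer charms: every name the requirer asks for (its common_name and each entry of sans_dns) must be a subdomain of Vault's configured common_name, and issued certificates receive half the intermediate CA's validity. Treating the bare domain itself as rejected follows the guide's wording and is an assumption about how the charm configures the Vault PKI role.

```python
"""Pre-flight checks for issuing certificates through Vault as an intermediate CA."""
from datetime import datetime, timedelta, timezone


def is_subdomain_of(name: str, parent: str) -> bool:
    """True when `name` is a strict subdomain of `parent`.

    Comparison is case-insensitive and ignores a trailing dot, as DNS does.
    The bare `parent` itself is NOT accepted (assumption: the role does not
    allow bare domains, matching the guide's "subdomains of the common_name").
    """
    n = name.lower().rstrip(".")
    p = parent.lower().rstrip(".")
    return n != p and n.endswith("." + p)


def rejected_names(vault_common_name: str, common_name: str, sans_dns: str = "") -> list[str]:
    """Return the requested names Vault PKI would refuse.

    `common_name` and `sans_dns` mirror the tls-certificates-requirer config
    options used in the guide; `sans_dns` is a comma-separated list.
    """
    requested = [common_name] + [s.strip() for s in sans_dns.split(",") if s.strip()]
    return [n for n in requested if not is_subdomain_of(n, vault_common_name)]


def expected_leaf_validity(ca_not_before: datetime, ca_not_after: datetime) -> timedelta:
    """Validity Vault will give issued certificates: half of the intermediate CA's."""
    return (ca_not_after - ca_not_before) / 2


if __name__ == "__main__":
    # Values from the guide; the failing request below is constructed for illustration.
    print(rejected_names("mydomain.com", "demo.mydomain.com", "demo.mydomain.com"))
    print(rejected_names("mydomain.com", "demo.mydomain.com", "demo.otherdomain.com,mydomain.com"))
    # Constructed one-year intermediate: leaves would get 182 days 12 hours.
    start = datetime(2024, 2, 22, tzinfo=timezone.utc)
    print(expected_leaf_validity(start, start + timedelta(days=365)))
```

Run it before step 4 with your own common_name and sans_dns values; an empty list from rejected_names means the request is consistent with the Vault common_name set in step 1.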
