Use Vault as an intermediate CA

In this how-to guide, we will configure Vault to act as an intermediate Certificate Authority (CA) using Vault’s PKI secrets engine. Here self-signed-certificates will be the parent CA and tls-certificates-requirer will be the charm requesting a certificate to Vault.

1. Configure Vault’s common name

• Note: Vault PKI will only allow issuing certificates for the subdomains of the common_name configured here, it will reject any requests using differnt domains in their subject.

juju config vault common_name=mydomain.com

2. Deploy the parent CA

juju deploy self-signed-certificates

3. Integrate Vault with its parent CA

juju integrate vault:tls-certificates-pki self-signed-certificates

4. Deploy tls-certificates-requirer

juju deploy tls-certificates-requirer --config common_name=demo.mydomain.com

5. Integrate TLS Certificates Requirer with Vault

juju integrate tls-certificates-requirer vault:vault-pki

6. Retrieve the certificate

juju run tls-certificates-requirer/leader get-certificate