Hi! I'm running into an issue with step-ca in RA mode using HashiCorp Vault as the backend CA. At startup, step-ca fails with:

From the Vault logs, step-ca is calling:

GET /v1/<pki_mount>/cert/ca_chain

My understanding of the problem is that Vault returns only the intermediate CAs, but the external root CA is missing from /cert/ca_chain. The root private key is intentionally kept outside Vault, but the public root cert is also not present in the chain. This causes step-ca to refuse to start, as it expects a complete CA chain ending with a root.

Is there any way in step-ca (RA mode) to explicitly configure or provide a missing root CA, or is step-ca strictly dependent on Vault returning a full chain?

Thanks!
Replies: 1 comment
Looks like this is the Vault issuer chain, not a step-ca RA config knob. I checked current vaultcas and repro'd it with Vault dev 1.21: if <mount>/cert/ca_chain only returns the intermediate, VaultCAS.GetCertificateAuthority() dies with root certificate not found. After importing the public root into that PKI mount, the same endpoint returned intermediate + self-signed root and vaultcas accepted it.

So the root private key can stay outside Vault, but the public root cert still needs to be in the issuer chain Vault returns. For a freshly signed intermediate:

{ cat int1.crt; printf '\n'; cat root_ca.crt; } > intermediate_ca.crt
vault write pki_int1/intermediate/set-signed certificate=@intermediate_ca.crt

The …

For your existing mount I'd check the real response first:

vault read -format=json <pki_mount>/cert/ca_chain | jq -r .data.certificate | step certificate inspect --bundle

If that bundle stops at the intermediate, update/import the issuer chain so the default issuer's …
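The reply's rule of thumb (the bundle Vault returns must end in a self-signed root, or step-ca reports "root certificate not found") can be checked offline. This is an added example in Go, step-ca's own language, not code from step-ca or Vault: ChainHasRoot parses a PEM chain and reports whether it contains a self-signed CA, and NewCA mints throwaway test certificates so the check runs without a Vault. Both function names are mine, and the self-signed test stands in for step-ca's internal root lookup rather than reproducing it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// ChainHasRoot reports whether a PEM bundle (what <mount>/cert/ca_chain returns)
// contains a self-signed CA, i.e. one whose signature verifies with its own key.
// That is the condition behind the "root certificate not found" failure above.
func ChainHasRoot(bundle []byte) (bool, error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other non-certificate blocks
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return false, err
		}
		if cert.IsCA && cert.CheckSignatureFrom(cert) == nil {
			return true, nil
		}
	}
	return false, nil // chain stops at an intermediate
}

// NewCA mints a throwaway CA (constructed for this example, not real CA material):
// parent == nil gives a self-signed root, otherwise an intermediate signed by parent.
func NewCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feeding it the output of the vault read pipeline above (before the step certificate inspect stage) tells you whether the mount's issuer chain still needs the public root imported.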