Looks like this is the Vault issuer chain, not a step-ca RA config knob.

I checked current vaultcas and repro'd it with Vault dev 1.21: if <mount>/cert/ca_chain only returns the intermediate, VaultCAS.GetCertificateAuthority() dies with root certificate not found. After importing the public root into that PKI mount, the same endpoint returned intermediate + self-signed root and vaultcas accepted it.

So the root private key can stay outside Vault, but the public root cert still needs to be in the issuer chain Vault returns. For a freshly signed intermediate:

{ cat int1.crt; printf '\n'; cat root_ca.crt; } > intermediate_ca.crt
vault write pki_int1/intermediate/set-signed certificate=@inter…
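As an added illustration (not code from this thread or from vaultcas itself), the Go program below applies the same check to a PEM bundle of the shape `<mount>/cert/ca_chain` returns: it reports whether a self-signed root is present, which is the condition behind the "root certificate not found" failure above. The function names `rootPresent` and `caPEM` are my own, and the root and intermediate it uses are constructed in-process, not real CA material.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// rootPresent walks the CERTIFICATE blocks of a PEM bundle (what Vault's
// <mount>/cert/ca_chain returns) and reports whether a self-signed CA is among them.
func rootPresent(bundle []byte) (bool, error) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return false, err
		}
		if c.IsCA && bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil {
			return true, nil // self-signed CA: the root is in the chain
		}
	}
	return false, nil // the state vaultcas reports as "root certificate not found"
}

// caPEM mints a constructed test CA named cn, signed by parent with pkey (self-signed when parent is nil).
func caPEM(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

func main() {
	rootPEM, root, rootKey := caPEM("Test Root", nil, nil)
	intPEM, _, _ := caPEM("Test Intermediate", root, rootKey)
	fmt.Println(rootPresent(intPEM))                                     // false <nil>: intermediate only
	fmt.Println(rootPresent(bytes.Join([][]byte{intPEM, rootPEM}, nil))) // true <nil>: intermediate + root
}
```

Run it against the output of `vault read -field=certificate <mount>/cert/ca_chain` to confirm the mount's chain includes the root before pointing step-ca at it.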

Answer selected by lsimard
Category
Q&A