Use Vault as an intermediate CA
In this how-to guide, we will configure Vault to act as an intermediate Certificate Authority (CA) using Vault’s PKI secrets engine. Here self-signed-certificates will be the parent CA and tls-certificates-requirer will be the charm requesting a certificate to Vault.
The certificates issued by Vault will have a validity period that is half of its intermediate CA’s, which is determined by the root provider’s configuration, in this case, the self-signed certificates.
- Configure Vault’s common name
- Note: Vault PKI will only allow issuing certificates for the subdomains of the common_name configured here, it will reject any requests using differnt domains in their subject.
juju config vault common_name=mydomain.com
- Deploy the parent CA
juju deploy self-signed-certificates
- Integrate Vault with its parent CA
juju integrate vault:tls-certificates-pki self-signed-certificates
- Deploy
tls-certificates-requirer
juju deploy tls-certificates-requirer --config common_name=demo.mydomain.com
- Integrate TLS Certificates Requirer with Vault
juju integrate tls-certificates-requirer vault:vault-pki
- Retrieve the certificate
juju run tls-certificates-requirer/leader get-certificate