Trust multiple Vault CA certs in separate regions

I have been deploying a multi-region OpenStack setup as follows:

[central]

  • keystone
  • mysql-innodb-cluster
  • vault

[remote region]

  • vault
  • mysql-innodb-cluster
  • ceph
  • nova
  • neutron
  • other OpenStack charms …

The [central] keystone is exposed via cross-model-relations and the remote region identity-service endpoints consume that CMR. This works, and I can authenticate via the central keystone and view the remote region endpoints and services.

Due to the independent vault deployment in each region, I get cert errors on most services. These disappear when I temporarily reconfigure as “insecure”. I would like to make the regions trust each other's certs, either by creating the remote region's Vault PKI using the cert/key exported from central, or by generating a CSR on the remote region and signing it at the central vault. I cannot quite get the steps needed for either and am hoping someone would have further insight.

An alternative option would be to remove the remote region vault and use the same cross-model relation to the central vault.
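Added example, not from the post above: it models the second option (a CSR from the remote region signed by the central CA) with plain openssl so it runs offline, and ends with the check a client in the central region performs on a remote service cert. Subjects, hostnames and paths are constructed; the mapping to the vault charm's get-csr / upload-signed-csr actions is an assumption.

```shell
# Added example, not from the original post: models the second option (remote region CSR
# signed by the central CA) with plain openssl so it runs offline. Subjects, hostnames and
# paths are constructed; in a Juju deployment the CSR would come from the remote vault's
# get-csr action and the signed cert go back through upload-signed-csr (assumed charm actions).
set -eu
WORK="$(mktemp -d)"

# Helper: fresh RSA key plus CSR for the given name and subject (key never leaves its region).
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# [central] vault: self-signed root CA, the anchor clients in every region must trust.
make_central_root() {
  new_key_csr central-root "/CN=Central Vault Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -days 3650 -in "$WORK/central-root.csr" -signkey "$WORK/central-root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/central-root.crt" >/dev/null 2>&1
}

# [central] signs the remote region's CSR as a CA with pathlen:0 (may issue leaf certs only).
sign_remote_csr() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -days 1825 -in "$WORK/remote-int.csr" -extfile "$WORK/int.ext" \
    -CA "$WORK/central-root.crt" -CAkey "$WORK/central-root.key" -CAcreateserial \
    -out "$WORK/remote-int.crt" >/dev/null 2>&1
}

# [remote region] issues a service cert (e.g. nova-api) from its now cross-signed intermediate.
issue_remote_service_cert() {
  new_key_csr svc "/CN=$1"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/leaf.ext"
  openssl x509 -req -days 365 -in "$WORK/svc.csr" -extfile "$WORK/leaf.ext" \
    -CA "$WORK/remote-int.crt" -CAkey "$WORK/remote-int.key" -CAcreateserial \
    -out "$WORK/svc.crt" >/dev/null 2>&1
}

# Client-side check: does the remote service cert chain to the trust bundle in $1, with the
# intermediate passed as an untrusted chain cert (as a TLS server would send it)? OK or FAIL.
check_chain() {
  if openssl verify -CAfile "$1" -untrusted "$WORK/remote-int.crt" "$WORK/svc.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_central_root
new_key_csr remote-int "/CN=Remote Region Vault Intermediate CA"   # remote vault's get-csr step
sign_remote_csr
issue_remote_service_cert nova-api.remote.example
```

Clients in both regions must hold the central root as their trust anchor; a bundle containing only the remote intermediate fails a default OpenSSL verifier, which does not enable -partial_chain.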