Skip to main content
Welcome to this hands-on guide for Vault’s PKI Secrets Engine. In this tutorial, you will:
  • Deploy a root Certificate Authority (CA) in Vault
  • Create and sign an intermediate CA
  • Define a role for issuing certificates
  • Request certificates from the intermediate CA
Follow along with the full HashiCorp Learn tutorial: Building Your Own Certificate Authority (CA) Using Vault.
The image shows a webpage from HashiCorp Learn about building your own Certificate Authority (CA) using Vault. It includes a navigation menu and a list of steps for the process.
  • A running Vault cluster (we’ll use AWS).
  • Vault CLI installed and authenticated.
  • jq installed for JSON parsing.

Step-by-Step Overview

StepActionPathTTL
1Enable Root PKI Enginepki/87600h (10 yrs)
2Generate Root Certificate87600h
3Configure CA & CRL URLs
4Enable Intermediate PKI Enginepki_int/43800h (5 yrs)
5Generate Intermediate CSR
6Sign Intermediate CSR with Root43800h
7Import Signed Intermediate Certificate
8Create Certificate Rolepki_int/720h
9Issue a Certificate from the Intermediate Enginepki_int/24h (example)
10View Engines & Certificates in the Vault UI

1. Enable and Tune the Root PKI Engine

First, verify no PKI engine is enabled: 
vault secrets list
Enable the root PKI engine and set its maximum lease TTL to 10 years: 
vault secrets enable pki
vault secrets tune --max-lease-ttl=87600h pki

2. Generate the Root Certificate

Create an internal root CA certificate. This outputs only the PEM-format certificate: 
vault write -field=certificate pki/root/generate/internal \
    common_name="vaultadvanced.com" ttl=87600h \
  > ca_cert.crt
Confirm the file: 
ls -l ca_cert.crt

3. Configure CA and CRL Distribution URLs

Point Vault to the endpoints where clients can retrieve the issuing CA and CRL: 
vault write pki/config/urls \
    issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
    crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"

4. Enable and Tune the Intermediate PKI Engine

Remove any existing intermediate engine, then enable a fresh one with a 5-year TTL: 
vault secrets disable pki_int

vault secrets enable -path=pki_int -description="Intermediate CA" pki
vault secrets tune --max-lease-ttl=43800h pki_int

5. Generate the Intermediate CSR

Have the intermediate engine generate a private key and CSR. Extract the CSR to a file: 
vault write -format=json pki_int/intermediate/generate/internal \
    common_name="vaultadvanced.com Intermediate Authority" \
  | jq -r '.data.csr' > pki_intermediate.csr
Verify both the CA and CSR files: 
ls -l ca_cert.crt pki_intermediate.csr

6. Sign the Intermediate CSR with the Root

Submit the CSR to the root engine and save the signed intermediate certificate: 
vault write -format=json pki/root/sign-intermediate \
    csr=@pki_intermediate.csr ttl=43800h \
  | jq -r '.data.certificate' > intermediate.cert.pem

7. Import the Signed Intermediate Certificate

Configure the intermediate engine to use its signed certificate: 
vault write pki_int/intermediate/set-signed \
    [email protected]

8. Create a Role for Issuing Certificates

Define a role named vaultadvanced that can issue certificates for vaultadvanced.com and its subdomains: 
vault write pki_int/roles/vaultadvanced \
    allowed_domains="vaultadvanced.com" \
    allow_subdomains=true \
    max_ttl="720h"
Verify the new role: 
vault read pki_int/roles/vaultadvanced

9. Issue a Certificate from the Intermediate

Request a certificate with a 24-hour TTL: 
vault write pki_int/issue/vaultadvanced \
    common_name="learn.vaultadvanced.com" ttl="24h"
The private_key is only returned at issuance. Store it securely, as Vault will not retain it for later retrieval.
You can issue additional short-lived certificates, for example: 
vault write pki_int/issue/vaultadvanced \
    common_name="atm01.vaultadvanced.com" ttl="1h"

10. View Engines and Certificates in the Vault Web UI

The image shows a web interface for HashiCorp Vault, displaying a list of secret engines such as "cubbyhole" and "pki." There is a warning about using a root token and a welcome message offering a tour of the Vault Web UI.
In the UI, navigate to pki/ and pki_int/ to inspect roles and issued certificates (serial numbers only, no private keys).

References

Watch Video