Tutorial - Use EJBCA with HashiCorp Vault

Learn how to deploy a three-node Vault cluster and configure the EJBCA PKI Secrets Engine for HashiCorp Vault plugin to issue certificates from EJBCA through Vault.

PKI administrators interested in offering an integration to use EJBCA to standardize the PKI in the environment and have a single place to manage certificates while providing the ability to issue certificates from HashiCorp Vault should find this tutorial helpful. The steps outlined in this tutorial show how HashiCorp Vault can be deployed to integrate with EJBCA for users to request certificates from vault issued by EJBCA.

In this tutorial, you will learn how to:

• Configure EJBCA for the HashiCorp Vault EJBCA plugin
• Create keys and certificate signing requests (CSRs) to request certificates from EJBCA for the HashiCorp Vault EJBCA plugin​
• Create Certificates from the CSRs using EJBCA
• Deploy HashiCorp Vault with the EJBCA Vault plugin
• Configure the EJBCA Plugin to issue certificates from EJBCA

Prerequisites

Before you begin, you need:

• Kubernetes running in the background. To download and install, you can follow the tutorials Install MicroK8s to run EJBCA and Deploy EJBCA container in MicroK8s.
• A running EJBCA instance with an active Certificate Authority (CA) in EJBCA, certificate and end entity profiles, and roles configured. To get started, you can follow our tutorials Get started with EJBCA and issue TLS certificates.
• Additionally, you need internet access to download the HashiCorp Vault container and additional files.​

For more information on the EJBCA PKI Secrets Engine for HashiCorp Vault plugin, refer to Keyfactor GitHub.

Step 1 - Configure EJBCA for the HashiCorp Vault EJBCA plugin

Follow these steps to configure a certificate profile and an end entity profile in EJBCA, and add a RA role for Vault.

Create certificate profile

To create a certificate profile, do the following:

1. Go to the EJBCA Administration user interface using a web browser.
2. In EJBCA, under CA Functions, click Certificate Profiles.
   
3. Click Clone by the TLS Server Profile template to create a new profile using that template.
   
4. Name the new certificate profile TlsServerRsa-1y, and click Create from template.
5. To edit the profile default values to fit your needs, find the newly created TlsServerRsa-1y profile displayed in the list and click Edit.
   
6. On the Edit page, update the following:
   • Select RSA for the Available Key Algorithms (this should be the only option selected).
   • Select 2048, 3072, and 4096 for the Available Bit Lengths.
   • For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
7. To store the certificate profile, click Save.
   

The TlsServerRsa-1y profile is displayed in the list of certificate profiles.

Create end entity profile

To update the end entity profile, do the following:

1. In EJBCA, under RA Functions, click End Entity Profiles.
2. Select the TLS Server Profile, and click Edit End Entity Profile.
3. Edit the profile and update the following:
   • In the Other Subject Attributes section, select DNS Name from the Subject Alternative Name list, and click Add.
   • In the Other Subject Attributes section, select IP Address from the Subject Alternative Name list, and click Add.
     
   • In the Available Certificate Profiles section, select the TlsServerRsa-1y in addition to the other profile selected.
   • For Available CAs, select the ManagementCA in addition to the MyPKISubCA-G1.
4. Click Save to store the end entity profile.

The end entity profile is displayed in the list of end entity profiles.

Create role

To create an RA role for Vault and authorize actions in EJBCA:

1. In EJBCA, under System Functions, click Roles and Access Rules.
2. Next to the list of available roles, click Add.
3. For Role name, specify RA-Vault and click Add.
   The Roles Management page now lists the RA-Vault role.
4. To update the access rules for the role, click Access Rules for the RA-Vault role.
   
5. On the Edit Access Rules page, edit the following:
   • For Role Template, select RA Administrators.
   • For Authorized CAs, select My PKISubCA-G1.
     
   • For End Entity Profiles, select TLS Client Profile and TLS Server Profile.
6. Click Save to store the updated access rules for the role.

7. At the top right of the Edit Access Rules page, click Advanced Mode.

   • Under Regular Access Rules, select Allow for /ca_functionality/view_ca/.

8. Click Save.
9. At the top right of the Edit Access Rules page, click Members.
10. Members are defined by an attribute from the certificate DN and the serial number:
    • Match with: Select X509:CN, Common name.
    • CA: Verify that Management CA is selected for the CA to match on.
    • Match Value: Specify the name value from the certificate, in this example: "vault-ra-01". Note that this is a case-sensitive matching.
11. Click Add to add the user to the role.

An RA role for Vault has been created and the TLS Server Profile was updated to include an IP Address in the Subject Alternative Name as an option.

Step 2 - Create Keys and Certificate Signing Requests (CSRs)

To prepare for the HashiCorp Vault deployment, you will download the Vault command line interface and use OpenSSL to generate private keys and certificate signing requests (CSRs).

 Download the Vault CLI and generate the CSRs:

1. SSH to the MicroK8s test host that has EJBCA deployed and configured.

2. In your terminal, enter the following to create a directory to organize all the files for this tutorial:
   

   $ mkdir vault

3. Change to the vault directory:
   

   $ cd vault

4. Download the vault binary to use vault locally once deployed:

   $ curl -O https://releases.hashicorp.com/vault/1.15.4/vault_1.15.4_linux_amd64.zip

5. Unzip the archive and remove the zip file:

   $ unzip -q vault_1.15.4_linux_amd64.zip && rm -f vault_1.15.4_linux_amd64.zip

6. Create environment variables used to create CSRs for certificates issued from EJBCA that Vault will use:

   $ export VAULT_K8S_NAMESPACE="vault" VAULT_SERVICE_NAME="vault-internal" K8S_CLUSTER_NAME="cluster.local"

7. Create an OpenSSL configuration file for the Vault instances TLS certificate:

   $ cat > vault-internal.conf <<EOF

   [req]

   default_bits = 2048

   prompt = no

   encrypt_key = yes

   distinguished_name = kubelet_serving

   req_extensions = v3_req

   [ kubelet_serving ]

   C = SE

   O = Keyfactor Community

   CN = system:node:*.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}

   [ v3_req ]

   keyUsage = digitalSignature, keyEncipherment

   extendedKeyUsage = serverAuth

   subjectAltName = @alt_names

   [alt_names]

   DNS.1 = *.${VAULT_SERVICE_NAME}

   DNS.2 = *.${VAULT_SERVICE_NAME}.${VAULT_K8S_NAMESPACE}.svc.${K8S_CLUSTER_NAME}

   DNS.3 = *.${VAULT_K8S_NAMESPACE}

   DNS.4 = vault-active

   IP.1 = 127.0.0.1

    

   EOF

8. Generate private key and create the CSR using the OpenSSL configuration file:

   openssl req -new -newkey rsa:2048 -nodes -keyout vault-internal.key -sha256 -out vault-internal.csr -config vault-internal.conf

9. Create an OpenSSL configuration file for the Ingress TLS certificate used for accessing Vault externally from inside the Kubernetes cluster:

   cat > api.vault.conf <<EOF

   [req]

   default_bits = 2048

   prompt = no

   encrypt_key = yes

   distinguished_name = kubelet_serving

   req_extensions = v3_req

   [ kubelet_serving ]

   C = SE

   O = Keyfactor Community

   CN = api.vault

   [ v3_req ]

   keyUsage = digitalSignature, keyEncipherment

   extendedKeyUsage = serverAuth

   subjectAltName = @alt_names

   [alt_names]

   DNS.1 = api.vault

    

   EOF

10. Generate the private key and create the CSR using the OpenSSL configuration file for the external Ingress TLS certificate:

    $ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -sha256 -out api.vault.csr -config api.vault.conf

11. Create an OpenSSL configuration file for the Vault RA credential:

    cat > vault-ra-01.conf <<EOF

    [req]

    default_bits = 2048

    prompt = no

    encrypt_key = yes

    distinguished_name = kubelet_serving

    req_extensions = v3_req

    [ kubelet_serving ]

    C = SE

    O = Keyfactor Community

    CN = vault-ra-01

    [ v3_req ]

    keyUsage = digitalSignature

    extendedKeyUsage = clientAuth

     

    EOF

12. Generate the private key and create the CSR using the OpenSSL configuration file for the Vault RA credential:

    openssl req -new -newkey rsa:2048 -nodes -keyout vault-ra-01-key.pem -sha256 -out vault-ra-01.csr -config vault-ra-01.conf

13. Output the vault-internal.csr to the terminal to use in a later step:

    cat vault-internal.csr

14. The vault-internal.csr is displayed in the terminal:

    -----BEGIN CERTIFICATE REQUEST-----

    MIIDKzCCAhMCAQAwWzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD

    b21tdW5pdHkxLjAsBgNVBAMMJXN5c3RlbTpub2RlOioudmF1bHQuc3ZjLmNsdXN0

    ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcGa2SdmwS

    XT6jm3llcPPdY0ZdB0xctCcxam+HUj9/qVw5BXiKWVR8fyVDbU7gWUjM4ugVMqOm

    +LxeC0GxlasAW+4QqZlny7BkBZJbPcszelbBvsWHcCma2gx25XQ3kPJPcdgRisG1

    jHawbMUY6D9x+SOKMyedYPn/nzfnAhDchEAWwvV9gHmd5Fwfh+ube9HKkwrkaszd

    2avqMQzgUpfxrshcYmwbqhdyWO+d5WomVlV6xJJNzOml8UbNhKbzmrunpCGS369r

    bYANcPZcgjHAKv53E1l940rYwogU/aDQMr2Yz8tulPmfhJL99otgGLhDiNgL4LCe

    r4kgbS14LU8PAgMBAAGggYowgYcGCSqGSIb3DQEJDjF6MHgwCwYDVR0PBAQDAgWg

    MBMGA1UdJQQMMAoGCCsGAQUFBwMBMFQGA1UdEQRNMEuCECoudmF1bHQtaW50ZXJu

    YWyCKCoudmF1bHQtaW50ZXJuYWwudmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByou

    dmF1bHSHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAIyTD/JXkvpcsl5BaP4VRG70

    uJ4ubfuvn8BOWDXYLvARm5PmSgYibZ7C7Y3ak657lC8G7pHWRWwNb+MBmeG9ELiG

    45OHP2w60B9SPSMZZ89eZ7SpGq005Fw9+ALzfJHfjn5QyZx2p9ytio1exhMKIKl1

    /Q9N3GHPCarLdKYNwSpOjOlYM0fz50KQPd/9vgp/Mxohk/42SUP3uB+MDxRXUHQt

    5peX4WklJH1OFWUWNDGiPV2URkAdW4S5dFoDb3SKGxIwpS312vdXpz/tFsxqz/mM

    s9QnOaGJbp6YS8x/G41en0ia9XblKR/pQNiGdIPUEKHojkCIE0ROYEU0iKqXZuY=

    -----END CERTIFICATE REQUEST-----

15. Output the api.vault.csr to the terminal to use in a later step:

    cat api.vault.csr

16. The api.vault.csr is displayed in the terminal:

    -----BEGIN CERTIFICATE REQUEST-----

    MIICzTCCAbUCAQAwPzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD

    b21tdW5pdHkxEjAQBgNVBAMMCWFwaS52YXVsdDCCASIwDQYJKoZIhvcNAQEBBQAD

    ggEPADCCAQoCggEBAM6cSK2PW8yJ9H/qElCvWudcgUy4lSwcvznfefTUsZhEW1IP

    BvtthX0AaGraDNIsaChjCtsvUTwDskTZkkm8EB1p0U22BQdgV0z71DklhETSx7Y+

    YUPS/aqERQ+MpG0rBsf9UPvdXZJnmX+Ua/iHiKwISFc2LALTpbJaIpR8Jo0EwHuW

    f1U/wa7col5xsS/I9orhGYqvnDzvnvjsJTR1rAEDH/RN/AHkQOiBDoyfRJfM+VdD

    cbS6MPKEB1uvQKdhYQ6dzLBTDiIzkWvguoMxDMkBJSjBAgZoxBpO/6GMDoH5o6LZ

    69li1V1NjRYQ5WOMKki8LlhHxrsYeEq4OMSWgOcCAwEAAaBJMEcGCSqGSIb3DQEJ

    DjE6MDgwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBQGA1UdEQQN

    MAuCCWFwaS52YXVsdDANBgkqhkiG9w0BAQsFAAOCAQEACHKgifwtgESJGh/rO6Ja

    gPZ3W0UpYUM80Ssgegyr9Pja9yZwlv+TcmsZ7IqVNCKD0djWXxfVrQW2gqLhb+Jw

    4ZeUZDB8Yui+W7Pl+t6q7dMmRmzZ0OX8cwkbkoyfMn64yT+tFQAd1Ln38666+a7I

    QYstwvDd8+w9bloDIRXZ0E0+qkiNnRKZO11NxxACahvfpgyPSyl7qF9CCfzgeqoJ

    0qkP8lBMGPKrAeq708Bv+jzy93t3qpqpLDEsa88TqEdTM6Bt1EG3jE+r4FWidsfJ

    oQu4YK6vYJQTBRvmFFPGGdhqzaB6LY1W7ZvRKNAo6w1A2D9/G/BWmKrnm6VtR4Ne

    lA==

    -----END CERTIFICATE REQUEST-----

17. Output the vault-ra-01.csr to the terminal to use in a later step:

    cat vault-ra-01.csr

18. The vault-ra-01.csr is displayed in the terminal:

    -----BEGIN CERTIFICATE REQUEST-----

    MIICuTCCAaECAQAwQTELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD

    b21tdW5pdHkxFDASBgNVBAMMC3ZhdWx0LXJhLTAxMIIBIjANBgkqhkiG9w0BAQEF

    AAOCAQ8AMIIBCgKCAQEApP82z06nC5N6m4HyP7O5pNY0IxCP9kHy6Fk7k9GFfbwF

    upLkxeN0sDsqnIrOECVhhszaMbyHxF/bo5ZlbrSgyK6GbUNQ+txvU+48ArkGx1bx

    9Cajd0HBVTlm1LgacSCskGoock2uyueoK8fAHKwJf/xLvUwosr+40KNACv3SLDEr

    OIF857WCeqa9wkHo0k68Qcx9ChXnUotw90H7gXtLyzmmcunPt5SwJ+FGzcWrDxY/

    h3DUzyjqXFNfHxqpAyX+n0FCjnB0jLjz/iokS6mxm8Ly9rQHQHe7z3aUuZIWl3oA

    R07R+gG2JrosQ6DvAxZxOXy0qq6IuIMWUBIsdt9SrQIDAQABoDMwMQYJKoZIhvcN

    AQkOMSQwIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZI

    hvcNAQELBQADggEBAKOIa9D37s2vDE4giASd+RfLnsNqLnZx3HiaF10XaHHkxq8Z

    7GVS/0BNTQPN2DM2lKRadTxvfgJ1bCN7raMnhjqUkrr1U7RNXsHiCvtcdwUEKjNT

    QES7lq+MHaCuu8uov1sBlcyYSh0dd448P3vksIYT6Z3/eWsl+W+X2ZUdLO74u7av

    vRATm5uX9nePLt/RA2fZmPmlAoI+15hjEkWhPv6hV4nQmcfGc0x2SbO7Gk6sTFTo

    eLpD19NHDfa59ocNV8mkmGAJJR409WClrxqCzbFrN4uWRx3DKJTT25WQpPb2zHnw

    cNVJxJIGOyapXZ9Ldn+pf2AwH2CooiIQpNP5oKY=

    -----END CERTIFICATE REQUEST-----

The Vault CLI is downloaded, and certificate signing requests have been created to be used for the Vault integration with EJBCA.

Step 3 - Create Certificates from the CSRs Using EJBCA RA UI

The CSRs generated in Step 2 - Create Keys and Certificate Signing Requests (CSRs) must be signed before Vault can be deployed. The EJBCA RA Web is used to issue the certificates by signing the CSRs. Once the CSRs are signed the certificate files are uploaded to the Kubernetes server and staged for the Vault deployment.

To complete the certificate issuance for the CSRs generated in step 1, follow these steps:

1. Go to the EJBCA RA Web using a web browser.
2. Click Make New Request and update the following:
   
   • Select TLS Server Profile for the Certificate Type.
   • Select TlsSercerRsa-1y for the Certificate subtype.
   • Select ManagementCA for the CA.

   • Select Provided by user radio button for Key-pair generation.

   • Paste the contents of the vault-internal.csr from the terminal window into the CSR text field (the first PEM output in the terminal window), such as:

     -----BEGIN CERTIFICATE REQUEST-----

     MIIDKzCCAhMCAQAwWzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD

     b21tdW5pdHkxLjAsBgNVBAMMJXN5c3RlbTpub2RlOioudmF1bHQuc3ZjLmNsdXN0

     ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcGa2SdmwS

     XT6jm3llcPPdY0ZdB0xctCcxam+HUj9/qVw5BXiKWVR8fyVDbU7gWUjM4ugVMqOm

     +LxeC0GxlasAW+4QqZlny7BkBZJbPcszelbBvsWHcCma2gx25XQ3kPJPcdgRisG1

     jHawbMUY6D9x+SOKMyedYPn/nzfnAhDchEAWwvV9gHmd5Fwfh+ube9HKkwrkaszd

     2avqMQzgUpfxrshcYmwbqhdyWO+d5WomVlV6xJJNzOml8UbNhKbzmrunpCGS369r

     bYANcPZcgjHAKv53E1l940rYwogU/aDQMr2Yz8tulPmfhJL99otgGLhDiNgL4LCe

     r4kgbS14LU8PAgMBAAGggYowgYcGCSqGSIb3DQEJDjF6MHgwCwYDVR0PBAQDAgWg

     MBMGA1UdJQQMMAoGCCsGAQUFBwMBMFQGA1UdEQRNMEuCECoudmF1bHQtaW50ZXJu

     YWyCKCoudmF1bHQtaW50ZXJuYWwudmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByou

     dmF1bHSHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAIyTD/JXkvpcsl5BaP4VRG70

     uJ4ubfuvn8BOWDXYLvARm5PmSgYibZ7C7Y3ak657lC8G7pHWRWwNb+MBmeG9ELiG

     45OHP2w60B9SPSMZZ89eZ7SpGq005Fw9+ALzfJHfjn5QyZx2p9ytio1exhMKIKl1

     /Q9N3GHPCarLdKYNwSpOjOlYM0fz50KQPd/9vgp/Mxohk/42SUP3uB+MDxRXUHQt

     5peX4WklJH1OFWUWNDGiPV2URkAdW4S5dFoDb3SKGxIwpS312vdXpz/tFsxqz/mM

     s9QnOaGJbp6YS8x/G41en0ia9XblKR/pQNiGdIPUEKHojkCIE0ROYEU0iKqXZuY=

     -----END CERTIFICATE REQUEST-----
   • Click Upload CSR.
   • Enter vault-internal for the Username.
   • Click Download PEM full chain.
3. Select Reset at the bottom of the page to make another request.
   
   • Select TLS Server Profile for the Certificate Type.
   • Select ManagementCA for the CA.
   • Select Provided by user for Key-pair generation.

   • Paste the contents of the api.vault.csr from the terminal window into the CSR text field (second PEM output in the terminal window), such as:

     -----BEGIN CERTIFICATE REQUEST-----

     MIICzTCCAbUCAQAwPzELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD

     b21tdW5pdHkxEjAQBgNVBAMMCWFwaS52YXVsdDCCASIwDQYJKoZIhvcNAQEBBQAD

     ggEPADCCAQoCggEBAM6cSK2PW8yJ9H/qElCvWudcgUy4lSwcvznfefTUsZhEW1IP

     BvtthX0AaGraDNIsaChjCtsvUTwDskTZkkm8EB1p0U22BQdgV0z71DklhETSx7Y+

     YUPS/aqERQ+MpG0rBsf9UPvdXZJnmX+Ua/iHiKwISFc2LALTpbJaIpR8Jo0EwHuW

     f1U/wa7col5xsS/I9orhGYqvnDzvnvjsJTR1rAEDH/RN/AHkQOiBDoyfRJfM+VdD

     cbS6MPKEB1uvQKdhYQ6dzLBTDiIzkWvguoMxDMkBJSjBAgZoxBpO/6GMDoH5o6LZ

     69li1V1NjRYQ5WOMKki8LlhHxrsYeEq4OMSWgOcCAwEAAaBJMEcGCSqGSIb3DQEJ

     DjE6MDgwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBQGA1UdEQQN

     MAuCCWFwaS52YXVsdDANBgkqhkiG9w0BAQsFAAOCAQEACHKgifwtgESJGh/rO6Ja

     gPZ3W0UpYUM80Ssgegyr9Pja9yZwlv+TcmsZ7IqVNCKD0djWXxfVrQW2gqLhb+Jw

     4ZeUZDB8Yui+W7Pl+t6q7dMmRmzZ0OX8cwkbkoyfMn64yT+tFQAd1Ln38666+a7I

     QYstwvDd8+w9bloDIRXZ0E0+qkiNnRKZO11NxxACahvfpgyPSyl7qF9CCfzgeqoJ

     0qkP8lBMGPKrAeq708Bv+jzy93t3qpqpLDEsa88TqEdTM6Bt1EG3jE+r4FWidsfJ

     oQu4YK6vYJQTBRvmFFPGGdhqzaB6LY1W7ZvRKNAo6w1A2D9/G/BWmKrnm6VtR4Ne

     lA==

     -----END CERTIFICATE REQUEST-----
   • Click Upload CSR.
   • Enter api.vault for the Username
   • Click Download PEM full chain.
4. Select Reset at the bottom of the page to make another request.
   
   • Select RA-Administrator for the Certificate Type.
   • Select Provided by user for Key-pair generation.

   • Paste the contents of the vault-ra-01.csr from the terminal window into the CSR text field  (third PEM output in the terminal window), such as:

     -----BEGIN CERTIFICATE REQUEST-----

     MIICuTCCAaECAQAwQTELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBD

     b21tdW5pdHkxFDASBgNVBAMMC3ZhdWx0LXJhLTAxMIIBIjANBgkqhkiG9w0BAQEF

     AAOCAQ8AMIIBCgKCAQEApP82z06nC5N6m4HyP7O5pNY0IxCP9kHy6Fk7k9GFfbwF

     upLkxeN0sDsqnIrOECVhhszaMbyHxF/bo5ZlbrSgyK6GbUNQ+txvU+48ArkGx1bx

     9Cajd0HBVTlm1LgacSCskGoock2uyueoK8fAHKwJf/xLvUwosr+40KNACv3SLDEr

     OIF857WCeqa9wkHo0k68Qcx9ChXnUotw90H7gXtLyzmmcunPt5SwJ+FGzcWrDxY/

     h3DUzyjqXFNfHxqpAyX+n0FCjnB0jLjz/iokS6mxm8Ly9rQHQHe7z3aUuZIWl3oA

     R07R+gG2JrosQ6DvAxZxOXy0qq6IuIMWUBIsdt9SrQIDAQABoDMwMQYJKoZIhvcN

     AQkOMSQwIjALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZI

     hvcNAQELBQADggEBAKOIa9D37s2vDE4giASd+RfLnsNqLnZx3HiaF10XaHHkxq8Z

     7GVS/0BNTQPN2DM2lKRadTxvfgJ1bCN7raMnhjqUkrr1U7RNXsHiCvtcdwUEKjNT

     QES7lq+MHaCuu8uov1sBlcyYSh0dd448P3vksIYT6Z3/eWsl+W+X2ZUdLO74u7av

     vRATm5uX9nePLt/RA2fZmPmlAoI+15hjEkWhPv6hV4nQmcfGc0x2SbO7Gk6sTFTo

     eLpD19NHDfa59ocNV8mkmGAJJR409WClrxqCzbFrN4uWRx3DKJTT25WQpPb2zHnw

     cNVJxJIGOyapXZ9Ldn+pf2AwH2CooiIQpNP5oKY=

     -----END CERTIFICATE REQUEST-----
   • Click Upload CSR.
     
   • Enter vault-ra-01 for the Username.
   • Click Download PEM full chain.
5. Return to the terminal window and open a new tab or terminal window.
   

6. In your terminal, enter the following to upload files to the MicroK8s VM:

   • Upload the systemnode.vault.svc.cluster.local.pem file to the MicroK8s VM:
     

     $ scp ~/Downloads/systemnode.vault.svc.cluster.local.pem user@172.16.170.187:~/vault/vault-internal.crt
     • Type the password to the user account if prompted for the password.

   • Upload the api.vault file to the MicroK8s VM:
     

     $ scp ~/Downloads/api.vault.pem user@172.16.170.187:~/vault/server.crt
     • Type the password to the user account if prompted for the password

   • Upload the vault-ra-01.pem file to the MicroK8s VM:
     

     $ scp ~/Downloads/vault-ra-01.pem user@172.16.170.187:~/vault/vault-ra-01-crt.pem

     
     

     Replace the IP Address with the IP Address or FQDN of the MicroK8s VM and the username being used to access the MicroK8s VM to complete this tutorial. The IP Address and username are examples provided to show the complete command.

7. Return to the terminal window or tab of the MicroK8s session.

8. Continuing from the ~/vault directory output the vault-internal.crt to the terminal:
   

   $ cat vault-internal.crt

9. The output is similar to the following:

   Subject: CN=system:node:*.vault.svc.cluster.local,O=Keyfactor Community,C=SE

   Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE

   -----BEGIN CERTIFICATE-----

   MIIFETCCAvmgAwIBAgIUE4Z7mJUOr7JUIXddQ3RYLKF+GE8wDQYJKoZIhvcNAQEL

   BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig

   Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzA2MTYxNjA3NDZaFw0yNDA2MTMx

   NjA3NDVaMFsxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29tbXVu

   aXR5MS4wLAYDVQQDDCVzeXN0ZW06bm9kZToqLnZhdWx0LnN2Yy5jbHVzdGVyLmxv

   Y2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3BmtknZsEl0+o5t5

   ZXDz3WNGXQdMXLQnMWpvh1I/f6lcOQV4illUfH8lQ21O4FlIzOLoFTKjpvi8XgtB

   sZWrAFvuEKmZZ8uwZAWSWz3LM3pWwb7Fh3ApmtoMduV0N5DyT3HYEYrBtYx2sGzF

   GOg/cfkjijMnnWD5/5835wIQ3IRAFsL1fYB5neRcH4frm3vRypMK5GrM3dmr6jEM

   4FKX8a7IXGJsG6oXcljvneVqJlZVesSSTczppfFGzYSm85q7p6Qhkt+va22ADXD2

   XIIxwCr+dxNZfeNK2MKIFP2g0DK9mM/LbpT5n4SS/faLYBi4Q4jYC+Cwnq+JIG0t

   eC1PDwIDAQABo4HlMIHiMB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWABCwE86DS

   MHsGA1UdEQR0MHKCECoudmF1bHQtaW50ZXJuYWyCKCoudmF1bHQtaW50ZXJuYWwu

   dmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyCByoudmF1bHSCJXN5c3RlbTpub2RlOiou

   dmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWyHBH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUH

   AwEwHQYDVR0OBBYEFD1BrwJRiwqbZ7b6Ijec5hbdenVKMA4GA1UdDwEB/wQEAwIF

   oDANBgkqhkiG9w0BAQsFAAOCAgEAmht4w6wtqEem0YlGXaIMzxkAcsb6qhf3m8tN

   1nMngtPNq0gqi1o1+a2hSvTsc5Tj+K+3Sx6wiP4iBqi3cMfK9qb0JkiWZ5P2LUQW

   9SuXwQAwWxz8Z/T3E/zc8zbXfI5BzcKxlsHjDrLfiLzOsV+xzcCXiCncQmfMQeZA

   A055GiBCg5luz9lDJMErPjRcaR5ug5j4gWz5tUwGZ/K0RgqnxyL59dHoO/EtB1vW

   m/tygbwPJgbZYKmZ2+j+02Po3i8cfObs1jE+yanAD2rCnubPpaJiX0IR0DWc9AWt

   dvYuNyVVSpIWP4ghHY9P7QvZhwP1alodCzuDWsRZFiN8rjW3Mm0vrs6TB2JwNxAs

   AIxXG2I1S7ueTSROKbKCP22GL9AI+j9KRyH13eJqMo5CdS9FJXZlIGDzIxrca6yX

   SePsZIwWK4GocWFf5S3LNkpRsGKFTLO4GFr8T6bZdP225tfR+z7joyLrJ20l531X

   BJ1kiXOtGbek7iVOLnSteSwGmU6W12YD4KbJVUGjmax6Cw1xIKVAIdgr+OfiqAAN

   5sfsjwysYdzRvKvQFMZkXcgQ7giJz7bzaDfZaiNNYNVMaR1ygI5sjqsSJ5a5HzeQ

   4Thzy5GJ3hKxUu6yW/OHlI0Jw1cvkYxkb/KN72Aee13YAtG34wHP/es/TulW3zDi

   usFT0JE=

   -----END CERTIFICATE-----

   Subject: CN=ManagementCA,O=Keyfactor Community,C=SE

   Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE

   -----BEGIN CERTIFICATE-----

   MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL

   BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig

   Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw

   ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj

   dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC

   DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp

   KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8

   fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O

   tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja

   8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG

   zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT

   X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/

   q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K

   kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh

   PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q

   GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB

   o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA

   BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E

   BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX

   tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n

   JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5

   CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd

   uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx

   H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi

   VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R

   2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu

   eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc

   GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs

   zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP

   qMN+i82CAMeU

   -----END CERTIFICATE-----
10. Select the ManagementCA output to select and copy it (the PEM block at the end of the output).

11. Create the ManagementCA.crt file.

    $ vim ManagementCA.crt

12. Paste the ManagementCA certificate into the file.

    Subject: CN=ManagementCA,O=Keyfactor Community,C=SE

    Issuer: CN=ManagementCA,O=Keyfactor Community,C=SE

    -----BEGIN CERTIFICATE-----

    MIIFdTCCA12gAwIBAgIUWpEFjDfFuGU6I5s/zCpuXrVmZIswDQYJKoZIhvcNAQEL

    BQAwQjEVMBMGA1UEAwwMTWFuYWdlbWVudENBMRwwGgYDVQQKDBNLZXlmYWN0b3Ig

    Q29tbXVuaXR5MQswCQYDVQQGEwJTRTAeFw0yMzAxMTgwODM0MDJaFw0zMzAxMTUw

    ODM0MDFaMEIxFTATBgNVBAMMDE1hbmFnZW1lbnRDQTEcMBoGA1UECgwTS2V5ZmFj

    dG9yIENvbW11bml0eTELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4IC

    DwAwggIKAoICAQDIf6n+++qldacqGvWlgiPx7AnSMuremYdrRhoylF+3kJbDFiMp

    KpVzEaeguionS4uXqErZAzgzcbu6huf4bRscYk04nCgXsFAMItsiEZ314oE4thv8

    fbPPu4K1joeDgdHv0QhA3dkRUNorH54wOR6gLDzn6nBwePJAoKxhc/WoaONta2/O

    tHeTemYZOLt+uMY+Hj3o2sMeTm3B/B/ED5BWzVMSPOCCV6qk5/cW/P2YvWfFHUja

    8xqqbBuuDZHTuX4X58BsHH+o8bgZjWhdwcZb8Oe2VajFX6DpiBZcESQL+0ir0ZqG

    zALBc8jADv0VZC0u1Pxj39p19Xosm46jelcH3CBD+65I+1Kg5aQ1tIpBHLvdJEuT

    X6WkNPMmi0VqawxtlgshlF10kLsHm/r+dlGTQ78EA23JkgglBPovCmWSb6+KJyk/

    q6dWElqrbdHwieuajb2D9s/P7RDU7h9gSf6C4nbIX1x5H/mpVCdZWDuqL0Y7tn9K

    kvhh3TNXZf1TiryJkw3GDxHS88mh+pGEZsnC3hH5rLKj/JFVQtbWeu1QdhI5fFlh

    PtUjIWeFHbgvMisd4qjouJfhuF2LRfpdn/u52MHTVntVGtGYNV3uUVpVR6YkFH0q

    GfAqP5clv1qSF5gRANIPVQSpF0wcvTHvgWdv9bOy7a9BLvWFg46Ys4HKWQIDAQAB

    o2MwYTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNf+MZRDSTxfobte/gWA

    BCwE86DSMB0GA1UdDgQWBBTX/jGUQ0k8X6G7Xv4FgAQsBPOg0jAOBgNVHQ8BAf8E

    BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAC17+M739nb2AG3bpKObDDlW+fYMdEhX

    tjQcOvHIUrITKryX3lmHyWDFFgFTeTYcoxq8ywFvpvXz4pHgeFWRZYQw7cSWwH8n

    JfLE+EJlpYU2yUGto/S8NPXV54dAYNsvQQncQixsIYgxsmX7yIzBt1+v3sLmQlp5

    CfZRCOxj+2fa9jb/jygdQC3AAS5uT86gYz0YcB5VXQ0+jYWsL7MDwgb8ORcmiugd

    uZ0kgBXd40Qg9bJhfz0N+BKWPTbS4dFst4ey5dndLp4QxWXzTt+gbmOMBpiwB6xx

    H3hw/LrRBEs7hrhVIlJ76cMx/f/5wERD0qS3uPXpCCtcKDBqHFruOI/NMNEVRFwi

    VxVD8w1jWYXDUyNVErU0LzqGOkyDuRwEDN8svaKn8+WdyumDB21tTWEbYPbFWc9R

    2epNj8moBVcfnxwsVP5TCXk6tEEOMkCVLNC3JBUWSfGJjg/2PDEdo2cPYCXYU4Hu

    eE/SnoUbRh0M34BfaHHt8S/vcEZWSkctJUmRZbTju57FKMlIHcgE5FHN5ahDAiSc

    GgncvFfPKXcEPFh5bhKdhT6FzbKysCoRw16rwhzfsm4X42jvzBEOKpUcFDpRuBJs

    zTk30lhAdmROkG5UTemobyKgDVw50VcFKbMk3Q5Gzs9TZ+uRAWJA7rF6MSc+cSlP

    qMN+i82CAMeU

    -----END CERTIFICATE-----
13. Save and close the file.

14. Download the CA chain for the EC certificate chain:

    $ curl -X GET --cert vault-ra-01-crt.pem --key vault-ra-01-key.pem --cacert ManagementCA.crt "https://ejbca-internal.ejbca-k8s/ejbca/ra/cert?caid=-1419783344&chain=true&format=pem" -H "accept: */*" -o cacerts.pem

15. Append the Management CA to the cacerts.pem file:

    $ cat ManagementCA.crt >> cacerts.pem

Certificates are now issued and uploaded to the MicroK8s VM and staged to use for the deployment. Continue to the next step to deploy HashiCorp Vault with the EJBCA Vault Plugin.

Step 4 - Deploy HashiCorp Vault with EJBCA Vault Plugin

Next, deploy HashiCorp Vault using a Helm chart that uses the certificates created from the previous step.

To deploy Vault, follow these steps:

1. Create a namespace to deploy Vault into:
   

   $ kubectl create namespace vault

   
   

   • The output is similar to the following:
     

     $ namespace/vault created

2. Create a configmap to use the EJBCA TLS cert trust chain on the vault container to trust EJBCA CA certificates:
   

   $ kubectl -n vault create configmap vault-tls-trust-chain-configmap --from-file=ca-certificates.crt=cacerts.pem

   
   

   • The output is similar to the following:
     

     $ configmap/vault-tls-trust-chain-configmap created

3. Create a secret with the certificate, key, and CA certificate for vault-internal:
   

   $ kubectl create secret generic vault-ha-tls \

   -n vault \

   --from-file=vault.key=vault-internal.key \

   --from-file=vault.crt=vault-internal.crt \

   --from-file=vault.ca=ManagementCA.crt

   
   

   • The output is similar to the following:
     

     $ secret/vault-ha-tls created

4. Create a TLS secret with the certificate and key for ingress:
   

   $ kubectl -n vault create secret tls tls-api-vault --cert server.crt --key server.key

   
   

   • The output is similar to the following:
     

     $ secret/tls-api-vault created

5. Add the HashiCorp Vault repo to deploy with Helm:

   $ helm repo add hashicorp https://helm.releases.hashicorp.com

   • The output is similar to the following:

     $ "hashicorp" has been added to your repositories

6. Download the overrides.yaml file from the Keyfactor Community GitHub repository:

   $ curl -LOs https://raw.githubusercontent.com/Keyfactor/keyfactorcommunity/feature/Add-Vault-Vars-tutorial/apps-integration/hashicorp-vault/overrides.yaml
   • You could now make changes to the file but since the overrides.yaml file is already set up for this tutorial, no changes will be made.

7. Deploy Vault using Helm chart:

   $ helm install vault hashicorp/vault -f overrides.yaml --namespace vault

   • The output is similar to the following:

     NAME: vault

     LAST DEPLOYED: Wed Jun 14 12:45:09 2023

     NAMESPACE: vault

     STATUS: deployed

     REVISION: 1

     NOTES:

     Thank you for installing HashiCorp Vault!

      

     Now that you have deployed Vault, you should look over the docs on using

     Vault with Kubernetes available here:

      

     https://www.vaultproject.io/docs/

      

      

     Your release is named vault. To learn more about the release, try:

      

     $ helm status vault

     $ helm get manifest vault

8. You can use the following monitoring commands to view what is going on with the deployment:

   $ kubectl -n vault get pods

    

   $ kubectl --namespace='vault' get all

    

   $ kubectl -n vault get all,ingress,secret,no,pvc

    

   $ kubectl -n vault describe pod/vault-0

    

   $ kubectl -n vault logs pod/vault-0

    

   $ kubectl -n vault logs pod/vault-0 -c ejbca-vault-plugin

Vault is now deployed with the certificates from EJBCA, the EJBCA Vault plugin, and ready to initialize. Continue to the next step to initialize Vault.

Step 5 - Initialize Vault

In order to use Vault it must be initialized on one of the nodes, then the other two nodes must be added to the cluster. Each node also has to be unlocked by providing the unseal key.

To complete the Vault initialization and begin using the cluster, follow these steps:

1. Continuing from the terminal used in the previous step, initialize Vault and save the unseal keys to the cluster-keys.json file:
   

   $ kubectl exec -n vault vault-0 -- vault operator init \

   -key-shares=5 \

   -key-threshold=3 \

   -format=json > ./cluster-keys.json

   
   

   • The output is similar to the following:
     

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

2. Create environment variables for three unseal keys to unseal the vault nodes:
   

   $ export VAULT_UNSEAL_KEY0=$(jq -r ".unseal_keys_b64[0]" cluster-keys.json)

   export VAULT_UNSEAL_KEY1=$(jq -r ".unseal_keys_b64[1]" cluster-keys.json)

   export VAULT_UNSEAL_KEY2=$(jq -r ".unseal_keys_b64[2]" cluster-keys.json)

   
   

3. Unlock the 1st instance of Vault:

   $ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY0

   kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1

   kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Key Value

     --- -----

     Seal Type shamir

     Initialized true

     Sealed true

     Total Shares 5

     Threshold 3

     Unseal Progress 1/3

     Unseal Nonce 8c48fbd6-019c-2aa9-8f2f-a8b62e997268

     Version 1.13.1

     Build Date 2023-03-23T12:51:35Z

     Storage Type raft

     HA Enabled true

     [user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY1

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Key Value

     --- -----

     Seal Type shamir

     Initialized true

     Sealed true

     Total Shares 5

     Threshold 3

     Unseal Progress 2/3

     Unseal Nonce 8c48fbd6-019c-2aa9-8f2f-a8b62e997268

     Version 1.13.1

     Build Date 2023-03-23T12:51:35Z

     Storage Type raft

     HA Enabled true

     [user@microk8-01 vault]$ kubectl exec -n vault vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY2

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Key Value

     --- -----

     Seal Type shamir

     Initialized true

     Sealed false

     Total Shares 5

     Threshold 3

     Version 1.13.1

     Build Date 2023-03-23T12:51:35Z

     Storage Type raft

     Cluster Name vault-cluster-af3cf4e1

     Cluster ID 585b2724-0e39-c9c6-e438-91591c3d0487

     HA Enabled true

     HA Cluster https://vault-0.vault-internal:8201

     HA Mode active

     Active Since 2023-07-29T14:29:15.391001943Z

     Raft Committed Index 36

     Raft Applied Index 36

4. Exec into the 2nd instance of Vault to join the 2nd instance to the Vault cluster:

   $ kubectl exec -n vault -it vault-1 -- /bin/sh

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     / $

5. Join the 2nd Vault instance to the Vault cluster:

   $ vault operator raft join -address=https://vault-1.vault-internal:8200 -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" https://vault-0.vault-internal:8200

   • The output is similar to the following:

     Key Value

     --- -----

     Joined true

6. Exit the exec session on the 2nd Vault instance:

   $ exit

7. Unlock the 2nd instance of Vault:

   $ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY0

   kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1

   kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Key Value

     --- -----

     Seal Type shamir

     Initialized true

     Sealed true

     Total Shares 5

     Threshold 3

     Unseal Progress 1/3

     Unseal Nonce f9f2c78c-c615-a91b-b7b2-25c0b711dd2f

     Version 1.13.1

     Build Date 2023-03-23T12:51:35Z

     Storage Type raft

     HA Enabled true

     [user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY1

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Key Value

     --- -----

     Seal Type shamir

     Initialized true

     Sealed true

     Total Shares 5

     Threshold 3

     Unseal Progress 2/3

     Unseal Nonce f9f2c78c-c615-a91b-b7b2-25c0b711dd2f

     Version 1.13.1

     Build Date 2023-03-23T12:51:35Z

     Storage Type raft

     HA Enabled true

     [user@microk8-01 vault]$ kubectl exec -n vault vault-1 -- vault operator unseal $VAULT_UNSEAL_KEY2

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Key Value

     --- -----

     Seal Type shamir

     Initialized true

     Sealed false

     Total Shares 5

     Threshold 3

     Version 1.13.1

     Build Date 2023-03-23T12:51:35Z

     Storage Type raft

     Cluster Name vault-cluster-af3cf4e1

     Cluster ID 585b2724-0e39-c9c6-e438-91591c3d0487

     HA Enabled true

     HA Cluster https://vault-0.vault-internal:8201

     HA Mode standby

     Active Node Address https://10.1.89.154:8200

     Raft Committed Index 37

     Raft Applied Index 37

8. Exec into the 3rd instance of Vault to join the 3rd instance to the Vault cluster:

   $ kubectl exec -n vault -it vault-2 -- /bin/sh

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     / $

9. Join the 3rd Vault instance to the Vault cluster and exit the exec session:

   $ vault operator raft join -address=https://vault-2.vault-internal:8200 -leader-ca-cert="$(cat /vault/userconfig/vault-ha-tls/vault.ca)" -leader-client-cert="$(cat /vault/userconfig/vault-ha-tls/vault.crt)" -leader-client-key="$(cat /vault/userconfig/vault-ha-tls/vault.key)" https://vault-0.vault-internal:8200

   • The output is similar to the following:

     Key Value

     --- -----

     Joined true

10. Exit the exec session on the 3rd Vault instance:

    $ exit

11. Unlock the 3rd instance of Vault:

    $ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY0

    kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1

    kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2

    • The output is similar to the following:

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

      Key Value

      --- -----

      Seal Type shamir

      Initialized true

      Sealed true

      Total Shares 5

      Threshold 3

      Unseal Progress 1/3

      Unseal Nonce 24c26cf4-fe74-2829-f005-ad46f1796a66

      Version 1.13.1

      Build Date 2023-03-23T12:51:35Z

      Storage Type raft

      HA Enabled true

      [user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY1

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

      Key Value

      --- -----

      Seal Type shamir

      Initialized true

      Sealed true

      Total Shares 5

      Threshold 3

      Unseal Progress 2/3

      Unseal Nonce 24c26cf4-fe74-2829-f005-ad46f1796a66

      Version 1.13.1

      Build Date 2023-03-23T12:51:35Z

      Storage Type raft

      HA Enabled true

      [user@microk8-01 vault]$ kubectl exec -n vault vault-2 -- vault operator unseal $VAULT_UNSEAL_KEY2

      Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

      Key Value

      --- -----

      Seal Type shamir

      Initialized true

      Sealed false

      Total Shares 5

      Threshold 3

      Version 1.13.1

      Build Date 2023-03-23T12:51:35Z

      Storage Type raft

      Cluster Name vault-cluster-af3cf4e1

      Cluster ID 585b2724-0e39-c9c6-e438-91591c3d0487

      HA Enabled true

      HA Cluster https://vault-0.vault-internal:8201

      HA Mode standby

      Active Node Address https://10.1.89.154:8200

      Raft Committed Index 41

      Raft Applied Index 41

12. Unset the environment variables for the three unseal keys used to unseal the vault nodes:
    

    $ unset VAULT_UNSEAL_KEY0 VAULT_UNSEAL_KEY1 VAULT_UNSEAL_KEY2

Vault is now initialized, unlocked, and ready to configure the EJBCA Vault plugin.

Step 6 - Configure EJBCA Vault Plugin

To issue certificates with the EJBCA Vault plugin, the plugin has be to enabled and configured to access the EJBCA.

Enable and configure the EJBCA Vault plugin:

1. Continuing from the terminal used in the previous step, create an environment variable for the Root token to log in to Vault:
   

   $ export CLUSTER_ROOT_TOKEN=$(cat cluster-keys.json | jq -r ".root_token")

   
   

2. Login to Vault as the root user:
   

   $ kubectl exec -n vault vault-0 -- vault login $CLUSTER_ROOT_TOKEN

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Success! You are now authenticated. The token information displayed below

     is already stored in the token helper. You do NOT need to run "vault login"

     again. Future Vault requests will automatically use this token.

      

     Key Value

     --- -----

     token hvs.9tQdMV8ygFINYGc7E5QzKMUn

     token_accessor udQyRMMtJHWEwi3GhqaNqc9j

     token_duration ∞

     token_renewable false

     token_policies ["root"]

     identity_policies []

     policies ["root"]

3. Compute the hash of the EJBCA Vault Plugin binary:
   

   $ export SHA256=$(kubectl exec -n vault vault-0 -- sha256sum /usr/local/libexec/vault/ejbca-vault-pki-engine | cut -d ' ' -f1)

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

4. Add the EJBCA Vault Plugin to Vault using the hash computed from the previous step:

   $ kubectl exec -n vault vault-0 -- vault write sys/plugins/catalog/secret/ejbca-vault-pki-engine sha_256=$SHA256 command="ejbca-vault-pki-engine"

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Success! Data written to: sys/plugins/catalog/secret/ejbca-vault-pki-engine

5. Enable the EJBCA Vault plugin:

   $ kubectl exec -n vault vault-0 -- vault secrets enable -path=ejbca100 -plugin-name=ejbca-vault-pki-engine plugin

   • The output is similar to the following:

     Defaulted container "vault" out of: vault, ejbca-vault-plugin (init)

     Success! Enabled the ejbca-vault-pki-engine secrets engine at: ejbca100/

6. Query to find the cluster IP Address of the EJBCA Internal Service and add a hosts file entry on the Microk8s VM:

   $ EJBCA_INTERNAL_SVC=$(kubectl -n ejbca-k8s get service/ejbca-internal -o jsonpath='{.spec.clusterIP}')

    

   $ sudo bash -c 'echo '"${EJBCA_INTERNAL_SVC} ejbca-internal.ejbca-k8s"' >> /etc/hosts'

7. Query to find the Load Balancer IP Address and add a hosts file entry on the MicroK8s VM for api.vault name:

   $ theIP="$(kubectl -n ingress get services -o json | jq -r '.items[] |.status.loadBalancer?|.ingress[]?|.ip ' | cut -d : -f 2)"

   $ sudo sed -i "s|${theIP} |${theIP} api.vault |" /etc/hosts

8. Add two environment variables used to connect to Vault with the Vault CLI binary:

   $ export VAULT_CACERT=ManagementCA.crt

   export VAULT_ADDR="https://api.vault"

9. Login to Vault with the Vault CLI binary:

   $ ./vault login $CLUSTER_ROOT_TOKEN

   • The output is similar to the following:

     Success! You are now authenticated. The token information displayed below

     is already stored in the token helper. You do NOT need to run "vault login"

     again. Future Vault requests will automatically use this token.

      

     Key Value

     --- -----

     token hvs.9tQdMV8ygFINYGc7E5QzKMUn

     token_accessor udQyRMMtJHWEwi3GhqaNqc9j

     token_duration ∞

     token_renewable false

     token_policies ["root"]

     identity_policies []

     policies ["root"]

10. Configure the EJBCA Vault Plugin to issue the TLS Server Profile from EJBCA:

    $ ./vault write ejbca100/config \

    hostname="https://ejbca-internal.ejbca-k8s/ejbca" \

    client_cert=@./vault-ra-01-crt.pem \

    client_key=@./vault-ra-01-key.pem \

    default_ca="MyPKISubCA-G1" \

    default_end_entity_profile="TLS Server Profile" \

    default_certificate_profile="TLS Server Profile"

    • The output is similar to the following:

      Success! Data written to: ejbca100/config

11. Create a role to enroll for certificates using the EJBCA Vault Plugin:

    $ ./vault write ejbca100/roles/tls-server-auth \

    allow_any_name=true \

    allow_subdomains=true \

    max_ttl=8760h \

    key_type="ec" \

    key_bits=256 \

    signature_bits=0 \

    use_pss=false \

    country="SE" \

    organization="Keyfactor Community"

    • The output is similar to the following:

      Key Value

      --- -----

      account_binding_id n/a

      allow_any_name true

      allow_bare_domains false

      allow_glob_domains false

      allow_ip_sans true

      allow_localhost true

      allow_subdomains true

      allow_token_displayname false

      allow_wildcard_certificates true

      allowed_domains []

      allowed_domains_template false

      allowed_other_sans []

      allowed_serial_numbers []

      allowed_uri_sans []

      allowed_uri_sans_template false

      allowed_user_ids []

      basic_constraints_valid_for_non_ca false

      certificate_profile_name TLS Server Profile

      client_flag true

      cn_validations [email hostname]

      code_signing_flag false

      country [SE]

      email_protection_flag false

      end_entity_profile_name TLS Server Profile

      enforce_hostnames true

      ext_key_usage []

      ext_key_usage_oids []

      generate_lease false

      issuer_ref MyPKISubCA-G1

      key_bits 256

      key_type ec

      key_usage [DigitalSignature KeyAgreement KeyEncipherment]

      locality []

      max_ttl 8760h

      no_store false

      not_after n/a

      not_before_duration 30s

      organization [Keyfactor Community]

      ou []

      policy_identifiers []

      postal_code []

      province []

      require_cn true

      server_flag true

      signature_bits 0

      street_address []

      ttl 0s

      use_csr_common_name true

      use_csr_sans true

      use_pss false

Certificates can now be issued from the Vault using the EJBCA Vault Plugin. Continue to the next session to issue a certificate from EJBCA.

Step 7 - Issue a Certificate through Vault

After the EJBCA Vault plugin is configured, certificates can be issued from EJBCA through requests from Vault.

To issue certificates from EJBCA using Vault, follow these steps:

1. Continuing from the terminal used in the previous step, issue a certificate with a PEM bundle format:
   

   $ ./vault write ejbca100/issue/tls-server-auth \

   common_name="test-vault-01.keyfactor-community" \

   alt_names="test-vault-01.keyfactor-community" \

   format="pem_bundle"

   
   

   • The output is similar to the following:

     Key Value

     --- -----

     ca_chain [-----BEGIN CERTIFICATE-----

     MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw

     MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv

     bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C

     AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj

     cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB

     /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI

     KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015

     UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw

     MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD

     QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB

     /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/

     2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV

     -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----

     MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1

     MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig

     Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI

     zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW

     dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/

     BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/

     BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL

     vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=

     -----END CERTIFICATE-----]

     certificate -----BEGIN CERTIFICATE-----

     MIIC9jCCAp2gAwIBAgIUTnZdWZm6OPGwnu9sm0QXbmIKeNgwCgYIKoZIzj0EAwQw

     SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ

     BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDUzNTFaFw0yNDA3

     MjUxNDUzNTBaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t

     bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAxLmtleWZhY3Rvci1jb21tdW5p

     dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQvP2pe5Cw75p28nx8LdeRPUf+M

     VkPrFfXX7Ab0fTEY70ycsykptNjzXcxGnh0jK+69sl/Ljk+FlzCCaRI7+T6ho4IB

     VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH

     AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi

     Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R

     BEgwRoIhdGVzdC12YXVsdC0wMS5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh

     dWx0LTAxLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw

     NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et

     RzEuY3JsMB0GA1UdDgQWBBSsvRUcTOp1hh/ymJ3z/HmbqS07gjAOBgNVHQ8BAf8E

     BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgW1D3QnNlMP20+HJPaTWsqREIe8oPHJKR

     pWsHPzuT/gcCIC7P58EjIK4rIzd1QM4NrcVDvlHxOCR0r/Z0K7L+Ltsz

     -----END CERTIFICATE-----

     -----BEGIN CERTIFICATE-----

     MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw

     MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv

     bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C

     AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj

     cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB

     /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI

     KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015

     UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw

     MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD

     QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB

     /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/

     2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV

     -----END CERTIFICATE-----

     -----BEGIN CERTIFICATE-----

     MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1

     MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig

     Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI

     zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW

     dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/

     BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/

     BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL

     vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=

     -----END CERTIFICATE-----

     expiration 1721919230

     issuing_ca -----BEGIN CERTIFICATE-----

     MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw

     MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv

     bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C

     AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj

     cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB

     /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI

     KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015

     UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw

     MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD

     QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB

     /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/

     2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV

     -----END CERTIFICATE-----

     private_key -----BEGIN EC PRIVATE KEY-----

     MHcCAQEEIIjlDsYsuC4poF9u0rBrWzq9a2rTJ+WQAeXuM/p1XnkToAoGCCqGSM49

     AwEHoUQDQgAELz9qXuQsO+advJ8fC3XkT1H/jFZD6xX11+wG9H0xGO9MnLMpKbTY

     813MRp4dIyvuvbJfy45PhZcwgmkSO/k+oQ==

     -----END EC PRIVATE KEY-----

     private_key_type ec

     serial_number 4e:76:5d:59:99:ba:38:f1:b0:9e:ef:6c:9b:44:17:6e:62:0a:78:d8

2. Issue a certificate with the PEM format:
   

   $ ./vault write ejbca100/issue/tls-server-auth \

   common_name="test-vault-02.keyfactor-community" \

   alt_names="test-vault-02.keyfactor-community" \

   format="pem"

   
   

   • The output is similar to the following:

     Key Value

     --- -----

     ca_chain [-----BEGIN CERTIFICATE-----

     MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw

     MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv

     bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C

     AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj

     cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB

     /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI

     KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015

     UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw

     MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD

     QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB

     /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/

     2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV

     -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----

     MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1

     MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig

     Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI

     zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW

     dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/

     BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/

     BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL

     vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=

     -----END CERTIFICATE-----]

     certificate -----BEGIN CERTIFICATE-----

     MIIC+DCCAp2gAwIBAgIUZdwM99w2DTEFCK1w3TBQITqHUqMwCgYIKoZIzj0EAwQw

     SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ

     BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0MjZaFw0yNDA3

     MjUxNDU0MjVaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t

     bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAyLmtleWZhY3Rvci1jb21tdW5p

     dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQCdKMxL2t6ORf8JZsT92nL0z8M

     W/+Rseuc3/HZ0mFf7oYGbaK3KuwjSt8JFxa248xb+JwFBypd0kk9tbptA7+Ho4IB

     VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH

     AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi

     Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R

     BEgwRoIhdGVzdC12YXVsdC0wMi5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh

     dWx0LTAyLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw

     NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et

     RzEuY3JsMB0GA1UdDgQWBBTreB/rOSR/Ra/ttNXcI5dEZ6QLvjAOBgNVHQ8BAf8E

     BAMCBaAwCgYIKoZIzj0EAwQDSQAwRgIhAOCE/Gsyp0PYeCuDn9x/EbYJ2QB8F8Wr

     2Hf/SbPxnNJgAiEAk4hO26vR0AOIkOdlgfTPPGcf+MZO6Ueoj+xcaoanZXg=

     -----END CERTIFICATE-----

     expiration 1721919265

     issuing_ca -----BEGIN CERTIFICATE-----

     MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw

     STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

     BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw

     MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv

     bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C

     AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj

     cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB

     /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI

     KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015

     UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw

     MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD

     QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB

     /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/

     2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV

     -----END CERTIFICATE-----

     private_key -----BEGIN EC PRIVATE KEY-----

     MHcCAQEEIFANef/AcMbGNwZc9XL0vK897vCpZ2rMZY6ftksEM5+ooAoGCCqGSM49

     AwEHoUQDQgAEAnSjMS9rejkX/CWbE/dpy9M/DFv/kbHrnN/x2dJhX+6GBm2ityrs

     I0rfCRcWtuPMW/icBQcqXdJJPbW6bQO/hw==

     -----END EC PRIVATE KEY-----

     private_key_type ec

     serial_number 65:dc:0c:f7:dc:36:0d:31:05:08:ad:70:dd:30:50:21:3a:87:52:a3

3. Issue a certificate with the PEM format and no certificate chain:

   $ ./vault write ejbca100/issue/tls-server-auth \

   common_name="test-vault-03.keyfactor-community" \

   alt_names="test-vault-03.keyfactor-community" \

   format="pem" \

   remove_roots_from_chain=true

4. The output is similar to the following:

   Key Value

   --- -----

   ca_chain [-----BEGIN CERTIFICATE-----

   MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw

   STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

   BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw

   MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv

   bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C

   AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj

   cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB

   /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI

   KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015

   UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw

   MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD

   QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB

   /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/

   2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV

   -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----

   MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw

   STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

   BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1

   MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig

   Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI

   zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW

   dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/

   BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/

   BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL

   vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=

   -----END CERTIFICATE-----]

   certificate -----BEGIN CERTIFICATE-----

   MIIC9jCCAp2gAwIBAgIUQSvvqyz1iMmceyJwMYXQTngxJF0wCgYIKoZIzj0EAwQw

   SDELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxGzAZ

   BgNVBAMMEk15IFBLSSBTdWIgQ0EgLSBHMTAeFw0yMzA3MjkxNDU0NTJaFw0yNDA3

   MjUxNDU0NTFaMFcxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3IgQ29t

   bXVuaXR5MSowKAYDVQQDDCF0ZXN0LXZhdWx0LTAzLmtleWZhY3Rvci1jb21tdW5p

   dHkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASnS/wiAh7PUKSHTjkTp5R3ZM7Q

   b5WDzN5iH1TKTUCGKijPxabnj9hP01rIpcrGrEoYyewwbTcUfzkuh5L4y2cJo4IB

   VDCCAVAwHwYDVR0jBBgwFoAUsOV/dnTiKri4+FhlM+BiocqkU+0wYQYIKwYBBQUH

   AQEEVTBTMDEGCCsGAQUFBzAChiVodHRwOi8vbXkucGtpL2NlcnRzL015UEtJU3Vi

   Q0EtRzEuY3J0MB4GCCsGAQUFBzABhhJodHRwOi8vbXkucGtpL29jc3AwTwYDVR0R

   BEgwRoIhdGVzdC12YXVsdC0wMy5rZXlmYWN0b3ItY29tbXVuaXR5giF0ZXN0LXZh

   dWx0LTAzLmtleWZhY3Rvci1jb21tdW5pdHkwEwYDVR0lBAwwCgYIKwYBBQUHAwEw

   NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL215LnBraS9jcmxzL015UEtJU3ViQ0Et

   RzEuY3JsMB0GA1UdDgQWBBQ6IBt+b5Fze81KTjqFkb5Ze5Z3iTAOBgNVHQ8BAf8E

   BAMCBaAwCgYIKoZIzj0EAwQDRwAwRAIgSTefGBLKXwTPOqsvzbNOJByci+2cpxDc

   NF5X53SEjUACIG+YHGzmHzcgOqj56jI6fTgNjRpStz86OpsD3ZErk1W/

   -----END CERTIFICATE-----

   expiration 1721919291

   issuing_ca -----BEGIN CERTIFICATE-----

   MIICmTCCAj+gAwIBAgIUJ0eL9InlnmcCEjqOzONfNtVvATEwCgYIKoZIzj0EAwQw

   STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa

   BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjMwMTIzMTYyNDQ1WhcNMzgw

   MTE5MTYyNDQ0WjBIMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv

   bW11bml0eTEbMBkGA1UEAwwSTXkgUEtJIFN1YiBDQSAtIEcxMFkwEwYHKoZIzj0C

   AQYIKoZIzj0DAQcDQgAE6jQXVZOakbP61mtnVUw/UYvG3fAxQtDAN6jcIzo2KUzj

   cZK2dCpYQhiegsCCKkm1aHJayQ5QSoxCqQaR52b6VaOCAQQwggEAMBIGA1UdEwEB

   /wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5UwYgYI

   KwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRzL015

   UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9vY3Nw

   MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJvb3RD

   QS1HMS5jcmwwHQYDVR0OBBYEFLDlf3Z04iq4uPhYZTPgYqHKpFPtMA4GA1UdDwEB

   /wQEAwIBhjAKBggqhkjOPQQDBANIADBFAiAXcyV7NumOSDB05fxPj2teGtRZmo2/

   2IHoGncs+5+riQIhAOPJrdJSu63lQqErpvK6rmZvLhnq8eqGbAzzLtYUlyuV

   -----END CERTIFICATE-----

   private_key -----BEGIN EC PRIVATE KEY-----

   MHcCAQEEIJBnYuZRQWtF8P/I+HgPSmcq941yHXOVRFF1LAvval06oAoGCCqGSM49

   AwEHoUQDQgAEp0v8IgIez1Ckh045E6eUd2TO0G+Vg8zeYh9Uyk1Ahiooz8Wm54/Y

   T9NayKXKxqxKGMnsMG03FH85LoeS+MtnCQ==

   -----END EC PRIVATE KEY-----

   private_key_type ec

   serial_number 41:2b:ef:ab:2c:f5:88:c9:9c:7b:22:70:31:85:d0:4e:78:31:24:5d

Certificates can now be issued from EJBCA using Vault. This completes the tutorial for deploying Hashicorp Vault with the EJBCA Vault plugin.

Next steps

In this tutorial, you learned how to deploy a three-node Vault cluster and configure the EJBCA Vault PKI Engine plugin to issue certificates from EJBCA through Vault.

Here are some next steps we recommend:

Unable to render include or excerpt-include. Could not retrieve page.