Introduction
In most cases the CA certificate is specified for each instance of the Vault LDAP Authentication method using the certificate configuration parameter. While this is configurable per authentication method, this article documents an alternative method of presenting the CA certificate.
Scenario
Vault also reads the CA certificates stored in the Operating System (OS) certificate trust store when the LDAP Authentication Method establishes TLS connections, so you may wish to use that instead of specifying the CA certificate via the certificate parameter, which may then be omitted altogether when initially configuring the method.
This trust store is read during Vault startup only. CA certificates added to the OS trust store will require a restart of the Vault process before the LDAP authentication method can use them to establish new LDAP connections to the configured server address.
Please note:
- Multiple CAs may be added to the OS certificate trust store.
- Identical CA certificates are expected in the OS trust store path(s) on all Vault nodes within a cluster.
Recommendation
The OS trust store can be leveraged to supply CA certificates to the LDAP authentication method. This proves useful when multiple LDAP authentication methods are configured to connect to LDAP servers whose certificates are issued by the same Certificate Authority.
In these cases the CA certificate does not need to be provided as part of each method's configuration step.
Additional Information
CA certificate trust stores are stored in different locations depending on the Linux distribution and flavour.
Here are the default OS trust store paths for some Linux distributions:
- Ubuntu:
/usr/local/share/ca-certificates
- CentOS:
/etc/pki/ca-trust/source/anchors
- RHEL / RedHat:
/etc/pki/ca-trust/source/anchors
After copying certificates to the required path, run the OS update command, e.g.:
- Debian / Ubuntu (only PEM files with a .crt extension in that directory are picked up):
sudo update-ca-certificates
- RHEL / CentOS:
sudo update-ca-trust
For further information please refer to the OS vendor specific documentation.
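The following script is an added example, not part of this article or of Vault itself. It ties together the scenario above (enabling the LDAP auth method without a certificate parameter) and the trust store procedure (copy the PEM file to the distribution's anchor directory, run the update tool, restart Vault). The LDAP hostname, DNs, file names and the systemd unit name "vault" are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: stage a CA certificate in the OS trust store so the Vault
# LDAP auth method can validate the LDAP server's TLS certificate without
# the certificate= parameter. Hostnames, DNs and the "vault" systemd unit
# are assumptions, not values from the article.
set -eu

# Map the /etc/os-release ID to "anchor directory|update command" for the
# distributions covered in the article. Returns 1 for anything else.
trust_store_for() {
  case "$1" in
    ubuntu|debian) echo "/usr/local/share/ca-certificates|update-ca-certificates" ;;
    rhel|centos)   echo "/etc/pki/ca-trust/source/anchors|update-ca-trust" ;;
    *) echo "unsupported distribution: $1" >&2; return 1 ;;
  esac
}

# Destination for a PEM file inside the distribution's anchor directory.
# update-ca-certificates only picks up files ending in .crt, so the
# extension is always rewritten (harmless on RHEL / CentOS).
anchor_path() {
  local pem="$1" distro="$2" spec dir base
  spec=$(trust_store_for "$distro")
  dir=${spec%%|*}
  base=$(basename "$pem")
  echo "$dir/${base%.*}.crt"
}

# Reject anything that is not PEM before it lands in the trust store:
# a DER or PKCS#12 file would be silently ignored by the update tools.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

install_ca() {
  local pem="$1" distro="$2" spec cmd dest
  is_pem_cert "$pem" || { echo "$pem is not a PEM certificate" >&2; return 1; }
  spec=$(trust_store_for "$distro")
  cmd=${spec##*|}
  dest=$(anchor_path "$pem" "$distro")
  sudo install -m 0644 "$pem" "$dest"
  sudo "$cmd"
  # The trust store is read only at startup: restart the Vault process.
  # Repeat on every node in the cluster with the same CA file.
  sudo systemctl restart vault
}

# Configure the LDAP auth method relying on the OS trust store: there is
# no certificate= parameter and insecure_tls keeps its default (false),
# so the server certificate is still verified, now against the OS CAs.
configure_ldap_auth() {
  vault auth enable ldap
  vault write auth/ldap/config \
    url="ldaps://ldap.example.internal:636" \
    userdn="ou=Users,dc=example,dc=internal" \
    groupdn="ou=Groups,dc=example,dc=internal"
}

# Usage: ./ldap-ca-trust.sh --install /path/to/corp-root.pem
if [ "${1:-}" = "--install" ]; then
  distro=$(. /etc/os-release && echo "$ID")
  install_ca "$2" "$distro"
  configure_ldap_auth
fi
```

Run the script once per Vault node before (or without) configuring the certificate parameter; a Vault restart is required on each node because the trust store is loaded at startup. Verify the result by logging in with an LDAP user against an auth method whose config has no certificate set and insecure_tls=false.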
Related Links: