In most cases the CA certificate is specified for each instance of the Vault LDAP authentication method using the configuration parameter certificate. While this is configurable per authentication method, this article documents an alternative way of presenting the CA certificate.
Vault also reads certificates stored in the operating system (OS) certificate trust store for the LDAP authentication method, so you may use that instead of specifying the CA certificate via the certificate parameter, which may then be omitted altogether when initially configuring the method.
This trust store is read during Vault startup only. CA certificates added to the OS trust store require a restart of the Vault process before the LDAP authentication method can use them to establish new LDAP connections to the configured server address.
- Multiple CAs may be added to the OS certificate trust store.
- Identical CA certificates are expected in the OS trust store path(s) of all the Vault nodes within a cluster.
The OS trust store can be leveraged to supply CA certificates to the LDAP authentication method. This proves useful when multiple LDAP authentication methods are configured to connect to LDAP servers and those servers serve certificates issued by the same Certificate Authority.
In these cases the CA certificate does not need to be provided as part of the configuration step.
CA certificate trust stores are stored in different locations depending on the Linux distribution and flavour.
Here are the default OS trust store paths for some Linux distributions:
- RHEL / RedHat:
After copying certificates to the required path, run the OS trust store update command, e.g.:
Debian / Ubuntu: sudo update-ca-certificates
RHEL OS / CentOS: sudo update-ca-trust
For further information please refer to the OS vendor specific documentation.
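The following Go program is an added example and is not part of this article or of Vault's own code. It shows the check an operator would want to run before restarting Vault: does the LDAP server's certificate actually chain to a CA placed in the trust store? Vault is written in Go, so the example uses the same crypto/x509 verification; the root CA, the server certificate and the host name ldap.example.test are constructed in memory (hypothetical values), and a temporary directory stands in for the OS anchors directory. The directory is loaded into a certificate pool twice, once before and once after the CA file is written there, which mirrors the point above: a pool built at process start does not see a CA added later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// issue signs tmpl with the parent's key; when parent is nil the result is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MakeLab builds a constructed root CA and a server certificate for the hypothetical
// LDAP host ldap.example.test; these stand in for an operator's real CA and LDAP server.
func MakeLab() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Lab Root CA (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ldap.example.test"},
		DNSNames:     []string{"ldap.example.test"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf, err
}

// PoolFromDir loads every .pem/.crt file in dir into a pool, the way a process builds
// its root pool from an OS trust-store directory at startup. It returns the CA count.
func PoolFromDir(dir string) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, 0, err
	}
	for _, e := range entries {
		if ext := filepath.Ext(e.Name()); e.IsDir() || (ext != ".pem" && ext != ".crt") {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, 0, err
		}
		if pool.AppendCertsFromPEM(data) {
			n++
		}
	}
	return pool, n, nil
}

// WritePEM stores cert as a PEM file, as an operator copies a CA into the anchors path.
func WritePEM(path string, cert *x509.Certificate) error {
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), 0o644)
}

// VerifyLDAPServerCert checks that leaf chains to a root in pool and is valid for host,
// the same checks a TLS client performs when connecting to ldaps://host.
func VerifyLDAPServerCert(leaf *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, leaf, err := MakeLab()
	if err != nil {
		panic(err)
	}
	store, _ := os.MkdirTemp("", "anchors") // stand-in for the OS trust-store directory
	defer os.RemoveAll(store)
	pool, n, _ := PoolFromDir(store) // pool built "at startup", before the CA was copied in
	fmt.Printf("before install: %d CAs, verify: %v\n", n, VerifyLDAPServerCert(leaf, pool, "ldap.example.test"))
	_ = WritePEM(filepath.Join(store, "lab-ca.pem"), ca)
	pool, n, _ = PoolFromDir(store) // a fresh load, which Vault only does on restart
	fmt.Printf("after install:  %d CAs, verify: %v\n", n, VerifyLDAPServerCert(leaf, pool, "ldap.example.test"))
}
```

The first verification fails with an unknown-authority error and the second succeeds only because the pool was rebuilt from the directory; a running process that keeps the first pool would keep failing, which is the restart requirement described above. VerifyLDAPServerCert also fails on a host name that is not in the certificate, so the same function catches a CA that is installed correctly but a server certificate issued for the wrong name.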