Introduction
Expected Outcome
Vault functions as an intermediate certificate authority with a Microsoft Active Directory Certificate Services (AD CS) node functioning as the root CA.
Prerequisites (if applicable)
- Vault with the PKI secrets engine enabled at pki/ (default mount path)
- Access to submit requests to your AD CS environment
Use Case
This article has been created to assist customers with this setup process. AD CS requires a certificate signing request to include the details of the template that it should use to create the certificate. This is the inverse of how a CA normally operates: usually the CA decides the certificate type and key usage values and ignores the values in the certificate signing request. Vault and many other tools do not include the certificate template information that AD CS requires in their certificate signing requests; however, with this procedure you can work around this and receive a certificate for use in Vault, signed by AD CS.
If you have attempted this process before reading this article and received an error from AD CS like "The request contains no certificate template information" or "The request does not contain a certificate template extension or the CertificateTemplate request attribute", this guide can help.
Procedure
- Step 1: Create an intermediate certificate signing request within Vault:
vault write -format=json pki/intermediate/generate/internal common_name="HashiCorp Test Intermediate CA" | jq -r '.data.csr' > pki_intermediate.csr
- Step 2: Copy the certificate signing request to the AD CS server.
- Step 3: Open a command prompt and issue the certreq command to submit the request. Note that we are instructing AD CS to use the 'SubCA' template, which can be viewed within the Certificate Templates folder with the Certification Authority MMC snap-in.
certreq -submit -attrib "CertificateTemplate:SubCA" pki_intermediate.csr
- Select the appropriate CA node to process the request and click OK:
- Save the certificate file generated by AD CS as intermediate-signed.cer, then copy it to the Vault node to be imported.
- Import the signed certificate into Vault:
vault write pki/intermediate/set-signed certificate=@intermediate-signed.cer
- The process is now complete: Vault can act as an intermediate certificate authority, with its certificate having been signed by an AD CS root.
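A check you can run on the Vault node between saving intermediate-signed.cer and importing it, added here as an example and not part of the original article: it confirms that the AD CS response carries the same public key as pki_intermediate.csr and that the template produced a CA certificate. It assumes openssl is installed on the Vault node; the function names are hypothetical.

```shell
# Added example (not from the original article). Assumes openssl is available.
# File names in the usage line are the ones used in the procedure above.

# Print a certificate as PEM, accepting either PEM or DER input
# (assumption: the .cer saved from AD CS may be in either encoding).
cert_as_pem() {
    openssl x509 -in "$1" -outform PEM 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -outform PEM 2>/dev/null
}

# check_signed_intermediate CSR CERT
# Returns 0 only if CERT parses, holds the same public key as CSR,
# and has basicConstraints CA:TRUE. Non-zero codes: 2 parse error,
# 3 key mismatch, 4 not a CA certificate.
check_signed_intermediate() {
    csr=$1
    cert=$2
    pem=$(cert_as_pem "$cert") ||
        { echo "cannot parse certificate $cert" >&2; return 2; }
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) ||
        { echo "cannot parse CSR $csr" >&2; return 2; }
    cert_key=$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey)

    # The certificate must be for the key pair Vault generated internally.
    if [ "$csr_key" != "$cert_key" ]; then
        echo "public key in $cert does not match $csr" >&2
        return 3
    fi
    # The template decides the certificate type, so confirm it is a CA cert.
    if ! printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
        echo "$cert lacks basicConstraints CA:TRUE" >&2
        return 4
    fi
    # Show what is about to be imported.
    printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate
}

# Usage:
#   check_signed_intermediate pki_intermediate.csr intermediate-signed.cer &&
#       vault write pki/intermediate/set-signed certificate=@intermediate-signed.cer
```

If the file turns out to be DER-encoded, `cert_as_pem intermediate-signed.cer > intermediate-signed.pem` gives a PEM copy to pass to the import step.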
Additional Information
- Note that if the user or computer account you are using to submit the request to AD CS does not have the requisite permissions to request a certificate using the Subordinate Certification Authority template, the permissions on this certificate template will need to be updated.