Skip to main content
Perform the following tasks to initialize the vault and then test the PKI operations:
  1. Initialize Vault.
  2. Generate managed keys on the CryptoHub for the Root and Intermediate CA.
  3. Enable the PKI secrets engine for the Root and Intermediate CA.
  4. Create a Root CA certificate from the managed key generated on the CryptoHub.
  5. Create a CSR for the Intermediate CA from the managed key generated on the CryptoHub.
  6. Use the managed Root CA to issue the Intermediate CA certificate from a CSR.
  7. Issue a leaf certificate from the managed Intermediate CA.

Initialize Vault

Before performing PKI operations, you must initialize, unseal (if required), and log in to Vault.
1
In a different terminal window from where Vault is running, set the VAULT_ADDR and PIN environment variables.
Shell
$ export VAULT_ADDR='http://127.0.0.1:8200'

$ export PIN='identity_password'
Set the PIN value to the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
2
Check the Vault status.
Shell
$ vault status
The output should look similar to the following example:
Text
Key                      Value
---                      -----
Recovery Seal Type       pkcs11
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  n/a
HA Enabled               false
3
Initialize Vault.
We do not recommend using 1 for both the key shares and the key threshold in production.
Shell
$ vault operator init -key-shares=1 -key-threshold=1
The output should look similar to the following example:
None
Unseal Key 1: qK4pHBY46Zxg2nt/cMgeLGh01Kh9SQ1ChOIDHPe/kmg=

Initial Root Token: hvs.iYjhzPiwz00bpqX6rmzSe7yj

Success! Vault is initialized

Recovery key initialized with 1 key shares and a key threshold 
of 1. Please securely distribute the key shares printed above.
4
If you did not configure HSM auto-unseal, you must unseal Vault manually:
Shell
$ vault operator unseal <Unseal Key 1 provided from above>
5
Log in to Vault.
Shell
$ vault login <Initial Root Token provided from above>

Generate managed keys

Perform the following steps to generate managed keys on the CryptoHub for the Root and Intermediate CA:
1
Generate a managed key on the CryptoHub for the Root CA.
Shell
$ vault write /sys/managed-keys/pkcs11/hsm-key-root library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-root" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
You must always set the value specified in the token_label field to Futurex.
The value specified in the library field must match the value set in the name field of the kms_library stanza in the following Vault configuration file.
Text
# Provide your Futurex HSM connection information
kms_library "pkcs11" {
    name="hsm1"
    library = "/usr/local/bin/fxpkcs11/libfxpkcs11-Debug.so"
}
2
Generate a managed key on the CryptoHub for the Intermediate CA.
Shell
$ vault write /sys/managed-keys/pkcs11/hsm-key-int library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-int" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
3
Verify that the key configuration has been written to Vault.
Shell
$ vault list /sys/managed-keys/pkcs11
4
Verify that the key configurations are valid by test-signing some data.
Shell
$ vault write -f /sys/managed-keys/pkcs11/hsm-key-root/test/sign

$ vault write -f /sys/managed-keys/pkcs11/hsm-key-int/test/sign

Enable the PKI secrets engine

Perform the following steps to enable the PKI secrets engine for the Root and Intermediate CA:
1
Enable the PKI secrets engine for the Root CA.
Shell
$ vault secrets enable -path=pki -allowed-managed-keys=hsm-key-root pki
2
Enable the PKI secrets engine for the Intermediate CA.
Shell
$ vault secrets enable -path=pki_int -allowed-managed-keys=hsm-key-int pki

Create a Root certificate

Perform the following steps to create a Root CA certificate from the managed key generated on the CryptoHub:
1
Create a Root CA certificate with its corresponding managed key and output it to a file.
Shell
$ vault write -field=certificate pki/root/generate/kms managed_key_name=hsm-key-root common_name=example.com ttl=8760h > /tmp/CA_cert.crt
2
Verify the certificate looks correct.
Shell
$ cat /tmp/CA_cert.crt

Create a CSR

Perform the following steps to create a Certificate Signing Request (CSR) for the Intermediate CA from the managed key generated on the CryptoHub:
1
Create a CSR for the Intermediate CA with its corresponding managed key and output it to a file.
The following command requires installing the jq package, which processes JSON output, on your system.
Shell
$ vault write -format=json pki_int/intermediate/generate/kms managed_key_name=hsm-key-int common_name="example.com" | jq -r '.data.csr' > /tmp/pki_intermediate.csr
2
Verify the CSR looks correct.
Shell
$ cat /tmp/pki_intermediate.csr

Use the Root CA to issue the certificate

Perform the following steps to use the managed Root CA to issue the Intermediate CA certificate from a CSR:
1
Issue the Intermediate CA certificate from the CSR by using the managed Root CA and output it to a file.
The following command requires installing the jq package, which processes JSON output, on your system.
Shell
$ vault write -format=json pki/root/sign-intermediate csr=@/tmp/pki_intermediate.csr format=pem_bundle ttl="43800h" | jq -r '.data.certificate' > /tmp/intermediate.cert.pem
2
Write the signed Intermediate CA certificate to Vault.
Shell
$ vault write pki_int/intermediate/set-signed certificate=@/tmp/intermediate.cert.pem

Issue a leaf certificate

Perform the following steps to issue a leaf certificate from the managed Intermediate CA:
1
Create a new role.
Shell
$ vault write pki_int/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"
2
Issue a leaf certificate.
Shell
$ vault write -format=json pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"