This section shows several PKI operations to demonstrate how to create Root and Intermediate CAs, which can then issue leaf certificates under them.

Initialize Vault

Before performing the test PKI operations, perform the following steps to initialize, unseal (if required), and log in to Vault:
1
In a different terminal window from the one where Vault is running, run the following commands to set the VAULT_ADDR environment variable and the PIN environment variable (the HSM PIN, which the managed-key commands later pass as pin=$PIN). Quote the PIN so that the shell does not interpret special characters in it.
Shell
export VAULT_ADDR='http://127.0.0.1:8200'
export PIN='<HSM_PIN>'
2
Run the following command to check the Vault status.
Shell
vault status
If the operation succeeds, the output should be similar to the following example:
Shell
Key                      Value
---                      -----
Recovery Seal Type       pkcs11
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  n/a
HA Enabled               false
3
Run the following command to initialize Vault:
Shell
vault operator init -key-shares=1 -key-threshold=1
We do not recommend using 1 for both the key shares and the key threshold in production.
If the operation succeeds, the output should be similar to the following example:
Shell
Unseal Key 1: qK4pHBY46Zxg2nt/cMgeLGh01Kh9SQ1ChOIDHPe/kmg=

Initial Root Token: hvs.iYjhzPiwz00bpqX6rmzSe7yj

Success! Vault is initialized

Recovery key initialized with 1 key shares and a key threshold of 1. Please
securely distribute the key shares printed above.
4
If the HSM auto unseal is not configured, run the following command to unseal Vault manually:
Shell
vault operator unseal <Unseal Key 1 provided from above>
5
Run the following command to log in to Vault:
Shell
vault login <Initial Root Token provided from above>

Generate managed keys

Perform the following steps to generate managed keys on the KMES Series 3 for the Root and intermediate CA:
1
Run the following command to generate a managed key on the KMES Series 3 for the Root CA:
Shell
vault write /sys/managed-keys/pkcs11/hsm-key-root library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-root" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
The value specified in the library field in the preceding command must match the value set in the name field of the kms_library stanza in the Vault configuration file (shown in the following example). The value specified in the token_label field in the preceding command must be Futurex.
HCL
# Provide your Futurex HSM connection information
kms_library "pkcs11" {
  name="hsm1"
  library = "/usr/local/bin/fxpkcs11/libfxpkcs11-Debug.so"
}
2
Run the following command to generate a managed key on the KMES for the intermediate CA:
Shell
vault write /sys/managed-keys/pkcs11/hsm-key-int library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-int" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
3
Run the following command to verify that the key configurations have been written to Vault:
Shell
vault list /sys/managed-keys/pkcs11
4
Run the following commands to verify that the key configurations are valid by test signing some data:
Shell
vault write -f /sys/managed-keys/pkcs11/hsm-key-root/test/sign
vault write -f /sys/managed-keys/pkcs11/hsm-key-int/test/sign

Enable the PKI Secrets Engine

Perform the following steps to enable the PKI Secrets Engine for the Root and intermediate CA:
1
Run the following command to enable the PKI secrets engine for the Root CA:
Shell
vault secrets enable -path=pki -allowed-managed-keys=hsm-key-root pki
2
Run the following command to enable the PKI secrets engine for the Intermediate CA:
Shell
vault secrets enable -path=pki_int -allowed-managed-keys=hsm-key-int pki

Create a Root CA certificate

Perform the following steps to create a Root CA certificate with the corresponding managed key that you generated and stored on the KMES Series 3:
1
Run the following command to create a Root CA certificate with its corresponding managed key and output it to a file:
Shell
vault write -field=certificate pki/root/generate/kms managed_key_name=hsm-key-root common_name=example.com ttl=8760h > /tmp/CA_cert.crt
2
Run the following command to verify that the certificate looks correct:
Shell
cat /tmp/CA_cert.crt

Create a CSR

Perform the following steps to create a CSR for the intermediate CA with the managed key that you generated and stored on the KMES Series 3:
1
Run the following command to create a CSR for the intermediate CA with its corresponding managed key and output it to a file:
The following command requires you to install the jq package on your system. This package processes JSON output.
Shell
vault write -format=json pki_int/intermediate/generate/kms managed_key_name=hsm-key-int common_name="example.com" | jq -r '.data.csr' > /tmp/pki_intermediate.csr
2
Run the following command to verify that the CSR looks correct:
Shell
cat /tmp/pki_intermediate.csr

Sign the CA certificate

Perform the following steps to sign the intermediate CA certificate with the managed Root CA:
1
Run the following command to sign the intermediate CA certificate with the managed Root CA and output it to a file:
The following command requires you to install the jq package on your system. This package processes JSON output.
Shell
vault write -format=json pki/root/sign-intermediate csr=@/tmp/pki_intermediate.csr format=pem_bundle ttl="43800h" | jq -r '.data.certificate' > /tmp/intermediate.cert.pem
2
Run the following command to write the signed Intermediate CA certificate to Vault:
Shell
vault write pki_int/intermediate/set-signed certificate=@/tmp/intermediate.cert.pem

Issue a leaf certificate

Perform the following steps to issue a leaf certificate from the intermediate CA:
1
Run the following command to create a new role:
Shell
vault write pki_int/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"
2
Run the following command to issue a leaf certificate:
Shell
vault write -format=json pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"
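The tutorial's "verify that it looks correct" steps only cat the files. The following script is an added example, not part of the Vault or Futurex documentation, that checks the artifacts of the whole procedure offline with the openssl CLI: that the intermediate CSR's self-signature verifies, that the root and intermediate carry basicConstraints CA:TRUE while the leaf does not, what key size each CA certificate has, and that the leaf chains to the root through the intermediate. It uses the file paths the tutorial writes (/tmp/CA_cert.crt, /tmp/pki_intermediate.csr, /tmp/intermediate.cert.pem); the leaf path /tmp/leaf.cert.pem is an assumption, filled by piping the final pki_int/issue output through jq -r '.data.certificate'. Each path can be overridden with the environment variable of the same name.

```shell
#!/bin/sh
# Added example, not part of the tutorial: offline sanity checks on the files
# the procedure above writes, using only the openssl CLI (no Vault needed).
# ROOT_CERT, INT_CSR and INT_CERT are the paths the tutorial uses; LEAF_CERT is
# an assumed path, filled by piping the final "pki_int/issue" output through
#   jq -r '.data.certificate' > /tmp/leaf.cert.pem
ROOT_CERT="${ROOT_CERT:-/tmp/CA_cert.crt}"
INT_CSR="${INT_CSR:-/tmp/pki_intermediate.csr}"
INT_CERT="${INT_CERT:-/tmp/intermediate.cert.pem}"
LEAF_CERT="${LEAF_CERT:-/tmp/leaf.cert.pem}"

# Succeeds when the CSR's self-signature verifies: the request was produced by
# the holder of the HSM-resident intermediate key and has not been altered
# between generate/kms and sign-intermediate.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Succeeds when the certificate carries basicConstraints CA:TRUE. The root and
# the intermediate need it; a leaf must not have it.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Prints the public key size in bits (2048 for the keys generated above),
# parsed from the "Public-Key: (N bit)" line of the text dump.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds when the leaf ($3) chains to the trusted root ($1) through the
# intermediate ($2): signatures, validity dates and CA flags are all checked.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Runs every check against the tutorial's files; returns non-zero on any failure.
check_all() {
    rc=0
    csr_signature_ok "$INT_CSR" && echo "ok   CSR signature: $INT_CSR" \
        || { echo "FAIL CSR signature: $INT_CSR"; rc=1; }
    for c in "$ROOT_CERT" "$INT_CERT"; do
        cert_is_ca "$c" && echo "ok   CA:TRUE ($(cert_key_bits "$c") bit): $c" \
            || { echo "FAIL CA:TRUE missing: $c"; rc=1; }
    done
    cert_is_ca "$LEAF_CERT" && { echo "FAIL leaf is marked CA: $LEAF_CERT"; rc=1; } \
        || echo "ok   leaf is not a CA: $LEAF_CERT"
    chain_verifies "$ROOT_CERT" "$INT_CERT" "$LEAF_CERT" \
        && echo "ok   chain root -> intermediate -> leaf verifies" \
        || { echo "FAIL chain does not verify"; rc=1; }
    return $rc
}

# Run the checks only when invoked directly with --run, e.g.:
#   sh check_chain.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Save the script, extract the leaf certificate from the last step's JSON output to /tmp/leaf.cert.pem, and run it with --run; a non-zero exit status means at least one check failed. A failed chain_verifies after set-signed typically means the wrong certificate was written to pki_int, and a missing CA:TRUE on the intermediate means it was signed through an endpoint that did not mark it as a CA.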