Key management
HashiCorp Vault Managed Keys
Test PKI operations
Perform the following tasks to initialize Vault and then test the PKI operations:

- Initialize Vault.
- Generate managed keys on the {{ch}} for the root and intermediate CA.
- Enable the PKI secrets engine for the root and intermediate CA.
- Create a root CA certificate from the managed key generated on the {{ch}}.
- Create a CSR for the intermediate CA from the managed key generated on the {{ch}}.
- Use the managed root CA to issue the intermediate CA certificate from a CSR.
- Issue a leaf certificate from the managed intermediate CA.

Initialize Vault

Before performing PKI operations, you must initialize, unseal (if required), and log in to Vault.

1. In a different terminal window from the one where Vault is running, set the VAULT_ADDR and PIN environment variables:

   $ export VAULT_ADDR='http://127.0.0.1:8200'
   $ export PIN='identity password'

   Set the PIN value to the {{ch}} identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

2. Check the Vault status:

   $ vault status

   The output should look similar to the following example:

   Key                      Value
   ---                      -----
   Recovery Seal Type       pkcs11
   Initialized              false
   Sealed                   true
   Total Recovery Shares    0
   Threshold                0
   Unseal Progress          0/0
   Unseal Nonce             n/a
   Version                  n/a
   HA Enabled               false

3. Initialize Vault. We do not recommend using 1 for both the key shares and the key threshold in production:

   $ vault operator init -key-shares=1 -key-threshold=1

   The output should look similar to the following example:

   Unseal Key 1: qk4phby46zxg2nt/cmgelgh01kh9sq1choidhpe/kmg=

   Initial Root Token: hvs.iyjhzpiwz00bpqx6rmzse7yj

   Success! Vault is initialized

   Recovery key initialized with 1 key shares and a key threshold of 1. Please
   securely distribute the key shares printed above.

4. If you did not configure HSM auto-unseal, you must unseal Vault manually:

   $ vault operator unseal <Unseal Key 1 provided from above>

5. Log in to Vault:

   $ vault login <Initial Root Token provided from above>

Generate managed keys

Perform the following steps to generate managed keys on the {{ch}} for the root and intermediate CA.

1. Generate a managed key on the {{ch}} for the root CA:

   $ vault write /sys/managed-keys/pkcs11/hsm-key-root library=hsm1 token_label=futurex pin=$PIN key_label="hsm-key-root" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false

   You must always set the value specified in the token_label field to futurex. The value specified in the library field must match the value set in the name field of the kms_library stanza in the Vault configuration file:

   # Provide your Futurex HSM connection information
   kms_library "pkcs11" {
     name = "hsm1"
     library = "/usr/local/bin/fxpkcs11/libfxpkcs11-debug.so"
   }

2. Generate a managed key on the {{ch}} for the intermediate CA:

   $ vault write /sys/managed-keys/pkcs11/hsm-key-int library=hsm1 token_label=futurex pin=$PIN key_label="hsm-key-int" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false

3. Verify that the key configurations have been written to Vault:

   $ vault list /sys/managed-keys/pkcs11

4. Verify that the key configurations are valid by test-signing some data:

   $ vault write -f /sys/managed-keys/pkcs11/hsm-key-root/test/sign
   $ vault write -f /sys/managed-keys/pkcs11/hsm-key-int/test/sign

Enable the PKI secrets engine

Perform the following steps to enable the PKI secrets engine for the root and intermediate CA.

1. Enable the PKI secrets engine for the root CA:

   $ vault secrets enable -path=pki -allowed-managed-keys=hsm-key-root pki

2. Enable the PKI secrets engine for the intermediate CA:

   $ vault secrets enable -path=pki_int -allowed-managed-keys=hsm-key-int pki

Create a root certificate

Perform the following steps to create a root CA certificate from the managed key generated on the {{ch}}.

1. Create a root CA certificate with its corresponding managed key and output it to a file:

   $ vault write -field=certificate pki/root/generate/kms managed_key_name=hsm-key-root common_name=example.com ttl=8760h > /tmp/ca_cert.crt

2. Verify that the certificate looks correct:

   $ cat /tmp/ca_cert.crt

Create a CSR

Perform the following steps to create a certificate signing request (CSR) for the intermediate CA from the managed key generated on the {{ch}}.

1. Create a CSR for the intermediate CA with its corresponding managed key and output it to a file. The following command requires the jq package, which processes JSON output, to be installed on your system:

   $ vault write -format=json pki_int/intermediate/generate/kms managed_key_name=hsm-key-int common_name="example.com" | jq -r '.data.csr' > /tmp/pki_intermediate.csr

2. Verify that the CSR looks correct:

   $ cat /tmp/pki_intermediate.csr

Use the root CA to issue the certificate

Perform the following steps to use the managed root CA to issue the intermediate CA certificate from a CSR.

1. Issue the intermediate CA certificate from the CSR by using the managed root CA and output it to a file. The following command requires the jq package, which processes JSON output, to be installed on your system:

   $ vault write -format=json pki/root/sign-intermediate csr=@/tmp/pki_intermediate.csr format=pem_bundle ttl="43800h" | jq -r '.data.certificate' > /tmp/intermediate.cert.pem

2. Write the signed intermediate CA certificate to Vault:

   $ vault write pki_int/intermediate/set-signed certificate=@/tmp/intermediate.cert.pem

Issue a leaf certificate

Perform the following steps to issue a leaf certificate from the managed intermediate CA.

1. Create a new role:

   $ vault write pki_int/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"

2. Issue a leaf certificate:

   $ vault write -format=json pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"
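The role created in the last section decides which common names the pki_int/issue/example-dot-com endpoint will accept and how long the resulting leaf certificate may live. The following Python script is an added example, not part of the original page and not Vault's own code: it models the documented meaning of the role parameters allowed_domains, allow_subdomains, allow_bare_domains (Vault's default of false, which is why the bare name example.com is not issuable with this role), allow_wildcard_certificates and max_ttl, so that a request can be sanity-checked before it reaches Vault. The Role class, the check_issue_request function, the sample requests and the choice to cap an over-long ttl at max_ttl are this example's own assumptions; the role values themselves are the ones from the page.

```python
"""Model of the name and TTL constraints a Vault PKI role applies to an
issue request.  Added example (assumption-based model of the documented
role semantics, not Vault's implementation)."""

from dataclasses import dataclass
import re

DURATION_RE = re.compile(r"^(\d+)([smhd])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Parse a Vault-style duration such as '24h' or '720h' into seconds."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


@dataclass
class Role:
    """Subset of a PKI role, with Vault's documented defaults for the flags
    the page's command does not set."""
    allowed_domains: list
    allow_subdomains: bool = False
    allow_bare_domains: bool = False          # bare 'example.com' is NOT allowed by default
    allow_wildcard_certificates: bool = True  # '*.example.com' still needs allow_subdomains
    max_ttl: str = "720h"

    def name_allowed(self, common_name):
        """Return True if common_name is permitted by this role's domain settings."""
        cn = common_name.lower().rstrip(".")
        wildcard = cn.startswith("*.")
        if wildcard:
            if not self.allow_wildcard_certificates:
                return False
            cn = cn[2:]  # check the part after '*.' as a subdomain pattern
        for domain in self.allowed_domains:
            d = domain.lower()
            if cn == d:
                # A wildcard of the allowed domain is a subdomain pattern; the
                # bare domain itself needs allow_bare_domains.
                if self.allow_subdomains if wildcard else self.allow_bare_domains:
                    return True
                continue
            # Suffix match on '.' + domain: 'evil-example.com' must NOT match
            # 'example.com', only labels below it may.
            if self.allow_subdomains and cn.endswith("." + d):
                return True
        return False

    def effective_ttl(self, requested_ttl):
        """Return (ttl_seconds, was_capped); assumption: over-long TTLs are
        capped at max_ttl rather than rejected."""
        requested = parse_duration(requested_ttl)
        cap = parse_duration(self.max_ttl)
        return min(requested, cap), requested > cap


def check_issue_request(role, common_name, ttl):
    """Pre-flight an issue request: (ok, effective_ttl_seconds, messages)."""
    messages = []
    if not role.name_allowed(common_name):
        messages.append(f"common_name {common_name!r} is not permitted by allowed_domains")
        return False, 0, messages
    ttl_seconds, capped = role.effective_ttl(ttl)
    if capped:
        messages.append(f"requested ttl {ttl} exceeds max_ttl {role.max_ttl}; capped")
    return True, ttl_seconds, messages


# The role exactly as the page creates it (hypothetical Python mirror of the
# `vault write pki_int/roles/example-dot-com ...` command).
EXAMPLE_DOT_COM = Role(allowed_domains=["example.com"], allow_subdomains=True, max_ttl="720h")

if __name__ == "__main__":
    # Constructed sample requests; the first is the page's own issue command.
    for cn, ttl in [("test.example.com", "24h"), ("example.com", "24h"),
                    ("evil-example.com", "24h"), ("deep.sub.example.com", "8760h"),
                    ("*.example.com", "1h")]:
        print(f"{cn:22s} ttl={ttl:6s} -> {check_issue_request(EXAMPLE_DOT_COM, cn, ttl)}")
```

The suffix check is the part worth reading twice: matching on "." plus the allowed domain is what keeps a look-alike such as evil-example.com out, while any depth of label under example.com is accepted once allow_subdomains is set. To let the role issue for the bare name example.com as well, the role would need allow_bare_domains=true.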