Test PKI operations

7min

This section shows how to initialize the vault and then test the PKI operations.
Initialize Vault
Before performing PKI operations, you must initialize, unseal (if required), and log in to Vault.
1
In a different terminal window from where Vault is running, set the VAULT_ADDR and PIN environment variables.
Shell
$ export VAULT_ADDR='http://127.0.0.1:8200'

$ export PIN='identity_password'
$ export VAULT_ADDR='http://127.0.0.1:8200'

$ export PIN='identity_password'
﻿
Set the PIN value to the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
2
Check the Vault status.
Shell
$ vault status
$ vault status
﻿
The output should look similar to the following example:
Text
Key                      Value
---                      -----
Recovery Seal Type       pkcs11
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  n/a
HA Enabled               false
Key                      Value
---                      -----
Recovery Seal Type       pkcs11
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  n/a
HA Enabled               false
﻿
3
Initialize Vault.
We do not recommend using 1 for both the key shares and the key threshold in production.
Shell
$ vault operator init -key-shares=1 -key-threshold=1
$ vault operator init -key-shares=1 -key-threshold=1
﻿
The output should look similar to the following example:
Text
Unseal Key 1: qK4pHBY46Zxg2nt/cMgeLGh01Kh9SQ1ChOIDHPe/kmg=

Initial Root Token: hvs.iYjhzPiwz00bpqX6rmzSe7yj

Success! Vault is initialized

Recovery key initialized with 1 key shares and a key threshold of 1. Please securely distribute the key shares printed above.
Unseal Key 1: qK4pHBY46Zxg2nt/cMgeLGh01Kh9SQ1ChOIDHPe/kmg=

Initial Root Token: hvs.iYjhzPiwz00bpqX6rmzSe7yj

Success! Vault is initialized

Recovery key initialized with 1 key shares and a key threshold of 1. Please securely distribute the key shares printed above.
﻿
4
If you did not configure HSM auto unseal, you must unseal Vault manually:
Shell
$ vault operator unseal <Unseal Key 1 provided from above>
$ vault operator unseal <Unseal Key 1 provided from above>
﻿
5
Log in to Vault.
Shell
$ vault login <Initial Root Token provided from above>
$ vault login <Initial Root Token provided from above>
﻿
Generate managed keys on the  for the Root and Intermediate CA
1
Generate a managed key on the  for the Root CA.
Shell
$ vault write /sys/managed-keys/pkcs11/hsm-key-root library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-root" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
$ vault write /sys/managed-keys/pkcs11/hsm-key-root library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-root" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
﻿
You must always set the value specified in the token_label field to Futurex. 
The value specified in the library field must match the value set in the name field of the kms_library stanza in the following Vault configuration file.
Text
# Provide your Futurex HSM connection information
kms_library "pkcs11" {
    name="hsm1"
    library = "/usr/local/bin/fxpkcs11/libfxpkcs11-Debug.so"
}
# Provide your Futurex HSM connection information
kms_library "pkcs11" {
    name="hsm1"
    library = "/usr/local/bin/fxpkcs11/libfxpkcs11-Debug.so"
}
﻿
2
Generate a managed key on the  for the Intermediate CA.
Shell
$ vault write /sys/managed-keys/pkcs11/hsm-key-int library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-int" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
$ vault write /sys/managed-keys/pkcs11/hsm-key-int library=hsm1 token_label=Futurex pin=$PIN key_label="hsm-key-int" allow_generate_key=true allow_store_key=true mechanism=0x0001 key_bits=2048 any_mount=false
﻿
3
Verify that the key configuration has been written to Vault.
Shell
$ vault list /sys/managed-keys/pkcs11
$ vault list /sys/managed-keys/pkcs11
﻿
4
Verify that the key configurations are valid by test signing some data.
Shell
$ vault write -f /sys/managed-keys/pkcs11/hsm-key-root/test/sign

$ vault write -f /sys/managed-keys/pkcs11/hsm-key-int/test/sign
$ vault write -f /sys/managed-keys/pkcs11/hsm-key-root/test/sign

$ vault write -f /sys/managed-keys/pkcs11/hsm-key-int/test/sign
﻿
Enable the PKI secrets engine for the Root and Intermediate CA
1
Enable the PKI secrets engine for the Root CA.
Shell
$ vault secrets enable -path=pki -allowed-managed-keys=hsm-key-root pki
$ vault secrets enable -path=pki -allowed-managed-keys=hsm-key-root pki
﻿
2
Enable the PKI secrets engine for the Intermediate CA.
Shell
$ vault secrets enable -path=pki_int -allowed-managed-keys=hsm-key-int pki
$ vault secrets enable -path=pki_int -allowed-managed-keys=hsm-key-int pki
﻿
Create a Root CA certificate from the managed key generated on the ﻿
1
Create a Root CA certificate with its corresponding managed key and output it to a file.
Shell
$ vault write -field=certificate pki/root/generate/kms managed_key_name=hsm-key-root common_name=example.com ttl=8760h > /tmp/CA_cert.crt
$ vault write -field=certificate pki/root/generate/kms managed_key_name=hsm-key-root common_name=example.com ttl=8760h > /tmp/CA_cert.crt
﻿
2
Verify the certificate looks correct.
Shell
$ cat /tmp/CA_cert.crt
$ cat /tmp/CA_cert.crt
﻿
Create a Certificate Signing Request (CSR) for the Intermediate CA from the managed key generated on the ﻿
1
Create a CSR for the Intermediate CA with its corresponding managed key and output it to a file.
The following command requires installing the jq package, which processes JSON output, on your system. 
Shell
$ vault write -format=json pki_int/intermediate/generate/kms managed_key_name=hsm-key-int common_name="example.com" | jq -r '.data.csr' > /tmp/pki_intermediate.csr
$ vault write -format=json pki_int/intermediate/generate/kms managed_key_name=hsm-key-int common_name="example.com" | jq -r '.data.csr' > /tmp/pki_intermediate.csr
﻿
2
Verify the CSR looks correct.
Shell
$ cat /tmp/pki_intermediate.csr
$ cat /tmp/pki_intermediate.csr
﻿
Use the managed Root CA to issue the Intermediate CA certificate from a CSR
1
Issue the Intermediate CA certificate from the CSR by using the managed Root CA and output it to a file.
The following command requires installing the jq package, which processes JSON output, on your system. 
Shell
$ vault write -format=json pki/root/sign-intermediate csr=@/tmp/pki_intermediate.csr format=pem_bundle ttl="43800h" | jq -r '.data.certificate' > /tmp/intermediate.cert.pem
$ vault write -format=json pki/root/sign-intermediate csr=@/tmp/pki_intermediate.csr format=pem_bundle ttl="43800h" | jq -r '.data.certificate' > /tmp/intermediate.cert.pem
﻿
2
Write the signed Intermediate CA certificate to Vault.
Shell
$ vault write pki_int/intermediate/set-signed certificate=@/tmp/intermediate.cert.pem
$ vault write pki_int/intermediate/set-signed certificate=@/tmp/intermediate.cert.pem
﻿
Issue a leaf certificate from the managed Intermediate CA
1
Create a new role.
Shell
$ vault write pki_int/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"
$ vault write pki_int/roles/example-dot-com allowed_domains="example.com" allow_subdomains=true max_ttl="720h"
﻿
2
Issue a leaf certificate.
Shell
$ vault write -format=json pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"
$ vault write -format=json pki_int/issue/example-dot-com common_name="test.example.com" ttl="24h"
﻿
﻿
﻿
﻿

Updated 04 Dec 2024

Did this page help you?

Install and configure HashiCorp Vault

Key Lifecycle Management

Test PKI operations

Initialize Vault

Generate managed keys on the for the Root and Intermediate CA

Enable the PKI secrets engine for the Root and Intermediate CA

Create a Root CA certificate from the managed key generated on the ﻿

Create a Certificate Signing Request (CSR) for the Intermediate CA from the managed key generated on the ﻿

Use the managed Root CA to issue the Intermediate CA certificate from a CSR

Issue a leaf certificate from the managed Intermediate CA

Create a Root CA certificate from the managed key generated on the

Create a Certificate Signing Request (CSR) for the Intermediate CA from the managed key generated on the