Testing PKI operations

7 min

this section demonstrates through several pki operations how to create root and intermediate cas, which can then issue leaf certificates under them initialize vault before performing the test pki operations, perform the following steps to initialize, unseal (if required), and log in to vault in a different terminal window from where vault is running, run the following commands to set the vault addr and pin environment variables export vault addr='http //127 0 0 1 8200' export pin='safest' run the following command to check the vault status vault status if the operation succeeds, the output should be similar to the following example key value \ recovery seal type pkcs11 initialized false sealed true total recovery shares 0 threshold 0 unseal progress 0/0 unseal nonce n/a version n/a ha enabled false run the following command to initialize vault vault operator init key shares=1 key threshold=1 we do not recommend using 1 for both the key shares and the key threshold in production if the operation succeeds, the output should be similar to the following example unseal key 1 qk4phby46zxg2nt/cmgelgh01kh9sq1choidhpe/kmg= initial root token hvs iyjhzpiwz00bpqx6rmzse7yj success! vault is initialized recovery key initialized with 1 key shares and a key threshold of 1 please securely distribute the key shares printed above optionally, if hsm auto unseal is not configured, run the following command to unseal vault manually vault operator unseal \<unseal key 1 provided from above> run the following command to log in to vault vault login \<initial root token provided from above> generate managed keys on the hsm for the root and intermediate ca run the following command to generate a managed key on the hsm for the root ca the value specified in the library field in the preceding command must match the value set in the name field of the kms library stanza in the vault configuration file (shown in the following example) # provide your futurex hsm connection information kms library "pkcs11" { name="hsm1" library = "/usr/local/bin/fxpkcs11/libfxpkcs11 debug so" } the value specified in the token label field in the preceding command must be futurex vault write /sys/managed keys/pkcs11/hsm key root library=hsm1 token label=futurex pin=$pin key label="hsm key root" allow generate key=true allow store key=true mechanism=0x0001 key bits=2048 any mount=false run the following command to generate a managed key on the hsm for the intermediate ca vault write /sys/managed keys/pkcs11/hsm key int library=hsm1 token label=futurex pin=$pin key label="hsm key int" allow generate key=true allow store key=true mechanism=0x0001 key bits=2048 any mount=false run the following command to verify that the key configurations were written to vault vault list /sys/managed keys/pkcs11 run the following commands to verify that the key configurations are valid by test signing some data vault write f /sys/managed keys/pkcs11/hsm key root/test/sign vault write f /sys/managed keys/pkcs11/hsm key int/test/sign enable the pki secrets engine for the root and intermediate ca run the following command to enable the pki secrets engine for the root ca vault secrets enable path=pki allowed managed keys=hsm key root pki run the following command to enable the pki secrets engine for the intermediate ca vault secrets enable path=pki int allowed managed keys=hsm key int pki create a root ca certificate with the corresponding managed key that you generated and stored on the hsm run the following command to create a root ca certificate with its corresponding managed key and output it to a file vault write field=certificate pki/root/generate/kms managed key name=hsm key root common name=example com ttl=8760h > /tmp/ca cert crt run the following command to verify that the certificate looks correct cat /tmp/ca cert crt create a csr for the intermediate ca with the managed key that you generated and stored on the hsm run the following command to create an intermediate ca certificate with its corresponding managed key and output it to a file the following command requires you to install the jq package on your system this package processes json output vault write format=json pki int/intermediate/generate/kms managed key name=hsm key int common name="example com" | jq r ' data csr' > /tmp/pki intermediate csr run the following command to verify that the certificate looks correct cat /tmp/pki intermediate csr sign the intermediate ca certificate with the managed root ca run the following command to sign the intermediate ca certificate with the managed root ca and output it to a file the following command requires you to install the jq package on your system this package processes json output vault write format=json pki/root/sign intermediate csr=@/tmp/pki intermediate csr format=pem bundle ttl="43800h" | jq r ' data certificate' > /tmp/intermediate cert pem run the following command to write the signed intermediate ca certificate to vault vault write pki int/intermediate/set signed certificate=@/tmp/intermediate cert pem issue a leaf certificate from the intermediate ca run the following command to create a new role vault write pki int/roles/example dot com allowed domains="example com" allow subdomains=true max ttl="720h" run the following command to issue a leaf certificate vault write format=json pki int/issue/example dot com common name="test example com" ttl="24h"

Configure the Futurex PKCS #11 Library with HashiCorp Vault

Appendix: Configuring Vault to use a key manually generated on the HSM