Key management
Managed Keys

Test PKI operations

7min

This section shows several PKI operations to demonstrate how to create Root and Intermediate CAs, which can then issue leaf certificates under them.

Initialize Vault

Before performing the test PKI operations, perform the following steps to initialize, unseal (if required), and log in to Vault:

1

In a different terminal window from where Vault is running, run the following commands to set the VAULT_ADDR and PIN environment variables.

Shell

2

Run the following command to check the Vault status.

Shell


If the operation succeeds, the output should be similar to the following example:

Shell

3

Run the following command to initialize Vault:

Shell


We do not recommend using 1 for both the key shares and the key threshold in production.

If the operation succeeds, the output should be similar to the following example:

Shell

4

If HSM auto unseal is not configured, run the following command to unseal Vault manually:

Shell

5

Run the following command to log in to Vault:

Shell


Generate managed keys on the KMES Series 3 for the Root and intermediate CA

1

Run the following command to generate a managed key on the KMES Series 3 for the Root CA:

Shell


The value specified in the library field in the preceding command must match the value set in the name field of the kms_library stanza in the Vault configuration file (shown in the following example). The value specified in the token_label field in the preceding command must be Futurex.

Text

2

Run the following command to generate a managed key on the KMES for the intermediate CA:

Shell

3

Run the following command to verify that the key configurations have been written to Vault:

Shell

4

Run the following commands to verify that the key configurations are valid by test signing some data:

Shell


Enable the PKI Secrets Engine for the Root and intermediate CA

1

Run the following command to enable the PKI secrets engine for the Root CA:

Shell

2

Run the following command to enable the PKI secrets engine for the Intermediate CA:

Shell


Create a Root CA certificate with the corresponding managed key that you generated and stored on the KMES Series 3

1

Run the following command to create a Root CA certificate with its corresponding managed key and output it to a file:

Shell

2

Run the following command to verify that the certificate looks correct:

Text


Create a CSR for the intermediate CA with the managed key that you generated and stored on the KMES Series 3

1

Run the following command to create an Intermediate CA certificate with its corresponding managed key and output it to a file:

The following command requires you to install the jq package on your system. This package processes JSON output.

Shell

2

Run the following command to verify that the certificate looks correct:

Shell


Sign the intermediate CA certificate with the managed Root CA

1

Run the following command to sign the intermediate CA certificate with the managed Root CA and output it to a file:

The following command requires you to install the jq package on your system. This package processes JSON output.

Shell

2

Run the following command to write the signed Intermediate CA certificate to Vault:

Shell


Issue a leaf certificate from the intermediate CA

1

Run the following command to create a new role:

Shell

2

Run the following command to issue a leaf certificate:

Shell