Create an SSL cert for Vault


Last Updated: 8/21/2024

We are going to do this in a few steps.

Step 1: Create request for easy-rsa

The first thing we will do is create a text file somewhere, anywhere. In this case I am naming the file request.cnf. That file drives the creation of the CSR.

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName                = US
stateOrProvinceName        = Somestate
localityName               = Boomtown
organizationName           = Sparelabs Inc.
commonName                 = vault.sparelab.net
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = vault.sparelab.net
IP.1    = 192.168.160.24

Now we use the request.cnf file to make the initial request (the CSR). As part of this we also end up with a private key.

root@vault:~# openssl req -out request.csr -newkey rsa:2048 -nodes -keyout private.key -config request.cnf
...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+.+..............+......+.+...+...............+............+..+.+...........+.+++++++

Now we have the CSR file. We can feed this to easy-rsa.

Step 2: Import the request

root@easy-rsa:/home/ubuntu/easy-rsa# ./easyrsa import-req /tmp/request.csr vault
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

The request has been successfully imported with a short name of: vault
You may now use this name to perform signing operations on this request.

Step 3: Sign the request

We copied the request to the easy-rsa server before importing it; I would put the CSR in the /tmp directory. Now we can sign the request.

root@easy-rsa:/home/ubuntu/easy-rsa# ./easyrsa sign-req server vault
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    countryName               = US
    stateOrProvinceName       = Somestate
    localityName              = Boomtown
    organizationName          = Sparelabs Inc.
    commonName                = vault.sparelab.net

X509v3 Subject Alternative Name:
    DNS:vault.sparelab.net,IP:192.168.160.24


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /home/ubuntu/easy-rsa/pki/easy-rsa-50749.wyqR5k/tmp.RXdgm3
Enter pass phrase for /home/ubuntu/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Somestate'
localityName          :ASN.1 12:'Boomtown'
organizationName      :ASN.1 12:'Sparelabs Inc.'
commonName            :ASN.1 12:'vault.sparelab.net'
Certificate is to be certified until Nov 24 20:18:16 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/ubuntu/easy-rsa/pki/issued/vault.crt

What just happened? We used the easy-rsa utility to sign the request. It created the certificate and put it (in my case) in /home/ubuntu/easy-rsa/pki/issued/vault.crt.

Step 4: Put key and cert into place.

Now we put everything we have gathered into place.

Vault would have created self-signed certs when it started. Relying on those might be a very bad idea.

root@vault:/opt/vault/tls# ls -la
total 16
drwx------ 2 vault vault 4096 Aug 21 18:58 .
drwxr-xr-x 4 vault vault 4096 Aug 21 18:58 ..
-rw------- 1 vault vault 1850 Aug 21 18:58 tls.crt
-rw------- 1 vault vault 3272 Aug 21 18:58 tls.key

Important: Don't forget to add the Easy-RSA CA certificate to the server's list of CA certificates so that the server trusts the "vault" cert, which was signed by easy-rsa.

root@vault:/usr/local/share/ca-certificates# ls -la
total 12
drwxr-xr-x 2 root root 4096 Aug 21 21:32 .
drwxr-xr-x 7 root root 4096 Aug 21 18:03 ..
-rw-r--r-- 1 root root 1205 Aug 21 21:32 easy-rsa.crt

Now you can run "update-ca-certificates" so that your server learns about and trusts the local on-prem CA (Easy-RSA).

root@vault:/usr/local/share/ca-certificates# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

We can now edit the tls.crt file and replace its contents with the output from above, the /home/ubuntu/easy-rsa/pki/issued/vault.crt file.
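Before restarting Vault on the new files, it is worth checking that the issued certificate, the private key from Step 1 and the Easy-RSA CA all agree. The script below is an added example, not part of the original post: it assumes the file names easy-rsa.crt, vault.crt and private.key, and builds its own throwaway CA with plain openssl (standing in for easy-rsa) so that it can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: sanity-check an issued server
# certificate before copying it over Vault's tls.crt / tls.key.
# Assumed file names: the CA cert exported from easy-rsa (easy-rsa.crt),
# the issued cert (vault.crt) and the key generated in Step 1 (private.key).
set -u

# verify_server_cert CA.crt server.crt server.key expected-DNS expected-IP
# Exit status 0 only if: the cert chains to the CA, its public key matches the
# private key, and its SAN list carries the expected DNS name and IP address.
verify_server_cert() {
  local ca="$1" crt="$2" key="$3" dns="$4" ip="$5" text
  # 1. Chain: the cert must be signed by the on-prem CA the server trusts.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # 2. Pair: the public key inside the cert must equal the one derived from the key.
  [ "$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$key" -pubout | openssl sha256)" ] \
    || { echo "key pair: FAIL"; return 2; }
  # 3. SANs: clients match hostname and IP against SAN entries, not the CN.
  text=$(openssl x509 -in "$crt" -noout -text)
  case "$text" in *"DNS:$dns"*) ;; *) echo "SAN DNS: FAIL"; return 3 ;; esac
  case "$text" in *"IP Address:$ip"*) ;; *) echo "SAN IP: FAIL"; return 4 ;; esac
  echo "OK"
}

# make_fixture DIR: constructed test data, a throwaway CA plus a server cert
# signed with plain openssl (standing in for easy-rsa) carrying the post's SANs.
make_fixture() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Easy-RSA CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vault.sparelab.net" \
    -keyout "$d/private.key" -out "$d/request.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:vault.sparelab.net,IP:192.168.160.24\n' >"$d/san.cnf"
  openssl x509 -req -days 1 -in "$d/request.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.cnf" -out "$d/vault.crt" >/dev/null 2>&1
}

# Usage: check_vault_cert.sh easy-rsa.crt vault.crt private.key vault.sparelab.net 192.168.160.24
if [ $# -eq 5 ]; then verify_server_cert "$@"; fi
```

A non-zero exit tells you which of the three checks failed, so a mismatched key or a missing SAN is caught before Vault refuses to start or clients reject the listener.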
