HashiCorp Vault setup - Common environment
The DigiCert® HashiCorp Vault integration provides a seamless solution for the enrollment, collection, and revocation of SSL/TLS certificates issued through DigiCert® Trust Lifecycle Manager. This integration is distributed as a custom HashiCorp Vault PKI plugin. The plugin provides:
Certificate Signing Request (CSR) generation and signing.
Storage and state tracking of certificates issued through DigiCert® Trust Lifecycle Manager in Vault
The DigiCert® Vault integration supports both the generation and storage of new TLS/SSL certificates in Vault. Various types of TLS/SSL can be requested by providing the appropriate configuration options.
Before you begin
Prerequisites
Active, self-hosted Vault instance
Important
DigiCert® Trust Lifecycle Manager. does not support cloud-hosted instances of Vault.
DigiCert®Vault PKI plugin binary for the required OS and chipset
Directory where Vault looks for plugins
URL pointing to DigiCert ONE platform
At least one service user and API token with access to:
Trust Lifecycle Manager.
Account-level permissions.
Necessary accounts for certificate requests and provisioning.
For detailed instructions on configuring HashiCorp Vault beyond what is described here, refer to HashiCorp's documentation.
Integration workflow
Get the plug-in from DigiCert® Trust Lifecycle Manager:
Sign in to DigiCert® Trust Lifecycle Manager.
Go to Integrations > Connectors.
In the Vaults section, choose HashiCorp.
Follow the steps to download the plugin binary.
Move the plugin to the
plugin_directorydefined in the next procedure.
Vault servers are configured with a file in .HCL or .JSON format. Because the DigiCert plugin is an external plugin, the Vault config file must include the
plugin_directorydetails. Example:storage "raft" { path = "/Users/user.name/Downloads/hashicorp/vault/data" node_id = "node1" } listener "tcp" { address = "127.0.0.1:8200" tls_disable = "true" } plugin_directory="/Users/user.name/Downloads/hashicorp" api_addr = "http://127.0.0.1:8200" cluster_addr = "https://127.0.0.1:8201" ui = trueInitialize and unseal the Vault. Refer to HashiCorp's documentation.
Authenticate as the initial root token.
Get the SHA-256 checksum of the plugin and register it to the Vault system catalog.
export SHA256=$(shasum -a 256 digicert-plugin| cut -d' ' -f1) vault plugin register -sha256=$SHA256 secret digicert-plugin
Response:
Success! Registered plugin: digicert-plugin
Enable the DigiCert PKI secrets engine.
vault secrets enable -path=digicert-pki digicert-plugin
Response:
Success! Enabled the digicert-plugin secrets engine at: digicert-pki/
Create a configuration.
vault write digicert-pki/configs/stage-dcone url="https://stage.one.digicert.com/" api_key="01aad362f1610f7d9e171f0fa2_80995e78c63a8e7d474c41dbecb2a165f049aa47799ad42f90fc386b1edb680c"
Response:
Success! Data written to: digicert-pki/configs/stage-dcone
Create a role to define the default
profile_id.Notice
The
profile_iddefined for role is the default and can be overridden by passing a different ID with the certificate request.vault write digicert-pki/roles/stage config_name="stage-dcone" profile_id="017e05b0-fedc-4a9a-88f7-1fd759f20f37"
Response:
Success! Data written to: digicert-pki/roles/stage
Configuration is done. You can now request a certificate through Vault.
Request
vault write digicert-pki/issue/stage common_name="test16thsept.winthecustomer.com"
Response
Key Value --- ----- certificate -----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE----- common_name test16thsept.winthecustomer.com private_key -----BEGIN RSA PRIVATE KEY-----\n•••\n•••\n•••\n-----END RSA PRIVATE KEY----- serial_number 748B6C3B014C48A1F3FF0C17C4764428360F68F5
What's next
After Vault is successfully configured, refer to configuration and certificate operations for all other activities.