Skip to main content

HashiCorp Vault setup - Common environment

The DigiCert​​®​​ HashiCorp Vault integration provides a seamless solution for the enrollment, collection, and revocation of SSL/TLS certificates issued through DigiCert​​®​​ Trust Lifecycle Manager. This integration is distributed as a custom HashiCorp Vault PKI plugin. The plugin provides:

  • Certificate Signing Request (CSR) generation and signing.

  • Storage and state tracking of certificates issued through DigiCert​​®​​ Trust Lifecycle Manager in Vault

The DigiCert​​®​​ Vault integration supports both the generation and storage of new TLS/SSL certificates in Vault. Various types of TLS/SSL can be requested by providing the appropriate configuration options.

Before you begin

Prerequisites

  • Active, self-hosted Vault instance. DigiCert​​®​​ Trust Lifecycle Manager does not support cloud-hosted instances of Vault.

  • DigiCert​​®​​Vault PKI plugin binary for the required OS and chipset.

  • Directory where Vault looks for plugins.

  • URL pointing to DigiCert ONE platform.

  • At least one service user and API token with access to:

    • Trust Lifecycle Manager.

    • Account-level permissions.

    • Necessary accounts for certificate requests and provisioning.

  • Certificate profile ID (GUID) for the default certificate profile you want to assign to a configuration.

    1. In Trust Lifecycle Manager, choose Policies > Certificate profiles.

    2. Find and choose the certificate profile you want to use.

    3. Copy the GUID value found at the top of the profile description.

For detailed instructions on configuring HashiCorp Vault beyond what is described here, refer to HashiCorp's documentation.

Integration workflow

Get the plug-in from DigiCert​​®​​ Trust Lifecycle Manager:

  1. Sign in to DigiCert​​®​​ Trust Lifecycle Manager.

  2. Go to Integrations > Connectors.

  3. In the Vaults section, choose HashiCorp.

  4. Follow the steps to download the plugin binary.

  5. Move the plugin to the plugin_directory defined in the next procedure.

  1. Vault servers are configured with a file in .HCL or .JSON format. Because the DigiCert plugin is an external plugin, the Vault config file must include the plugin_directory details. Example:

    storage "raft" {
      path    = "/Users/user.name/Downloads/hashicorp/vault/data"
      node_id = "node1"
    }
    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = "true"
    }
    plugin_directory="/Users/user.name/Downloads/hashicorp"
    api_addr = "http://127.0.0.1:8200"
    cluster_addr = "https://127.0.0.1:8201"
    ui = true
  2. Initialize and unseal the Vault. Refer to HashiCorp's documentation.

  3. Authenticate as the initial root token.

  4. Get the SHA-256 checksum of the plugin and register it to the Vault system catalog.

    export SHA256=$(shasum -a 256 digicert-plugin| cut -d' ' -f1)
    vault plugin register -sha256=$SHA256 secret digicert-plugin                                                       
    

    Response:

    Success! Registered plugin: digicert-plugin
  5. Enable the DigiCert PKI secrets engine.

    vault secrets enable -path=digicert-pki digicert-plugin
    

    Response:

    Success! Enabled the digicert-plugin secrets engine at: digicert-pki/
  6. Create a configuration.

    vault write digicert-pki/configs/stage-dcone url="https://stage.one.digicert.com/" api_key="01aad362f1610f7d9e171f0fa2_80995e78c63a8e7d474c41dbecb2a165f049aa47799ad42f90fc386b1edb680c"
    

    Response:

    Success! Data written to: digicert-pki/configs/stage-dcone
  7. Create a role to define the default profile_id.

    Notice

    The profile_id defined for the role is the default and can be overridden by passing a different ID with the certificate request.

    vault write digicert-pki/roles/stage config_name="stage-dcone" profile_id="017e05b0-fedc-4a9a-88f7-1fd759f20f37"
    

    Response:

    Success! Data written to: digicert-pki/roles/stage

    Configuration is done. You can now request a certificate through Vault.

Request

vault write digicert-pki/issue/stage common_name="test16thsept.winthecustomer.com"

Response

Key              Value
---              -----
certificate      -----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----
common_name      test16thsept.winthecustomer.com
private_key      -----BEGIN RSA PRIVATE KEY-----\n•••\n•••\n•••\n-----END RSA PRIVATE KEY-----
serial_number    748B6C3B014C48A1F3FF0C17C4764428360F68F5

What's next

After Vault is successfully configured, refer to configuration and certificate operations for all other activities.