Skip to main content

HashiCorp Vault setup - Common environment

The DigiCert​​®​​ HashiCorp Vault integration provides a seamless solution for the enrollment, collection, and revocation of SSL/TLS certificates issued through DigiCert​​®​​ Trust Lifecycle Manager. This integration is distributed as a custom HashiCorp Vault PKI plugin. The plugin provides:

  • Certificate Signing Request (CSR) generation and signing.

  • Storage and state tracking of certificates issued through DigiCert​​®​​ Trust Lifecycle Manager in Vault

The DigiCert​​®​​ Vault integration supports both the generation and storage of new TLS/SSL certificates in Vault. Various types of TLS/SSL can be requested by providing the appropriate configuration options.

Before you begin

Prerequisites

  • Active Vault instance

  • Directory where Vault looks for plugins

  • Trust Lifecycle Manager credentials

  • URL pointing to DigiCert ONE platform

  • API token

  • DigiCert​​®​​Vault PKI plugin binary for the required OS and chipset

For detailed instructions on configuring HashiCorp Vault beyond what is described here, refer to HashiCorp's documentation.

Integration workflow

Step 1: Download HashiCorp Vault plug-in

Get the plug-in from DigiCert​​®​​ Trust Lifecycle Manager:

  1. Sign in to DigiCert​​®​​ Trust Lifecycle Manager.

  2. Go to Integrations > Connectors.

  3. In the Vaults section, choose HashiCorp.

  4. Follow the steps to download the plugin binary.

  5. Move the plugin to the plugin_directory defined in the next procedure.

Step 2: Configure HashiCorp Vault with your TLM assets

  1. Vault servers are configured with a file in .HCL or .JSON format. Because the DigiCert plugin is an external plugin, the Vault config file must include the plugin_directory details. Example:

    storage "raft" {
  path    = "/Users/user.name/Downloads/hashicorp/vault/data"
  node_id = "node1"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
plugin_directory="/Users/user.name/Downloads/hashicorp"
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
ui = true

  2. Initialize and unseal the Vault. Refer to HashiCorp's documentation.

  3. Authenticate as the initial root token.

  4. Get the SHA-256 checksum of the plugin and register it to the Vault system catalog.

    export SHA256=$(shasum -a 256 digicert-plugin| cut -d' ' -f1)
vault plugin register -sha256=$SHA256 secret digicert-plugin

    Response:

    Success! Registered plugin: digicert-plugin

  5. Enable the DigiCert PKI secrets engine.

    vault secrets enable -path=digicert-pki digicert-plugin

    Response:

    Success! Enabled the digicert-plugin secrets engine at: digicert-pki/

  6. Create a configuration.

    vault write digicert-pki/configs/stage-dcone url="https://stage.one.digicert.com/" api_key="01aad362f1610f7d9e171f0fa2_80995e78c63a8e7d474c41dbecb2a165f049aa47799ad42f90fc386b1edb680c"

    Response:

    Success! Data written to: digicert-pki/configs/stage-dcone

  7. Create a role.

    vault write digicert-pki/roles/stage config_name="stage-dcone" profile_id="017e05b0-fedc-4a9a-88f7-1fd759f20f37"

    Response:

    Success! Data written to: digicert-pki/roles/stage

    Configuration is done. You can now request a certificate through Vault.

Step 3: Request a certificate

Request

vault write digicert-pki/issue/stage common_name="test16thsept.winthecustomer.com"

Response

Key              Value
---              -----
certificate      -----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----
common_name      test16thsept.winthecustomer.com
private_key      -----BEGIN RSA PRIVATE KEY-----\n•••\n•••\n•••\n-----END RSA PRIVATE KEY-----
serial_number    748B6C3B014C48A1F3FF0C17C4764428360F68F5

What's next

After Vault is successfully configured, refer to configuration and certificate operations for all other activities.

: