I want to set up a private CA for internal services using Vault (HashiCorp). I am generating the Root CA & Intermediate CA certificates outside of Vault. Vault will be generating short-lived (30 days) certificates on request.

I followed this guide https://jamielinux.com/docs/openssl-certificate-authority/introduction.html and generated a Root CA certificate for example.com & dev.example.com, but do I need a wildcard intermediate certificate *.dev.example.com for Vault to generate further subdomain certificates like one.dev.example.com, two.dev.example.com?

Appreciate any help on this.


Solution 1:

I think you've misunderstood some terms here; copied from your source:

Intermediate CA

An intermediate certificate authority (CA) is an entity that can sign certificates on behalf of the root CA. The root CA signs the intermediate certificate, forming a chain of trust.

The intermediate certificate SIGNS other certificates; it does not provide the encryption for a site such as *.example.com or subdomains like *.dev.example.com.

The only purpose of an Intermediate is to provide protection for the root certificate: in the instance that the intermediate's private key is compromised, you revoke it (at the root level) and regenerate your certs, whereas if you didn't have this you would need to manually remove the CA from ALL endpoints!

What it seems you are trying to do is generate a wildcard certificate which you will sign with the intermediate CA certificate, to be trusted by systems in your control on which you have trusted the root certificate.

The website you mentioned does not seem to give clear instructions on using subject alternative names.

Copy the intermediate/openssl.cnf and append these lines:


# Saved as req.conf (the file passed to -config below). req_extensions must
# live in the [ req ] section, so re-open that section here rather than leaving
# the key at the end of the file, where it would land in whatever section came last.
[ req ]
req_extensions = v3_req

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.example.com
DNS.2 = *.m.example.com
DNS.3 = example.com

$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out keypair.csr -keyout keypair.key -config req.conf
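A complete openssl walk-through of the point above, added here as an example and not part of the answer: it builds a disposable Root -> Intermediate -> leaf chain in a temp directory, where neither CA certificate carries a DNS name and the wildcard sits only in the leaf's subjectAltName, then checks which hostnames verify against that chain. The CA names and the dev.example.com SAN entries are constructed values taken from the question.

```shell
#!/bin/sh
# Added example (not from the answer): build a throwaway Root -> Intermediate
# -> leaf chain with openssl and show that only the leaf carries DNS names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME CN ISSUER DAYS EXT...  -> $WORK/NAME.{key,csr,pem}
# ISSUER is "self" for the self-signed root; EXT lines form the -extfile.
issue() {
  name=$1; cn=$2; issuer=$3; days=$4; shift 4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%s\n' "$@" > "$WORK/$name.ext"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days "$days" -sha256 -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days "$days" -sha256 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  # CA certificates: CA:TRUE plus keyCertSign, and no DNS names whatsoever.
  issue root "Example Root CA" self 3650 \
    "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"
  issue int "Example Intermediate CA" root 1825 \
    "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign"
  # Leaf (30 days, as in the question): the wildcard lives here as a
  # subjectAltName, the role [v3_req] plays in the answer's req.conf.
  issue leaf "dev.example.com" int 30 "basicConstraints=CA:FALSE" \
    "subjectAltName=DNS:*.dev.example.com,DNS:dev.example.com"
}

# 0 when $1 chains to the root through the intermediate AND matches a leaf
# SAN entry; a wildcard matches exactly one DNS label, no more.
check_host() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
for h in one.dev.example.com dev.example.com a.one.dev.example.com www.example.com; do
  if check_host "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
```

Only one.dev.example.com and dev.example.com are accepted; a.one.dev.example.com fails because the wildcard covers a single label, and www.example.com is outside the leaf's SANs entirely.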