The latest articles on DEV Community by Mo (@ingeniumcode). https://dev.to/ingeniumcode https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2602835%2Fbee076af-c9d8-49b1-9d3c-da908d59c31e.jpeg https://dev.to/ingeniumcode en Mo Tue, 29 Apr 2025 13:10:32 +0000 https://dev.to/ingeniumcode/secure-http-traffic-with-hashicorp-vault-as-your-pki-cert-manager-in-kubernetes-deep-dive-part-585a https://dev.to/ingeniumcode/secure-http-traffic-with-hashicorp-vault-as-your-pki-cert-manager-in-kubernetes-deep-dive-part-585a <h1> HashiCorp Vault as a Private Certificate Authority (PKI) with Kubernetes Integration </h1> <h2> Introduction </h2> <p>This technical guide walks through the first part of configuring HashiCorp Vault as a Private Certificate Authority (PKI) and integrating it with cert-manager in Kubernetes to automate certificate management. This setup enables internal applications to have HTTPS encryption in transit within a private network environment. The next article will cover the kubernetes part.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxpak3nt32lf259yaeslv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxpak3nt32lf259yaeslv.png" alt="Minio With Local HTTPS Certificate" width="800" height="403"></a></p> <h2> Main Benefits </h2> <h3> Centralized PKI Infrastructure </h3> <p>Vault provides a centralized solution for managing your entire certificate lifecycle. Instead of managing certificates across different applications and services, Vault acts as a single source of truth for all your PKI needs. This centralization simplifies management, improves security posture, and ensures consistent certificate policies across your organization.</p> <h3> Dynamic Certificate Issuance and Rotation </h3> <p>Vault can automatically issue short-lived certificates and rotate them before expiration. When integrated with cert-manager in Kubernetes, this automation eliminates the manual certificate renewal process that often leads to outages from expired certificates. The system can continuously issue, renew, and rotate certificates without human intervention.</p> <h3> Fine-grained Access Control </h3> <p>Vault's advanced policy system allows you to implement precise access controls around who can issue what types of certificates. You can limit which teams or services can request certificates for specific domains, restrict certificate lifetimes based on risk profiles, and implement comprehensive audit logging. This helps enforce the principle of least privilege across your certificate infrastructure.</p> <p>An additional benefit is Vault's broader secret management capabilities – the same tool managing your certificates can also handle database credentials, API keys, and other sensitive information, giving you a unified approach to secrets management.</p> <h2> Prerequisites </h2> <ul> <li>A DNS Server (I use my firewall)</li> <li>A running Kubernetes cluster (I am using microk8s)</li> <li>Vault server installed and initialized (vault 0.30.0 · hashicorp/hashicorp)</li> <li>cert-manager installed in your Kubernetes cluster (microk8s addon)</li> <li>Administrative access to both Vault and Kubernetes</li> </ul> <p>See my homelab diagram in GitHub: <a href="https://github.com/mdf-ido/mdf-ido" rel="noopener noreferrer">mdf-ido/mdf-ido: Config files for my GitHub profile</a>.</p> <h2> 1. Configure Vault as a PKI </h2> <h3> 1.1. Enable the PKI Secrets Engine </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable the PKI secrets engine</span> vault secrets <span class="nb">enable </span>pki </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frtqb0eaujy75sj3z0h20.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frtqb0eaujy75sj3z0h20.png" alt="Image description" width="800" height="399"></a><br> <em>PKI in Hashicorp Vault</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure the PKI secrets engine with a longer max lease time (e.g., 1 year)</span> vault secrets tune <span class="nt">-max-lease-ttl</span><span class="o">=</span>8760h pki </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3vft7iwar7w0vsgiz3a1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3vft7iwar7w0vsgiz3a1.png" alt="Image description" width="800" height="558"></a><br> <em>PKI 1 year Expiration</em></p> <h3> 1.2. Generate or Import Root CA </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate a new root CA</span> vault write <span class="nt">-field</span><span class="o">=</span>certificate pki/root/generate/internal <span class="se">\</span> <span class="nv">common_name</span><span class="o">=</span><span class="s2">"Root CA"</span> <span class="se">\</span> <span class="nv">ttl</span><span class="o">=</span>87600h <span class="o">&gt;</span> root_ca.crt </code></pre> </div> <p><em>Hashicorp Vault Root CA</em></p> <h3> 1.3. Configure PKI URLs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Configure the CA and CRL URLs</span> vault write pki/config/urls <span class="se">\</span> <span class="nv">issuing_certificates</span><span class="o">=</span><span class="s2">"http://vault.example.com:8200/v1/pki/ca"</span> <span class="se">\</span> <span class="nv">crl_distribution_points</span><span class="o">=</span><span class="s2">"http://vault.example.com:8200/v1/pki/crl"</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8e19mtqidfar3kgqbl5s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8e19mtqidfar3kgqbl5s.png" alt="Image description" width="800" height="439"></a><br> <em>Issuing and Certificate Request Links</em></p> <h3> 1.4. Create an Intermediate CA </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypmfduyhnpzi71n1az5j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fypmfduyhnpzi71n1az5j.png" alt="Image description" width="800" height="412"></a><br> <em>Hashicorp Intermediate Certificate Authority</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Enable the intermediate PKI secrets engine</span> vault secrets <span class="nb">enable</span> <span class="nt">-path</span><span class="o">=</span>pki_int pki <span class="c"># Set the maximum TTL for the intermediate CA</span> vault secrets tune <span class="nt">-max-lease-ttl</span><span class="o">=</span>43800h pki_int <span class="c"># Generate a CSR for the intermediate CA</span> vault write <span class="nt">-format</span><span class="o">=</span>json pki_int/intermediate/generate/internal <span class="se">\</span> <span class="nv">common_name</span><span class="o">=</span><span class="s2">"Intermediate CA"</span> <span class="se">\</span> <span class="nv">ttl</span><span class="o">=</span>43800h <span class="o">&gt;</span> pki_intermediate.json <span class="c"># Extract the CSR</span> <span class="nb">cat </span>pki_intermediate.json | jq <span class="nt">-r</span> <span class="s1">'.data.csr'</span> <span class="o">&gt;</span> pki_intermediate.csr <span class="c"># Sign the intermediate CSR with the root CA</span> vault write <span class="nt">-format</span><span class="o">=</span>json pki/root/sign-intermediate <span class="se">\</span> <span class="nv">csr</span><span class="o">=</span>@pki_intermediate.csr <span class="se">\</span> <span class="nv">format</span><span class="o">=</span>pem_bundle <span class="se">\</span> <span class="nv">ttl</span><span class="o">=</span>43800h <span class="o">&gt;</span> intermediate_cert.json <span class="c"># Extract the signed certificate</span> <span class="nb">cat </span>intermediate_cert.json | jq <span class="nt">-r</span> <span class="s1">'.data.certificate'</span> <span class="o">&gt;</span> intermediate.cert.pem <span class="c"># Import the signed certificate back into Vault</span> vault write pki_int/intermediate/set-signed <span class="se">\</span> <span class="nv">certificate</span><span class="o">=</span>@intermediate.cert.pem </code></pre> </div> <h3> 1.5. Create a Role for Certificate Issuance </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a role for issuing certificates</span> vault write pki_int/roles/your-domain-role <span class="se">\</span> <span class="nv">allowed_domains</span><span class="o">=</span><span class="s2">"yourdomain.com"</span> <span class="se">\</span> <span class="nv">allow_subdomains</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nv">allow_bare_domains</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nv">allow_wildcard_certificates</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nv">max_ttl</span><span class="o">=</span>720h </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7tlg6stchi6stywrtlh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb7tlg6stchi6stywrtlh.png" alt="Image description" width="598" height="703"></a></p> <p>In the next article I'll cover the kubernetes configs. </p> devops kubernetes platformengineering security