Feature Request

As a Vault user, I want to easily set up and maintain my Public Key Infrastructure (PKI) by using YAML manifests to define and manage my Vault issuers. This would streamline the process, minimize errors, and speed up deployment.
Currently, setting up an intermediate certificate authority involves manually creating a Certificate Signing Request (CSR), signing it with the root issuer, and importing a signed CSR as an issuer. This process is time-consuming and prone to errors, especially when ensuring consistency across multiple environments.
With YAML manifests, we can solve these problems by declaring the issuer's configuration in a simple, human-readable format. Users can create a YAML file that specifies the issuer's settings, then use that file to automatically provision and configure the Vault issuer. This eliminates manual setup, reduces errors, and makes maintenance easier across different environments.
Here are some examples of what the YAML manifests might look like for different types of issuers:

Example 1: Declaring a root issuer

In this example, we are declaring a root issuer with the name root-2023. The secretEngine field specifies the engine that will be used to generate the certificates, and the certificate field contains the parameters for generating the Certificate Signing Request (CSR).
Example 2: Declaring an intermediate issuer
kind: "Issuer"
spec:
  name: "example-dot-com-intermediate"
  secretEngine: "pki_int"
  certificate:
    type: "internal"
    commonName: "example.com Intermediate Authority"
  chaining:
    # Provide the reference to the root issuer that this issuer will chain to
    upstreamIssuerRef: "pki/root-2023"
In this example, we're creating an intermediate issuer with the name example-dot-com-intermediate. We provide the reference to the root issuer that this issuer will chain to using the upstreamIssuerRef field. This tells Vault Autopilot that this intermediate issuer should chain to the root issuer when issuing certificates.
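As an added example (not code from this feature request or from Vault Autopilot), the script below shows how a controller could consume Issuer manifests like the two above: it validates each manifest, orders the issuers so that a signer is always provisioned before the issuers that chain to it, rejects references to undeclared issuers and chaining cycles, and maps each issuer to the Vault PKI API endpoints used by the manual CSR/sign/import procedure the request wants to automate. The field names follow the request; the root manifest's secretEngine, its common name, the validation rules and the plan output are this example's assumptions.

```python
"""Resolve Issuer manifests into an ordered provisioning plan (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample manifests, shown already parsed into dicts (what
# yaml.safe_load would return for the YAML in the request). The root's
# secretEngine "pki" is inferred from the upstreamIssuerRef "pki/root-2023".
ROOT_MANIFEST = {
    "kind": "Issuer",
    "spec": {
        "name": "root-2023",
        "secretEngine": "pki",
        "certificate": {"type": "internal", "commonName": "example.com Root Authority"},
    },
}
INTERMEDIATE_MANIFEST = {
    "kind": "Issuer",
    "spec": {
        "name": "example-dot-com-intermediate",
        "secretEngine": "pki_int",
        "certificate": {"type": "internal", "commonName": "example.com Intermediate Authority"},
        "chaining": {"upstreamIssuerRef": "pki/root-2023"},
    },
}


@dataclass(frozen=True)
class Issuer:
    name: str
    secret_engine: str
    cert_type: str
    common_name: str
    upstream_ref: str | None  # "<secretEngine>/<name>" of the signer; None for a root

    @property
    def ref(self) -> str:
        return f"{self.secret_engine}/{self.name}"


def parse_issuer(manifest: dict) -> Issuer:
    """Validate one manifest and extract the fields the plan needs (assumed rules)."""
    if manifest.get("kind") != "Issuer":
        raise ValueError(f"unsupported kind: {manifest.get('kind')!r}")
    spec = manifest["spec"]
    cert = spec["certificate"]
    upstream = (spec.get("chaining") or {}).get("upstreamIssuerRef")
    if upstream is not None and upstream.count("/") != 1:
        raise ValueError(f"upstreamIssuerRef must be '<engine>/<name>', got {upstream!r}")
    return Issuer(spec["name"], spec["secretEngine"], cert["type"], cert["commonName"], upstream)


def plan(manifests: list[dict]) -> list[Issuer]:
    """Order issuers so every signer is provisioned before the issuers it signs.

    Rejects duplicate refs, references to issuers that are not declared, and
    chaining cycles (an issuer that, through its upstream chain, signs itself).
    """
    issuers: dict[str, Issuer] = {}
    for issuer in map(parse_issuer, manifests):
        if issuer.ref in issuers:
            raise ValueError(f"duplicate issuer {issuer.ref}")
        issuers[issuer.ref] = issuer

    ordered: list[Issuer] = []
    done: set[str] = set()

    def visit(ref: str, chain: tuple[str, ...]) -> None:
        if ref in done:
            return
        if ref in chain:
            raise ValueError("chaining cycle: " + " -> ".join(chain + (ref,)))
        issuer = issuers.get(ref)
        if issuer is None:
            raise ValueError(f"upstreamIssuerRef {ref!r} is not declared")
        if issuer.upstream_ref is not None:
            visit(issuer.upstream_ref, chain + (ref,))  # signer first
        done.add(ref)
        ordered.append(issuer)

    for ref in issuers:
        visit(ref, ())
    return ordered


def vault_steps(issuer: Issuer) -> list[str]:
    """Vault PKI secrets engine endpoints for the manual procedure the request describes.

    The paths are real Vault PKI API paths; the text after each path summarises the
    request body and is not a literal CLI invocation.
    """
    eng, typ = issuer.secret_engine, issuer.cert_type
    if issuer.upstream_ref is None:
        # A root is self-signed in one call; with type "internal" the private key
        # never leaves Vault.
        return [f"{eng}/root/generate/{typ} common_name={issuer.common_name!r}"]
    upstream_engine = issuer.upstream_ref.split("/")[0]
    return [
        f"{eng}/intermediate/generate/{typ} common_name={issuer.common_name!r}",
        f"{upstream_engine}/root/sign-intermediate csr=<csr from previous step>",
        f"{eng}/intermediate/set-signed certificate=<signed certificate>",
    ]


if __name__ == "__main__":
    # Manifests are deliberately passed out of order; plan() sorts the root first.
    for issuer in plan([INTERMEDIATE_MANIFEST, ROOT_MANIFEST]):
        print(f"# {issuer.ref}")
        for step in vault_steps(issuer):
            print("  " + step)
```

The ordering step is what makes the manifests safe to apply as a set: an intermediate whose upstreamIssuerRef points at an issuer that does not exist, or at itself through a loop, is rejected before anything is written to Vault rather than failing half-way through the CSR/sign/import sequence.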