Vault PKI Intermediate ca etcd Kubernetes the hard way v2

From noname.com.ua
Revision as of 19:28, 2 October 2022


Creating a CA for the etcd cluster

This page is part of a larger article on the CAs used in k8s: Vault_PKI_Kubernetes_the_hard_way_v2
The task is to set up an intermediate CA for the etcd service

Vault configuration

  • I try to name the path more or less meaningfully (k8s_pki_intermediate_ca_for_service_etcd)
  • pki (the last line) here is the type of secrets engine
vault \
  secrets \
    enable \
      -path=k8s_pki_intermediate_ca_for_service_etcd \
      -description="PKI Intermediate CA for ETCd service" \
      -max-lease-ttl="175200h" \
    pki
Success! Enabled the pki secrets engine at: k8s_pki_intermediate_ca_for_service_etcd/

Generating the certificate signing request for the intermediate CA

vault \
  write \
    -format=json k8s_pki_intermediate_ca_for_service_etcd/intermediate/generate/internal \
     common_name="Intermediate CA for service ETCd" \
     country="Ukraine" \
     locality="Kharkov" \
     street_address="Lui Pastera st. 322 app. 131" \
     postal_code="61172" \
     organization="K8s The Hardest Way Labs" \
     ou="IT" \
     ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_csr.json

Viewing the result

Raw output

cat k8s_pki_intermediate_ca_for_service_etcd_csr.json

Saving the request to a file

  • Check what came out in a more or less readable form (at first glance it looks correct)
cat k8s_pki_intermediate_ca_for_service_etcd_csr.json | jq -r .data.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Save only the needed part to a file:

cat k8s_pki_intermediate_ca_for_service_etcd_csr.json | jq -r .data.csr > k8s_pki_intermediate_ca_for_service_etcd.csr
  • Check it in more detail
openssl req  -in k8s_pki_intermediate_ca_for_service_etcd.csr -text

Generating the certificate from the request

  • @k8s_pki_intermediate_ca_for_service_etcd.csr is the name of the file (with the @ prefix) holding the certificate signing request saved in the previous step

Creating the CA certificate from the request

vault \
  write \
    -format=json \
    k8s_pki_root_ca/root/sign-intermediate \
    csr=@k8s_pki_intermediate_ca_for_service_etcd.csr \
    country="Ukraine" \
    locality="Kharkov" \
    street_address="Lui Pastera st. 322 app. 131" \
    postal_code="61172" \
    organization="K8s The Hardest Way Labs" \
    ou="IT" \
    format=pem_bundle \
    ttl="175200h" > k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json

"Raw" result

cat k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json

PEM file

cat k8s_pki_intermediate_ca_for_service_etcd_pem_bundle.json | jq -r .data.certificate > k8s_pki_intermediate_ca_for_service_etcd_certificate.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Certificate details

openssl x509 -in intermediateCA.cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:b2:aa:32:ee:ea:2f:84:75:bb:8f:ec:2e:98:56:70:1c:66:f6:0d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = Ukraine, L = Kharkov, street = app. 131 + street = Lui Pastera St. 322, postalCode = 61172, O = Home Network, OU = IT, CN = Root Certificate Authority for Home Network
        Validity
            Not Before: Oct 11 09:22:37 2021 GMT
            Not After : Oct  6 09:23:07 2041 GMT
        Subject: C = Ukraine, L = Kharkov, street = Lui Pastera st. 322 app. 131, postalCode = 61172, O = Home Network, OU = IT, CN = Intermediate CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:26:59:96:45:90:57:2e:03:32:99:6b:65:50:
                    29:fd:fb:72:35:05:2d:56:f8:ac:b2:6b:64:e0:b9:
                    cf:51:6e:58:5c:ca:3c:db:d4:3b:21:b6:42:40:76:
                    88:66:dd:bc:0f:9c:40:82:3f:20:b7:01:12:8e:c8:
                    df:31:ad:ea:58:3a:5a:61:b2:7d:fe:2f:7b:69:8c:
                    e7:ef:ab:b4:d2:25:79:75:f7:88:23:91:44:46:ec:
                    08:73:d8:50:7f:a0:fa:b4:f9:df:58:2d:80:7f:4d:
                    30:a1:d8:7d:ab:fb:79:17:31:7f:81:c8:94:dc:20:
                    74:3e:d3:7f:ba:12:be:f7:f9:fd:2a:3a:66:32:cb:
                    f5:3a:d6:59:a3:60:64:13:ce:58:4b:c7:30:56:67:
                    5c:6f:2c:d2:4a:68:c1:a8:64:78:03:c8:9d:79:6c:
                    bc:82:72:e4:a9:d0:66:05:9c:18:6d:c2:f4:b7:04:
                    be:b0:be:e8:68:9f:93:41:4e:32:dd:9c:f4:73:60:
                    0f:2c:6c:fa:b4:49:5a:69:51:0c:9d:69:56:37:bd:
                    d0:46:dc:7b:28:5a:ad:9d:f6:14:2c:e9:ce:7a:53:
                    2b:29:6b:1a:6c:90:a8:e9:11:da:52:a7:ff:ff:8d:
                    f4:36:70:70:2e:a7:80:1e:40:14:1a:8a:77:be:11:
                    fc:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                57:CC:17:CF:CF:21:94:71:42:B8:AB:06:7C:FD:FC:45:6D:F9:6A:4F
            X509v3 Authority Key Identifier:
                keyid:DB:3A:73:7A:03:25:2E:17:48:46:58:67:19:AD:86:2E:04:3D:EB:EC

    Signature Algorithm: sha256WithRSAEncryption
         88:e6:3d:6f:b3:11:a6:6f:6c:e1:77:5a:7b:ac:b2:62:6e:7b:
         69:24:7c:53:83:4a:86:f6:90:ca:cc:ed:de:ad:40:e2:6b:9d:
         e2:7d:34:5c:85:18:cd:aa:07:1d:4c:93:bc:f4:c6:c2:56:93:
         1c:2b:cf:3e:13:4d:57:dc:ab:46:64:c1:51:dd:5e:08:d4:69:
         a9:b5:d8:38:96:e8:9c:63:3a:ce:f7:64:b8:d0:28:91:1e:bf:
         54:17:3f:02:7e:d8:3d:27:11:99:02:4d:0c:37:74:9c:a6:3b:
         71:3c:cd:5f:66:ce:1d:d8:83:6d:42:dc:a3:b5:9f:c8:f3:a8:
         ad:a2:03:ec:28:7a:3b:86:b2:1d:a3:d2:06:98:56:bb:38:7b:
         ae:97:fb:98:97:76:7d:70:d2:ce:00:41:dc:04:56:ab:43:d5:
         67:bd:09:8f:a5:d6:aa:de:de:00:af:01:47:46:b9:f9:64:c8:
         0c:f4:76:ef:45:b8:2b:de:7b:39:53:8b:97:f5:37:52:79:f1:
         da:b2:1a:00:b9:51:af:20:5a:ae:32:95:63:d1:a8:d4:01:e7:
         75:ca:e5:5d:ed:2d:94:48:4d:6c:f1:1c:8d:ee:3d:ed:d0:3e:
         c5:1b:ba:51:10:24:c1:9d:96:0a:a8:17:3b:38:8d:98:76:2c:
         1d:3e:f4:07

Validation against the root CA

openssl verify -verbose -CAfile rootCA.pem intermediateCA.cert.pem
intermediateCA.cert.pem: OK
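The flow on this page (intermediate/generate/internal, root/sign-intermediate, then openssl verify), as an added example in Go using only the standard library; it is not Vault's own code. The root CA, the CN and the TTLs are constructed stand-ins; the functions imitate what the two Vault mounts do and then perform the checks a reader makes against the openssl dump above (CA:TRUE, Certificate Sign + CRL Sign, AKI matching the root's SKI).

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// caTemplate: what the page's openssl dump shows for a CA: CA:TRUE plus "Certificate Sign, CRL Sign".
func caTemplate(cn string, serial int64, ttl time.Duration) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// NewIntermediateCSR stands in for intermediate/generate/internal: the private key stays on the
// intermediate side and only the DER CSR (the page's .data.csr, PEM-decoded) leaves it.
func NewIntermediateCSR(cn string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return csr, key, err
}

// SignIntermediate plays root/sign-intermediate: check the CSR self-signature (proof of key
// possession), take only its public key and CN, and impose the CA constraints issuer-side.
func SignIntermediate(csrDER []byte, root *x509.Certificate, rootKey *rsa.PrivateKey, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	der, err := x509.CreateCertificate(rand.Reader, caTemplate(csr.Subject.CommonName, 2, ttl), root, csr.PublicKey, rootKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// VerifyIntermediate is "openssl verify -CAfile" plus the x509 -text fields: CA:TRUE, Cert/CRL Sign, AKI == root SKI.
func VerifyIntermediate(inter, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := inter.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil { return err }
	want := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if !inter.IsCA || !inter.BasicConstraintsValid || inter.KeyUsage&want != want { return errors.New("missing CA:TRUE or Certificate Sign/CRL Sign") }
	if !bytes.Equal(inter.AuthorityKeyId, root.SubjectKeyId) { return errors.New("AKI does not match the root's SKI") }
	return nil
}
```

SignIntermediate rejects a CSR whose self-signature does not check out, and VerifyIntermediate fails for a certificate chained to any root other than the one passed in.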

Configuring Vault to use the intermediate CA

Uploading the intermediate certificate

vault write k8s_pki_intermediate_ca_for_service_etcd/intermediate/set-signed \
    certificate=@intermediateCA.cert.pem

Configure URLs

vault write k8s_pki_intermediate_ca_for_service_etcd/config/urls \
    issuing_certificates="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/ca" \
    crl_distribution_points="http://vault.home:8200/v1/k8s_pki_intermediate_ca_for_service_etcd/crl"