Stepping away from StepCA to Vault
I’ve been using StepCA in the GDC for a little while now; you can see how I set it up here. While StepCA was great, I’ve decided to step away from it for a couple of reasons:
- StepCA was falling over way too often and I’d have to restart the container, then re-issue all the expired certs.
- I wanted to implement HashiCorp Vault for application secrets.
Vault has PKI capability so it just made sense to consolidate the two.
Here’s a quick guide on how I got PKI set up in Vault to replace StepCA.
Step 1: Prepare Certificate Bundle
To import the certificate into Vault, we first need to get it out of StepCA. I just exec’d into the container and did the following.

- Retrieve the password:

  ```shell
  cat /home/step/secrets/password
  ```

- Use the password to decrypt the root CA key (`openssl` prompts for the passphrase you just retrieved):

  ```shell
  openssl ec -in /home/step/secrets/root_ca_key -out /tmp/root_ca_key.pem
  ```

- Create the PEM bundle:

  ```shell
  cat /tmp/root_ca_key.pem /home/step/certs/root_ca.crt > /tmp/root_ca_bundle.pem
  ```

- Import the bundle into Vault:
  - Go to Secrets Engines > PKI > Save.
  - Navigate to PKI Engine > Import Issuer > Toggle Text > Paste the content from `/tmp/root_ca_bundle.pem`.

Once Vault shows the imported issuer, delete `/tmp/root_ca_key.pem` and `/tmp/root_ca_bundle.pem`: both hold the root key unencrypted, and anyone who gets a copy can issue certificates that every machine in the lab trusts.
Step 2: Configure Vault for ACME
Now that we’ve got the CA loaded, we need to configure some Vault stuff like the role and enable ACME so we can automate cert issuance like we had with StepCA.
- Enable ACME and create the role:

  ```shell
  vault write pki/config/cluster path="https://vmpvault01.lab.home:8200/v1/pki"
  vault write pki/config/acme enabled=true allowed_roles="homelab-ca-role"
  vault write pki/roles/homelab-ca-role \
    allowed_domains="lab.home" \
    allow_subdomains=true \
    require_cn=false \
    allow_acme=true
  ```

  The cluster `path` has to be set before Vault will serve an ACME directory, since the directory and order URLs it hands out are built from it. `require_cn=false` lets Vault accept the CSRs ACME clients send, which carry the hostname as a SAN rather than a CN.

- Tune the secrets engine:

  I had a hard time getting certbot to issue certs without these settings. Vault strips any response header that is not on the mount’s allowlist, and ACME clients depend on `Replay-Nonce` (the anti-replay nonce every signed request must carry), `Location` (the account and order URLs) and `Link`, so those headers have to be allowed through on the `pki` mount.

  ```shell
  vault secrets tune \
    -passthrough-request-headers=If-Modified-Since \
    -allowed-response-headers=Last-Modified \
    -allowed-response-headers=Location \
    -allowed-response-headers=Replay-Nonce \
    -allowed-response-headers=Link \
    pki
  ```
- Issue a certificate with ACME:

  Now that the CA and ACME are set up, we should be able to use certbot to issue a cert. I thought this was going to be a nightmare on servers that already had a certificate from StepCA, but actually it was really easy. I literally just re-ran the issue command and it replaced/updated the configuration, no worries.

  ```shell
  certbot -d vmptest01.lab.home \
    --server https://vmpvault01.lab.home:8200/v1/pki/acme/directory \
    --nginx \
    --register-unsafely-without-email
  ```
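The whole migration above as one script, added here as an example and not the post’s own code. It builds the PEM bundle, sanity-checks it before anything is sent to Vault (a bundle that still holds the encrypted key, because the `openssl ec` step was skipped, is the usual reason the import fails), imports it with the CLI equivalent of the UI clicks, applies the ACME settings and header tuning, and finally confirms that a certbot-issued certificate chains to the migrated root. The hostnames, the `pki` mount, the role name and the file paths come from the post; the function names, the `VAULT_PKI_URL`/`PKI_ROLE` variables, the `key_type="any"` role setting (the role default of `rsa` rejects the EC CSRs current certbot sends) and the constructed sample bundles are my additions. The functions that call `vault` or `openssl` only run when you invoke them, so the script can be sourced and the bundle check exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: the migration above as one script.
# Assumes the step-ca paths from the post, a Vault mount named "pki", and
# VAULT_ADDR/VAULT_TOKEN exported. Nothing here touches Vault or openssl unless
# you call build_bundle/import_bundle/configure_acme/verify_issued yourself.
set -eu

VAULT_PKI_URL="${VAULT_PKI_URL:-https://vmpvault01.lab.home:8200/v1/pki}"
PKI_ROLE="${PKI_ROLE:-homelab-ca-role}"

# Step 1: decrypt the step-ca root key (openssl prompts for the password from
# /home/step/secrets/password) and write key + cert as one PEM bundle.
build_bundle() {
  local enc_key="${1:-/home/step/secrets/root_ca_key}"
  local cert="${2:-/home/step/certs/root_ca.crt}"
  local out="${3:-/tmp/root_ca_bundle.pem}"
  local tmp_key
  tmp_key="$(mktemp)"
  openssl ec -in "$enc_key" -out "$tmp_key"
  cat "$tmp_key" "$cert" > "$out"
  rm -f "$tmp_key"              # never leave a second plaintext copy around
  chmod 600 "$out"
  echo "$out"
}

# Check a bundle before importing: readable, exactly one private key, at least
# one certificate, and the key in the clear (Vault cannot use an encrypted key).
check_bundle() {
  local f="$1" keys certs
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  if grep -q -E '^-----BEGIN ENCRYPTED PRIVATE KEY-----$|^Proc-Type: 4,ENCRYPTED$' "$f"; then
    echo "bundle still holds an encrypted key; decrypt it first with openssl ec" >&2
    return 1
  fi
  keys=$(grep -c -E '^-----BEGIN (EC |RSA )?PRIVATE KEY-----$' "$f" || true)
  certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  if [ "$keys" -ne 1 ]; then
    echo "expected exactly one private key, found $keys" >&2
    return 1
  fi
  if [ "$certs" -lt 1 ]; then
    echo "no certificate in bundle" >&2
    return 1
  fi
  return 0
}

# CLI equivalent of the UI import in the post (Secrets Engines > PKI > Import Issuer).
import_bundle() {
  check_bundle "$1"
  vault secrets enable pki 2>/dev/null || true    # already enabled is fine
  vault write pki/issuers/import/bundle pem_bundle=@"$1"
}

# Step 2: the post's ACME settings. key_type=any is my addition: the role default
# (rsa) rejects the EC CSRs current certbot sends. require_cn=false because ACME
# clients put the hostname in a SAN rather than the CN.
configure_acme() {
  vault write pki/config/cluster path="$VAULT_PKI_URL"
  vault write pki/config/acme enabled=true allowed_roles="$PKI_ROLE"
  vault write "pki/roles/$PKI_ROLE" allowed_domains="lab.home" allow_subdomains=true \
    require_cn=false allow_acme=true key_type="any"
  # Vault strips response headers not on the mount allowlist; ACME needs these.
  vault secrets tune -passthrough-request-headers=If-Modified-Since \
    -allowed-response-headers=Last-Modified -allowed-response-headers=Location \
    -allowed-response-headers=Replay-Nonce -allowed-response-headers=Link pki
}

# After certbot: confirm the new leaf chains to the root we migrated.
verify_issued() {
  openssl verify -CAfile "${2:-/home/step/certs/root_ca.crt}" "/etc/letsencrypt/live/$1/cert.pem"
}

# Constructed sample bundles for exercising check_bundle offline; the PEM bodies
# are placeholder base64, not key material.
make_sample_bundle() {
  local f
  f="$(mktemp)"
  case "$1" in
    good)      printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' '-----END EC PRIVATE KEY-----' \
                 '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' > "$f" ;;
    encrypted) printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' '-----END ENCRYPTED PRIVATE KEY-----' \
                 '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' > "$f" ;;
    certonly)  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' > "$f" ;;
  esac
  echo "$f"
}

# Offline self-check: the good sample is importable, the encrypted one is rejected.
g="$(make_sample_bundle good)"; e="$(make_sample_bundle encrypted)"
check_bundle "$g" && echo "good sample: importable"
check_bundle "$e" 2>/dev/null || echo "encrypted sample: rejected as expected"
rm -f "$g" "$e"
```

On the CA box, run `import_bundle "$(build_bundle)"`, then `configure_acme`; after the certbot command above has issued a cert, `verify_issued vmptest01.lab.home` should print `OK`.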
To wrap up, it was actually pretty easy to migrate over. As a result of this migration I’ve been able to finally get around to implementing Vault and decommission the last “Docker server”. In the next one I’ll set up Vault Secrets Operator to sync secrets between Vault and Kubernetes.