Create this destination to store issued certificates in HashiCorp Vault.

HashiCorp Vault is a tool for securely managing secrets and encryption keys.

To create a HashiCorp Vault destination in Certificate Hub:

  1. Log in as an administrator with one of the following roles:
  2. Go to Automate > Destinations.
  3. Click Create and configure the settings described below.
  4. Click Verify to check that Certificate Hub can connect to the destination with the configured URL, CA bundle, and token.

Label

A descriptive name of the destination.

Owner

The username of the destination owner. 

The user who adds the destination is automatically made the owner. You can later edit this field and assign ownership to someone else. 

Description

A description of the destination purpose.

Authorization Tags

A list of authorization tags. Custom Roles that include any of these tags grant their holders permissions on this destination.

Select Destination Type

Select the following value.

Hashicorp-Vault-Destination-Plugin

Vault URL

The URL of the Vault instance.

Vault SSL CA Bundle (PEM)

The CA chain that issued the TLS certificate of the Vault server, as a bundle in PEM format. Certificate Hub uses this bundle to verify the certificate presented by the Vault URL.

Vault KV API Version

The version (1 or 2) of the KV secrets engine mounted at the Vault Mount path. The value must match the engine's actual version: KV v1 and KV v2 use different API paths and payload layouts, so a mismatch makes writes fail or land in the wrong place.

Authentication Method

The authentication method. Only the token method is supported.

Token

A Vault authentication token whose policy grants write access (the create and update capabilities) on the Vault Mount path. Grant the token no more than it needs: it does not require read, delete, or list on other paths.

Vault Mount

The path where the Vault KV secrets engine is mounted. The Vault Mount, the rendered Vault Path, and the rendered Object Name are joined to form the key under which the certificate and its private key are stored. For example, a certificate with this distinguished name:

"C=CA,S=Ontario,L=Kanata,O=Entrust,OU=Sales,CN=vaultcert"

Is stored with the corresponding private key in this path:

dev/vaultcert/Sales/Entrust/Ontario/Kanata/CA/vaultcert_Sales_Entrust_Ontario_Kanata_CA

When setting the following configuration:

Setting        Value
Vault Mount    dev
Vault Path     "{CN}/{OU}/{O}/{S}/{L}/{C}"
Object Name    "{CN}_{OU}_{O}_{S}_{L}_{C}"

Vault Path

A template for generating the certificate path below the Vault Mount. Placeholders in braces are replaced with the following fields of the certificate distinguished name: {CN}, {OU}, {O}, {S}, {L}, {C}.

Object Name

A template for generating the name of the certificate entry at the end of the Vault Path, using the same placeholders: {CN}, {OU}, {O}, {S}, {L}, {C}.

Bundle Chain

The storage format for the private key, the certificate, and the certificate chain. Each supported format stores the following fields in the Vault entry:

Nginx
  crt: <certificate> + "\n" + <cert_chain>
  key: <private_key>

Apache
  crt: <certificate>
  chain: <cert_chain>
  key: <private_key>

PEM
  pem: <certificate> + "\n" + <cert_chain> + "\n" + <private_key>

No chain
  crt: <certificate>
  key: <private_key>

SAN Filter

A regular expression that the certificate's subject alternative name (SAN) must match. Certificate Hub discards a certificate, and does not store it in this destination, when its SAN does not match this regular expression.
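The following added example (not Certificate Hub's or Vault's own code) puts the Vault Mount, Vault Path, Object Name, Bundle Chain, SAN Filter, and Vault KV API Version settings above together: it renders the templates for the example distinguished name, builds the field map for each Bundle Chain format, applies a SAN filter, and shows how the KV v1 and KV v2 write request for the resulting key differs. The template syntax, the DN attribute names, and the KV v1/v2 request layout follow the text above and Vault's public KV API; the DN parser, the regex search semantics of the SAN filter, and the sample certificate strings are assumptions made for the example.

```python
"""Added example (not Certificate Hub or Vault code): Vault destination
path rendering, bundle assembly, SAN filtering and KV v1/v2 write layout."""
import json
import re

# DN fields the Vault Path / Object Name templates may reference (from the text).
DN_FIELDS = ("CN", "OU", "O", "S", "L", "C")

# Worked example from the text above.
EXAMPLE_DN = "C=CA,S=Ontario,L=Kanata,O=Entrust,OU=Sales,CN=vaultcert"
EXAMPLE_MOUNT = "dev"
EXAMPLE_PATH_TEMPLATE = "{CN}/{OU}/{O}/{S}/{L}/{C}"
EXAMPLE_NAME_TEMPLATE = "{CN}_{OU}_{O}_{S}_{L}_{C}"

# Constructed placeholder PEM blobs; real input would be full PEM documents.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----"
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nISSUER\n-----END CERTIFICATE-----"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----"


def parse_dn(dn):
    """Parse 'K=V,K=V' into a dict. Assumption: values contain no escaped
    commas (the example DN has none); the product's own parser is not shown."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def render_template(template, attrs):
    """Replace {CN}, {OU}, ... with DN values; reject fields the text does not list."""
    def substitute(match):
        field = match.group(1)
        if field not in DN_FIELDS:
            raise ValueError(f"unsupported DN field in template: {field}")
        return attrs.get(field, "")
    return re.sub(r"\{([A-Z]+)\}", substitute, template)


def object_path(path_template, name_template, dn):
    """Rendered Vault Path plus rendered Object Name, relative to the mount."""
    attrs = parse_dn(dn)
    return render_template(path_template, attrs) + "/" + render_template(name_template, attrs)


def vault_key_path(mount, path_template, name_template, dn):
    """Full key: <Vault Mount>/<Vault Path>/<Object Name>, as in the worked example."""
    return mount.strip("/") + "/" + object_path(path_template, name_template, dn)


def bundle(fmt, certificate, cert_chain, private_key):
    """Field map for one Bundle Chain format, exactly as the text lists them."""
    if fmt == "Nginx":
        return {"crt": certificate + "\n" + cert_chain, "key": private_key}
    if fmt == "Apache":
        return {"crt": certificate, "chain": cert_chain, "key": private_key}
    if fmt == "PEM":
        return {"pem": certificate + "\n" + cert_chain + "\n" + private_key}
    if fmt == "No chain":
        return {"crt": certificate, "key": private_key}
    raise ValueError(f"unknown bundle format: {fmt}")


def san_allowed(san_filter, sans):
    """SAN Filter: keep the certificate only if a SAN matches the regex.
    Assumption: search semantics; anchor the pattern (^...$) for a full match."""
    pattern = re.compile(san_filter)
    return any(pattern.search(san) for san in sans)


def kv_write_request(mount, relative_path, data, kv_version):
    """HTTP path and JSON body of the KV write. KV v2 inserts 'data' after the
    mount and wraps the fields in {"data": ...}; KV v1 writes the fields directly."""
    mount = mount.strip("/")
    if kv_version == 2:
        return f"/v1/{mount}/data/{relative_path}", json.dumps({"data": data})
    if kv_version == 1:
        return f"/v1/{mount}/{relative_path}", json.dumps(data)
    raise ValueError("Vault KV API Version must be 1 or 2")


if __name__ == "__main__":
    key = vault_key_path(EXAMPLE_MOUNT, EXAMPLE_PATH_TEMPLATE, EXAMPLE_NAME_TEMPLATE, EXAMPLE_DN)
    print("stored at:", key)
    if san_allowed(r"\.entrust\.example$", ["vaultcert.entrust.example"]):
        fields = bundle("Nginx", SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_KEY)
        rel = object_path(EXAMPLE_PATH_TEMPLATE, EXAMPLE_NAME_TEMPLATE, EXAMPLE_DN)
        for version in (1, 2):
            path, body = kv_write_request(EXAMPLE_MOUNT, rel, fields, version)
            print(f"KV v{version}: POST {path} {body[:40]}...")
```

Run it as a script to print the example key and both request shapes. The Object Name template in the example contains underscores between every placeholder, which is what produces the `vaultcert_Sales_Entrust_Ontario_Kanata_CA` entry name in the path shown above; the same underscores are what a KV v2 path keeps after `data/`, so an entry written with the wrong Vault KV API Version ends up under a different key than the one Certificate Hub later expects.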