DEPLOY-2026-02-15 HashiCorp Vault PKI Platform

1. Executive Summary

Deployment Type: Secrets Management Platform

Problem Statement: Need centralized secrets management, internal PKI for 802.1X certificates, and SSH certificate authority for passwordless authentication.

Solution: HashiCorp Vault with PKI secrets engine (root + intermediate CA), SSH CA, KV secrets store. Evolved to 3-node Raft HA cluster.

Environment  Production (Home Lab)
Runbooks     PKI Certificate Issuance, SSH CA, HA Deployment
Risk Level   High (secrets infrastructure)

2. Deployment Information

Field               Value
------------------  ------------------------------------------------------
Initial Deployment  2026-02-15 (single node, file storage)
HA Migration        2026-03-09 (file → Raft, 3-node cluster)
Previous State      No centralized secrets, manual certificate management
Target State        Vault with PKI, SSH CA, KV, Raft HA
Rollback Plan       Restore from file backend backup
Affected Systems    All secrets, certificates, SSH authentication

3. Infrastructure Deployed

3.1. Evolution Timeline

Date        State                       Changes
----------  --------------------------  --------------------------------------
2026-02-15  Single node (file storage)  vault-01 on kvm-01, PKI + SSH CA + KV
2026-03-09  Raft migration              File → Raft storage backend
2026-03-10  HA cluster                  vault-02, vault-03 joined on kvm-02

3.2. Cluster Nodes

Node      IP          Hypervisor  Role
--------  ----------  ----------  -----------------
vault-01  10.50.1.60  kvm-01      Leader (original)
vault-02  10.50.1.61  kvm-02      Follower
vault-03  10.50.1.62  kvm-02      Follower

4. Secrets Engines Deployed

Engine              Path      Function
------------------  --------  ----------------------------
PKI (Root)          pki/      Root CA (20-year, offline)
PKI (Intermediate)  pki_int/  Issuing CA for 802.1X, TLS
SSH CA              ssh/      User certificate signing
KV v2               secret/   Static secrets storage

5. PKI Hierarchy

Domus Root CA (pki/)
└── Domus Intermediate CA (pki_int/)
    ├── 802.1X Client Certificates
    ├── Server TLS Certificates
    └── Internal Service Certificates

Table 1. Certificate Roles

Role           TTL       Use Case
-------------  --------  ----------------------------
domus-client   8 hours   SSH user certificates
802.1x-client  365 days  Wired/wireless EAP-TLS
server-tls     90 days   Internal server certificates

6. SSH CA Configuration

Setting     Value
----------  ------------------------------------
Role        domus-client
Max TTL     8 hours
Principals  admin, ansible, evanusmodestus, root
Key Type    ed25519
Extensions  permit-pty, permit-user-rc

7. Validation Results

Test                      Result   Evidence
------------------------  -------  ------------------------------------------
PKI certificate issuance  ✅ PASS  vault write pki_int/issue/domus-client
SSH certificate signing   ✅ PASS  vault write ssh/sign/domus-client
KV secrets read/write     ✅ PASS  vault kv put/get secret/test
Raft cluster status       ✅ PASS  vault operator raft list-peers (3 nodes)
Leader election           ✅ PASS  Killed leader, follower promoted
Unseal recovery           ✅ PASS  Reboot recovery successful

8. Lessons Learned

Category               Lesson
---------------------  -------------------------------------------------------------------------------------------------
SSH CA Principals      valid_principals MUST be specified on every signing request. default_principals is silently ignored.
File → Raft Migration  Use vault operator migrate with proper cluster_addr before starting HA.
Certificate TTLs       8-hour SSH certs force regular renewal (security) while 365-day 802.1X certs reduce endpoint churn.
Unseal Keys            Store unseal keys in separate locations (gopass, physical backup). Auto-unseal planned for future.
TLS Bootstrap          First node needs self-signed cert, then issue proper cert after PKI is running.
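The SSH CA settings in section 6 and the valid_principals lesson above, as an added example that is not part of this deployment record: a Python checker that parses the public fields of a signed ed25519 user certificate and flags certificates with no principals, a validity window longer than 8 hours, or extensions outside permit-pty and permit-user-rc. The helper names, CERT_TYPE, and the constructed test certificate (unsigned, zeroed key) are assumptions of mine, not Vault's code or output.

```python
# Added example, not from the deployment record: parse the public fields of an OpenSSH
# ed25519 user certificate and check them against the domus-client role policy above.
import base64, struct
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _s(b):  # encode an SSH 'string': 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b
def _rd(buf, off):  # decode one SSH 'string' at off -> (bytes, new offset)
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n
def _rd_list(blob):  # a 'string' whose payload is a sequence of strings
    out, p = [], 0
    while p < len(blob):
        s, p = _rd(blob, p)
        out.append(s.decode())
    return out

def parse_ed25519_cert(line):
    """Return the policy-relevant fields of one '<type> <base64>' certificate line."""
    buf = base64.b64decode(line.split()[1])
    name, off = _rd(buf, 0)
    if name != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 user certificate")
    _, off = _rd(buf, off); _, off = _rd(buf, off)   # nonce, then the ed25519 public key
    serial, ctype = struct.unpack_from(">QI", buf, off); off += 12
    key_id, off = _rd(buf, off)
    princ, off = _rd(buf, off)                      # list of valid principals
    after, before = struct.unpack_from(">QQ", buf, off); off += 16
    _, off = _rd(buf, off)                          # critical options (not checked here)
    ext, off = _rd(buf, off)                        # (name, value) pairs; values are empty
    return {"serial": serial, "user_cert": ctype == 1, "key_id": key_id.decode(),
            "principals": _rd_list(princ), "valid_after": after, "valid_before": before,
            "extensions": _rd_list(ext)[0::2]}

def check_policy(cert, max_ttl=8 * 3600, allowed=("permit-pty", "permit-user-rc")):
    """Return policy violations; an empty list means the certificate is acceptable."""
    problems = []
    if not cert["principals"]:
        problems.append("no principals: the signing request omitted valid_principals")
    if cert["valid_before"] - cert["valid_after"] > max_ttl:
        problems.append("validity window exceeds the role's max TTL")
    problems += [f"extension not allowed: {e}" for e in cert["extensions"] if e not in allowed]
    return problems

def build_test_cert(principals, ttl, exts=("permit-pty", "permit-user-rc"), after=1_771_000_000):
    """Constructed, unsigned cert with the real field layout (zeroed key, empty signature)."""
    body = _s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32) + struct.pack(">QI", 1, 1)
    body += _s(b"vault-test-key-id") + _s(b"".join(_s(p.encode()) for p in principals))
    body += struct.pack(">QQ", after, after + ttl) + _s(b"") + _s(b"".join(_s(e.encode()) + _s(b"") for e in exts))
    return CERT_TYPE.decode() + " " + base64.b64encode(body + _s(b"") * 3).decode()
```

Point parse_ed25519_cert at the -cert.pub line returned by `vault write ssh/sign/domus-client`; a non-empty list from check_policy means the signing request should be corrected before the certificate is used.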

9. Post-Deployment Status

Item        Status
----------  --------------------------------------------
HA Cluster  Operational (3 nodes)
PKI         Root CA (20-year), Intermediate CA (10-year)
SSH CA      Active, vault-ssh-sign script deployed
KV Store    In use for dsec/gopass integration
Monitoring  Wazuh audit events configured