DEPLOY-2026-02-15 HashiCorp Vault PKI Platform

Executive Summary

Deployment Type: Secrets Management Platform

Problem Statement: Need centralized secrets management, an internal PKI for 802.1X certificates, and an SSH certificate authority for passwordless authentication.

Solution: HashiCorp Vault with the PKI secrets engine (root + intermediate CA), an SSH CA and a KV secrets store. Evolved to a 3-node Raft HA cluster.

Environment: Production (Home Lab)

Runbooks: PKI Certificate Issuance, SSH CA, HA Deployment

Risk Level: High (secrets infrastructure)

Deployment Information

Field               Value
Initial Deployment  2026-02-15 (single node, file storage)
HA Migration        2026-03-09 (file → Raft, 3-node cluster)
Previous State      No centralized secrets, manual certificate management
Target State        Vault with PKI, SSH CA, KV, Raft HA
Rollback Plan       Restore from file backend backup
Affected Systems    All secrets, certificates, SSH authentication

Infrastructure Deployed

Evolution Timeline

Date        State                       Changes
2026-02-15  Single node (file storage)  vault-01 on kvm-01, PKI + SSH CA + KV
2026-03-09  Raft migration              File → Raft storage backend
2026-03-10  HA cluster                  vault-02, vault-03 joined on kvm-02

Cluster Nodes

Node      IP          Hypervisor  Role
vault-01  10.50.1.60  kvm-01      Leader (original)
vault-02  10.50.1.61  kvm-02      Follower
vault-03  10.50.1.62  kvm-02      Follower

Two of the three Raft voters sit on kvm-02, so the cluster survives the loss of kvm-01 (two voters remain) but not the loss of kvm-02: vault-01 alone cannot hold a quorum and Vault stops serving until a second voter is back.
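The file-to-Raft migration on vault-01 and the join of vault-02 and vault-03, as an added example that is not part of the original runbook. Node names and addresses are the ones in the table; the data directories, the TLS file locations under /etc/vault.d/tls, the migrate.hcl path and the systemd unit name vault are assumptions, and the listener certificates are assumed to already exist on each node (they cannot be issued from pki_int on a node that is not yet up). The renderer lists every other node in retry_join and never the node itself, which is what the check at the end verifies.

```shell
#!/usr/bin/env bash
# Added example, not the page's own runbook: the file -> Raft migration on
# vault-01 and the per-node Raft configuration for the three nodes in the
# table above. Node names and IPs are the page's; the data paths, TLS file
# names, migrate.hcl location and systemd unit name are assumptions.
set -eu

NODES="vault-01=10.50.1.60 vault-02=10.50.1.61 vault-03=10.50.1.62"
DATA_DIR="/opt/vault/data"   # assumed Raft data path
FILE_DIR="/opt/vault/file"   # assumed path of the old file backend
TLS_DIR="/etc/vault.d/tls"   # assumed; listener certs must exist before boot

# Render vault.hcl for one node. retry_join names every other node so a
# rebooted or rebuilt node finds the leader on its own; a node never lists
# itself. cluster_address must be the routable IP, not 0.0.0.0, because peers
# dial it for Raft replication on 8201.
raft_node_config() {
  node="$1"; ip="$2"
  cat <<EOF
ui = true
api_addr     = "https://${ip}:8200"
cluster_addr = "https://${ip}:8201"

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "${ip}:8201"
  tls_cert_file   = "${TLS_DIR}/${node}.crt"
  tls_key_file    = "${TLS_DIR}/${node}.key"
}

storage "raft" {
  path    = "${DATA_DIR}"
  node_id = "${node}"
EOF
  for entry in $NODES; do
    peer="${entry%%=*}"; peer_ip="${entry#*=}"
    [ "$peer" = "$node" ] && continue
    cat <<EOF
  retry_join {
    leader_api_addr     = "https://${peer_ip}:8200"
    leader_ca_cert_file = "${TLS_DIR}/ca.crt"
  }
EOF
  done
  echo "}"
}

# One-time, on vault-01, with Vault stopped. The migrated Raft store keeps the
# existing seal configuration, so the same unseal keys work afterwards; it has
# a single voter (vault-01) until the other nodes join.
raft_migrate() {
  cat > /etc/vault.d/migrate.hcl <<EOF
storage_source "file" {
  path = "${FILE_DIR}"
}
storage_destination "raft" {
  path    = "${DATA_DIR}"
  node_id = "vault-01"
}
cluster_addr = "https://10.50.1.60:8201"
EOF
  systemctl stop vault
  vault operator migrate -config /etc/vault.d/migrate.hcl
  raft_node_config vault-01 10.50.1.60 > /etc/vault.d/vault.hcl
  systemctl start vault
}

# On vault-02 and vault-03: write the config, start, join the leader, unseal.
# With retry_join in place the join also happens automatically at start; the
# explicit call makes a failure visible. The node takes part in Raft only
# once it has been unsealed with the cluster's key shares.
raft_join() {
  node="$1"; ip="$2"
  raft_node_config "$node" "$ip" > /etc/vault.d/vault.hcl
  systemctl start vault
  VAULT_ADDR="https://${ip}:8200" vault operator raft join \
    -leader-ca-cert="$(cat "${TLS_DIR}/ca.crt")" https://10.50.1.60:8200
  echo "now run: vault operator unseal (one call per key share) on ${node}"
}

# After the migration the rollback asset is a Raft snapshot, not the old file
# backend copy, which stops being current as soon as the cluster takes writes.
raft_snapshot() {
  vault operator raft snapshot save "vault-raft-$(date +%F).snap"
}

case "${1:-}" in
  render)   raft_node_config "${2:?node}" "${3:?ip}" ;;
  migrate)  raft_migrate ;;
  join)     raft_join "${2:?node}" "${3:?ip}" ;;
  peers)    vault operator raft list-peers ;;   # expect 3 voters, 1 leader
  snapshot) raft_snapshot ;;
esac
```

Run `render vault-02 10.50.1.61` to inspect a node's config before writing it, `migrate` once on vault-01, `join` on each follower, then `peers` from any unsealed node; the output should list all three nodes as voters with exactly one leader. Note that the rollback plan in the table above (restore the file backend backup) only covers the state as of the migration; take a `snapshot` before any later change to the cluster.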

Secrets Engines Deployed

Engine              Path      Function
PKI (Root)          pki/      Root CA (20-year, offline)
PKI (Intermediate)  pki_int/  Issuing CA for 802.1X, TLS
SSH CA              ssh/      User certificate signing
KV v2               secret/   Static secrets storage

PKI Hierarchy

Domus Root CA (pki/)
+-- Domus Intermediate CA (pki_int/)
    +-- 802.1X Client Certificates
    +-- Server TLS Certificates
    +-- Internal Service Certificates

Table 1. Certificate Roles

Role           Mount     TTL       Use Case
domus-client   ssh/      8 hours   SSH user certificates
802.1x-client  pki_int/  365 days  Wired/wireless EAP-TLS
server-tls     pki_int/  90 days   Internal server certificates
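Bootstrapping the two-tier hierarchy and the two pki_int roles with the vault CLI, as an added example rather than the page's own runbook. Root and intermediate keys are generated as `internal` so they never leave their mounts; the intermediate lifetime (5 years), the domus.lan name suffix, the EC key sizes and the use of jq for issuance are assumptions. The detail worth checking is that each role sets client_flag and server_flag explicitly: a certificate from 802.1x-client carries only the clientAuth EKU, so a leaked supplicant certificate cannot be presented as a server identity even though both roles chain to the same intermediate.

```shell
#!/usr/bin/env bash
# Added example, not the page's own runbook: build the Domus Root CA -> Domus
# Intermediate CA hierarchy and the two pki_int roles from Table 1 with the
# vault CLI. Assumes VAULT_ADDR and VAULT_TOKEN point at a node whose token
# may manage pki/ and pki_int/. DOMAIN, the key types and the intermediate
# lifetime are assumptions, not values from the page.
set -eu

DOMAIN="${DOMAIN:-domus.lan}"   # assumed internal DNS suffix for issued names
ROOT_TTL="175200h"              # 20 years (20 * 8760h), as in the engines table
INT_TTL="43800h"                # 5 years, assumed

# vault write arguments for each issuing role. TTLs come from Table 1.
# client_flag/server_flag are set explicitly and exclusively per role, so a
# certificate from 802.1x-client carries only clientAuth and cannot be used
# by a rogue TLS server, even though both roles chain to pki_int.
pki_role_args() {
  case "$1" in
    802.1x-client)
      printf '%s ' \
        "allowed_domains=${DOMAIN}" allow_subdomains=true enforce_hostnames=false \
        ttl=8760h max_ttl=8760h client_flag=true server_flag=false \
        key_type=ec key_bits=256 require_cn=true ;;
    server-tls)
      printf '%s ' \
        "allowed_domains=${DOMAIN}" allow_subdomains=true allow_ip_sans=false \
        ttl=2160h max_ttl=2160h server_flag=true client_flag=false \
        key_type=ec key_bits=256 require_cn=true ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Root at pki/: the key is generated in-mount (type=internal, never exported)
# and is used exactly once, to sign the intermediate CSR.
pki_bootstrap_root() {
  vault secrets enable -path=pki pki
  vault secrets tune -max-lease-ttl="$ROOT_TTL" pki
  vault write -field=certificate pki/root/generate/internal \
    common_name="Domus Root CA" ttl="$ROOT_TTL" key_type=ec key_bits=384 > root_ca.crt
  vault write pki/config/urls \
    issuing_certificates="${VAULT_ADDR}/v1/pki/ca" \
    crl_distribution_points="${VAULT_ADDR}/v1/pki/crl"
}

# Intermediate at pki_int/: its key also stays in Vault; only the CSR crosses
# mounts. AIA/CRL URLs point at pki_int so relying parties fetch its CRL.
pki_bootstrap_intermediate() {
  vault secrets enable -path=pki_int pki
  vault secrets tune -max-lease-ttl="$INT_TTL" pki_int
  vault write -field=csr pki_int/intermediate/generate/internal \
    common_name="Domus Intermediate CA" key_type=ec key_bits=384 > pki_int.csr
  vault write -field=certificate pki/root/sign-intermediate \
    csr=@pki_int.csr format=pem_bundle ttl="$INT_TTL" > pki_int.crt
  vault write pki_int/intermediate/set-signed certificate=@pki_int.crt
  vault write pki_int/config/urls \
    issuing_certificates="${VAULT_ADDR}/v1/pki_int/ca" \
    crl_distribution_points="${VAULT_ADDR}/v1/pki_int/crl"
  for role in 802.1x-client server-tls; do
    # shellcheck disable=SC2046  # word-splitting the key=value list is intended
    vault write "pki_int/roles/${role}" $(pki_role_args "$role")
  done
}

# Issue a 90-day server certificate and confirm it chains to the root through
# pki_int. Vault rejects a common_name outside allowed_domains before signing.
pki_issue_server() {
  vault write -format=json pki_int/issue/server-tls common_name="$1" > "$1.json"
  jq -r .data.certificate "$1.json" > "$1.crt"
  jq -r .data.private_key "$1.json" > "$1.key"; chmod 600 "$1.key"
  openssl verify -CAfile root_ca.crt -untrusted pki_int.crt "$1.crt"
}

case "${1:-}" in
  bootstrap) pki_bootstrap_root; pki_bootstrap_intermediate ;;
  issue)     pki_issue_server "${2:?usage: issue FQDN}" ;;
esac
```

`bootstrap` is run once; `issue host.domus.lan` then prints `host.domus.lan.crt: OK` from openssl when the chain is intact. The generated root_ca.crt is what supplicants and browsers trust; pki_int.crt is never a trust anchor on its own, so rotating the intermediate later does not touch client trust stores.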

SSH CA Configuration

Setting     Value
Role        domus-client
Max TTL     8 hours
Principals  admin, ansible, evanusmodestus, root
Key Type    ed25519
Extensions  permit-pty, permit-user-rc
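Creating the SSH CA, the domus-client role and the host-side trust, as an added example that is not the page's own runbook. It assumes VAULT_ADDR and VAULT_TOKEN are set, that the CA public key is installed at /etc/ssh/trusted-user-ca-keys.pem, and that sshd is the systemd unit name. The role's allowed_extensions list is also a restriction: permit-port-forwarding and permit-agent-forwarding are absent, so an 8-hour certificate from this role gives an interactive shell but no tunnel or agent pivot through the host. The local principal check mirrors allowed_users exactly, including the prefix case ("admi" must not pass because "admin" is allowed).

```shell
#!/usr/bin/env bash
# Added example, not the page's own runbook: create the ssh/ CA and the
# domus-client role from the table above, sign a user key, and trust the CA
# on a target host. Assumes VAULT_ADDR and VAULT_TOKEN are set; the file
# paths and the sshd service name are assumptions.
set -eu

SSH_ROLE="domus-client"
SSH_PRINCIPALS="admin,ansible,evanusmodestus,root"
SSH_TTL="8h"
CA_KEYS_FILE="/etc/ssh/trusted-user-ca-keys.pem"   # assumed path

# Role definition, passed as JSON on stdin because default_extensions is a
# map. allowed_extensions is what a requester may ask for; default_extensions
# is what a cert gets when it asks for nothing. Neither grants
# permit-port-forwarding or permit-agent-forwarding, so a leaked 8-hour cert
# yields a shell but cannot tunnel or borrow an agent through the host.
ssh_role_json() {
  cat <<EOF
{
  "key_type": "ca",
  "allow_user_certificates": true,
  "allowed_users": "${SSH_PRINCIPALS}",
  "allowed_extensions": "permit-pty,permit-user-rc",
  "default_extensions": {"permit-pty": "", "permit-user-rc": ""},
  "ttl": "${SSH_TTL}",
  "max_ttl": "${SSH_TTL}"
}
EOF
}

# Exact-match check against the role allow-list, done client-side so a bad
# request fails with a clear message instead of a 400 from Vault. Wrapping
# the list in commas prevents prefix matches ("admi" must not match "admin").
principal_allowed() {
  case ",${SSH_PRINCIPALS}," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

ssh_ca_setup() {
  vault secrets enable -path=ssh ssh
  # key_type=ed25519 on config/ca needs Vault 1.10+; older releases make RSA
  vault write ssh/config/ca generate_signing_key=true key_type=ed25519
  ssh_role_json | vault write "ssh/roles/${SSH_ROLE}" -
}

# Sign a public key for one principal. The cert is written beside the key
# with the -cert.pub suffix OpenSSH loads automatically, and ssh-keygen -L
# prints what Vault actually issued (principals, validity window, extensions).
ssh_sign_user_key() {
  principal="$1"; pubkey="${2:-$HOME/.ssh/id_ed25519.pub}"
  principal_allowed "$principal" || {
    echo "refusing: '$principal' is not in allowed_users (${SSH_PRINCIPALS})" >&2
    return 1
  }
  vault write -field=signed_key "ssh/sign/${SSH_ROLE}" \
    public_key=@"$pubkey" valid_principals="$principal" > "${pubkey%.pub}-cert.pub"
  ssh-keygen -L -f "${pubkey%.pub}-cert.pub"
}

# On each host: publish the CA public key and point sshd at it. With only
# TrustedUserCAKeys (no AuthorizedPrincipalsFile) the cert principal must equal
# the Unix login name, which is why allowed_users holds account names.
ssh_host_trust_ca() {
  vault read -field=public_key ssh/config/ca > "$CA_KEYS_FILE"
  grep -q "^TrustedUserCAKeys ${CA_KEYS_FILE}" /etc/ssh/sshd_config ||
    echo "TrustedUserCAKeys ${CA_KEYS_FILE}" >> /etc/ssh/sshd_config
  sshd -t && systemctl reload sshd
}

case "${1:-}" in
  setup) ssh_ca_setup ;;
  sign)  ssh_sign_user_key "${2:?usage: sign PRINCIPAL [PUBKEY]}" "${3:-}" ;;
  trust) ssh_host_trust_ca ;;
esac
```

After `sign ansible`, the `ssh-keygen -L` output should show a single principal (ansible), a validity window of 8 hours and only the two extensions from the table; anything else means the role was changed from what is documented above. Because TrustedUserCAKeys alone ties the principal to the login name, a certificate signed for ansible does not log in as root even though root is an allowed principal of the role.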