# PKI

Public Key Infrastructure operations for the domus certificate authority.
## CA Hierarchy

```text
Root CA (offline, 10-year validity)
└── Intermediate CA (Vault-managed, 3-year validity)
    ├── Server certificates (1-year max)
    ├── Client certificates — EAP-TLS (90-day to 1-year)
    └── SSH CA (Vault ssh engine)
```
## Vault PKI Operations

```bash
# Check the intermediate CA — subject, validity, serial
vault read -format=json pki_int/cert/ca | jq -r '.data.certificate' | \
  openssl x509 -noout -subject -dates -serial

# List available PKI roles
vault list pki_int/roles

# Read role configuration — check allowed domains, TTL, key type
vault read pki_int/roles/domus-server

# Issue a server certificate
vault write pki_int/issue/domus-server \
  common_name="web.inside.domusdigitalis.dev" \
  alt_names="web" \
  ip_sans="10.50.1.100" \
  ttl=720h

# Issue a client certificate for 802.1X EAP-TLS
vault write pki_int/issue/domus-client \
  common_name="modestus-razer.inside.domusdigitalis.dev" \
  ttl=2160h
```
## CSR Workflow

When a service needs a certificate but cannot use Vault directly.

```bash
# Generate key and CSR with SAN
openssl req -new -newkey rsa:2048 -nodes \
  -keyout server.key \
  -subj "/CN=web.inside.domusdigitalis.dev" \
  -addext "subjectAltName=DNS:web.inside.domusdigitalis.dev,DNS:web,IP:10.50.1.100" \
  -out server.csr

# Inspect the CSR before submitting
openssl req -in server.csr -noout -text | grep -A3 "Subject\|Alternative"

# Sign CSR with the intermediate CA (manual, non-Vault)
openssl x509 -req -in server.csr -CA intermediate-ca.pem -CAkey intermediate-ca.key \
  -CAcreateserial -sha256 -days 365 \
  -extfile server-ext.cnf -extensions server_cert \
  -out server.pem
```
## Certificate Revocation

```bash
# Revoke via Vault
vault write pki_int/revoke serial_number=<serial>

# Tidy expired certs and rebuild CRL
vault write pki_int/tidy \
  tidy_cert_store=true \
  tidy_revoked_certs=true \
  safety_buffer=72h

# Check CRL contents (manual CA)
openssl crl -in crl.pem -noout -text
```
## Chain Building

```bash
# Assemble the full chain — leaf first, root last
cat server.pem intermediate-ca.pem root-ca.pem > fullchain.pem

# Verify the assembled chain
openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem server.pem
```
## Trust Store Management

```bash
# Install a CA certificate on Arch Linux
sudo cp domus-root-ca.pem /etc/ca-certificates/trust-source/anchors/
sudo update-ca-trust

# Verify the CA is trusted system-wide
# (only the root is installed above, so pass the intermediate as -untrusted
#  or verification of the leaf alone will fail with "unable to get local issuer certificate")
openssl verify -CApath /etc/ssl/certs -untrusted intermediate-ca.pem server.pem
```
## Certificate Extensions Reference

| Extended key usage      | Use                                            |
|-------------------------|------------------------------------------------|
| serverAuth              | web servers, API endpoints                     |
| clientAuth              | EAP-TLS, mutual TLS, ISE endpoints             |
| serverAuth,clientAuth   | server that also authenticates to peers        |
| codeSigning             | signed binaries and scripts                    |
| OCSPSigning             | OCSP responder                                 |
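The chain-building, verification and EKU checks above, exercised end to end against a disposable test hierarchy. This is an added example, not part of the original runbook or the domus CA; it builds its own root, intermediate and leaf with openssl (the CN values and `web.example.test` SAN are constructed test values), assembles `fullchain.pem` leaf-first, verifies it with and without the intermediate, and checks which EKU the leaf carries.

```shell
# Added example (not from the original runbook): build a throwaway
# root -> intermediate -> leaf PKI with openssl, assemble fullchain.pem
# leaf-first, verify it as the page does, and show the failure when the
# intermediate is omitted. All names are constructed test values.
set -eu

# Create a disposable three-tier PKI under directory $1 (30-day validity).
make_test_pki() {
  local d=$1
  mkdir -p "$d"
  # Minimal config so results do not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = req\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/openssl.cnf"
  # Root CA: self-signed, CA:TRUE (the offline tier of the hierarchy).
  openssl req -x509 -config "$d/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/CN=Test Root CA" -keyout "$d/root-ca.key" -out "$d/root-ca.pem" 2>/dev/null
  # Intermediate CA: CSR signed by the root with CA:TRUE, pathlen:0.
  openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$d/intermediate-ca.key" -out "$d/intermediate-ca.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca-ext.cnf"
  openssl x509 -req -in "$d/intermediate-ca.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$d/ca-ext.cnf" -out "$d/intermediate-ca.pem" 2>/dev/null
  # Leaf: server cert with SAN and serverAuth EKU, signed by the intermediate.
  openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=web.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:web.example.test\n' > "$d/server-ext.cnf"
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate-ca.pem" -CAkey "$d/intermediate-ca.key" -CAcreateserial \
    -sha256 -days 30 -extfile "$d/server-ext.cnf" -out "$d/server.pem" 2>/dev/null
}

# Assemble fullchain.pem leaf-first, root last; print the certificate count.
build_chain() {
  cat "$1/server.pem" "$1/intermediate-ca.pem" "$1/root-ca.pem" > "$1/fullchain.pem"
  grep -c 'BEGIN CERTIFICATE' "$1/fullchain.pem"
}

# Verify the leaf against the root. Extra arguments are passed to openssl verify
# (e.g. -untrusted intermediate-ca.pem). Prints "ok" or "fail"; matching ": OK"
# in the output rather than the exit code is portable across openssl versions.
verify_leaf() {
  local d=$1 out; shift
  out=$(openssl verify -CAfile "$d/root-ca.pem" "$@" "$d/server.pem" 2>&1 || true)
  case $out in *": OK"*) echo ok ;; *) echo fail ;; esac
}

# Report whether a certificate carries the named EKU (see the extensions reference).
has_eku() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
  then echo yes; else echo no; fi
}
```

Run `make_test_pki "$(mktemp -d)"` and then `verify_leaf DIR` with and without `-untrusted DIR/intermediate-ca.pem` to see the difference the intermediate makes.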