Roadmap: HashiCorp Vault PKI Infrastructure
1. Overview
This roadmap defines the implementation of a dual-PKI architecture using HashiCorp Vault:
- Internal PKI (Vault): machine certificates, EAP-TLS, service-to-service TLS
- External PKI (Let's Encrypt): public-facing services, ISE Guest Portal, captive portals
This architecture serves both the home enterprise and the work enterprise environments. The patterns developed here are directly applicable to production deployments.
3. Current State
| Component | Status | Notes |
|---|---|---|
| vault-01 (10.50.1.60) | OPERATIONAL | Primary PKI + SSH CA (8h certs), AppRole, KV v2 |
| vault-02 (10.50.1.61) | PLANNED | Raft follower, HA cluster member |
| vault-03 (10.50.1.62) | PLANNED | Raft follower, HA cluster member |
| DOMUS-ROOT-CA | OPERATIONAL | Offline root, 20-year validity |
| DOMUS-ISSUING-CA | OPERATIONAL | Intermediate, 5-year validity |
| Let's Encrypt integration | PARTIAL | Manual certbot, needs automation |
| dsec PKI integration | PLANNED | Store dsec encryption keys in Vault |
4. Phase 1: Vault HA Cluster (3-node)
4.1. Objectives
- Deploy vault-02 and vault-03 as Raft followers
- Configure a 3-node Raft cluster for quorum
- Automatic leader election on failure
- Unseal automation (optional; a security trade-off)
4.2. Tasks
| # | Task | Priority | Status |
|---|---|---|---|
| 1.1 | Deploy vault-02 VM on kvm-02 (Supermicro B) | HIGH | BLOCKED (kvm-02 pending) |
| 1.2 | Deploy vault-03 VM on kvm-02 | HIGH | BLOCKED |
| 1.3 | Join vault-02 to Raft cluster | HIGH | PENDING |
| 1.4 | Join vault-03 to Raft cluster | HIGH | PENDING |
| 1.5 | Test failover scenarios | HIGH | PENDING |
| 1.6 | Document unseal procedures for all nodes | MEDIUM | PENDING |
| 1.7 | Configure DNS round-robin or VIP for vault.inside.domusdigitalis.dev | MEDIUM | PENDING |
5. Phase 2: dsec Integration with Vault
5.1. Objectives
- Store dsec master keys in the Vault KV secrets engine
- Enable Vault Transit for dsec encryption operations
- Migrate from age-based encryption to Vault-backed encryption
- Maintain backwards compatibility with existing .age files
5.3. Tasks
| # | Task | Priority |
|---|---|---|
| 2.1 | Enable Vault KV v2 secrets engine for dsec | HIGH |
| 2.2 | Enable Vault Transit engine for encryption operations | HIGH |
| 2.3 | Create dsec-specific Vault policies | HIGH |
| 2.4 | Implement Vault backend in dsec CLI | HIGH |
| 2.5 | Migration tool: .age → Vault KV | MEDIUM |
| 2.6 | Document hybrid mode (Vault + age fallback) | MEDIUM |
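A least-privilege policy of the kind task 2.3 calls for, covering the KV v2 and Transit objectives above. This is an added example, not a policy from the roadmap or the dsec project; it assumes the KV v2 engine is mounted at `secret/` with dsec material under `dsec/`, and that the Transit key is named `dsec`.

```hcl
# Policy for the dsec CLI's Vault token or AppRole.
# Assumptions (not from the roadmap): KV v2 mounted at "secret/",
# dsec secrets under "dsec/", Transit mounted at "transit/" with key "dsec".

# KV v2: read and write dsec secrets. No "delete" on the data path and
# no access to the destroy/metadata-delete paths, so a stolen CLI token
# cannot wipe version history.
path "secret/data/dsec/*" {
  capabilities = ["create", "read", "update"]
}
path "secret/metadata/dsec/*" {
  capabilities = ["read", "list"]
}

# Transit: the CLI may encrypt, decrypt and rewrap with the dsec key.
# These endpoints are POSTs, so the capability is "update".
path "transit/encrypt/dsec" {
  capabilities = ["update"]
}
path "transit/decrypt/dsec" {
  capabilities = ["update"]
}
path "transit/rewrap/dsec" {
  capabilities = ["update"]
}

# Key management stays with an operator policy: the CLI may inspect the
# key (to see its current version) but not reconfigure, rotate or export it.
path "transit/keys/dsec" {
  capabilities = ["read"]
}
path "transit/keys/dsec/config" {
  capabilities = ["deny"]
}
path "transit/keys/dsec/rotate" {
  capabilities = ["deny"]
}
path "transit/export/*" {
  capabilities = ["deny"]
}
```

Key rotation and the `.age` migration tool (task 2.5) would run under a separate operator policy, so the everyday CLI credential never holds the ability to export or rotate the key.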
6. Phase 3: Let’s Encrypt Automation for External Services
6.1. Objectives
- Automated certificate issuance for public-facing services
- DNS-01 challenge via the BIND DNS API
- Certificate deployment to the ISE Guest Portal
- Renewal automation with zero downtime
6.2. Use Cases
| Service | Domain | Notes |
|---|---|---|
| ISE Guest Portal | guest.domusdigitalis.dev | Public captive portal for guest WiFi |
| ISE Sponsor Portal | sponsor.domusdigitalis.dev | Employee sponsor interface |
| External APIs | api.domusdigitalis.dev | Public API endpoints |
| Documentation | docs.domusdigitalis.dev | Antora documentation site |
6.3. Tasks
| # | Task | Priority |
|---|---|---|
| 3.1 | Configure certbot with DNS-01 challenge | HIGH |
| 3.2 | Integrate BIND DNS API for challenge response (VyOS replaced pfSense) | HIGH |
| 3.3 | Create ISE certificate deployment script | HIGH |
| 3.4 | Set up renewal cron/systemd timer | MEDIUM |
| 3.5 | Monitoring for certificate expiration | MEDIUM |
| 3.6 | Document in domus-infra-ops runbook | MEDIUM |
7. Phase 4: Certificate Lifecycle Management
8. Work Applicability
This roadmap directly supports work enterprise requirements: patterns validated in the home enterprise are directly deployable at work.