HashiCorp Vault Sub-CA

1. Overview

HashiCorp Vault serves as the enterprise PKI for Domus Digitalis, replacing the deprecated AD CS on home-dc01.inside.domusdigitalis.dev. The Vault PKI provides automated certificate issuance for:

  • Linux workstation EAP-TLS authentication (802.1X)

  • Server certificates for internal services

  • BYOD device certificates (90-day TTL)

  • pxGrid integration certificates

  • Short-lived automation certificates

AD CS (HOME-ROOT-CA) on home-dc01.inside.domusdigitalis.dev is deprecated and will be decommissioned by 2026-07. All new certificates must be issued from Vault PKI.

2. Architecture

[Diagram: PKI Hierarchy]

2.1. Two-Tier PKI Hierarchy

Authority          Role                              Validity              Location
DOMUS-ROOT-CA      Root CA (offline after ceremony)  20 years (2026-2046)  certmgr-01.inside.domusdigitalis.dev:8200
DOMUS-ISSUING-CA   Issuing CA (online)               5 years (2026-2031)   certmgr-01.inside.domusdigitalis.dev:8200

2.2. Certificate Roles

Role                TTL      Use Case
domus-server        1 year   Server certificates (ISE, Keycloak, NAS)
domus-workstation   1 year   Linux workstation EAP-TLS
domus-byod          90 days  BYOD mobile device certificates
domus-pxgrid        1 year   pxGrid client authentication
domus-automation    24-72h   Ephemeral automation certificates

3. Current Status

Component          Status                                          Notes
Vault Server       Active on certmgr-01.inside.domusdigitalis.dev  Unsealed, healthy
Root CA            Established 2026-01-25                          20-year validity
Issuing CA         Signed 2026-01-25                               5-year validity
Server role        Configured                                      Issuing certificates
Workstation role   Pending                                         For Linux EAP-TLS
BYOD role          Pending                                         For mobile devices
AD CS Migration    In progress                                     Target: 2026-07

4. Quick Reference

4.1. Check Vault Status

# Load credentials
dsource d000 dev/vault

# Check status via netapi
netapi vault status

# Unseal if sealed
netapi vault unseal --auto

4.2. Issue Certificate

# Issue server certificate
netapi vault pki-issue webserver.inside.domusdigitalis.dev

# Issue with custom TTL
netapi vault pki-issue test.inside.domusdigitalis.dev --ttl 24h -o /tmp/certs

4.3. Verify Chain

# Export CA certificates
vault read -field=certificate pki/cert/ca > root.pem
vault read -field=certificate pki_int/cert/ca > issuing.pem

# Verify chain
openssl verify -CAfile root.pem -untrusted issuing.pem cert.pem

5. AD CS Migration Checklist

Migration from HOME-ROOT-CA to DOMUS-ROOT-CA:

  • Vault PKI established (2026-01-25)

  • Root CA created (20-year validity)

  • Issuing CA signed (5-year validity)

  • Server role configured

  • Workstation role configured (Linux EAP-TLS)

  • BYOD role configured (mobile devices)

  • ISE trust store updated (add Vault CAs)

  • Re-issue active certificates from Vault

  • Remove CA role from home-dc01.inside.domusdigitalis.dev

6.1. Runbooks

  • netapi CLI - Network automation CLI (includes netapi vault commands)

  • domus-secrets-ops - dsec/SOPS credential handling for Vault tokens

  • domus-ise-linux - Linux 802.1X certificate enrollment

6.3. Infrastructure