DOMUS PKI Key Ceremony
1. Overview
This document records the key ceremony for establishing the DOMUS enterprise PKI hierarchy using HashiCorp Vault.
> This is a formal key ceremony document. All steps are timestamped and auditable.
2. PKI Hierarchy
| Authority | Algorithm | Validity | Purpose |
|---|---|---|---|
| DOMUS-ROOT-CA | RSA 4096 | 20 years (2026-2046) | Sign intermediate CAs only |
| DOMUS-ISSUING-CA | RSA 4096 | 5 years (2026-2031) | Issue end-entity certificates |

| Type | TTL |
|---|---|
| Server certificates | 1 year |
| Client certificates | 1 year |
| Automation certificates | 24-72 hours |
3. Pre-Ceremony Checklist
| Item | Requirement | Status |
|---|---|---|
| Vault Server | Running and unsealed on certmgr-01 | [x] |
| Root Token | Available in dsec d000/dev/vault | [x] |
| Backup Location | NAS accessible for key escrow | [x] |
| Documentation | This runbook open and ready | [x] |
| Time | ~90 minutes uninterrupted | [x] |
5. Step 1: Enable PKI Secrets Engine (Root)
Mount a dedicated PKI secrets engine for the root CA.
```bash
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='<root-token>'

# Enable PKI for root CA (already done)
vault secrets enable -path=pki pki

# Configure max TTL for root (20 years)
vault secrets tune -max-lease-ttl=175200h pki
```
Result: [x] Success / [ ] Failed
6. Step 2: Generate Root CA
Generate the DOMUS-ROOT-CA internal to Vault.
```bash
# Generate root CA certificate
vault write -format=json pki/root/generate/internal \
    common_name="DOMUS-ROOT-CA" \
    organization="Domus Digitalis" \
    ou="Enterprise PKI" \
    country="US" \
    ttl=175200h \
    key_type=rsa \
    key_bits=4096 \
    > /tmp/domus-root-ca.json

# Extract and save root certificate
cat /tmp/domus-root-ca.json | jq -r '.data.certificate' > /tmp/domus-root-ca.crt
```
Result: [x] Success / [ ] Failed
Certificate Details:
Subject: CN=DOMUS-ROOT-CA, O=Domus Digitalis, OU=Enterprise PKI, C=US
Serial: 10:E0:16:3C:7C:35:09:14:E2:9C:5B:78:D7:31:F1:50:1D:B6:55:83
Fingerprint (SHA256): B7:80:04:C9:A8:E3:99:B6:F5:41:8E:69:F3:FA:CA:C3:E3:09:90:FA:DD:31:0A:7D:74:2E:55:DF:E2:01:9D:A6
Not Before: 2026-01-25 06:57:11 UTC
Not After: 2046-01-20 06:57:41 UTC (20 years)
7. Step 3: Configure Root CA URLs
Configure the issuing certificate and CRL distribution points.
```bash
vault write pki/config/urls \
    issuing_certificates="http://certmgr-01.inside.domusdigitalis.dev:8200/v1/pki/ca" \
    crl_distribution_points="http://certmgr-01.inside.domusdigitalis.dev:8200/v1/pki/crl"
```
Result: [x] Success / [ ] Failed
8. Step 4: Enable Intermediate PKI Engine
Mount a separate PKI secrets engine for the issuing CA.
```bash
# Enable PKI for intermediate/issuing CA
vault secrets enable -path=pki_int pki

# Configure max TTL (5 years)
vault secrets tune -max-lease-ttl=43800h pki_int
```
Result: [x] Success / [ ] Failed
9. Step 5: Generate Intermediate CSR
Generate a CSR for the intermediate CA.
```bash
vault write -format=json pki_int/intermediate/generate/internal \
    common_name="DOMUS-ISSUING-CA" \
    organization="Domus Digitalis" \
    ou="Enterprise PKI" \
    country="US" \
    key_type=rsa \
    key_bits=4096 \
    > /tmp/domus-issuing-csr.json

# Extract CSR
cat /tmp/domus-issuing-csr.json | jq -r '.data.csr' > /tmp/domus-issuing-ca.csr
```
Result: [x] Success / [ ] Failed
10. Step 6: Sign Intermediate with Root
Sign the intermediate CA CSR with the root CA.
```bash
vault write -format=json pki/root/sign-intermediate \
    csr=@/tmp/domus-issuing-ca.csr \
    common_name="DOMUS-ISSUING-CA" \
    organization="Domus Digitalis" \
    ttl=43800h \
    > /tmp/domus-issuing-signed.json

# Extract signed certificate
cat /tmp/domus-issuing-signed.json | jq -r '.data.certificate' > /tmp/domus-issuing-ca.crt
```
Result: [x] Success / [ ] Failed
Intermediate Certificate Details:
Subject: CN=DOMUS-ISSUING-CA
Issuer: C=US, O=Domus Digitalis, OU=Enterprise PKI, CN=DOMUS-ROOT-CA
Serial: 3F:83:98:35:4C:D7:8D:E5:99:3C:B1:94:7D:9C:BB:19:67:3F:10:7D
Fingerprint (SHA256): 63:59:14:98:56:85:00:20:34:8B:F0:22:BA:A6:DA:6B:AA:6A:B3:0C:72:33:60:E5:6E:83:A3:94:6E:C9:0B:19
Not After: 2031-01-24 (5 years)
11. Step 7: Import Signed Intermediate
Import the signed certificate back into the intermediate PKI engine.
```bash
vault write pki_int/intermediate/set-signed \
    certificate=@/tmp/domus-issuing-ca.crt
```
Result: [x] Success / [ ] Failed
12. Step 8: Configure Intermediate CA URLs
```bash
vault write pki_int/config/urls \
    issuing_certificates="http://certmgr-01.inside.domusdigitalis.dev:8200/v1/pki_int/ca" \
    crl_distribution_points="http://certmgr-01.inside.domusdigitalis.dev:8200/v1/pki_int/crl"
```
Result: [x] Success / [ ] Failed
13. Step 9: Create Issuing Role
Create a role for issuing server certificates.
```bash
vault write pki_int/roles/domus-server \
    allowed_domains="inside.domusdigitalis.dev,domusdigitalis.dev" \
    allow_subdomains=true \
    allow_bare_domains=false \
    max_ttl=8760h \
    key_type=rsa \
    key_bits=2048 \
    require_cn=true \
    enforce_hostnames=true
```
Result: [x] Success / [ ] Failed
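The following is an added example, not part of the ceremony record or Vault's own code: a simplified model of which common names the `domus-server` role above will accept, so the role's `allowed_domains`, `allow_subdomains`, `allow_bare_domains` and `enforce_hostnames` settings can be reasoned about before a request is sent. Wildcard and glob names are simply rejected by this model; Vault's own handling of those (its `allow_wildcard_certificates` default) is not modelled here.

```python
"""Simplified model of the domus-server role's name checks (added example, not Vault's code)."""
import re

# Settings copied from the role written in Step 9.
ALLOWED_DOMAINS = ("inside.domusdigitalis.dev", "domusdigitalis.dev")
ALLOW_SUBDOMAINS = True
ALLOW_BARE_DOMAINS = False
ENFORCE_HOSTNAMES = True

# RFC 1123 label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
# Wildcards ("*") and globs never match this, so the model rejects them (an assumption
# of the model, not a statement about Vault's wildcard handling).
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_hostname(name: str) -> bool:
    """enforce_hostnames: every label must be a valid DNS label, total length <= 253."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def check_common_name(cn: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a requested common_name under the role settings above."""
    cn = cn.strip().lower()
    if ENFORCE_HOSTNAMES and not is_hostname(cn):
        return False, "not a valid hostname"
    for domain in ALLOWED_DOMAINS:
        if cn == domain:
            if ALLOW_BARE_DOMAINS:
                return True, f"bare domain {domain} allowed"
            return False, f"bare domain {domain} refused (allow_bare_domains=false)"
        # Require a dot before the domain so "notdomusdigitalis.dev" does not match.
        if ALLOW_SUBDOMAINS and cn.endswith("." + domain):
            return True, f"subdomain of {domain}"
    return False, "not under any allowed domain"


if __name__ == "__main__":
    for candidate in ("test-server.inside.domusdigitalis.dev", "domusdigitalis.dev",
                      "notdomusdigitalis.dev", "*.inside.domusdigitalis.dev"):
        print(candidate, "->", check_common_name(candidate))
```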
14. Step 10: Test Certificate Issuance
Issue a test certificate to verify the chain.
```bash
vault write -format=json pki_int/issue/domus-server \
    common_name="test-server.inside.domusdigitalis.dev" \
    ttl=24h \
    > /tmp/test-cert.json

# Verify the chain
openssl verify -CAfile /tmp/domus-root-ca.crt \
    -untrusted /tmp/domus-issuing-ca.crt \
    <(cat /tmp/test-cert.json | jq -r '.data.certificate')
```
Expected Output: stdin: OK
Actual Output: /tmp/test-server.crt: OK
Result: [x] Success / [ ] Failed
15. Step 11: Key Escrow
Back up the ceremony certificates to secure storage. Both CA keys were generated with `generate/internal`, so the private keys never leave Vault; this archive holds the public certificates, and the private keys remain protected by Vault's own storage and its backups.
```bash
# Create backup archive
mkdir -p /tmp/domus-pki-backup
cp /tmp/domus-root-ca.crt /tmp/domus-pki-backup/
cp /tmp/domus-issuing-ca.crt /tmp/domus-pki-backup/

# Encrypt and store
tar -czf - -C /tmp domus-pki-backup | \
    age -r <your-age-public-key> > ~/domus-pki-ceremony-backup.tar.gz.age

# Upload to NAS
scp ~/domus-pki-ceremony-backup.tar.gz.age \
    nas-backup@nas-01:/volume1/backups/pki/

# Clean up temporary files
rm -rf /tmp/domus-*.json /tmp/domus-*.crt /tmp/domus-*.csr /tmp/domus-pki-backup
rm -f /tmp/test-cert.json
```
Backup Location: ~/.secrets/certs/domus-pki-ceremony-20260124.tar.gz.age
Result: [x] Success / [ ] Failed
16. Step 12: Update dsec Vault Configuration
Add PKI configuration to dsec vault secrets.
```bash
# Add to d000/dev/vault:
VAULT_PKI_PATH=pki
VAULT_PKI_INT_PATH=pki_int
VAULT_PKI_ROLE=domus-server
VAULT_PKI_ROOT_SERIAL="10:E0:16:3C:7C:35:09:14..."
VAULT_PKI_INT_SERIAL="3F:83:98:35:4C:D7:8D:E5..."
VAULT_PKI_ALLOWED_DOMAINS="inside.domusdigitalis.dev,domusdigitalis.dev"
```
Result: [x] Success / [ ] Failed
17. Post-Ceremony Verification
| Check | Command | Status |
|---|---|---|
| Root CA accessible | | [x] |
| Intermediate CA accessible | | [x] |
| Role configured | | [x] |
| Can issue certs | | [x] |
| Keys backed up | | [x] |
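The following is an added example, not part of the ceremony record: a post-ceremony check that fetches the CA certificate each PKI mount publishes and compares its SHA-256 fingerprint with the values recorded in Steps 2 and 6, which catches a mount that was re-generated or swapped after the ceremony. It assumes the `VAULT_ADDR` from the URL configuration above (overridable via the environment) and Vault's unauthenticated `/v1/<mount>/ca/pem` endpoint.

```python
"""Pin the published CA certificates to the fingerprints recorded in this ceremony (added example)."""
import hashlib
import os
import ssl
import urllib.request

# Assumed address; taken from the issuing_certificates URLs configured in Steps 3 and 8.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://certmgr-01.inside.domusdigitalis.dev:8200")

# SHA-256 fingerprints recorded in Steps 2 and 6, keyed by PKI mount path.
EXPECTED = {
    "pki": "B7:80:04:C9:A8:E3:99:B6:F5:41:8E:69:F3:FA:CA:C3:E3:09:90:FA:DD:31:0A:7D:74:2E:55:DF:E2:01:9D:A6",
    "pki_int": "63:59:14:98:56:85:00:20:34:8B:F0:22:BA:A6:DA:6B:AA:6A:B3:0C:72:33:60:E5:6E:83:A3:94:6E:C9:0B:19",
}


def fingerprint_from_der(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest, the format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    """The recorded fingerprints are over the DER encoding, so strip the PEM armour first."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def fetch_ca_pem(mount: str) -> str:
    """Fetch the CA certificate from the unauthenticated /v1/<mount>/ca/pem endpoint."""
    with urllib.request.urlopen(f"{VAULT_ADDR}/v1/{mount}/ca/pem", timeout=10) as resp:
        return resp.read().decode()


def verify_mounts(expected: dict[str, str] = EXPECTED) -> dict[str, bool]:
    """Return {mount: True if the published cert matches the recorded fingerprint}; any False means stop and investigate."""
    return {mount: fingerprint_from_pem(fetch_ca_pem(mount)) == fp for mount, fp in expected.items()}


if __name__ == "__main__":
    for mount, ok in verify_mounts().items():
        print(f"{mount}: {'OK' if ok else 'FINGERPRINT MISMATCH'}")
```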
18. Ceremony Completion
| Field | Value |
|---|---|
| Time Completed | 2026-01-25T07:06:00Z |
| Total Duration | ~60 minutes |
| Root CA Serial | 10:E0:16:3C:7C:35:09:14:E2:9C:5B:78:D7:31:F1:50:1D:B6:55:83 |
| Intermediate CA Serial | 3F:83:98:35:4C:D7:8D:E5:99:3C:B1:94:7D:9C:BB:19:67:3F:10:7D |
| Operator Signature | EvanusModestus |
19. Certificate Chain Summary
After this ceremony, the trust chain is:
```text
DOMUS-ROOT-CA (self-signed, 20 years: 2026-2046)
│
├── Serial: 10:E0:16:3C:7C:35:09:14:E2:9C:5B:78:D7:31:F1:50:1D:B6:55:83
├── Fingerprint: B7:80:04:C9:A8:E3:99:B6:F5:41:8E:69...
│
└── DOMUS-ISSUING-CA (signed by root, 5 years: 2026-2031)
    │
    ├── Serial: 3F:83:98:35:4C:D7:8D:E5:99:3C:B1:94:7D:9C:BB:19:67:3F:10:7D
    ├── Fingerprint: 63:59:14:98:56:85:00:20:34:8B:F0:22...
    │
    └── End-entity certificates (up to 1 year)
        └── Issued via: netapi vault pki-issue <hostname>
```
20. Revocation
To revoke the intermediate CA (if compromised):
```bash
vault write pki/revoke serial_number=<intermediate-serial>
vault write pki/tidy tidy_revoked_certs=true
```