Hashicorp Vault TLS configuration

Hailey
3 min read · Apr 26, 2023


There are three Vault servers, and I connected them over TLS for security. First, I created a CA and certificates with Consul's TLS tooling. Then I used those files in the Vault configuration file.

Install Consul

curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install consul

What you have to create with Consul

1. CA

I created the CA (cert and key) on the vault1 server and copied both files to vault2 and vault3, so all three servers now share the same CA.

consul tls ca create -common-name=vault -domain=vault -days=3650
==> Saved vault-agent-ca.pem
==> Saved vault-agent-ca-key.pem

2. CLI

I created the CLI cert and key on the vault1 server and copied them to vault2 and vault3, so all servers share the same CLI cert. The CLI cert is used when setting Vault's cert as an environment variable. The chmod 777 below is only to get the files through sftp; ownership and permissions are tightened again in a later step.

consul tls cert create -ca vault-agent-ca.pem -cli -days=2650 -domain vault
chmod 777 /opt/vault/tls/*
sftp -i ./vault-key.pem ubuntu@vault1
sftp> get /opt/vault/tls/* /opt/vault/tls
sftp> bye


root@vault2:/opt/vault/tls# ls
dc1-cli-vault-0-key.pem dc1-cli-vault-0.pem vault-agent-ca-key.pem vault-agent-ca.pem


root@vault3:/opt/vault/tls# ls
dc1-cli-vault-0-key.pem dc1-cli-vault-0.pem vault-agent-ca-key.pem vault-agent-ca.pem

3. Client (Cert, Key)

I created a client cert and key on each node; they differ from node to node. I used the Consul server cert type, not the client type. Because

consul tls cert create -server -domain=vault -dc=global -node=vault1 -additional-ipaddress=10.0.137.166 -days=3650

Run this command on each of the vault1, vault2, and vault3 servers, adjusting -node and -additional-ipaddress for the node you are on.

Setting ownership and permissions on the CA and client cert/key

sudo chown root:root /opt/vault/tls/global-server-vault-0.pem /opt/vault/tls/vault-agent-ca.pem
sudo chown root:vault /opt/vault/tls/global-server-vault-0-key.pem
sudo chmod 0644 /opt/vault/tls/global-server-vault-0.pem /opt/vault/tls/vault-agent-ca.pem
sudo chmod 0640 /opt/vault/tls/global-server-vault-0-key.pem
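The chown/chmod step above only names global-server-vault-0.pem, global-server-vault-0-key.pem and vault-agent-ca.pem, while the earlier chmod 777 during the sftp copy also touched vault-agent-ca-key.pem and the CLI key. The following check is an added example (not from the post or from HashiCorp): it walks a TLS directory and reports every *-key.pem whose mode is looser than the 0640 the post settles on. The directory path and the "-key.pem" naming are taken from the post; running it as a small Go program is my choice.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// KeyPermIssue describes a private key whose mode is looser than 0640.
type KeyPermIssue struct {
	Path string
	Mode fs.FileMode
}

// CheckKeyPerms walks dir and reports every *-key.pem that grants any
// permission to "other" or write permission to group, i.e. anything looser
// than rw-r----- (0640). Certificates (*.pem without -key) are ignored because
// the post deliberately leaves them world-readable at 0644.
func CheckKeyPerms(dir string) ([]KeyPermIssue, error) {
	var issues []KeyPermIssue
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !strings.HasSuffix(d.Name(), "-key.pem") {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		// 0o027 = group write + all "other" bits; any of them set is too loose.
		if mode := info.Mode().Perm(); mode&0o027 != 0 {
			issues = append(issues, KeyPermIssue{Path: path, Mode: mode})
		}
		return nil
	})
	return issues, err
}

func main() {
	dir := "/opt/vault/tls" // the directory used throughout the post
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	issues, err := CheckKeyPerms(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, i := range issues {
		fmt.Printf("%s has mode %04o, expected 0640 or tighter\n", i.Path, i.Mode)
	}
	if len(issues) > 0 {
		os.Exit(1)
	}
	fmt.Println("all private keys in", dir, "are 0640 or tighter")
}
```

Run it on each node after the chown/chmod step (`go run check_key_perms.go /opt/vault/tls`, file name assumed); a non-zero exit means a key is still readable beyond root and the vault group.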

Update OS’s Cert


Vault License Key for TLS connection

sudo chown root:vault /opt/vault/vault.hclic
sudo chmod 0640 /opt/vault/vault.hclic

Vault Configuration File

cluster_addr = "https://10.0.174.209:8201"
api_addr     = "https://10.0.174.209:8200"

ui = true

#mlock = true
disable_mlock = true

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault1"

  retry_join {
    auto_join               = "provider=aws region=ap-northeast-2 tag_key=service tag_value=vault access_key_id=AKIAZ000000000WIXLQL secret_access_key=6WAe00000000000000QaQjvV9u"
    auto_join_scheme        = "https"
    leader_tls_servername   = "vault1.server.global.vault"
    leader_ca_cert_file     = "/opt/vault/tls/vault-agent-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/global-server-vault-0.pem"
    leader_client_key_file  = "/opt/vault/tls/global-server-vault-0-key.pem"
  }

  retry_join {
    auto_join               = "provider=aws region=ap-northeast-2 tag_key=service tag_value=vault access_key_id=AKIAZ000000000WIXLQL secret_access_key=6WAe00000000000000QaQjvV9u"
    auto_join_scheme        = "https"
    leader_tls_servername   = "vault2.server.global.vault"
    leader_ca_cert_file     = "/opt/vault/tls/vault-agent-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/global-server-vault-0.pem"
    leader_client_key_file  = "/opt/vault/tls/global-server-vault-0-key.pem"
  }

  retry_join {
    auto_join               = "provider=aws region=ap-northeast-2 tag_key=service tag_value=vault access_key_id=AKIAZ000000000WIXLQL secret_access_key=6WAe00000000000000QaQjvV9u"
    auto_join_scheme        = "https"
    leader_tls_servername   = "vault3.server.global.vault"
    leader_ca_cert_file     = "/opt/vault/tls/vault-agent-ca.pem"
    leader_client_cert_file = "/opt/vault/tls/global-server-vault-0.pem"
    leader_client_key_file  = "/opt/vault/tls/global-server-vault-0-key.pem"
  }
}

# HTTPS listener
listener "tcp" {
  address            = "0.0.0.0:8200"
  tls_cert_file      = "/opt/vault/tls/global-server-vault-0.pem"
  tls_key_file       = "/opt/vault/tls/global-server-vault-0-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-agent-ca.pem"
}

# Enterprise license_path
# This will be required for enterprise as of v1.8
license_path = "/opt/vault/vault.hclic"

# Example AWS KMS auto unseal
seal "awskms" {
  region     = "ap-northeast-2"
  kms_key_id = "5e106a0c-4aa4-438b-ad73-46fe0bfe8802"
  access_key = "AKIAZ000000000WIXLQL"
  secret_key = "6WAe00000000000000QaQjvV9u"
}

leader_tls_servername follows the naming that consul tls cert create puts in the certificate's SANs: {node name}.{server or client}.{dc}.{domain}, so the server cert created with -node=vault1 -dc=global -domain=vault is addressed as vault1.server.global.vault.

The access_key_id / secret_access_key values in auto_join and the access_key / secret_key values in the seal block above are placeholders. Because this file then contains credentials, it deserves the same root:vault 0640 treatment as the license file; on EC2 both the auto_join discovery and the awskms seal can also omit the keys and use the instance's IAM role instead.
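Two things in the post depend on what the Consul-issued server certificate actually contains: a joining node checks the leader against leader_ca_cert_file and leader_tls_servername, and the CLI checks the host in VAULT_ADDR against VAULT_CACERT, which only works for an IP address because of -additional-ipaddress. The program below is an added example, not code from the post, Consul or Vault. It builds a throwaway CA and server cert in memory using the same names the post uses (domain vault, dc global, node vault1, IP 10.0.137.166), then runs the chain-and-name verification that both Vault and the CLI perform. The SAN layout it reproduces (server.{dc}.{domain}, {node}.server.{dc}.{domain}, localhost, 127.0.0.1, extra IP) is my reading of consul tls cert create -server; the P-256 key type and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerName builds the leader_tls_servername pattern from the post:
// {node}.server.{dc}.{domain}. vault1/global/vault -> vault1.server.global.vault.
func ServerName(node, dc, domain string) string {
	return fmt.Sprintf("%s.server.%s.%s", node, dc, domain)
}

// mustKey returns a fresh P-256 key (curve choice is an assumption).
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func toPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// NewCA stands in for `consul tls ca create`: a self-signed CA valid for days.
func NewCA(commonName string, days int) (caPEM []byte, caKey *ecdsa.PrivateKey, caCert *x509.Certificate) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return toPEM(der), key, cert
}

// NewServerCert stands in for `consul tls cert create -server -node=<node>
// -dc=<dc> -domain=<domain> -additional-ipaddress=<ip>`; the per-node DNS
// SAN and the IP SAN are the two entries the post relies on.
func NewServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, node, dc, domain string, extraIP net.IP, days int) []byte {
	key := mustKey()
	generic := fmt.Sprintf("server.%s.%s", dc, domain)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: generic},
		DNSNames:     []string{generic, ServerName(node, dc, domain), "localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), extraIP},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return toPEM(der)
}

// VerifyLeader is the check both a joining raft node (leader_ca_cert_file +
// leader_tls_servername) and the CLI (VAULT_CACERT + host from VAULT_ADDR)
// perform: chain to the shared CA and a DNS or IP SAN matching serverName.
func VerifyLeader(caPEM, serverPEM []byte, serverName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in CA PEM")
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("server PEM does not contain a certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName, // Go accepts an IP literal here and matches it against IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	// Constructed values mirroring the post's vault1 node.
	caPEM, caKey, caCert := NewCA("vault", 3650)
	srvPEM := NewServerCert(caCert, caKey, "vault1", "global", "vault", net.ParseIP("10.0.137.166"), 3650)
	for _, name := range []string{ServerName("vault1", "global", "vault"), "10.0.137.166", ServerName("vault2", "global", "vault")} {
		fmt.Printf("%-28s -> %v\n", name, VerifyLeader(caPEM, srvPEM, name))
	}
}
```

The third line of output shows why each node needs its own server cert: vault1's certificate does not carry vault2.server.global.vault, so a retry_join block pointing at that name with vault1's cert fails hostname verification, and a certificate from a different CA fails regardless of the name. To check real files instead of the constructed ones, read vault-agent-ca.pem and global-server-vault-0.pem with os.ReadFile and pass them to VerifyLeader.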

Environment Variable

export VAULT_ADDR="https://{Node IP address}:8200"
export VAULT_CACERT=/opt/vault/tls/vault-agent-ca.pem

System Start

sudo systemctl enable vault.service
sudo systemctl start vault.service
sudo systemctl status vault.service

Vault status

vault status
