How To
Summary
In HCP Vault Dedicated's PKI Secrets Engine, certificates are generated based on a Role. By default, most roles are configured to issue "End-Entity" (leaf) certificates, which carry a Basic Constraints extension of CA:FALSE.
To satisfy network-layer validation, you must update the Role to allow Is CA status. This tells Vault to set the CA flag in the certificate's X.509 Basic Constraints extension so that any certificate generated under that role is recognized by the network as a functional Certificate Authority.
Objective
Demonstrate how to use the HCP Portal UI to modify PKI Role settings in the HCP Vault Dedicated PKI Secrets Engine, ensuring issued certificates include the required CA: TRUE Basic Constraints extension for compatibility with network appliances and VPN gateways.
Environment
Product/Service: HCP Vault Dedicated PKI Secrets Engine
Platform/Interface: HCP Portal UI
Target Systems: Network appliances, VPN gateways, or 802.1X authenticators
Steps
The steps taken to generate the Intermediate CA are:
- Access the Issuers tab from the pki secret engine.
- Select Generate an intermediate CSR.
- Select the type exported.
- Enter the common name.
- Select format pem_bundle.
- Click Generate.
- Copy the private key to a file.
- Copy the CSR.
- Click Done.
- Go into the Root CA in your issuers.
- Click Sign Intermediate.
- Paste the CSR (make sure to remove the private key from the top of the text).
- Enter the common name.
- Set the TTL.
- Select format pem_bundle.
- Click Save.
- Note: This process allows you to generate a certificate with the necessary SSL parameters to be imported into the network appliance as its Local CA Certificate.
Additional Information
When a certificate issued under the default role settings is validated with openssl, the X509v3 Basic Constraints extension shows CA:FALSE.
If these steps are not followed, an attempt to issue an intermediate certificate for an application CSR can result in the following error: 1 error occurred: * could not fetch the CA certificate (was one set?): unable to fetch corresponding key for issuer xxxx-xxxxx-xxxxx; unable to use this issuer for signing.
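The two manual checks in the procedure above, stripping the private key out of the exported pem_bundle before pasting the CSR into Sign Intermediate and confirming with openssl that the signed certificate carries CA:TRUE, as an added shell example (not part of this article or of HCP Vault). It assumes the openssl CLI is on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the article. Assumes openssl on PATH.

# split_bundle BUNDLE KEYFILE CSRFILE
# The exported pem_bundle holds the private key followed by the CSR.
# Writes the key block to KEYFILE and only the CSR block to CSRFILE, so the
# text pasted into "Sign Intermediate" contains no private key.
split_bundle() {
  awk -v key="$2" -v csr="$3" '
    /-----BEGIN .*PRIVATE KEY-----/       { out = key }
    /-----BEGIN CERTIFICATE REQUEST-----/ { out = csr }
    out != ""                             { print > out }
    /-----END /                           { out = "" }
  ' "$1"
}

# contains_private_key FILE -> exit 0 if any PRIVATE KEY block is present
contains_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# is_ca_cert CERTFILE -> exit 0 when X509v3 Basic Constraints says CA:TRUE.
# Reads the first certificate in the file, which for a pem_bundle returned
# by Sign Intermediate is the newly signed intermediate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
    /X509v3 Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) found = 1 }
    END { exit !found }
  '
}

# Typical use (placeholder file names):
#   split_bundle intermediate_bundle.pem intermediate.key intermediate.csr
#   contains_private_key intermediate.csr && echo "refusing to paste: key present"
#   is_ca_cert signed_intermediate.pem || echo "not a CA certificate: check role"
```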
Document Location
Worldwide
Document Information
Modified date:
30 March 2026
UID
ibm17267639