How To Setup Hashicorp Vault: Creating PKI And Enabling Cert Auth

  • Published on 25 Nov 2024

Comments • 8

  • @soubinan 2 years ago +1

    This Mic changed everything! :)

  • @DzintarsDev 5 months ago

    Normally you would write the entire Vault config in Terraform instead of executing a CLI runbook. The problem arises if you want to use a remote backend to store the state files but you can't do that securely because there is no PKI yet. So... you end up with a local state file which you should take care of onwards.

  • @eraser9812 3 years ago +2

    Google Assistant reminding you that you aren't the only one who has bugs ;)

  • @Dchau360 2 years ago

    My Intermediate CA (pki_int) is expiring soon and I can't find documentation on replacing it. Should I just create a new secret called pki_int2? There is a Replace CA option within the GUI but I'm afraid that might delete the existing certs.

    • @b1tsized 2 years ago

      Normally, you would just create a new intermediate and swap out the certs.
      There is also a practice of creating a private key and just signing with new intermediates so the key wouldn't have to be swapped, just re-signed, but it's not exactly a best practice. You can see that example here (discuss.hashicorp.com/t/renew-vault-pki-certificates-while-keeping-same-private-key/20790/3).

  • @daxcor 3 years ago +9

    The first two parts were good. This part not so much. You are covering a very complex issue and not really explaining what you are doing. You are just reading what you are typing. The paths that you are typing look like they have reserved words in them like "roles" but you don't indicate that. You are explaining with a lot of unspoken assumptions so it makes it very hard to follow.

    • @b1tsized 2 years ago +2

      Valid feedback. It's hard to go into the details of certs without a deep dive. I was trying to show more of the process of doing rather than this is about the certs themselves. I may do a follow-up in the future to elaborate more on this specific subject.

  • @radonspace2098 2 years ago

    12 months maybe?