Configuring the plugin

This page describes how to configure the Sectigo Vault PKI plugin.

Configuring the plugin directory

Vault servers in development mode can use -dev-plugin-dir to specify the path to the plugin. Otherwise, the Vault server must be configured to use a plugin directory with the plugin_directory field pointing to the path of your plugins directory in a configuration file with HCL or JSON format. For the Sectigo Vault PKI plugin, you must place the custom sectigo-vault-pki_<version> binary in the configured Vault plugins directory (for example, /etc/vault/custom_plugins/). Make sure the custom plugin binary has the proper execute permissions enabled. On Linux, this can be done using the following command.

$ chmod +x /etc/vault/custom_plugins/sectigo-vault-pki_<version>

For information on the plugin_directory field, see the Vault documentation.

Setting up environmental variables

Whether you plan to use the Vault CLI tool or cURL commands, you may want to export the following environment variables to simplify your interactions with your Vault server. The Vault address and token are provided by the Vault server on startup.

$ export VAULT_ADDR='http://<vault_ip_address>:<vault_port_number>'

$ export VAULT_API_ADDR='http://<vault_ip_address>:<vault_port_number>'

$ export VAULT_TOKEN='<vault_token>'

$ export VAULT_CLIENT_TIMEOUT='600'

The address environment variables are shown for HTTP. Make sure to use HTTPS instead of HTTP on your production server.

Enabling the plugin

You may enable the Sectigo PKI plugin assuming you have a Vault server that is:

  • running and unsealed

  • configured to point to a plugin directory where the sectigo-vault-pki binary is located

  • accessible through the environment variables that you have exported

Run the following commands to enable the plugin.

$ SHA256=$(shasum -a 256 <path_to_plugin_directory>/sectigo-vault-pki_<version> | cut -d' ' -f1)

$ vault write sys/plugins/catalog/secret/sectigo-vault-pki_<version> sha_256="${SHA256}" command=sectigo-vault-pki_<version>

$ vault secrets enable -path=sectigo-vault-pki -plugin-name=sectigo-vault-pki_<version> sectigo-vault-pki_<version>
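
The digest registered in the catalog is only meaningful if the file it was computed from cannot be changed by other users. The following script is an added example, not part of Vault or the Sectigo plugin; the helper names plugin_sha256 and plugin_preflight are hypothetical. It checks the execute permission described above, rejects a binary that is writable by group or others, and prints the SHA-256 digest to pass as sha_256.

```shell
#!/bin/sh
# Added example: checks a Vault plugin binary before it is registered.
# plugin_sha256 and plugin_preflight are hypothetical helper names.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
plugin_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Validate the binary, then print its digest on stdout.
# Returns: 1 not a regular file, 2 not executable, 3 writable by group/others.
plugin_preflight() {
    bin=$1
    if [ ! -f "$bin" ] || [ -L "$bin" ]; then
        echo "error: $bin must be a regular file, not a symlink or directory" >&2
        return 1
    fi
    if [ ! -x "$bin" ]; then
        echo "error: $bin is not executable (run chmod +x)" >&2
        return 2
    fi
    # find -perm -MODE matches when every bit in MODE is set (POSIX).
    if [ -n "$(find "$bin" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "error: $bin is writable by group or others" >&2
        return 3
    fi
    plugin_sha256 "$bin"
}

# Usage (path placeholder as on this page):
#   SHA256=$(plugin_preflight <path_to_plugin_directory>/sectigo-vault-pki_<version>) || exit 1
```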