Configuring the plugin
This page describes how to configure the Sectigo Vault PKI plugin.
Configuring the plugin directory
Vault servers in development mode can use -dev-plugin-dir to specify the path to the plugin. For example:
vault server -dev -dev-plugin-dir="/etc/vault/plugins"
Otherwise, the Vault server must be configured to use a plugin directory: in a configuration file in HCL or JSON format, set the plugin_directory field to the path of your plugins directory.
For the Sectigo Vault PKI plugin, you must place the custom sectigo-vault-pki_<version> binary in the configured Vault plugins directory (for example, /etc/vault/custom_plugins/).
Make sure the custom plugin binary has the proper execute permissions enabled.
On Linux, this can be done using the following command.
$ chmod +x /etc/vault/custom_plugins/sectigo-vault-pki_<version>
For information on the plugin_directory field, see the Vault documentation.
Setting up environmental variables
Whether you plan to use the Vault CLI tool or cURL commands, you may want to export the following environment variables to simplify your interactions with your Vault server. The Vault address and token are provided by the Vault server on startup.
$ export VAULT_ADDR='http://<vault_ip_address>:<vault_port_number>'
$ export VAULT_API_ADDR='http://<vault_ip_address>:<vault_port_number>'
$ export VAULT_TOKEN='<vault_token>'
$ export VAULT_CLIENT_TIMEOUT='600'
The address environment variables are shown for HTTP. Make sure to use HTTPS instead of HTTP on your production server.
Enabling the plugin
You may enable the Sectigo PKI plugin assuming you have a Vault server that is:
- running and unsealed
- configured to point to a plugin directory where the sectigo-vault-pki binary is located
- accessible through the environment variables that you have exported
Run the following commands to enable the plugin.
$ SHA256=$(shasum -a 256 <path_to_plugin_directory>/sectigo-vault-pki_<version>| cut -d' ' -f1)
$ vault write sys/plugins/catalog/secret/sectigo-vault-pki_<version> sha_256="${SHA256}" command=sectigo-vault-pki_<version>
$ vault secrets enable -path=sectigo-vault-pki -plugin-name=sectigo-vault-pki_<version> sectigo-vault-pki_<version>
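The following is an added example, not part of the Sectigo documentation or the plugin itself: a POSIX shell function that checks the plugin binary (regular file, executable, not group- or world-writable) and returns the SHA-256 digest used in the catalog registration above. The helper name check_plugin_binary and its optional expected-digest argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-registration checks for a Vault plugin binary.
# check_plugin_binary is a hypothetical helper name, not part of Vault or the plugin.
#
# Usage: check_plugin_binary <path> [expected_sha256]
# Prints the SHA-256 digest on stdout if every check passes, else returns 1.
# The body runs in a subshell "( )" so its variables do not leak to the caller.
check_plugin_binary() (
    path=$1
    expected=$(printf '%s' "${2:-}" | tr 'A-F' 'a-f')

    # This example rejects symlinks: the target could change after hashing.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "error: $path is not a regular file" >&2; return 1
    fi
    # Vault must be able to execute the binary (the chmod +x step).
    if [ ! -x "$path" ]; then
        echo "error: $path is not executable" >&2; return 1
    fi
    # A group- or world-writable binary can be altered by other local accounts.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "error: $path is group- or world-writable" >&2; return 1
    fi

    # Same digest the registration step computes; use whichever tool exists.
    if command -v sha256sum >/dev/null 2>&1; then
        digest=$(sha256sum "$path" | cut -d' ' -f1)
    else
        digest=$(shasum -a 256 "$path" | cut -d' ' -f1)
    fi
    [ -n "$digest" ] || { echo "error: could not hash $path" >&2; return 1; }

    # Optional: compare against a digest obtained from a source you trust.
    if [ -n "$expected" ] && [ "$digest" != "$expected" ]; then
        echo "error: digest mismatch for $path" >&2; return 1
    fi
    printf '%s\n' "$digest"
)

# Example call (placeholders as on this page; commented out so the file is inert):
# SHA256=$(check_plugin_binary <path_to_plugin_directory>/sectigo-vault-pki_<version>) &&
#   vault write sys/plugins/catalog/secret/sectigo-vault-pki_<version> \
#     sha_256="${SHA256}" command=sectigo-vault-pki_<version>
```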