Enterprise PKI with HashiCorp Vault and CoreDNS - Complete Setup Guide#

Architecture Overview#

Our setup consists of three virtual machines, each with a specific role:

1
graph TD
2
    A[VM1: Vault Server<br>192.168.122.206] -->|Issues Certificates| C[VM3: Nginx Server<br>192.168.122.27]
3
    B[VM2: CoreDNS Server<br>192.168.122.16] -->|Name Resolution| A
4
    B -->|Name Resolution| C
5
    A -->|Root & Intermediate CA| D[PKI Infrastructure]
6
    C -->|HTTPS Services| E[Internal Users]
7
    B -->|DNS Services| E

• VM1 (192.168.122.206): HashiCorp Vault server acting as Certificate Authority
• VM2 (192.168.122.16): CoreDNS server providing internal DNS resolution
• VM3 (192.168.122.27): Nginx web server with TLS/SSL enabled

Prerequisites#

Before beginning, ensure you have:

• Three virtual machines with the IPs listed above
• Basic Linux administration knowledge
• Network connectivity between all three servers
• Root or sudo access on all machines

Step 1: Initialize and Configure HashiCorp Vault#

First, let’s install and configure Vault on the dedicated server.

1
# Download and install Vault
2
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
3
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
4
sudo apt-get update && sudo apt-get install vault
5

6
# Verify the installation
7
vault --version

1
sudo mkdir /etc/vault
2
sudo nano /etc/vault/config.hcl

1
storage "file" {
2
  path = "/opt/vault/data"
3
}
4

5
listener "tcp" {
6
  address     = "0.0.0.0:8200"
7
  tls_disable = 1  # Enable TLS in production with proper certificates
8
}
9

10
api_addr = "http://192.168.122.206:8200"
11
cluster_addr = "https://192.168.122.206:8201"
12
ui = true

1
sudo mkdir -p /opt/vault/data
2
sudo chown -R vault:vault /opt/vault
3
sudo systemctl enable vault
4
sudo systemctl start vault

1
export VAULT_ADDR='http://192.168.122.206:8200'
2
vault operator init