Enterprise PKI with HashiCorp Vault and CoreDNS - Complete Setup Guide
Building a secure internal network requires proper certificate management and name resolution. HashiCorp Vault provides robust certificate authority capabilities, while CoreDNS offers flexible DNS management. This guide demonstrates how to implement a complete PKI solution across multiple servers, enabling secure internal HTTPS communications with proper certificate validation.
Architecture Overview
Our setup consists of three virtual machines, each with a specific role:
```mermaid
graph TD
    A[VM1: Vault Server<br>192.168.122.206] -->|Issues Certificates| C[VM3: Nginx Server<br>192.168.122.27]
    B[VM2: CoreDNS Server<br>192.168.122.16] -->|Name Resolution| A
    B -->|Name Resolution| C
    A -->|Root & Intermediate CA| D[PKI Infrastructure]
    C -->|HTTPS Services| E[Internal Users]
    B -->|DNS Services| E
```
- VM1 (192.168.122.206): HashiCorp Vault server acting as Certificate Authority
- VM2 (192.168.122.16): CoreDNS server providing internal DNS resolution
- VM3 (192.168.122.27): Nginx web server with TLS/SSL enabled
Prerequisites
Before beginning, ensure you have:
- Three virtual machines with the IPs listed above
- Basic Linux administration knowledge
- Network connectivity between all three servers
- Root or sudo access on all machines
Step 1: Initialize and Configure HashiCorp Vault
First, let’s install and configure Vault on the dedicated server.
Installing Vault
```bash
# Download and install Vault from the HashiCorp apt repository.
# Note: apt-key is deprecated on current Debian/Ubuntu releases; on those systems
# store the key in a keyring and reference it with [signed-by=...] instead.
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install vault

# Verify the installation
vault --version
```
Configure the Vault Server
Create a basic configuration file:
```bash
sudo mkdir /etc/vault
sudo nano /etc/vault/config.hcl
```
Add the following configuration:
```hcl
storage "file" {
  path = "/opt/vault/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1 # Enable TLS in production with proper certificates
}

api_addr     = "http://192.168.122.206:8200"
cluster_addr = "https://192.168.122.206:8201"
ui           = true
```
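The listener above is deliberately left in a lab state (`tls_disable = 1`, bound to every interface, plain `http://` in `api_addr`). The following added example, which is not part of the original guide, is a small shell audit that flags exactly those settings in a `config.hcl`; the two sample files it writes are constructed here, and the certificate paths in the hardened sample are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): flag the lab-only settings in a
# Vault config.hcl before the file is promoted to production.
# Print one FINDING line per issue in the given config file; nothing if it is clean.
audit_vault_config() {
    local body
    body=$(sed 's/#.*//' "$1")   # drop comments so commented-out settings do not match
    if printf '%s\n' "$body" | grep -Eq 'tls_disable[[:space:]]*=[[:space:]]*"?(1|true)"?'; then
        echo "FINDING: tls_disable set; tokens and secrets cross the wire in cleartext"
    fi
    if printf '%s\n' "$body" | grep -Eq 'address[[:space:]]*=[[:space:]]*"0\.0\.0\.0:'; then
        echo "FINDING: listener binds every interface; bind one address or firewall 8200/tcp"
    fi
    if printf '%s\n' "$body" | grep -Eq 'api_addr[[:space:]]*=[[:space:]]*"http://'; then
        echo "FINDING: api_addr advertises plain http://; clients will follow it unencrypted"
    fi
}

# Number of findings for a file; 0 means it passed.
count_findings() { audit_vault_config "$1" | grep -c '^FINDING' || true; }

# Constructed sample: this guide's listener and api_addr, values unchanged.
write_lab_config() {
    cat > "$1" <<'EOF'
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1 # Enable TLS in production with proper certificates
}
api_addr = "http://192.168.122.206:8200"
EOF
}

# Constructed sample: the same listener hardened (TLS on, one bind address; cert paths are placeholders).
write_hardened_config() {
    cat > "$1" <<'EOF'
listener "tcp" {
  address       = "192.168.122.206:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}
api_addr = "https://192.168.122.206:8200"
EOF
}

for cfg in lab hardened; do            # audit both constructed samples
    tmp=$(mktemp); "write_${cfg}_config" "$tmp"
    echo "== $cfg: $(count_findings "$tmp") finding(s)"; audit_vault_config "$tmp"
    rm -f "$tmp"
done
```

Run it against the real `/etc/vault/config.hcl` with `audit_vault_config /etc/vault/config.hcl`; the lab sample yields three findings, the hardened one none.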
Prepare the storage directory and start Vault:
```bash
sudo mkdir -p /opt/vault/data
sudo chown -R vault:vault /opt/vault
# The packaged systemd unit starts Vault with -config=/etc/vault.d/vault.hcl by default;
# point it at /etc/vault/config.hcl (or place the file there) before starting the service.
sudo systemctl enable vault
sudo systemctl start vault
```
Initialize and Unseal Vault
Initialize the Vault server:
```bash
export VAULT_ADDR='http://192.168.122.206:8200'
vault operator init
```
This outputs five unseal key shares and an initial root token. Store them securely, and keep the shares apart from one another and from the root token: the shares are needed to unseal Vault after every restart, and the root token grants unrestricted access to everything Vault holds.
Sample output: