# Generate Certificates with HashiCorp Vault

Here are steps to generate SSL certificates using HashiCorp Vault as an Intermediate CA.

NOTE: Be sure that you've set up a Vault instance as an Intermediate CA.  
See this page for how: [Vault as Intermediate CA](https://wiki.galaxydump.com/link/455)

Log in to the web UI of your intermediate CA, such as: [https://vault02.ogsofttech.lan:8200/ui/](https://vault02.ogsofttech.lan:8200/ui/)  
If DNS is down, use this: [https://192.168.60.6:8200/ui/](https://192.168.60.6:8200/ui/)

For the latest intermediate CA URL, see this page: [Vault Services](https://wiki.galaxydump.com/link/300)

Find the issuing role by navigating to Secrets/PKI/Roles.

[![image.png](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/scaled-1680-/Ctq7LL1OQADcWAZf-image.png)](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/Ctq7LL1OQADcWAZf-image.png)

Select the role, and click Generate Certificate:

[![image.png](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/scaled-1680-/ZJgTJD3X6MrCO68T-image.png)](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/ZJgTJD3X6MrCO68T-image.png)

Fill in the Common name as: router.ogsofttech.lan.

Set the TTL to 1 year (365 days).

[![image.png](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/scaled-1680-/w26rZjkslfBLo9UP-image.png)](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/w26rZjkslfBLo9UP-image.png)

Click Generate to create the key and certificate, and you’ll see this:

[![image.png](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/scaled-1680-/0Lso9nwbaxRntk1h-image.png)](https://wiki.galaxydump.com/uploads/images/gallery/2025-09/0Lso9nwbaxRntk1h-image.png)

Download the private key as: router.ogsofttech.lan-key.pem

Download the certificate as: router.ogsofttech.lan-cert.pem

Download the CA chain as: router.ogsofttech.lan-cabundle.pem

<p class="callout info">NOTE: We are calling the downloaded CA chain file a “ca bundle”.  
CA bundle is the standard naming convention for this file type.  
Specifically, a cert is often concatenated with the CA bundle that signed it, to create a chain certificate file.</p>
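
Before copying the files to a host, you can check the three downloads and assemble the chain file described in the note above. The script below is an added example, not part of the original page; it assumes the `openssl` CLI is installed, the three file names used above, and a hypothetical output name ending in `-fullchain.pem`.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Requires the openssl CLI.
# Usage: ./check_vault_cert.sh router.ogsofttech.lan   (run in the download directory)

# True if the private key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True if the certificate ($1) was issued by a CA in the bundle ($2).
# -partial_chain lets an intermediate-only bundle act as the trust anchor.
issued_by_bundle() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Write cert ($1) followed by CA bundle ($2) to a chain file ($3).
# awk 1 re-terminates every line, so a download that lacks a final newline
# cannot fuse "-----END CERTIFICATE-----" with the next "-----BEGIN".
build_fullchain() {
    awk 1 "$1" "$2" > "$3"
}

# Run all checks for base name $1, e.g. router.ogsofttech.lan.
check_downloads() {
    local b=$1
    key_matches_cert "$b-key.pem" "$b-cert.pem" ||
        { echo "private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$b-cert.pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate has already expired" >&2; return 1; }
    issued_by_bundle "$b-cert.pem" "$b-cabundle.pem" ||
        { echo "certificate was not issued by the CA bundle" >&2; return 1; }
    chmod 600 "$b-key.pem" || return 1   # private key: owner read/write only
    # Output file name is an assumption, not a name used on this page.
    build_fullchain "$b-cert.pem" "$b-cabundle.pem" "$b-fullchain.pem"
}

if [ "$#" -gt 0 ]; then check_downloads "$1"; fi
```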

Now you can copy the cert, CA bundle, and private key to the host where they will be used.

If generating a pair for a Linux host, you will need them as .crt and .key files.  
Follow this: [Converting PEM to crt and key](https://wiki.galaxydump.com/link/303)

If generating a pair for an Nginx host, you will need