While issuing a server certificate, if you receive the following error:
$ vault write pki/issue/server-certificates common_name=test.example.com
Error writing data to pki/issue/server-certificates: Error making API request.
URL: PUT https://$VAULT_ADDR/v1/pki/issue/server-certificates
Code: 500. Errors:
* 2 errors occurred:
* errors from both primary and secondary; primary error was error
fetching CA certificate: stored CA information not able to be parsed;
secondary errors follow
* error fetching CA certificate: stored CA information not able to be parsed
This is usually caused by an accidental change to the Intermediate CA (ICA).
For example, on Vault versions before 1.11, accidentally calling the intermediate/generate/internal endpoint a second time generates a new CSR together with a new private key (which, for the internal type, only Vault holds) and stores that key in place of the existing one. The certificate already stored for the ICA was issued for the old key, so the stored CA bundle can no longer be loaded and every operation that goes through the ICA fails with the error above.
The only solution is to reconfigure the ICA: generate a new CSR from the intermediate mount, have it signed by the Root CA, and install the signed certificate with the intermediate/set-signed endpoint.
To keep this from happening again, plan an upgrade to Vault 1.11.x or later as soon as possible. From 1.11 the PKI secrets engine tracks multiple issuers and keys, so generating a new intermediate adds an issuer instead of overwriting the existing one, and CA rotation can be performed safely.
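The recovery described above, written out as an added example (it is not part of the original article or of Vault itself). It assumes the intermediate CA is mounted at pki_int and the root at pki (both names are placeholders), that VAULT_ADDR and VAULT_TOKEN point at a token allowed to write both mounts, and that openssl is on PATH. The first helper checks the property a CA bundle loses when the stored private key is replaced (certificate public key no longer equals the key's public key), the second recognises the symptom quoted above in CLI output, and the third performs the reconfiguration and verifies it.

```shell
#!/bin/sh
# Added example, not code from the original article or from Vault.
# Assumptions (not taken from the page): intermediate CA at mount "pki_int",
# root CA at mount "pki", VAULT_ADDR/VAULT_TOKEN set for a token that may
# write both mounts, openssl available on PATH.

# ca_key_matches_cert KEY.pem CERT.pem
# Returns 0 when the certificate carries the public key derived from the
# private key, 1 when it does not, 2 when either file cannot be parsed.
# This is exactly what a stored CA bundle loses when a pre-1.11 Vault
# replaces the private key after intermediate/generate/internal.
ca_key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$key_pub" = "$cert_pub" ]
}

# is_stored_ca_parse_error < output
# Succeeds when the output of a failed "vault write .../issue/..." call
# contains the symptom quoted in the article.
is_stored_ca_parse_error() {
  grep -q 'stored CA information not able to be parsed'
}

# recover_intermediate INT_MOUNT ROOT_MOUNT COMMON_NAME [ROLE TEST_CN]
# Re-establishes the intermediate: fresh CSR from the intermediate mount,
# signed by the root mount, installed with intermediate/set-signed, then
# checked by verifying the served CA certificate against the root and, when
# ROLE and TEST_CN are given, by issuing a short-lived test certificate.
# On Vault < 1.11 the generate step is the same call that caused the
# corruption; here it is intended, because the old key is already gone.
recover_intermediate() {
  int_mount=${1:-pki_int}
  root_mount=${2:-pki}
  cn=${3:?common_name of the intermediate is required}
  role=$4
  test_cn=$5
  work=$(mktemp -d) || return 1

  # 1. New CSR (and new internal key) for the intermediate.
  vault write -field=csr "$int_mount/intermediate/generate/internal" \
    common_name="$cn" > "$work/ica.csr" || return 1

  # 2. Sign it with the root CA held in the root mount.
  vault write -field=certificate "$root_mount/root/sign-intermediate" \
    csr=@"$work/ica.csr" ttl=8760h > "$work/ica.crt" || return 1

  # 3. Install the signed certificate into the intermediate mount.
  vault write "$int_mount/intermediate/set-signed" \
    certificate=@"$work/ica.crt" || return 1

  # Check 1: the CA certificate Vault now serves chains to the root.
  vault read -field=certificate "$root_mount/cert/ca" > "$work/root.crt" || return 1
  vault read -field=certificate "$int_mount/cert/ca" > "$work/served.crt" || return 1
  openssl verify -CAfile "$work/root.crt" "$work/served.crt" || return 1

  # Check 2: issuance works again (the operation that failed in the article).
  if [ -n "$role" ] && [ -n "$test_cn" ]; then
    vault write -field=serial_number "$int_mount/issue/$role" \
      common_name="$test_cn" ttl=10m || return 1
  fi
  rm -rf "$work"
}
```

Run the recovery as, for example, `recover_intermediate pki_int pki "Example Intermediate CA" server-certificates test.example.com` after sourcing the script; the role and test common name must match what the role allows. The key-match helper is useful on its own for CA material kept outside Vault (for example an exported root), since Vault never returns an internal private key.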