Introduction
Vault's PKI secrets engine can dynamically generate X.509 certificates on demand. This allows services to request certificates without going through the usual manual process of generating a private key and Certificate Signing Request (CSR), submitting to a Certificate Authority (CA), and then waiting for the verification and signing process to complete.
Problem
When generating a PKI Certificate in the newly introduced PKI Secrets Engine portion of the Vault UI, the following fields are absent from the resulting output screen:
- Issuing CA
- CA chain
- Private key
- Private key type
Vault 1.14.0 UI PKI Certificate Generation Output
Vault 1.12.x UI PKI Certificate Generation Output
Prerequisites
Vault 1.13.0 (Beta of the new PKI UI)
Vault 1.14.0 (GA of the new PKI UI)
Cause
This is due to a defect in the new UI and it is anticipated to be fixed in the upcoming 1.14.1 release.
Overview of possible solutions
Workarounds:
- In the UI, change the format to Pem Bundle and obtain the information from the data contained in the Certificate field in the UI.
- Use the CLI to generate the PKI certificate.
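For the first workaround, the Certificate field in Pem Bundle format holds several PEM blocks concatenated into one text. The following is an added example, not HashiCorp's code, that splits such text into the fields missing from the output screen. It assumes the first certificate is the leaf and any later ones are its issuers; `split_pem_bundle`, `fake_pem` and `SAMPLE_BUNDLE` are names made up for this example.

```python
import base64
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# PEM label -> reported key type. A PKCS#8 label does not name the algorithm.
KEY_LABELS = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ec",
              "PRIVATE KEY": "pkcs8"}


def split_pem_bundle(bundle):
    """Split pasted PEM bundle text into key, key type, leaf and CA certs."""
    out = {"private_key": None, "private_key_type": None,
           "certificate": None, "issuing_ca": None, "ca_chain": []}
    for match in PEM_BLOCK.finditer(bundle):
        label, body = match.groups()
        # Reject a damaged base64 body before anything is stored.
        base64.b64decode("".join(body.split()), validate=True)
        pem = match.group(0) + "\n"
        if label in KEY_LABELS:
            if out["private_key"] is not None:
                raise ValueError("bundle holds more than one private key")
            out["private_key"] = pem
            out["private_key_type"] = KEY_LABELS[label]
        elif label == "CERTIFICATE":
            # Assumption: the first certificate is the leaf, the rest issuers.
            if out["certificate"] is None:
                out["certificate"] = pem
            else:
                out["ca_chain"].append(pem)
        else:
            raise ValueError(f"unexpected PEM block: {label}")
    if out["certificate"] is None:
        raise ValueError("no certificate found in bundle")
    if out["ca_chain"]:
        out["issuing_ca"] = out["ca_chain"][0]
    return out


def fake_pem(label, text):
    """Build a constructed PEM block; the body is not real key material."""
    body = base64.b64encode(text.encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample input, not output captured from Vault.
SAMPLE_BUNDLE = (fake_pem("RSA PRIVATE KEY", "constructed key")
                 + fake_pem("CERTIFICATE", "constructed leaf")
                 + fake_pem("CERTIFICATE", "constructed issuing CA"))
```

The private key is part of the pasted text, so the bundle and the returned `private_key` value need the same handling as any other secret. `issuing_ca` stays `None` when the bundle contains only the leaf certificate.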
Additional Information
- Vault Documentation: PKI Secrets Engine API
- Vault Documentation: PKI Secrets Engine
- Vault Tutorial: PKI Engine: Build your own CA