The KMIP Secrets Engine operates a server which, by default, listens on port 5696. Presently the server's TLS certificate is created when the server starts and is not configurable. This results in the certificate changing whenever the server is restarted. Restarts can be triggered by:
- a leader change
- a change to KMIP configuration
- a normal restart
This can affect organisations planning or attempting to pin to the KMIP server certificate, since that certificate is potentially volatile.
The suggested workflow is to trust the intermediate or CA certificates of the KMIP server to avoid potential service interruption.