vault pki issue: Issue Certificates from Vault
The PKI engine issues a certificate and private key on demand from a configured role, ideal for short-lived CI certs.
Instead of long-lived certs sitting in a secret store, PKI mints a fresh cert per job. The role constrains allowed domains and TTL so a pipeline can only request what it is permitted.
What it does
vault write pki/issue/<role> generates a key pair, signs a certificate against the mount CA, and returns the certificate, private key, and issuing CA in the response. The role limits allowed_domains, whether subdomains are allowed, and the max ttl.
Common usage
# issue a cert for a test service
vault write pki/issue/web \
common_name="api.example.com" ttl="1h"
# capture just the certificate field
vault write -field=certificate pki/issue/web \
common_name="api.example.com" ttl="1h" > cert.pemOptions
| Field | What it does |
|---|---|
| common_name | CN (and default SAN) for the cert |
| alt_names | Additional DNS SANs (comma-separated) |
| ip_sans | IP SANs |
| ttl | Requested lifetime (capped by the role max_ttl) |
| -field=certificate|private_key|issuing_ca | Extract one part of the response |
In CI
Use -field=private_key and -field=certificate to write the key and cert to separate files for a test server, then let them expire on their own short ttl. Because each issuance is logged and time-bound, this is safer than checking a static cert into the repo.
Common errors in CI
"role 'web' could not be found" means the PKI role was not created with vault write pki/roles/web .... "common name api.example.com not allowed by this role" means it violates allowed_domains/allow_subdomains. "ttl is larger than maximum allowed" means the requested ttl exceeds the role or mount max; lower it. "backend must be configured with a CA certificate" means the mount has no issuer yet.