Skip to content
Latchkey

vault pki issue: Issue Certificates from Vault

The PKI engine issues a certificate and private key on demand from a configured role, ideal for short-lived CI certs.

Instead of long-lived certs sitting in a secret store, PKI mints a fresh cert per job. The role constrains allowed domains and TTL so a pipeline can only request what it is permitted.

What it does

vault write pki/issue/<role> generates a key pair, signs a certificate against the mount CA, and returns the certificate, private key, and issuing CA in the response. The role limits allowed_domains, whether subdomains are allowed, and the max ttl.

Common usage

Terminal
# issue a cert for a test service
vault write pki/issue/web \
  common_name="api.example.com" ttl="1h"
# capture just the certificate field
vault write -field=certificate pki/issue/web \
  common_name="api.example.com" ttl="1h" > cert.pem

Options

FieldWhat it does
common_nameCN (and default SAN) for the cert
alt_namesAdditional DNS SANs (comma-separated)
ip_sansIP SANs
ttlRequested lifetime (capped by the role max_ttl)
-field=certificate|private_key|issuing_caExtract one part of the response

In CI

Use -field=private_key and -field=certificate to write the key and cert to separate files for a test server, then let them expire on their own short ttl. Because each issuance is logged and time-bound, this is safer than checking a static cert into the repo.

Common errors in CI

"role 'web' could not be found" means the PKI role was not created with vault write pki/roles/web .... "common name api.example.com not allowed by this role" means it violates allowed_domains/allow_subdomains. "ttl is larger than maximum allowed" means the requested ttl exceeds the role or mount max; lower it. "backend must be configured with a CA certificate" means the mount has no issuer yet.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →