Certificate APIs
Request and manage certificates in HashiCorp Vault. Issued certificates are stored in the Vault secrets store.
Request
```shell
vault write digicert-pki/issue/[role name] \
  common_name="test.winthecustomer.com" \
  dns_names="san1.test.winthecustomer.com,san2.test.winthecustomer.com" \
  profile_id="0178786e-c738-4b3b-9bbf-9b517e9f0d55" \
  tags="tag-test-1,tag-test-2" \
  csr="-----BEGIN CERTIFICATE REQUEST-----\n•••\n•••\n•••\n-----END CERTIFICATE REQUEST-----"
```

Key | Description
---|---
[role name] | Your friendly name for the role.
common_name | Common name for the certificate.
dns_names | (Optional) Additional DNS names (SANs), comma-separated.
profile_id | (Optional) Certificate profile ID.
tags | Tags to attach to the certificate, comma-separated.
csr | (Optional) A CSR to be signed for this request, instead of having the engine generate the key pair.
Response
```
Key              Value
---              -----
certificate      -----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----
common_name      test16thsept.winthecustomer.com
private_key      -----BEGIN RSA PRIVATE KEY-----\n•••\n•••\n•••\n-----END RSA PRIVATE KEY-----
serial_number    748B6C3B014C48A1F3FF0C17C4764428360F68F5
```

If a certificate is not issued immediately, such as for a Microsoft CA server certificate profile, a request_id is returned in the response instead. For DV certificates, the other DV details, i.e. dcv_method and dcv_random_value, are returned in the response along with the request_id:

```shell
vault write digicert-pki/issue/stage common_name="test.winthecustomer.com"
```

```
Key                 Value
---                 -----
common_name         test.winthecustomer.com
dcv_method          dns-txt-token
dcv_random_value    _4z93nbtnhqr5v9o84f8m9a6nuu45wyt
request_id          95e4032f-bd7b-4b71-9b39-6e9fb0966484
```

Pick up a pending certificate with the request_id from the issuing response:

```shell
vault read digicert-pki/pickup/[request_id]
```
The response will show the status of the pending request and return certificate details on successful issuance.
A certificate issued through the DigiCert PKI secrets engine can also be revoked from within Vault using its serial number.
Note
The plugin cannot revoke a certificate that was not issued by the DigiCert PKI Secrets Engine, i.e. the certificate must exist in the plugin storage.

```shell
vault write digicert-pki/revoke/[role name] serial_number=748B6C3B014C48A1F3FF0C17C4764428360F68F5
```

Key | Description
---|---
[role name] | Your friendly name for the role.
serial_number | Certificate serial number.
List all certificates issued by the DigiCert PKI engine. The result of the command will be a list of serial numbers for the certificates.
Request
```shell
vault list digicert-pki/certs
```
Get an issued certificate using its serial number. The response returns the certificate chain, the certificate, and the private key.
```shell
vault read digicert-pki/certs/[serial_number]
```
Key | Description |
---|---|
serial_number | Certificate serial number |
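The issue, pickup and revoke steps above are usually driven from a script. The following is an added example, not code from the DigiCert plugin or from HashiCorp: it classifies the JSON output of `vault write -format=json digicert-pki/issue/...` into the two response shapes documented above (immediate issuance, or a pending request with optional DV details), derives the pickup or read path, and refuses to build a revoke command for a serial that does not appear in `vault list digicert-pki/certs`. The sample responses are constructed, and the mount path `digicert-pki` is assumed from the commands above.

```python
import json
from typing import List, Optional

MOUNT = "digicert-pki"  # assumed mount path, as used in the commands above

# Constructed sample CLI output (shape of `vault write -format=json`), not captured
# from a real Vault. The envelope's own top-level "request_id" is Vault's per-call
# id; only data.request_id is the plugin's pending-request id used for pickup.
ISSUED = json.dumps({"request_id": "envelope-id", "data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----",
    "common_name": "test.winthecustomer.com",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
    "serial_number": "748B6C3B014C48A1F3FF0C17C4764428360F68F5"}})
PENDING_DV = json.dumps({"request_id": "envelope-id", "data": {
    "common_name": "test.winthecustomer.com",
    "dcv_method": "dns-txt-token",
    "dcv_random_value": "_4z93nbtnhqr5v9o84f8m9a6nuu45wyt",
    "request_id": "95e4032f-bd7b-4b71-9b39-6e9fb0966484"}})


def next_step(raw: str) -> dict:
    """Classify an issue response and return the path to use for the next step."""
    data = json.loads(raw)["data"]
    if "certificate" in data:
        cert = data["certificate"].strip()
        pem_ok = (cert.startswith("-----BEGIN CERTIFICATE-----")
                  and cert.endswith("-----END CERTIFICATE-----"))
        serial = data["serial_number"]
        return {"state": "issued", "serial_number": serial, "pem_ok": pem_ok,
                "read_path": f"{MOUNT}/certs/{serial}"}
    if "request_id" in data:
        rid = data["request_id"]
        step = {"state": "pending", "request_id": rid, "pickup_path": f"{MOUNT}/pickup/{rid}"}
        if "dcv_method" in data:  # DV order: validation must complete before pickup succeeds
            step["dcv"] = {"method": data["dcv_method"], "value": data["dcv_random_value"]}
        return step
    raise ValueError("response carries neither a certificate nor a request_id")


def revoke_argv(role: str, serial: str, listed_serials: List[str]) -> Optional[List[str]]:
    """Build the revoke command only if the serial is in the plugin's own cert list
    (output of `vault list digicert-pki/certs`); the plugin cannot revoke others."""
    if serial.upper() not in {s.upper() for s in listed_serials}:
        return None
    return ["vault", "write", f"{MOUNT}/revoke/{role}", f"serial_number={serial}"]
```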