Certificate APIs
Request and manage certificates in HashiCorp Vault. Issued certificates are stored in the Vault secrets store.
Request
```
vault write digicert-pki/issue/[role name] \
  common_name="test.winthecustomer.com" \
  dns_names="san1.test.winthecustomer.com,san2.test.winthecustomer.com" \
  profile_id="0178786e-c738-4b3b-9bbf-9b517e9f0d55" \
  tags="tag-test-1,tag-test-2" \
  csr="-----BEGIN CERTIFICATE REQUEST-----\n•••\n•••\n•••\n-----END CERTIFICATE REQUEST-----"
```
Key | Description |
---|---|
[role name] | Your friendly name for the role. |
common_name | Common name for the certificate. |
dns_name | (Optional) Additional DNS names for the certificate, comma-separated. |
profile_id | (Optional) Certificate profile ID. |
tags | Tags to attach to the certificate, comma-separated. |
csr | (Optional) PEM-encoded CSR to include and sign for the request. |
Response
```
Key              Value
---              -----
certificate      -----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----
common_name      test16thsept.winthecustomer.com
private_key      -----BEGIN RSA PRIVATE KEY-----\n•••\n•••\n•••\n-----END RSA PRIVATE KEY-----
serial_number    748B6C3B014C48A1F3FF0C17C4764428360F68F5
```
If a certificate is not issued immediately, for example with a Microsoft CA server certificate profile, a request_id is returned in the response instead of the certificate.
For DV certificates, the response also carries the domain control validation details dcv_method and dcv_random_value along with the request_id.
Request
```
vault write digicert-pki/issue/stage common_name="test.winthecustomer.com"
```
Response
```
Key                 Value
---                 -----
common_name         test.winthecustomer.com
dcv_method          dns-txt-token
dcv_random_value    _4z93nbtnhqr5v9o84f8m9a6nuu45wyt
request_id          95e4032f-bd7b-4b71-9b39-6e9fb0966484
```
Pick up a pending certificate with the request_id provided in the issuing response.
The response shows the status of the pending request and returns the certificate details once issuance succeeds.
```
vault read digicert-pki/pickup/[request_id]
```
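The issue-then-pickup flow described above, as an added example that is not code from the DigiCert plugin or from HashiCorp Vault. It assumes the CLI paths on this page map onto Vault's HTTP API in the usual way (vault write PATH is POST /v1/PATH, vault read PATH is GET /v1/PATH) and that the JSON data object carries the same keys the CLI prints; the FakeEngine, its pending-status shape and its PEM body are constructed so the flow runs offline.

```python
"""Issue a certificate through the DigiCert PKI secrets engine and follow a
pending request_id through the pickup endpoint until the certificate arrives.
"""
import json
import time
import urllib.request

MOUNT = "digicert-pki"


def vault_http(addr, token):
    """Bind (write, read) callables to a Vault address and token.
    Assumes the standard CLI-to-HTTP mapping: write -> POST, read -> GET."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"{addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["data"]
    return (lambda path, body: call("POST", path, body),
            lambda path: call("GET", path))


def issue_certificate(write, read, role, params, max_polls=10, delay=0.0):
    """Write to MOUNT/issue/ROLE; if only a request_id comes back, poll
    MOUNT/pickup/REQUEST_ID until a certificate appears.

    Returns the response holding the certificate, or the last pending response
    (still carrying request_id) if max_polls is exhausted.
    """
    data = write(f"{MOUNT}/issue/{role}", params)
    if "certificate" in data:
        return data
    request_id = data.get("request_id")
    if not request_id:
        raise RuntimeError(f"neither certificate nor request_id in response: {data}")
    # DV profiles return the validation challenge next to the request_id; the
    # operator must publish it before the CA will issue, so surface it.
    if "dcv_method" in data:
        print(f"DV challenge: {data['dcv_method']} = {data.get('dcv_random_value')}")
    for _ in range(max_polls):
        data = read(f"{MOUNT}/pickup/{request_id}")
        if "certificate" in data:
            return data
        time.sleep(delay)
    return data


class FakeEngine:
    """Constructed stand-in for the engine so the flow runs offline: the write
    answers like the DV example on this page, and pickup stays pending for
    `pending_polls` reads before issuing."""
    REQUEST_ID = "95e4032f-bd7b-4b71-9b39-6e9fb0966484"

    def __init__(self, pending_polls):
        self.pending_polls = pending_polls
        self.pickup_calls = 0

    def write(self, path, body):
        assert path == f"{MOUNT}/issue/stage"
        return {"common_name": body["common_name"],
                "dcv_method": "dns-txt-token",
                "dcv_random_value": "_4z93nbtnhqr5v9o84f8m9a6nuu45wyt",
                "request_id": self.REQUEST_ID}

    def read(self, path):
        assert path == f"{MOUNT}/pickup/{self.REQUEST_ID}"
        self.pickup_calls += 1
        if self.pickup_calls <= self.pending_polls:
            return {"request_id": self.REQUEST_ID, "status": "pending"}  # constructed shape
        return {"certificate": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----",
                "common_name": "test.winthecustomer.com",
                "serial_number": "748B6C3B014C48A1F3FF0C17C4764428360F68F5"}


if __name__ == "__main__":
    engine = FakeEngine(pending_polls=2)
    cert = issue_certificate(engine.write, engine.read, "stage",
                             {"common_name": "test.winthecustomer.com"})
    print(cert["serial_number"], "issued after", engine.pickup_calls, "pickup reads")
    # Against a real Vault: write, read = vault_http("https://vault.example:8200", token)
```

Bounding the poll loop matters in automation: a DV request stays pending until the DNS token is published, so the caller gets the last pending response back (with its request_id) rather than blocking forever, and can resume with the pickup path later.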
A certificate issued through the DigiCert PKI secrets engine can also be revoked from inside Vault using its serial number.
Note
The plugin cannot revoke a certificate that was not issued by the DigiCert PKI Secrets Engine i.e., the certificate must exist in the plugin storage.
```
vault write digicert-pki/revoke/[role name] serial_number=748B6C3B014C48A1F3FF0C17C4764428360F68F5
```
Key | Description |
---|---|
[role name] | Your friendly name for the role. |
serial_number | Certificate serial number. |
List all certificates issued by the DigiCert PKI engine. The result of the command is a list of serial numbers for the certificates.
Request
```
vault list digicert-pki/certs
```
Get an issued certificate using its serial number. The response returns the certificate chain, the certificate, and the private key.
```
vault read digicert-pki/certs/[serial_number]
```
Key | Description |
---|---|
serial_number | Certificate serial number. |
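The revoke, list and read paths above combined into one inventory-and-revoke helper, as an added example that is not code from the DigiCert plugin or from HashiCorp Vault. It takes the list, read and write operations as callables (bound to vault list, vault read and vault write on the paths shown on this page, or to their HTTP equivalents), and it checks the Note above up front: a serial that is not in the engine's own certs list is refused before any revoke call is made. The FakeEngine, its second serial and its revoke response shape are constructed so the code runs offline.

```python
"""Walk the DigiCert PKI engine's inventory and revoke a certificate only after
confirming the engine holds it.
"""
MOUNT = "digicert-pki"


def normalize_serial(serial):
    """Accept 'AB:CD:..' or lowercase forms and return the bare upper-case hex
    the engine prints, so a serial copied from openssl output still matches."""
    return "".join(ch for ch in serial if ch.isalnum()).upper()


def issued_serials(list_):
    """Serials the engine issued and still stores (vault list MOUNT/certs)."""
    return {normalize_serial(s) for s in list_(f"{MOUNT}/certs")}


def inventory(list_, read):
    """Map each stored serial to its common_name via vault read MOUNT/certs/SERIAL."""
    return {s: read(f"{MOUNT}/certs/{s}")["common_name"]
            for s in sorted(issued_serials(list_))}


def revoke_if_issued_here(write, list_, role, serial):
    """Revoke via MOUNT/revoke/ROLE, but refuse up front when the serial is not
    in plugin storage: the engine cannot revoke certificates it did not issue."""
    serial = normalize_serial(serial)
    if serial not in issued_serials(list_):
        return {"serial_number": serial, "revoked": False,
                "reason": "not issued by this engine (serial not in plugin storage)"}
    data = write(f"{MOUNT}/revoke/{role}", {"serial_number": serial})
    return {"serial_number": serial, "revoked": True, "response": data}


class FakeEngine:
    """Constructed engine holding two issued certificates (second serial is made up)."""
    def __init__(self):
        self.certs = {
            "748B6C3B014C48A1F3FF0C17C4764428360F68F5": "test.winthecustomer.com",
            "0A1B2C3D4E5F60718293A4B5C6D7E8F901234567": "san1.test.winthecustomer.com",
        }
        self.revoked = []

    def list_(self, path):
        assert path == f"{MOUNT}/certs"
        return list(self.certs)

    def read(self, path):
        serial = path.rsplit("/", 1)[1]
        return {"common_name": self.certs[serial],
                "certificate": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----"}

    def write(self, path, body):
        assert path == f"{MOUNT}/revoke/stage"
        self.revoked.append(body["serial_number"])
        return {"revoked": True}  # constructed response shape


if __name__ == "__main__":
    e = FakeEngine()
    print(inventory(e.list_, e.read))
    print(revoke_if_issued_here(e.write, e.list_, "stage",
                                "74:8b:6c:3b:01:4c:48:a1:f3:ff:0c:17:c4:76:44:28:36:0f:68:f5"))
    print(revoke_if_issued_here(e.write, e.list_, "stage", "DEADBEEF"))
```

The membership check turns the engine's "not in storage" failure into an explicit, loggable refusal, and the normalization step avoids the common mismatch between the colon-separated lowercase serial openssl prints and the bare uppercase form the engine lists.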