Skip to main content

Certificate APIs

Request and manage certificates in HashiCorp Vault. Issued certificates are stored in the Vault secrets store.

Request

vault write digicert-pki/issue/[role name] \
common_name="test.winthecustomer.com" \
dns_names="san1.test.winthecustomer.com,san2.test.winthecustomer.com" \
profile_id="0178786e-c738-4b3b-9bbf-9b517e9f0d55" \
tags="tag-test-1,tag-test-2"
csr="-----BEGIN CERTIFICATE REQUEST-----\n•••\n•••\n•••\n-----END CERTIFICATE REQUEST-----

Key

Description

[role name]

Your friendly name for the role.

common_name

Common name for the certificate.

dns_name

(Optional) Specify additional names.

profile_id

(Optional) Specify certificate profile ID.

tags

Specify tags.

csr

(Optional) Include and sign CSR for the request.

Response

Key              Value
---              -----
certificate      -----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----
common_name      test16thsept.winthecustomer.com
private_key      -----BEGIN RSA PRIVATE KEY-----\n•••\n•••\n•••\n-----END RSA PRIVATE KEY-----
serial_number    748B6C3B014C48A1F3FF0C17C4764428360F68F5

If a certificate is not issued immediately, such as for Microsoft CA server certificate profile, then a request_id is returned in the response.

For DV certificates, along with request_id, other DV details i.e. dcv_method and dcv_random_value are also returned in response.

Key                 Value
---                 -----
common_name         test.winthecustomer.com
dcv_method          dns-txt-token
dcv_random_value    _4z93nbtnhqr5v9o84f8m9a6nuu45wyt
request_id          95e4032f-bd7b-4b71-9b39-6e9fb0966484vault write digicert-pki/issue/stage common_name="test.winthecustomer.com"

Pick up a pending certificate with the request_id provided in the issuing response.

The response will show the status of the pending request and return certificate details on successful issuance.

vault read digicert-pki/pickup/[request_id]

The certificate issued through DigiCert PKI secret engine can also be revoked from inside the vault using its serial number.

Note

The plugin cannot revoke a certificate that was not issued by the DigiCert PKI Secrets Engine i.e., the certificate must exist in the plugin storage.

vault write digicert-pki/revoke/[role name] serial_number=748B6C3B014C48A1F3FF0C17C4764428360F68F5<serialNumber>

Key

Description

[role name]

Your friendly name for the role

serial_number

Certificate serial number

List all certificates issued by the DigiCert PKI engine. The result of the command will be a list of serial numbers for the certificates.

Request

vault list digicert-pki/certs

Get an issued certificate using its serial number. The response returns the certificate chain, the certificate, and the private key.

vault read digicert-pki/certs/[serial_number]

Key

Description

serial_number

Certificate serial number