Certificate APIs

Request and manage certificates in HashiCorp Vault. Issued certificates are stored in the Vault secrets store.

Request

vault write digicert-pki/issue/[role name] \
common_name="test.winthecustomer.com" \
dns_names="san1.test.winthecustomer.com,san2.test.winthecustomer.com" \
profile_id="0178786e-c738-4b3b-9bbf-9b517e9f0d55" \
tags="tag-test-1,tag-test-2" \
csr="-----BEGIN CERTIFICATE REQUEST-----\n•••\n•••\n•••\n-----END CERTIFICATE REQUEST-----"

Key            Description
---            -----------
[role name]    Your friendly name for the role.
common_name    Common name for the certificate.
dns_name       (Optional) Specify additional names.
profile_id     (Optional) Specify certificate profile ID.
tags           Specify tags.
csr            (Optional) Include and sign CSR for the request.

Response

Key              Value
---              -----
certificate      -----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----
common_name      test16thsept.winthecustomer.com
private_key      -----BEGIN RSA PRIVATE KEY-----\n•••\n•••\n•••\n-----END RSA PRIVATE KEY-----
serial_number    748B6C3B014C48A1F3FF0C17C4764428360F68F5

If a certificate is not issued immediately, such as for a Microsoft CA server certificate profile, a request_id is returned in the response.

For DV certificates, the DV details dcv_method and dcv_random_value are returned in the response along with the request_id.

vault write digicert-pki/issue/stage common_name="test.winthecustomer.com"

Key                 Value
---                 -----
common_name         test.winthecustomer.com
dcv_method          dns-txt-token
dcv_random_value    _4z93nbtnhqr5v9o84f8m9a6nuu45wyt
request_id          95e4032f-bd7b-4b71-9b39-6e9fb0966484

Pick up a pending certificate with the request_id in the issuing response:

vault read digicert-pki/pickup/[request_id]

The response will show the status of the pending request and return certificate details on successful issuance.
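
An added example (not DigiCert or HashiCorp code) of handling the two issue response shapes above in automation: it keeps the private key out of logs and builds the pickup path for a pending request. It assumes the command was run with the Vault CLI's -format=json, which nests the plugin's fields under "data" next to a top-level request_id of Vault's own; handle_issue_response, key_dir and the sample are hypothetical.

```python
import json
import os
import re

MOUNT = "digicert-pki"  # mount path used in this page's commands

# Constructed sample: "data" values copied from the pending response above;
# the top-level request_id (Vault's own API request ID) is made up.
PENDING_SAMPLE = json.dumps({
    "request_id": "00000000-aaaa-bbbb-cccc-000000000000",
    "data": {"common_name": "test.winthecustomer.com",
             "dcv_method": "dns-txt-token",
             "dcv_random_value": "_4z93nbtnhqr5v9o84f8m9a6nuu45wyt",
             "request_id": "95e4032f-bd7b-4b71-9b39-6e9fb0966484"}})


def handle_issue_response(raw_json, key_dir):
    """Return ("issued", info) or ("pending", info) for one issue response."""
    # Plugin fields sit under "data"; the top-level request_id is not the
    # pickup ID.
    data = json.loads(raw_json).get("data") or {}
    if data.get("certificate"):
        serial = data["serial_number"]
        if not re.fullmatch(r"[0-9A-Fa-f]+", serial):  # it becomes a file name
            raise ValueError("unexpected serial_number format")
        info = {"serial_number": serial, "certificate": data["certificate"]}
        if data.get("private_key"):
            path = os.path.join(key_dir, serial + ".key")
            # Create with 0600 and refuse to overwrite; the key is not returned.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(data["private_key"])
            info["key_path"] = path
        return "issued", info
    if data.get("request_id"):
        req_id = data["request_id"]
        if not re.fullmatch(r"[0-9A-Fa-f-]+", req_id):  # becomes a path segment
            raise ValueError("unexpected request_id format")
        info = {"pickup_path": f"{MOUNT}/pickup/{req_id}"}
        for field in ("dcv_method", "dcv_random_value"):  # returned for DV
            if field in data:
                info[field] = data[field]
        return "pending", info
    raise ValueError("response has neither a certificate nor a request_id")
```
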

A certificate issued through the DigiCert PKI secrets engine can also be revoked from inside Vault using its serial number.

Note

The plugin cannot revoke a certificate that was not issued by the DigiCert PKI Secrets Engine; that is, the certificate must exist in the plugin storage.

vault write digicert-pki/revoke/[role name] serial_number=748B6C3B014C48A1F3FF0C17C4764428360F68F5

Key              Description
---              -----------
[role name]      Your friendly name for the role
serial_number    Certificate serial number

List all certificates issued by the DigiCert PKI engine. The result of the command will be a list of serial numbers for the certificates.

Request

vault list digicert-pki/certs

Get an issued certificate using its serial number. The response returns the certificate chain, the certificate, and the private key.

vault read digicert-pki/certs/[serial_number]

Key              Description
---              -----------
serial_number    Certificate serial number