This is true… but just to give everyone clarity that it’s really not that hard to grab the key if you have admin access to Vault:
Option 1
If you can turn raw_storage_endpoint on in the Vault configuration file, and have access to define Vault policy, it’s quite easy to fetch the private key out of the sys/raw/ API.
Option 2
If you have access to manage plugins on a Vault server, you can make a forked version of the PKI secrets engine that adds a new API for getting the CA private key, and load it into a running Vault server.