I am following the PKI w/offline root tutorial and noticed that any certificates created from the second intermediate’s PKI mount/role are not listed when running vault list test_org_v1_ica2_v1/certs. Is this behavior by design? I understand that Vault will not track certs it created or signed directly by an imported CA but I would to confirm that this behavior applies even with intermediate CAs created in Vault and signed anywhere in its chain by an offline CA.
I finally found the “Store in storage backend” (no_store) option for the PKI role. Once unchecked/set to false I am able to see the certificates. See PKI - Secrets Engines - HTTP API | Vault | HashiCorp Developer for details.