2) we have a PKI secrets engine and for this we have a ROOT CA private key and have an Intermediate CA also which issues all of our certs
Questions:
1) Is there a method to copy the PKI secrets engine and set up an exact clone after copying from one vault instance to another?
2) shall the certificates also be copied over?
3) assuming that the clone method exists, shall the copied certificates issued by the original vault work when we use them against the intermediate CA of the new vault?
I will preface this by saying the enterprise version supports not what you ask, but the end goal of having a Disaster Recovery or a Performance secondary, though it is a jump in price. You can also do a “snapshot” and “restore”, but this does the entire storage and comes with its own challenges. All of these methods copy “the whole cluster” - and not really piece by piece.
You mention two things here - copying KV stores and Copying PKI.
The simpler of course is copying the KV values over - yes this works, you read in one and write in the other. You need to implement the logic depending on your use case - copying one way being the easiest. The question is what are you trying to achieve, more than anything - a backup? a local copy, etc.
For PKI things are different - the PKI engine cannot be copied like the KV store, but because of the way PKI is used, that may not be necessary. In the PKI engine, you cannot export the keys except when they get created (the exportable flag); this means any read / write will be incomplete. If you have the keys, there is an API call to import the full PEM bundle and replace the existing one:
But this is more a way to set the CA / Issuers at the start, and not really for ongoing “management” - at least not in the way you seem to be mentioning it (I’m guessing). You cannot keep these as separate CAs (or Roots) still managing the certificates underneath, since, if they are on two active vaults, they are independent, each has its own certificates, CRL, OCSP, etc. But the way certificates are used, this does not really matter in most use cases, except very specific ones.
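The one-way KV copy described in the reply above ("read in one and write in the other"), as an added example that is not from the original thread. It talks to Vault's KV v2 HTTP API with the standard library only and, going beyond the reply, walks nested folders recursively; the mount name `secret` and the source/destination addresses and tokens are assumptions, and the source token needs list/read on the tree while the destination token needs create/update.

```python
import json
import urllib.error
import urllib.request
class VaultKV2:
    """Minimal KV v2 client over Vault's HTTP API (stdlib only, no hvac)."""
    def __init__(self, addr, token, mount="secret"):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount

    def _call(self, method, path, body=None):
        req = urllib.request.Request(
            f"{self.addr}/v1/{self.mount}/{path}", method=method,
            data=json.dumps(body).encode() if body else None,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:  # no such key/prefix (or a deleted latest version)
                return None
            raise

    def list(self, prefix):
        # Immediate children of prefix; sub-folders come back with a trailing "/"
        res = self._call("LIST", f"metadata/{prefix}")
        return res["data"]["keys"] if res else []

    def read(self, path):
        # Latest version's key/value map, or None if the path does not exist
        res = self._call("GET", f"data/{path}")
        return res["data"]["data"] if res else None

    def write(self, path, data):
        self._call("POST", f"data/{path}", {"data": data})

def copy_kv_tree(src, dst, prefix=""):
    """Walk every secret under prefix on src and write it to dst (one way).
    Only the latest version travels; version history and metadata do not."""
    copied = []
    for key in src.list(prefix):
        full = prefix + key
        if key.endswith("/"):            # folder: descend
            copied += copy_kv_tree(src, dst, full)
        else:
            data = src.read(full)
            if data is not None:
                dst.write(full, data)
                copied.append(full)
    return copied

# e.g. copy_kv_tree(VaultKV2(addr_a, token_a), VaultKV2(addr_b, token_b))  (placeholders)
```

Because the copy is a plain overwrite of the latest version, run it against a destination you are prepared to clobber, and remember the secrets are now held in two places with two audit trails.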