Download Root CA / Intermediate CA without Login?


how can I (or a random user) download the Root- or Intermediate-CA out of vault? They have to add it into there Certificate store.

Thanks for hints.

I don’t believe there is way to allow anonymous access. For us, we publish the cert to our Artifactory server that’s where the clients grab the chain from.

Are you looking to download the root/intermediate CA from a Vault provided PKI? If so you can use the /pki/ca_chain api endpoint to download the certs.

Nice, I had no idea this was available. Interesting enough you can’t use it against the CA, only the intermediate.

$ curl https://vault/v1/pki-root-ca/ca_chain
$ curl https://vault/v1/pki-int-ca/ca_chain

The API documents have so much useful information in them that aren’t even hinted at in the normal docs. They are my go-to resources.

1 Like

Moin, thanks for all the answers. It’s working as described.

This is an old message thread, but just in case anyone else finds it later - the Vault PKI secret engine offers the following anonymously accessible endpoints:

/pki/ca - CA certificate, binary
/pki/ca/pem - CA certificate, PEM
/pki/ca_chain - CA certificate plus chain certificates, PEM
/pki/cert/ca - CA certificate, Vault API JSON
/pki/cert/ca_chain - CA certificate plus chain certificates, Vault API JSON
/pki/cert/crl - CRL, Vault API JSON
/pki/cert/{serial} - Any certificate which has been issued, looked up by its serial number in hexadecimal with each byte separated with a dash
/pki/crl - CRL, binary
/pki/crl/pem - CRL, PEM


thanks for this very usefull information.