Find information of cert requests within vault

Hello,

I’m trying to follow the documentation for creating a CA chain with an offline CA, but I don’t seem to understand what is actually happening when I’m supposed to create the first intermediate CA.

resource "vault_mount" "test_org_v1_ica1_v1" {
 path                      = "test-org/v1/ica1/v1"
 type                      = "pki"
 description               = "PKI engine hosting intermediate CA1 v1 for test org"
 default_lease_ttl_seconds = local.default_1hr_in_sec
 max_lease_ttl_seconds     = local.default_3y_in_sec
}

resource "vault_pki_secret_backend_intermediate_cert_request" "test_org_v1_ica1_v1" {
 depends_on   = [vault_mount.test_org_v1_ica1_v1]
 backend      = vault_mount.test_org_v1_ica1_v1.path
 type         = "internal"
 common_name  = "Intermediate CA1 v1 "
 key_type     = "rsa"
 key_bits     = "2048"
 ou           = "test org"
 organization = "test"
 country      = "US"
 locality     = "Bethesda"
 province     = "MD"
}

And namely, where exactly in Vault can I see the information that I’m feeding in here through vault_pki_secret_backend_intermediate_cert_request? common_name, ou, organization and such?
There’s no certificate in the path:

root@vault-0:~# vault list test-org/v1/ica1/v1/certs
No value found at test-org/v1/ica1/v1/certs

Which I guess makes sense, because this is just a certificate request. So how do I see where the added information has been created?

When you call the Vault API, the CSR is returned in the HTTP response. It is not stored within Vault.

terraform-provider-vault makes the CSR available as the csr property of the vault_pki_secret_backend_intermediate_cert_request resource instance.

You need to do something with it, such as looking it up out of your Terraform state file with terraform state show, or assigning it to a Terraform output variable to make it easier to access.

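As an added example (not part of the original thread or of the provider's own code), this is the Terraform that would normally accompany the request resource in the post: an output that surfaces the CSR, and the resource that later imports the certificate once the offline CA has signed it. The resource names reuse those from the post; the output name `ica1_csr`, the variable `ica1_signed_cert_pem`, and the `vault_pki_secret_backend_intermediate_set_signed` step are assumptions about how the rest of the offline-CA flow is wired up.

```hcl
# Added example, not from the original post. Vault returns the CSR only in the
# API response, so the Terraform state (via the resource's "csr" attribute) is
# the one place the subject fields (common_name, ou, organization, ...) end up.

# 1. Expose the CSR so it can be exported and carried to the offline CA.
output "ica1_csr" {
  description = "PEM-encoded CSR for intermediate CA1 v1; subject fields are embedded in this blob"
  value       = vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica1_v1.csr
}

# 2. Assumed variable: the certificate the offline CA returns after signing the CSR.
#    Leave it empty on the first apply; set it once the signed PEM is available.
variable "ica1_signed_cert_pem" {
  description = "PEM certificate issued by the offline root for the CSR above (assumed input)"
  type        = string
  default     = ""
}

# 3. Import the signed certificate into the same mount. Only created once the
#    signed PEM has been supplied, so the CSR-only state seen in the post is expected
#    in between. The "certs" path stays empty until this step has run.
resource "vault_pki_secret_backend_intermediate_set_signed" "test_org_v1_ica1_v1" {
  count       = var.ica1_signed_cert_pem == "" ? 0 : 1
  backend     = vault_mount.test_org_v1_ica1_v1.path
  certificate = var.ica1_signed_cert_pem
}
```

After `terraform apply`, `terraform output -raw ica1_csr > ica1.csr` writes the request to a file, and `openssl req -in ica1.csr -noout -subject` confirms that the common_name, ou, organization, country, locality and province from the request resource are all present in the CSR's subject. `terraform state show vault_pki_secret_backend_intermediate_cert_request.test_org_v1_ica1_v1` shows the same `csr` attribute directly from state. Nothing appears under `test-org/v1/ica1/v1/certs` until the signed certificate has been set back into the mount.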