Generating Certificates using Intermediate Certificate Authority in a different Secrets Engine path

Hi everyone, I’ve got a question which I hope someone can assist with.

We have a service which generates short-lived certificates using a PKI secrets engine using a path of projecta/pki. They generate CSRs, send them to https://vault/v1/projecta/pki/sign/projecta and certificates are generated. This PKI secrets engine also has a projecta Intermediate CA and all of the certificates generated here will all be generated using the Intermediate CA. This all works exactly how they wanted it…

However, Since this was implemented, projecta has now become projectx and they want a different path to generate the certificate e.g. https://vault/v1/projectx/pki/sign/projectx but still want to use the projecta Intermediate CA… Is this possible? My immediate reaction was that you could only generate a certificate from an Intermediate CA if it was in the same Secrets Engine path i.e. you could only generate a certificate from projectx/pki/sign/projectx if you used a projectx Intermediate CA.

If someone could confirm or deny that approach, I’d greatly appreciate it.



Does anyone know any more information about this? Anyone who has even a little bit of information please feel free to comment :slight_smile: