Is there any limit on the number of certs vault PKI engine can issue ?
Question is for Free Community edition of Vault Installation. Please provide any document references if we have to update any policy or config to support large number of pki cert issues.
Does the PKI engine store all the issued certs ? and what config to tune to increase the storage ?
There is no explicit hard limit, but in the default configuration, all issued certificates are stored for possible use in maintaining the revocation list.
Storing a large number (10000+) of certificates will have a very noticeable impact on the amount of storage used by Vault … exactly how much of a problem this is will vary depending on the storage backend in use. Consul, for example, is an in-memory datastore, so you’re literally keeping all of those certificates in memory all the time.
It’s worth mentioning that Vault never initiates deletion of expired certificates on its own. You have to externally trigger periodic cleanup runs by invoking the
There is a
no_store option to turn off storing the certificates entirely… but if you do this, you lose the ability to revoke them, so you need to consider whether that matters to you.
Thanks for the response @maxb