Moving pki engine to another vault cluster

We need some help regarding PKI migration. We have 2 different Vault clusters (data is different).
We want to switch off one of the 2 Vault clusters.

We are currently using Vault for PKI certs for a two-way SSL connection in an application.

  1. Is there a way to move the configuration of the PKI engine so that existing generated certificates are not affected by the change?
  2. Is there a way to migrate the existing PKI engine to the 2nd Vault cluster without any data corruption?

Could you please help us in this regard …

I just went through this, and I had a lot of issues. Just last night someone (I think from HashiCorp) posted a full set of steps on how to do it. Unfortunately, it was too late for me; I had to rebuild the engine and reissue the certs.

Try these out and let us know if it worked.

I am still facing an issue while trying to upload the root certificate:

$ curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data "@payload.json" \
    "$VAULT_ADDR"/app_dev_onprem/config/ca

{"errors":["private key not found in the PEM bundle"]}

Don't know what I have missed.

The payload must contain both the key and the cert.

In our current scenario we are using only the root certificate and generating certs for our application:

curl -x "$PROXY_HOST":"$PROXY_PORT" -i "$VAULT_ADDR"/v1/"$PKI_STORE_NAME"/ca/pem > $SSL_DIR/caRoot.cer

Is there a way to get the private key for the root certificate without generating a new root certificate in the PKI engine?

Sadly no; the only time the key is available is during generation, and you have to capture the .data.pem_bundle out of the JSON output. It's locked away otherwise.
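To tie the two answers above together (the "payload must contain both the key and the cert" reply and the "capture the bundle at generation time" reply), here is an added example, written for this thread and not code from Vault or from any poster. It assumes the flow the thread describes: the root is generated once with the key exported, the bundle is captured from that JSON response, and it is later imported into the second cluster with a POST to <mount>/config/ca carrying a "pem_bundle" field. The field names "private_key" and "certificate" used as a fallback are what the Vault API returns for an exported root, but that naming is my assumption, not something the thread shows; the PEM text and the mount name are constructed placeholders. The check function reproduces the failure in the thread: a bundle holding only a certificate is not importable, which is exactly when Vault answers "private key not found in the PEM bundle".

```python
"""Capture an exported Vault root CA bundle and build a valid config/ca payload.

Added example for the thread above; not Vault's code and not a poster's code.
Assumed API shape: POST <mount>/root/generate/exported returns the key material,
and POST <mount>/config/ca accepts {"pem_bundle": "<key + cert>"}.
"""
import json
import re
import urllib.request

# PEM blocks that matter for config/ca. Encrypted keys are deliberately not
# matched: Vault needs the key in the clear inside the bundle.
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----",
    re.S,
)


def check_pem_bundle(bundle: str) -> dict:
    """Count what the bundle carries and say whether config/ca will accept it.

    A certificate-only bundle (e.g. the output of <mount>/ca/pem) is the case
    that produces "private key not found in the PEM bundle".
    """
    certs = CERT_RE.findall(bundle)
    keys = KEY_RE.findall(bundle)
    return {
        "certificates": len(certs),
        "private_keys": len(keys),
        "importable": len(certs) >= 1 and len(keys) == 1,
    }


def extract_pem_bundle(generate_response: str) -> str:
    """Pull the exportable bundle out of a root/generate/exported response.

    Prefers data.pem_bundle, as the reply above describes. Otherwise joins
    data.private_key and data.certificate (assumed field names). A root made
    with root/generate/internal never returns the key, so that case raises.
    """
    data = json.loads(generate_response).get("data", {})
    if "pem_bundle" in data:
        return data["pem_bundle"]
    if "private_key" in data and "certificate" in data:
        return data["private_key"].rstrip("\n") + "\n" + data["certificate"]
    raise ValueError(
        "response carries no private key; the root was probably generated as "
        "'internal', which never exports the key"
    )


def build_config_ca_payload(bundle: str) -> str:
    """Serialize the config/ca request body, refusing bundles Vault would reject."""
    report = check_pem_bundle(bundle)
    if not report["importable"]:
        raise ValueError(f"bundle not importable by config/ca: {report}")
    return json.dumps({"pem_bundle": bundle})


def post_config_ca(vault_addr: str, token: str, mount: str, bundle: str) -> int:
    """Same request as the curl in the thread, with the /v1/ prefix and a checked body."""
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/{mount}/config/ca",
        data=build_config_ca_payload(bundle).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # not exercised offline
        return resp.status


# Constructed placeholders, not real key material: only the PEM markers matter here.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
# Constructed stand-in for a root/generate/exported response body.
SAMPLE_GENERATE_RESPONSE = json.dumps({"data": {"private_key": FAKE_KEY, "certificate": FAKE_CERT}})

if __name__ == "__main__":
    print(check_pem_bundle(FAKE_CERT))          # cert only: importable=False
    bundle = extract_pem_bundle(SAMPLE_GENERATE_RESPONSE)
    print(check_pem_bundle(bundle))             # key + cert: importable=True
    print(build_config_ca_payload(bundle)[:40])  # body the curl should send
```

Two things worth keeping in mind when using this for the migration in the question: the bundle is the CA's private key, so move it between clusters only over a channel you trust and delete the local copy once config/ca has accepted it; and importing the same CA certificate and key means certificates already issued by the old cluster still chain to the same trust anchor, but config/ca does not carry over the old cluster's issued-certificate store or CRL state.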