PKI CA File Key not same as Key in pki/keys

Hi team,

I am trying to rotate my root CA, created a few years ago, using the “existing” flow. But when I used OpenSSL to check the key for the CA file against what Vault has for the issuer, the keys don’t match.

I did this same thing in a fresh new environment and the keys matched, and I was able to use “existing”.

What could have caused this? Is there a way to correct what’s in Vault’s pki/keys to match what it should be?

Please help and thanks ahead of time.
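The OpenSSL comparison described in the post, written out as an added example (this is not from the thread or from Vault's own tooling): it hashes the SubjectPublicKeyInfo taken from a certificate and the one derived from a private key, and reports whether they belong together. File paths are assumptions, and the throwaway keys and certificate are constructed by the script so it runs offline.

```shell
#!/bin/sh
# Added example: does this CA certificate belong to this private key?
# Compares the SHA-256 of the DER-encoded public key from both sides.
set -eu

# SHA-256 of the public key embedded in a certificate (PEM in, hex out).
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (PEM in, hex out).
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate and the private key are a pair, 1 otherwise.
# Usage: keys_match /path/to/ca.crt /path/to/ca.key   (paths are assumptions)
keys_match() {
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# Constructed test material: two throwaway EC keys and a self-signed
# certificate issued from the first one. Prints the temp directory.
make_demo_ca() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/ca.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/other.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=demo-root" \
        -days 1 -out "$dir/ca.crt" 2>/dev/null
    echo "$dir"
}

# Stand-alone run: the matching pair passes, the unrelated key does not.
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo_ca)
    keys_match "$d/ca.crt" "$d/ca.key"    && echo "ca.key:    match"
    keys_match "$d/ca.crt" "$d/other.key" || echo "other.key: mismatch"
fi
```

Comparing public-key hashes rather than the raw PEM text avoids false mismatches caused by encoding differences (PKCS#1 vs PKCS#8, different line wrapping), so a reported mismatch really does mean the certificate was not issued from that key.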

It sounds like you’ve stumbled into a bit of a tricky situation with your Vault PKI setup. The mismatch between the CA key in the file and the one stored in Vault’s pki/keys could be due to a few reasons, but often it boils down to an update or change that didn’t propagate as expected. Maybe the CA was rotated or reconfigured outside of Vault, and the update wasn’t mirrored in Vault’s storage. This can happen if manual changes were made directly to the CA files without updating Vault, or if there were some hiccups during a Vault migration or backup restoration process.

To align things back, you’d typically need to ensure the correct CA key is imported into Vault, matching the CA certificate. However, tread carefully—modifying CA keys and certificates in a live environment can have wide-reaching implications. If feasible, testing in a sandbox environment first is always a good idea!

I’m assuming the key is the private key. When the CA was created years back, it was created with “internal” generation. So I don’t have the private key.

The only thing that has changed with Vault since is upgrading the version of Vault.

Do you have any information on the process/procedure?