Pull from Vault raw cert of existing CN

Does anyone have sample code on how to pull from Vault the raw cert of an existing CN (cert common name)?

Hoping for curl command examples that can eventually turn into Ansible code.

The current Ansible code shown below seems to create a new cert by (a) logging in with a temp token and (b) providing only common_name and cert_ttl.

```yaml
- name: Get certificate json
  uri:
    url: "{{ vault_url }}{{ vault_pki_path }}"
    headers:
      X-Vault-Token: "{{ json_token_from_services_role }}"   # login to vault w/ temp token
    body_format: json
    method: POST
    body:
      common_name: "{{ cert_common_name }}"
      ttl: "{{ cert_ttl }}"
  register: vault_cert_raw   # output from vault gets put here
```

From the above code, the info returned looks like certificate, private_key and issuing_ca. These get passed to another Ansible YAML script.

I am trying to do something similar, but only to extract the info of an existing cert, instead of creating a totally new certificate.

Appreciate any advice, guidance and or observations.

What do you mean by an existing certificate? The example you gave is using the PKI secret engine which is used to create certificates on demand. The only option is to create new ones via the API calls.

Alternatively, if you use the K/V secret engine, you could store certificate details (for example, we do that for paid TLS certificates) and then do API calls to fetch those details.

Appreciate the response. I now understand that this engine only generates the secrets and doesn't store them for future reads. At this point, we use another approach.

There is other code that executes after this and puts the cert and key into a .pem file and a .key file respectively. We may just block this part of the code and recycle the existing certs and key via these files.

Thanks again!
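As an added example (not code from this thread), here are the two calls discussed above in plain Python over the Vault HTTP API: the `pki/issue` request the Ansible task makes, the K/V v2 store-and-fetch path the reply suggests for reusing an existing cert's material, and writing the .pem/.key files mentioned in the last post. The mount names `pki` and `secret`, the role `web` and the `certs/` key prefix are assumptions.

```python
import json
import os
import urllib.request

# Added example, not code from the thread. Assumed names: a PKI mount "pki" with role
# "web", a KV v2 mount "secret", and a token with policy for both paths.

def vault_request(vault_addr, token, method, path, body=None):
    """One authenticated call to the Vault HTTP API; returns the decoded JSON body."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{vault_addr}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def issue_cert(vault_addr, token, cn, ttl, pki_mount="pki", role="web"):
    """Same call as the Ansible task: POST <pki>/issue/<role>. Every call mints a
    new certificate; the PKI engine is not a store you can look up by common name."""
    return vault_request(vault_addr, token, "POST", f"{pki_mount}/issue/{role}",
                         {"common_name": cn, "ttl": ttl})

def extract_cert_material(issue_response):
    """Pull certificate, private_key and issuing_ca out of a pki/issue response."""
    data = issue_response["data"]
    return {k: data[k] for k in ("certificate", "private_key", "issuing_ca")}

def kv_unwrap(kv_response):
    """KV v2 reads nest the stored fields under data.data (data.metadata holds versions)."""
    return kv_response["data"]["data"]

def kv_store_cert(vault_addr, token, name, material, kv_mount="secret"):
    """KV v2 write: body is {"data": {...}} and the path is <mount>/data/<key>."""
    return vault_request(vault_addr, token, "POST", f"{kv_mount}/data/certs/{name}",
                         {"data": material})

def kv_fetch_cert(vault_addr, token, name, kv_mount="secret"):
    """Read back the material stored by kv_store_cert for an existing CN."""
    return kv_unwrap(vault_request(vault_addr, token, "GET",
                                   f"{kv_mount}/data/certs/{name}"))

def write_pem_files(material, base):
    """Write <base>.pem (certificate) and <base>.key (private key, created mode 0600)."""
    pem, key = f"{base}.pem", f"{base}.key"
    with open(pem, "w") as f:
        f.write(material["certificate"].rstrip("\n") + "\n")
    fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # key is secret
    with os.fdopen(fd, "w") as f:
        f.write(material["private_key"].rstrip("\n") + "\n")
    return pem, key
```

A typical flow is `material = extract_cert_material(issue_cert(addr, token, cn, "720h"))`, then `kv_store_cert(addr, token, cn, material)` once, and `write_pem_files(kv_fetch_cert(addr, token, cn), cn)` on later runs instead of issuing again.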