Is it possible to renew certificates issued from a Vault PKI while keeping the same private key and without having to change it at every certificate renewal ?
Every time I renew a certificate from the Vault PKI I get a new private key, and the new certificate isn't compatible with the key generated with the previous certificate.
This is an example command I use to generate/renew certificates:
vault write my_pki/issue/my_pki_role common_name=mydomain.com ttl=30d
Without going into the “not a best practice, not secure” discussion…
Use my_pki/sign/my_pki_role instead of issue.
Cutting a few corners, the idea is based on the fact that:
- A Certificate Signing Request (CSR) proves ownership of a private key
- A CSR never expires
So you must do this once:
- Create your private key and save it
- Create a CSR and save it
When you need a new certificate, send the same CSR over and over again. The certificate will have a new expiration date, but still use the same key.
Still, I would advise reviewing your use case. I do this trick when I want to sniff TLS traffic in dev. I load the private key in my tools, and since every certificate issued uses the same key, I can see everything. Practical, but not secure.
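As an added worked example of the flow described in the answer above (my own script, not code from the thread or from HashiCorp): the key and CSR are generated once with openssl, and every renewal sends the same CSR to the sign endpoint, so Vault returns only a certificate and never a private key. The file names, the CN, the mount name my_pki and the role my_pki_role, and the requirement that VAULT_ADDR and VAULT_TOKEN are exported are assumptions for the example. The last function checks that a returned certificate really carries the public key of the local private key, which is the property the original poster wants to keep across renewals.

```shell
#!/usr/bin/env bash
# Added example: one private key, one CSR, repeated signing via Vault's
# /sign endpoint. Assumed (not from the thread): file names, CN, mount and
# role names, openssl and vault on PATH, VAULT_ADDR/VAULT_TOKEN exported.
set -euo pipefail

KEY_FILE="${KEY_FILE:-mydomain.key}"
CSR_FILE="${CSR_FILE:-mydomain.csr}"
CN="${CN:-mydomain.com}"

# Step 1, run once: the private key is created locally and never leaves
# this host. The CSR binds the public key to the subject and is reusable.
make_key_and_csr() {
  local key="$1" csr="$2" cn="$3"
  if [ ! -f "$key" ]; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$key" 2>/dev/null
    chmod 600 "$key"
  fi
  openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" 2>/dev/null
}

# Step 2, run at every renewal: hand the same CSR to my_pki/sign/...
# Unlike my_pki/issue/..., the response has no private_key field, only
# the certificate, which we extract with -field and write to a file.
renew_cert() {
  local csr="$1" out="$2" ttl="${3:-30d}"
  vault write -field=certificate my_pki/sign/my_pki_role \
    csr=@"$csr" common_name="$CN" ttl="$ttl" > "$out"
}

# Check: does the certificate embed the public half of our private key?
# Both public keys are normalised to DER and compared by SHA-256 digest,
# so the check is independent of PEM formatting. Returns 0 on a match.
cert_matches_key() {
  local cert="$1" key="$2"
  local a b
  a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
  b=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Only talk to Vault when a CLI and a token are actually present; the
# functions above can be exercised offline without this block.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_TOKEN:-}" ]; then
  make_key_and_csr "$KEY_FILE" "$CSR_FILE" "$CN"
  renew_cert "$CSR_FILE" mydomain.crt 30d
  if cert_matches_key mydomain.crt "$KEY_FILE"; then
    echo "renewed mydomain.crt; still bound to $KEY_FILE"
  else
    echo "certificate does not match $KEY_FILE" >&2
    exit 1
  fi
fi
```

Run it twice a month apart and you get two certificates with different validity periods and serials that both verify against the same key, which is exactly what the "send the same CSR over and over" advice amounts to. Keep in mind the caveat in the answer: reusing the key means one compromise exposes every certificate ever issued for it.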
Thank you for your response.
That is exactly how a “traditional” PKI works and that’s just what I want to do with Vault, however I doubt there is a possibility of submitting a CSR (or a private key) to Vault in order to issue a certificate, this is not something I could find in the documentation/online forums but I wish such feature exists.
Look again: PKI - Secrets Engines - HTTP API | Vault by HashiCorp
(No PKI will ever accept a private key, but they accept CSR. Vault is no different)
Oh many thanks! I never got to read the “sign” endpoint documentation mainly misled by the belief that “sign” is used for intermediate or pre-generated certificates in general.