Renew Vault PKI certificates while keeping same private key

Is it possible to renew certificates issued from a Vault PKI while keeping the same private key, without having to change it at every certificate renewal?
Every time I renew a certificate from the Vault PKI I get a new private key, and the new certificate isn’t compatible with the key generated with the previous certificate.
This is an example command I use to generate/renew certificates:
vault write my_pki/issue/my_pki_role common_name=mydomain.com ttl=30d

Without going into the “not a best practice, not secure” discussion…

Use my_pki/sign/my_pki_role instead of issue.

Cutting a few corners, the idea is based on the fact that:

  • A Certificate Signing Request (CSR) proves ownership of a private key
  • A CSR never expires

So you must do this once:

  • Create your private key and save it
  • Create a CSR and save it

When you need a new certificate, send the same CSR over and over again. The certificate will have a new expiration date, but still use the same key.

Still, I would advise to review your use case. I do this trick when I want to sniff TLS traffic in dev. I load the private key in my tools, and since every certificate issued uses the same key, I can see everything. Practical, but not secure.
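The procedure above, as an added shell example that is not from the original thread: the key and CSR are created once, and every renewal submits that same CSR to the `sign` endpoint. The Vault path `my_pki/sign/my_pki_role`, the common name `mydomain.com` and the file names are taken from or assumed to match the poster's setup; the final check confirms the returned certificate carries the public key of the key you kept.

```shell
#!/bin/sh
# Added example: reuse one private key across Vault PKI certificate renewals.
set -eu

# File locations are assumptions; override them via the environment if needed.
KEY_FILE="${KEY_FILE:-mydomain.com.key}"
CSR_FILE="${CSR_FILE:-mydomain.com.csr}"
CRT_FILE="${CRT_FILE:-mydomain.com.crt}"
COMMON_NAME="${COMMON_NAME:-mydomain.com}"

# One-time setup: generate the private key and a CSR for it.
# The CSR carries no validity period, so it can be resubmitted indefinitely.
create_key_and_csr() {
    if [ ! -f "$KEY_FILE" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY_FILE"
        chmod 600 "$KEY_FILE"
    fi
    if [ ! -f "$CSR_FILE" ]; then
        openssl req -new -key "$KEY_FILE" -subj "/CN=$COMMON_NAME" -out "$CSR_FILE"
    fi
}

# Renewal: sign the existing CSR instead of calling issue/. Vault never sees the
# private key; it only receives the CSR, which proves possession of that key.
renew_certificate() {
    vault write -field=certificate my_pki/sign/my_pki_role \
        csr=@"$CSR_FILE" common_name="$COMMON_NAME" ttl=30d > "$CRT_FILE"
}

# SHA-256 of the DER-encoded public key, derived from each artifact, so the
# three can be compared: private key, CSR, and the certificate Vault returned.
pubkey_fingerprint_of_key() {
    openssl pkey -in "$KEY_FILE" -pubout -outform DER | openssl dgst -sha256
}
pubkey_fingerprint_of_csr() {
    openssl req -in "$CSR_FILE" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256
}
pubkey_fingerprint_of_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256
}

# Returns 0 only if the renewed certificate is bound to the key we kept.
cert_matches_key() {
    [ "$(pubkey_fingerprint_of_cert "$1")" = "$(pubkey_fingerprint_of_key)" ]
}
```

Run `create_key_and_csr` once, then `renew_certificate && cert_matches_key "$CRT_FILE"` at each renewal; the check fails if the certificate came back for a different key.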

Thank you for your response.

That is exactly how a “traditional” PKI works, and that’s just what I want to do with Vault. However, I doubt there is a possibility of submitting a CSR (or a private key) to Vault in order to issue a certificate; this is not something I could find in the documentation/online forums, but I wish such a feature existed.

Look again: PKI - Secrets Engines - HTTP API | Vault by HashiCorp

(No PKI will ever accept a private key, but they accept CSR. Vault is no different)

Oh, many thanks! I never got to read the “sign” endpoint documentation, mainly misled by the belief that “sign” is used for intermediate or pre-generated certificates in general.