Submit a CSR and ask Vault PKI to use that CSR to generate a certificate

Hello

Issue #1

On my client server, I generated a private key and CSR file to submit:
openssl req -new -newkey rsa:2048 -nodes -keyout pri.key -out server.csr

Can I use the server.csr to issue the cert for this server via Vault PKI? I don't want Vault to create my private key. We have scenarios where we want to use client-generated private keys and CSRs…

a. Are there commands to add a .csr file while generating a cert via the Vault API? If so, please let me know.

Issue #2
I was able to revoke the cert via the API, the Web UI and also the Vault CLI.
I was able to see that it's revoked on the Vault side.

When I check on the web server / client side, I still see that the certificate is showing as valid. It doesn't show that it's revoked. I tested this in both Firefox and Chrome.

Thanks

Issue 1:
Yes, please see this endpoint.

I don't have a Vault to test with right now, but I am guessing something like the below:

vault write pki_int/sign/example-dot-com common_name="test.example.com" \
 ttl="24h" csr=@something.csr

Issue 2:
When a certificate is revoked, it will be added to the Vault PKI secrets engine's Certificate Revocation List. It is up to the client (Chrome/Firefox) to reach out to the original CA's CRL and check whether a particular certificate is revoked. Different browsers implement this differently. You may find this link useful.

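The two steps discussed in the thread, end to end, as an added example that is not code from the original posts or from Vault itself. It assumes the mount name `pki_int` and role `example-dot-com` from the answer above, that `VAULT_ADDR` and `VAULT_TOKEN` are exported, and that `vault`, `curl` and `openssl` are installed (all of these are assumptions; adjust to your environment). For issue 1 it generates the key and CSR locally and sends only the CSR to `sign/<role>`; for issue 2 it fetches Vault's CRL and chain and runs the revocation check itself, which is what the browser was not doing.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Vault.
# Assumptions (hypothetical, adjust to your setup):
#   - VAULT_ADDR and VAULT_TOKEN are exported; vault, curl and openssl are installed
#   - the PKI mount is "pki_int" and the role is "example-dot-com" (names taken
#     from the answer above)
set -eu

MOUNT="${MOUNT:-pki_int}"
ROLE="${ROLE:-example-dot-com}"

# --- Issue 1: client-generated key, Vault only signs the CSR ------------------

# The private key is written locally and never leaves this host.
gen_csr() {  # gen_csr <common_name> <key_out> <csr_out>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2" -out "$3"
}

# Only the CSR goes to Vault. -field prints the bare PEM, so no JSON parsing.
sign_csr() {  # sign_csr <csr_file> <common_name> <ttl> <cert_out>
  vault write -field=certificate "$MOUNT/sign/$ROLE" \
    csr=@"$1" common_name="$2" ttl="$3" > "$4"
}
# The same request over the HTTP API (CSR goes in the "csr" field of the body):
#   jq -n --rawfile csr server.csr --arg cn test.example.com --arg ttl 24h \
#      '{csr:$csr, common_name:$cn, ttl:$ttl}' \
#   | curl -sS --fail -H "X-Vault-Token: $VAULT_TOKEN" --data @- \
#       "$VAULT_ADDR/v1/$MOUNT/sign/$ROLE" | jq -r .data.certificate

# --- Issue 2: a browser won't show "revoked"; check the CRL yourself ----------

# Vault serves the CRL unauthenticated at /v1/<mount>/crl/pem and the
# issuing chain at /v1/<mount>/ca_chain.
fetch_crl()   { curl -sS --fail "$VAULT_ADDR/v1/$MOUNT/crl/pem"  -o "$1"; }
fetch_chain() { curl -sS --fail "$VAULT_ADDR/v1/$MOUNT/ca_chain" -o "$1"; }

# Vault prints serials as "39:dd:2e:...", openssl as "39DD2E..."; `openssl crl
# -text` uses the latter. Normalise either form before comparing.
normalize_serial() { printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF'; }

# Reads `openssl crl -text` output on stdin; exits 0 if the serial is listed.
crl_lists_serial() {  # crl_lists_serial <serial in either format>
  grep -q "Serial Number: $(normalize_serial "$1")"
}

# Quick look: is this certificate's serial on the CRL?
cert_on_crl() {  # cert_on_crl <cert.pem> <crl.pem>
  serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  openssl crl -in "$2" -noout -text | crl_lists_serial "$serial"
}

# Full check: chain validation plus CRL lookup, i.e. what a CRL-checking TLS
# client would do. Exits non-zero for a revoked certificate.
verify_with_crl() {  # verify_with_crl <cert.pem> <chain.pem> <crl.pem>
  openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1"
}

# Usage: sh vault_csr.sh issue test.example.com   -> writes test.example.com.{key,csr,crt}
#        sh vault_csr.sh check test.example.com.crt
case "${1:-}" in
  issue)
    gen_csr "$2" "$2.key" "$2.csr"
    sign_csr "$2.csr" "$2" 24h "$2.crt"
    openssl x509 -in "$2.crt" -noout -subject -serial ;;
  check)
    fetch_crl crl.pem; fetch_chain chain.pem
    if cert_on_crl "$2" crl.pem; then echo "serial is on the CRL"; fi
    verify_with_crl "$2" chain.pem crl.pem ;;
esac
```

To reproduce issue 2, revoke the cert with `vault write pki_int/revoke serial_number=<serial>` and run `check` again: `verify_with_crl` now fails with a revocation error while the browser still shows the cert as valid. That is expected: Chrome does not download a private CA's CRL at all (it relies on its own CRLSets), and Firefox does live OCSP lookups by default but not CRL downloads, so neither client ever sees Vault's CRL. For any client to find the CRL or OCSP responder, the issued certificates must also carry the URLs, which Vault only adds if they are set on the mount via `pki_int/config/urls` (`crl_distribution_points`, `issuing_certificates`, and on recent Vault versions `ocsp_servers`).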