Template stanza with vault PKI and reissuing certificates

Hi everyone,

I am using the Nomad Vault integration to get certificates issued by the Vault PKI engine:

{{ with secret "pki1/issue/my-role-dot-com" "common_name=test.my-role.com" "ttl=8760h" "alt_names=localhost"}}
{{- .Data.certificate -}}
{{ end }}

This works absolutely fine.
Yet when I redeploy my service I notice that a new certificate is issued - even though the old one is still valid.
Furthermore, the old one isn't revoked.

I have auto tidy enabled in Vault - yet with a (quite) long TTL a lot of certificates pile up (especially in a testing/preproduction environment) that will only be tidied up in "a year".

I am aware that using a considerably lower TTL would fix the problem - but isn't there some mechanic or similar that makes Nomad "reuse" the certificate / have Nomad remember the serial of the certificate?


Use pkiCert instead of secret, which is made especially for this use case (see https://github.com/hashicorp/consul-template/blob/main/docs/templating-language.md#pkicert).
Just be sure to put both the public and private key in the same file for everything to work correctly (unlike secret, pkiCert doesn't support merging different requests using the same parameters in a single request).
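
As an added illustration (not from either poster), here is the original template stanza rewritten to use pkiCert, writing certificate, private key and CA chain into one destination file so the template runner can read it back and keep a still-valid certificate instead of issuing a new one. The role path, common_name, ttl and alt_names are the original poster's values; the task name, destination path and the .Cert/.Key/.CA field names follow the consul-template pkiCert documentation linked above and are assumed here.

```hcl
task "web" {
  # Assumed task name; the job's existing vault stanza is unchanged.

  template {
    # pkiCert reads the destination file first and only asks Vault for a
    # new certificate when the file is missing or the certificate in it is
    # no longer valid. Certificate, key and CA must all be in this one file
    # for that check to work (pkiCert does not merge across templates).
    destination = "secrets/test.my-role.com.pem"   # assumed path
    perms       = "0600"
    change_mode = "restart"
    data        = <<EOT
{{ with pkiCert "pki1/issue/my-role-dot-com" "common_name=test.my-role.com" "ttl=8760h" "alt_names=localhost" }}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end }}
EOT
  }
}
```

Because the reuse check is based on the destination file, a task restart inside the same allocation finds the existing certificate, whereas a rescheduled allocation starts with a fresh secrets directory; verify which case your redeploys fall into before relying on this to stop certificates piling up.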

Wow, not sure how I was able to miss that one.