We are running Vault v1.3.2, and we are not able to tidy revoked TLS certs. We suspect that we are not running the commands correctly… What are we doing wrong? Any help would be greatly appreciated, thanks!
This lists all the certs that are issued:
vault list pki_example-group/certs
Taking one of the listed certs, it shows that the cert is revoked
vault read pki_example-group/cert/ef-e2-01-9f-c7-34-f4 …
Key Value
certificate -----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
revocation_time 1610765449
We run this command:
vault write pki_example-group/tidy tidy_cert_store=true tidy_revoked_certs=true
WARNING! The following warnings were returned from Vault:
- Tidy operation successfully started. Any information from the operation
will be printed to Vault’s server logs.
And we see that after several hours, we can still list the revoked certs from pki_example-group/certs.
There is nothing in the logs that indicates any errors:
{"time":"2021-01-19T11:28:04.325081532Z","type":"response","auth":{"client_token":"hmac-sha256:24…","accessor":"hmac-sha256:66…","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service"},"request":{"id":"…","operation":"update","client_token":"hmac-sha256:24…","client_token_accessor":"hmac-sha256:66…","namespace":{"id":"root"},"path":"pki_example-group/tidy","data":{"tidy_cert_store":"hmac-sha256:8f…","tidy_revoked_certs":"hmac-sha256:8f…"},"remote_address":"10…"},"response":{"data":{"http_content_type":"hmac-sha256:63…","http_raw_body":"hmac-sha256:fa…","http_status_code":202}}}