Unable to tidy revoked TLS certs

We are running Vault v1.3.2, and we are not able to tidy revoked TLS certs. We suspect that we are not running the commands correctly… What are we doing wrong? Any help would be greatly appreciated, thanks!

This lists all the certs that are issued

vault list pki_example-group/certs

Taking one of the listed certs, it shows that the cert is revoked

vault read pki_example-group/cert/ef-e2-01-9f-c7-34-f4 …
Key                Value
certificate        -----BEGIN CERTIFICATE-----
                   …
                   -----END CERTIFICATE-----
revocation_time    1610765449

We run this command:

vault write pki_example-group/tidy tidy_cert_store=true tidy_revoked_certs=true
WARNING! The following warnings were returned from Vault:

  • Tidy operation successfully started. Any information from the operation
    will be printed to Vault’s server logs.

And we see that after several hours, we can list the revoked certs from pki_example-group/certs still.

There is nothing in the logs that indicates any errors:

{"time":"2021-01-19T11:28:04.325081532Z","type":"response","auth":{"client_token":"hmac-sha256:24…","accessor":"hmac-sha256:66…","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service"},"request":{"id":"…","operation":"update","client_token":"hmac-sha256:24…","client_token_accessor":"hmac-sha256:66…","namespace":{"id":"root"},"path":"pki_example-group/tidy","data":{"tidy_cert_store":"hmac-sha256:8f…","tidy_revoked_certs":"hmac-sha256:8f…"},"remote_address":"10…"},"response":{"data":{"http_content_type":"hmac-sha256:63…","http_raw_body":"hmac-sha256:fa…","http_status_code":202}}}

Check safety_buffer - are you setting that?

I am not setting safety_buffer, unless this is set implicitly somehow.

I am running:

vault write pki_example-group/tidy tidy_cert_store=true tidy_revoked_certs=true

Ah, I see what you mean. It defaults to 72h. Revised command:

vault write pki_example-group/tidy tidy_cert_store=true tidy_revoked_certs=true safety_buffer="1h"

Nope I can still list revoked certs. Is there anything else that I can check? Is the command correct?

That’s odd. But might be expected in 1.3.
See the tidy change in 1.5.1
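A check for the situation in this thread, added here as an example and not code from the thread or from Vault: it takes the PEM that `vault read pki_example-group/cert/<serial>` returns and reports whether a tidy run with a given safety_buffer would expunge it. It assumes, per the Vault PKI docs, that tidy removes a cert (revoked or not) only once its NotAfter plus safety_buffer has passed, so a revoked cert that is still within its validity period stays in storage (it still has to appear in the CRL); TidyEligible and SampleCertPEM are hypothetical names and the certificate is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// TidyEligible reports whether a stored PKI cert would be expunged by a tidy run at
// time now with the given safety_buffer. Assumption (from the Vault PKI docs): tidy
// removes a cert, revoked or not, only once NotAfter+safety_buffer has passed.
func TidyEligible(certPEM []byte, safetyBuffer time.Duration, now time.Time) (bool, time.Time, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false, time.Time{}, fmt.Errorf("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, time.Time{}, err
	}
	cutoff := cert.NotAfter.Add(safetyBuffer) // earliest instant tidy may expunge it
	return now.After(cutoff), cutoff, nil
}
// SampleCertPEM builds a constructed self-signed cert expiring at notAfter (stand-in for `vault read .../cert/<serial>`).
func SampleCertPEM(notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.internal"},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	// revocation_time and tidy day taken from the thread: revoked but unexpired, so not eligible
	fmt.Println(TidyEligible(SampleCertPEM(time.Unix(1610765449, 0).Add(30*24*time.Hour)), time.Hour, time.Unix(1611055684, 0)))
}
```

Run it against each serial from `vault list pki_example-group/certs` to see which entries a tidy with your safety_buffer can actually remove; with the default 72h buffer, nothing that expired less than three days ago qualifies either.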