Vault PKI API - Checking Cert Existence


I’m writing an integration between Puppet and Vault to manage SSL certificates on a host.

I’m attempting to query the Vault API to find certificates matching a CN (Common Name) and then determine if the cert in Vault matches the cert on my host; if not, my code will perform some remediation action (generate a new cert).

Right now my code does the following (high level):

require 'net/http'
require 'json'
require 'openssl'
# Vault address and token come from the environment (VAULT_ADDR, VAULT_TOKEN)
def vault(method, path)
  uri = URI("#{ENV.fetch('VAULT_ADDR')}/v1#{path}")
  req = Net::HTTPGenericRequest.new(method, false, true, uri) # LIST is a non-standard verb
  req['X-Vault-Token'] = ENV.fetch('VAULT_TOKEN')
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  JSON.parse(res.body)
end

all_common_names = []
vault('LIST', '/pki/certs')['data']['keys'].each do |serial|
  cert = vault('GET', "/pki/cert/#{serial}")['data']['certificate']
  # use OpenSSL to parse the PEM and read the Common Name out of the subject
  cn = OpenSSL::X509::Certificate.new(cert).subject.to_a.find { |attr| attr[0] == 'CN' }
  all_common_names << cn[1] if cn
end

# check if my host's common name is in all_common_names
# do some remediation

My question comes with the Vault API. Is there a way to filter the LIST /pki/certs by properties of the certificate (for example CN/Common Name)?

As you can see with my code above, right now I have to read all certificates from Vault to find the one that matches my Common Name, then use OpenSSL to parse the cert for the details.

Is there a more efficient way of doing this with the Vault API?


There is not. Vault does not currently maintain an index of issued certs.
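To make the matching step concrete, here is an added Ruby example (not from the original post): it compares the PEM Vault returns for a serial with the cert installed on the host by SHA-256 fingerprint, Common Name and validity window, and formats the host cert's serial as the lowercase colon-separated hex key that LIST /pki/certs returns, so GET /pki/cert/<serial> can be called for the host's own cert directly instead of walking the whole listing. The certificates are self-signed samples constructed inline; the hostname and serial numbers are made up.

```ruby
require 'openssl'
# Vault keys issued certs by their serial as lowercase colon-separated hex (the form
# LIST /pki/certs returns), so the host cert's serial addresses GET /pki/cert/<serial>.
def vault_serial(cert)
  hex = cert.serial.to_s(16).downcase
  hex = "0#{hex}" if hex.length.odd?
  hex.scan(/../).join(':')
end

def common_name(cert)
  entry = cert.subject.to_a.find { |attr| attr[0] == 'CN' }
  entry && entry[1]
end

# Compare the cert Vault holds with the cert installed on the host. Returns named
# checks so the Puppet side can decide whether remediation (re-issue) is needed.
def compare_certs(vault_pem, host_pem, now: Time.now)
  vault_cert = OpenSSL::X509::Certificate.new(vault_pem)
  host_cert  = OpenSSL::X509::Certificate.new(host_pem)
  fp = ->(c) { OpenSSL::Digest::SHA256.hexdigest(c.to_der) }
  {
    same_fingerprint: fp.call(vault_cert) == fp.call(host_cert),
    same_common_name: common_name(vault_cert) == common_name(host_cert),
    host_cert_valid:  host_cert.not_before <= now && now < host_cert.not_after
  }
end

# Constructed sample data: self-signed certs standing in for Vault's PEM output.
def make_cert(cn, serial, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

KEY = OpenSSL::PKey::RSA.new(2048)
HOST_CERT   = make_cert('web01.example.internal', 0x176716b0, KEY)
VAULT_PEM   = HOST_CERT.to_pem                                        # Vault still has this one
ROTATED_PEM = make_cert('web01.example.internal', 0x0a12, KEY).to_pem # same CN, re-issued

puts vault_serial(HOST_CERT)                   # 17:67:16:b0
p compare_certs(VAULT_PEM, HOST_CERT.to_pem)   # all three checks true
p compare_certs(ROTATED_PEM, HOST_CERT.to_pem) # same_common_name true, same_fingerprint false
```

A CN match alone is not enough to say the host holds what Vault issued; the fingerprint check is what tells a re-issued cert apart from the installed one.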