Vault pki-API 'set-signed' endpoint unexpected behaviour

Hi there,

Using the set-intermediate endpoint from the pki-API to import a vault intermediate cert always imports into the same mount, which holds the root-CA.

I have been working towards setting up a PKI inside of Vault for some time.
The PKI consists of a self-signed Root, created by Vault, and several Intermediate Certificates that should later on sign the leaf certificates.
I am following the "Build Your Own Certificate Authority (CA) | Vault | HashiCorp Developer" article.
All steps have been working quite well except one.

In Step 2 - Generate Intermediate CA - at the import step of the Vault-generated CA, I cannot import the CA into the right PKI secret mount.
Every time the sign-intermediate endpoint is called, the intermediate certificate gets imported into the mount of the root CA, even when specifying another mount.

  • 'pki-root' → Mount for the self-signed Root-CA
  • 'namespace_123xyz' → Mount for the Intermediate-CA

Used Commands:
# generate the intermediate key and CSR in the intermediate mount
vault write -format=json namespace_123xyz/intermediate/generate/internal \
    issuer_name="pki-root" \
    | jq -r '.data.csr' > pki_intermediate.csr

# sign the CSR written above with the root mount
vault write -format=json pki-root/root/sign-intermediate \
    issuer_ref="pki-root" csr=@pki_intermediate.csr \
    format=pem_bundle ttl="43800h" \
    | jq -r '.data.certificate' > intermediate.cert.pem

# import the signed certificate into the intermediate mount
vault write namespace_123xyz/intermediate/set-signed certificate=@intermediate.cert.pem

=> Response:
Key                 Value
---                 -----
imported_issuers    [a8c7daf7-2733-98b8-470e-ba5d85295fbe]
imported_keys       [nil]
mapping             map[a8c7daf7-2733-98b8-470e-ba5d85295fbe:a18d8dc5-3b89-7c9a-0397-193a2f1be9c8 dd5f4aa4-d532-99a8-64a6-e3aff59edec7:]

Now looking at the mounts, the intermediate CA has been imported into the pki-root mount and the namespace_123xyz mount is still empty.

Could there be something that causes this behaviour, like misuse of an endpoint, or might it be a bug?

Thanks in advance
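Added example, not from the post or from HashiCorp: the same two-mount procedure written out end to end, followed by a fingerprint check that reports which mount actually lists the signed intermediate as an issuer, so that the placement described above can be confirmed rather than inferred from an empty mount. It assumes VAULT_ADDR and VAULT_TOKEN are set, that vault, jq and openssl are on PATH, and the common_name values are constructed.

```shell
#!/bin/sh
# Added example (not from the post): two-mount PKI with the root in
# pki-root and the intermediate in namespace_123xyz, plus a fingerprint
# check showing which mount the signed intermediate ended up in.
# Assumes VAULT_ADDR/VAULT_TOKEN are set and vault, jq and openssl are
# on PATH; the common_name values are constructed.
set -eu
ROOT_MOUNT="pki-root"
INT_MOUNT="namespace_123xyz"

# SHA-256 fingerprint ("AB:CD:...") of a PEM cert: pass "-in FILE" or pipe PEM on stdin.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 "$@" | cut -d= -f2
}

# Print the issuer ids in MOUNT whose certificate matches the first cert in FILE.
issuers_matching() { # MOUNT FILE
  want=$(cert_fingerprint -in "$2")
  for id in $(vault list -format=json "$1/issuers" 2>/dev/null | jq -r '.[]?'); do
    got=$(vault read -field=certificate "$1/issuer/$id" | cert_fingerprint)
    [ "$got" = "$want" ] && echo "$id"
  done
}

build_two_mount_pki() {
  vault secrets enable -path="$ROOT_MOUNT" pki
  vault secrets tune -max-lease-ttl=87600h "$ROOT_MOUNT"
  vault write -field=certificate "$ROOT_MOUNT/root/generate/internal" \
    common_name="Example Root CA" issuer_name="pki-root" ttl=87600h > root.cert.pem
  vault secrets enable -path="$INT_MOUNT" pki
  vault secrets tune -max-lease-ttl=43800h "$INT_MOUNT"
  # 1. The intermediate key and CSR are generated in the intermediate mount ...
  vault write -format=json "$INT_MOUNT/intermediate/generate/internal" \
    common_name="Example Intermediate CA" issuer_name="example-intermediate" \
    | jq -r '.data.csr' > pki_intermediate.csr
  # 2. ... the root mount only signs that CSR ...
  vault write -format=json "$ROOT_MOUNT/root/sign-intermediate" issuer_ref="pki-root" \
    csr=@pki_intermediate.csr format=pem_bundle ttl=43800h \
    | jq -r '.data.certificate' > intermediate.cert.pem
  # 3. ... and the signed certificate is imported back into the intermediate mount.
  vault write "$INT_MOUNT/intermediate/set-signed" certificate=@intermediate.cert.pem
  # Verify placement: the issuer id should be listed under INT_MOUNT, not ROOT_MOUNT.
  echo "$INT_MOUNT issuers matching intermediate.cert.pem: $(issuers_matching "$INT_MOUNT" intermediate.cert.pem)"
  echo "$ROOT_MOUNT issuers matching intermediate.cert.pem: $(issuers_matching "$ROOT_MOUNT" intermediate.cert.pem)"
}

if [ "${1:-}" = "run" ]; then build_two_mount_pki; fi
```

Run it as `sh script.sh run` against a dev server; the two trailing lines show the issuer id under whichever mount holds the certificate.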