Vault PKI lease and ttl

Hi everyone,

I have deployed Vault PKI to enable x509 authentication in my ZooKeeper/Kafka clusters.
Everything works super nicely, I am happy.
For system stability reasons I want a scenario like this:

  • we configure an alert in Prometheus for certificates which are older than 24h
  • vault-agent issues an x509 certificate which is valid for 48h.
  • vault-agent(?) will track the age of the certificate and will try to renew it after 24h.
  • if the vault-agent process, Vault PKI or anything else in the chain fails to provide a new certificate to the host after 24h, the initial certificate will still be valid, but the alert will fire.

Is it possible to do this with some lease set for the PKI backend/role? I've tested, and the TTLs that can be set just control the max. time for which the cert/key can be issued.
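As an added example (not part of the original post, and not Vault or vault-agent code), the check below evaluates an issued certificate against the two thresholds from the scenario: "renew after 24h" and "alert after 24h" on a 48h certificate. It parses a PEM certificate, computes its age from NotBefore, and reports whether renewal is due, whether the alert condition holds, and whether the certificate has expired. The certificate it inspects is a constructed self-signed leaf generated inside the block to stand in for one issued by the Vault PKI role; the function names (`AssessPEM`, `makeTestCert`) and the common name are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertStatus summarises how far a certificate is through its lifetime.
type CertStatus struct {
	Age        time.Duration // now - NotBefore
	Validity   time.Duration // NotAfter - NotBefore
	RenewDue   bool          // age has reached the renewal threshold
	AlertFires bool          // age has reached the alerting threshold
	Expired    bool          // now is past NotAfter
}

// AssessPEM parses a PEM-encoded certificate and evaluates it at `now`
// against the scenario's thresholds: renewAfter (24h in the post) and
// alertAfter (also 24h). A renewal that lands on time keeps the age below
// both thresholds; a failed renewal lets the age cross them while the
// 48h certificate is still valid, which is exactly when the alert should fire.
func AssessPEM(certPEM []byte, now time.Time, renewAfter, alertAfter time.Duration) (CertStatus, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	age := now.Sub(cert.NotBefore)
	return CertStatus{
		Age:        age,
		Validity:   cert.NotAfter.Sub(cert.NotBefore),
		RenewDue:   age >= renewAfter,
		AlertFires: age >= alertAfter,
		Expired:    now.After(cert.NotAfter),
	}, nil
}

// makeTestCert builds a constructed self-signed certificate with the given
// NotBefore and lifetime. It stands in for a leaf issued by a Vault PKI role
// with ttl=48h; nothing here talks to Vault.
func makeTestCert(notBefore time.Time, ttl time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "broker-1.kafka.example.internal"}, // assumed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue time
	certPEM, err := makeTestCert(issued, 48*time.Hour)
	if err != nil {
		panic(err)
	}
	// Walk the certificate through its life: before the renewal point,
	// after a missed renewal (alert fires, cert still valid), and after expiry.
	for _, h := range []int{10, 30, 50} {
		st, err := AssessPEM(certPEM, issued.Add(time.Duration(h)*time.Hour), 24*time.Hour, 24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("t+%dh: age=%v renewDue=%v alert=%v expired=%v\n", h, st.Age, st.RenewDue, st.AlertFires, st.Expired)
	}
}
```

Pointing `AssessPEM` at the certificate file vault-agent writes to disk gives the same signal the Prometheus alert would need: the age crossing 24h on a still-valid 48h certificate means the renewal chain has failed while there is still a day of validity left to fix it.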