Vault pki manual_chain examples?

I am trying to figure out how to use the manual_chain attribute on a pki secrets engine. After looking through all available documentation, I am pretty stumped. I have tried adding in the actual certificate as a string, as well as trying to add entire or partial paths to the secrets engine, but it seems that regardless of what I put in for a path, it just renders the error:

vault write pki/issuer/default manual_chain=foo
* unable to find PKI issuer for reference: foo

So, my question is: Does anyone know the secret sauce needed to get manual_chain up and running? Any examples out there of working configuration I could look at?

Judging by the error message, I imagine it wants an issuer reference - i.e. an issuer name or issuer UUID.


Oh, I see… So the idea is that every pki engine instance would import all issuers up the chain? I have so far assumed that keeping each “level” in its own instance would be the approach to go with. I guess I will give that a try, then. And if anyone finds this thread and is wondering, “default” works instead of name/UUID to reference the current default issuer.
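As an added example (not part of this thread, and not HashiCorp's code), the setup the replies describe in POSIX sh against the Vault CLI: manual_chain takes a comma-separated list of issuer references (issuer name, issuer UUID, or "default") that all live in the same mount, never PEM data or a path. Assumed, hypothetical names: mount "pki", an intermediate issuer "int-2024" and its root already imported into that mount as "root-2024"; VAULT_ADDR and VAULT_TOKEN are exported.

```shell
#!/bin/sh
# Added example: pin an issuer's ca_chain with manual_chain using issuer references.
# Assumptions (hypothetical): mount "pki", issuers "int-2024" and "root-2024"
# already imported into the same mount; VAULT_ADDR/VAULT_TOKEN exported.
PKI_MOUNT="${PKI_MOUNT:-pki}"

# Build the manual_chain value from issuer references in chain order
# (this issuer first, then its parents upward). Rejects values that could
# not be a single reference, which is what produces "unable to find PKI issuer".
manual_chain_value() {
  chain=""
  for ref in "$@"; do
    case "$ref" in
      ""|*,*|*/*|*BEGIN*)
        echo "not an issuer reference (name, UUID or 'default'): '$ref'" >&2
        return 1 ;;
    esac
    chain="${chain:+$chain,}$ref"
  done
  printf '%s\n' "$chain"
}

# Set the chain on an issuer. $1 = issuer to update, remaining args = its parents.
set_manual_chain() {
  issuer="$1"; shift
  chain="$(manual_chain_value "$issuer" "$@")" || return 1
  vault write "$PKI_MOUNT/issuer/$issuer" manual_chain="$chain"
}

# Verify the result: count certificates in the issuer's computed ca_chain.
chain_cert_count() {
  vault read -field=ca_chain "$PKI_MOUNT/issuer/$1" | grep -c 'BEGIN CERTIFICATE'
}

# Usage (with a live Vault):
#   set_manual_chain int-2024 root-2024   # chain = int-2024,root-2024
#   chain_cert_count int-2024             # expect 2
```

Clearing the pinned chain again is `vault write pki/issuer/int-2024 manual_chain=` with an empty value, after which Vault recomputes ca_chain automatically.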