Vault PKI - Retrieve private key

Hello, I am using in one of my project the PKI engine from vault. I have setup CA and subCA, although made a mistake while configuring it. When i configued subCA I didnt backup the private key. I only have PK for root CA. Our security requirement is to backup all private keys. My question is how to retrieve the private key from Vault?

I would like to avoid regenerating subCA.

Worst case if I cant do that how do I generate private key while writing the subCA using command

vault write -field =csr /intermediate/generate/internal \

common_name= "" \

country= "US" \

province= "California" \

locality= "x" \

organization= "z" \

ou= "VMC" \

key_type= "ec" \


private_key_format= "pem" \

exclude_cn_from_sans=true \


Hi Milmoe,

After you issued a certificate from Vault, you have to save the private key,
Vault does not store private key.

How do I save it? I am trying to set type =exportable but its not working

You can out put json format and use jq to save it.

I got it now thank you.