Vault PKI - Retrieve private key

milmoe · January 4, 2021, 8:36pm

Hello, I am using in one of my project the PKI engine from vault. I have setup CA and subCA, although made a mistake while configuring it. When i configued subCA I didnt backup the private key. I only have PK for root CA. Our security requirement is to backup all private keys. My question is how to retrieve the private key from Vault?

I would like to avoid regenerating subCA.

Worst case if I cant do that how do I generate private key while writing the subCA using command

vault write -field =csr /intermediate/generate/internal \

common_name= "xo.com" \

country= "US" \

province= "California" \

locality= "x" \

organization= "z" \

ou= "VMC" \

key_type= "ec" \

key_bits=384\

private_key_format= "pem" \

exclude_cn_from_sans=true \

>1.csr

sunny760408 · January 5, 2021, 1:54am

Hi Milmoe,

After you issued a certificate from Vault, you have to save the private key,
Vault does not store private key.

milmoe · January 6, 2021, 1:26am

How do I save it? I am trying to set type =exportable but its not working

sunny760408 · January 6, 2021, 5:23am

You can out put json format and use jq to save it.

milmoe · January 6, 2021, 10:36pm

I got it now thank you.

awcator · August 9, 2023, 2:33pm

We had a same situation, I solved it this way.
Add
raw_storage_endpoint=true
in serverconfig file and restart Vault. then do

# get list of PKI UUID
vault read --format json sys/mounts | jq -r '.data[] | select(.type=="pki").uuid'
vault list --format json sys/raw/logical/418a291c-90f9-d3da-d553-657d0c952d85/config/key
#418a291c-90f9-d3da-d553-657d0c952d85 is the UUID
vault read --format json sys/raw/logical/418a291c-90f9-d3da-d553-657d0c952d85/config/key/158a721e-e097-1a58-0430-69ad60dce28
# 158a721e-e097-1a58-0430-69ad60dce28 is the keyID