Vault PKI - Retrieve private key

Hello, I am using in one of my project the PKI engine from vault. I have setup CA and subCA, although made a mistake while configuring it. When i configued subCA I didnt backup the private key. I only have PK for root CA. Our security requirement is to backup all private keys. My question is how to retrieve the private key from Vault?

I would like to avoid regenerating subCA.

Worst case if I cant do that how do I generate private key while writing the subCA using command

vault write -field =csr /intermediate/generate/internal \

common_name= "" \

country= "US" \

province= "California" \

locality= "x" \

organization= "z" \

ou= "VMC" \

key_type= "ec" \


private_key_format= "pem" \

exclude_cn_from_sans=true \


Hi Milmoe,

After you issued a certificate from Vault, you have to save the private key,
Vault does not store private key.

How do I save it? I am trying to set type =exportable but its not working

You can out put json format and use jq to save it.

I got it now thank you.

We had a same situation, I solved it this way.
in serverconfig file and restart Vault. then do

# get list of PKI UUID
vault read --format json sys/mounts | jq -r '.data[] | select(.type=="pki").uuid'
vault list --format json sys/raw/logical/418a291c-90f9-d3da-d553-657d0c952d85/config/key
#418a291c-90f9-d3da-d553-657d0c952d85 is the UUID
vault read --format json sys/raw/logical/418a291c-90f9-d3da-d553-657d0c952d85/config/key/158a721e-e097-1a58-0430-69ad60dce28
# 158a721e-e097-1a58-0430-69ad60dce28 is the keyID
1 Like