View pki root ca

Hi, I have a vault server which has a few secrets

ubuntu@juju-48d934-0-lxd-6:~$ vault secrets list
Path Type Accessor Description

charm-pki-local/ pki pki_424d8583 Charm created PKI backend
cubbyhole/ cubbyhole cubbyhole_4eebd0b8 per-token private secret storage
identity/ identity identity_e175e164 identity store
sys/ system system_3d81439b system endpoints used for control, policy and debugging

I want to get root-ca from charm-pki-local/ but it seems I have missed something.

Any idea?


please try, with modifications for your setup, this:
$ curl --header “X-Vault-Token: s.*****” --cacert /opt/vault/tls/vault_ca.pem

Or, more fancy to check the certificate, this:

$ curl --header “X-Vault-Token: s.*****” --cacert /opt/vault/tls/vault_ca.pem | openssl x509 -text

I cannot find vault_ca.pem file in my server, I have installed vault via snap as part of juju charm.

I don’t know how much you are familiar with juju + maas + openstack charm bundles, I have the following problem .

juju run --unit vault/leader ‘leader-get root-ca’

it does not show anything.


to be serious, I never heard of juju. But maybe you should try a more basic command

$ curl --insecure

or, if your vault installation does not use SSL just this:

$ curl

Maybe you have to use instead of
I hope this will hep you.

it says “{“errors”:[“missing client token”]}”


well, the good thing is: The error message comes from the vault server process. So just give your root token (to keep things simple for the moment) as a header field. So the complete command will lock similar to this:

$ curl --insecure --header “X-Vault-Token: s.*****”

You got this root token as a result of the “vault init” command.

I recommand this tutorial: