Secret Type - CERT

Last updated 10 months ago

The Certificate-Type is similar to a KEYVALUE-Type, but the data has to be saved in a specific layout. The reason is that when you issue a new certificate from a PKI Secret Engine in Vault, the certificate fields are wrapped in a second data object, and the CERT type reads them from that nested object.

How To:

First generate a PKI Secret Engine or use an existing one; documentation can be found on HashiCorp's documentation page for Vault. Then issue a certificate, pipe the JSON response to a file and write that file to a KV Secret Engine:

$ vault write -format=json testpki/issue/testrole > data.json
$ vault write secret/ @data.json

When you read the entry back, you should see that the certificate fields are saved inside a second data object (the inner object is the original PKI issue response, the outer one is the KV read response):

{
  "request_id": "31773810-0506-cc95-ce44-20f6e9c45518",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "data": {
      "certificate": "CERTIFICATE",
      "issuing_ca": "ROOTCA",
      "private_key": "PRIVATEKEY",
      "private_key_type": "rsa",
      "serial_number": "SERIAL"
    },
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "request_id": "1d26c72a-9179-168f-a371-0637034f816e",
    "warnings": null
  },
  "warnings": null
}

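As an added example (not part of this page and not the operator's own code), the following Python script checks that a `vault read -format=json secret/` response really has the nested layout the CERT type relies on, rejects an entry that was written flat in KEYVALUE style, and builds the two-entry Secret an Ingress can reference. The sample JSON is constructed with placeholder PEM values, and the secret key names tls.crt and tls.key are an assumption; the page only shows that the generated secret is Opaque with two data entries.

```python
"""Check the KV layout the CERT type expects and build the matching Secret.
Added example; not code from the operator described on this page."""
import base64
import json

# Constructed sample of `vault read -format=json secret/` after the two
# `vault write` commands on this page (placeholder values, not real PEM).
NESTED_KV_JSON = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "",
    "lease_duration": 2764800,
    "renewable": False,
    "data": {
        "data": {
            "certificate": "-----BEGIN CERTIFICATE-----\nCERTIFICATE\n-----END CERTIFICATE-----\n",
            "issuing_ca": "-----BEGIN CERTIFICATE-----\nROOTCA\n-----END CERTIFICATE-----\n",
            "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPRIVATEKEY\n-----END RSA PRIVATE KEY-----\n",
            "private_key_type": "rsa",
            "serial_number": "SERIAL",
        },
        "lease_duration": 0,
        "lease_id": "",
        "renewable": False,
        "request_id": "11111111-1111-1111-1111-111111111111",
        "warnings": None,
    },
    "warnings": None,
})

# Constructed counter-example: the same fields written flat into the entry,
# i.e. the layout a KEYVALUE-type secret uses. The CERT type needs the nested
# form, so this must be rejected instead of being half-read.
FLAT_KV_JSON = json.dumps({
    "request_id": "22222222-2222-2222-2222-222222222222",
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nCERTIFICATE\n-----END CERTIFICATE-----\n",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPRIVATEKEY\n-----END RSA PRIVATE KEY-----\n",
    },
})

REQUIRED_FIELDS = ("certificate", "private_key", "issuing_ca")


def extract_cert_material(read_output: str) -> dict:
    """Return the certificate fields from a KV read response whose entry holds
    a PKI issue response (the CERT-type layout: data -> data -> fields).

    Raises ValueError when the second "data" object or a field is missing,
    which is exactly what a KEYVALUE-style entry looks like.
    """
    doc = json.loads(read_output)
    outer = doc.get("data")
    if not isinstance(outer, dict):
        raise ValueError("no top-level 'data' object: not a Vault read response")
    inner = outer.get("data")
    if not isinstance(inner, dict):
        raise ValueError("no nested 'data' object: entry is not in CERT layout")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(inner.get(f), str)]
    if missing:
        raise ValueError(f"nested data object lacks fields: {missing}")
    for field in REQUIRED_FIELDS:
        if "-----BEGIN" not in inner[field]:
            raise ValueError(f"field {field!r} does not look like PEM")
    return {f: inner[f] for f in REQUIRED_FIELDS}


def build_tls_secret(name: str, material: dict) -> dict:
    """Build an Opaque Secret with the two entries an Ingress reads for TLS.

    Assumption (not stated on the page): the entries use the conventional
    names tls.crt and tls.key; the page only shows DATA=2 and type Opaque.
    """
    def b64(text: str) -> str:
        return base64.b64encode(text.encode()).decode()

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {
            "tls.crt": b64(material["certificate"]),
            "tls.key": b64(material["private_key"]),
        },
    }


if __name__ == "__main__":
    manifest = build_tls_secret("test-cert", extract_cert_material(NESTED_KV_JSON))
    print(json.dumps(manifest, indent=2))
    try:
        extract_cert_material(FLAT_KV_JSON)
    except ValueError as err:
        print("flat layout rejected:", err)
```

Running the script prints the manifest for the nested sample and a rejection message for the flat one; the same check is a cheap pre-flight before pointing a CERT-type Vault resource at a KV path, because an entry in the wrong layout yields no usable certificate rather than an obvious error.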
Now you can create the Vault resource in Kubernetes:

apiVersion: ""
kind: Vault
metadata:
  name: test-cert
spec:
  path: "secret/"
  type: "CERT"

This will generate the Vault resource and also the secret:

$ kubectl get vault test-cert
NAME        AGE
test-cert   8d
$ kubectl get secret test-cert
NAME        TYPE     DATA   AGE
test-cert   Opaque   2      8d

The data is stored in the layout an Ingress expects for TLS, so the secret can be referenced directly from the tls section of an Ingress. For more details on Ingress configuration please see: