Secret Type - CERT

The Certificate-Type is similar to a KEYVALUE-Type but the data has to be saved in a specific order. The reason for this is, that when you issue a new certificate from a PKI Secret Engine in Vault they are wrapped in a second data object.

How To:

First generate or use an existing PKI. A documentation can be found at HashiCorps documentation page for Vault. Now issue a certificate, pipe it to a file and save it to a KV Secret Engine:

$ vault write -format=json testpki/issue/testrole > data.json
$ vault write secret/ @data.json

Now you should see that the data is saved in a second data object:

  "request_id": "31773810-0506-cc95-ce44-20f6e9c45518",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "data": {
      "certificate": "CERTIFICATE",
      "issuing_ca": "ROOTCA",
      "private_key": "PRIVATEKEY",
      "private_key_type": "rsa",
      "serial_number": "SERIAL"
    "lease_duration": 0,
    "lease_id": "",
    "renewable": false,
    "request_id": "1d26c72a-9179-168f-a371-0637034f816e",
    "warnings": null
  "warnings": null

Now you can create the Vault resource in Kubernetes:

apiVersion: ""
kind: Vault
  name: test-cert
  path: "secret/"
  type: "CERT"

This will generate the Vault resource and also the secret:

$ kubectl get vault test-cert
NAME        AGE
test-cert   8d
$ kubectl get secret test-cert
NAME        TYPE      DATA      AGE
test-cert   Opaque    2         8d

The data is stored to allow an Ingress to read it as tls. For more details on ingress configuration please see:

Change Adjustment Callback

For more details please see Change Detection!

Last updated