# Secret Type - PKI

�The PKI-Type is made to connect to the PKI - Secrets Engine of [HashiCorp Vault](https://www.vaultproject.io/docs/secrets/pki/index.html). It generates certificates X.509 Certificates and refreshes them if they are near the expiration date.

### How To

First generate a PKI in Vault and create a rule to issue new certificates:

{% hint style="danger" %}
This is only a test pki, for info how to generate a more secure pki please read the manual of HashiCorp Vault!
{% endhint %}

```
$ vault secrets enable -path=testpki -description=testpki pki
$ vault secrets tune -max-lease-ttl=8760h testpki
$ vault write testpki/root/generate/internal \
      common_name=koudingspawn.de \
      ttl=500h
$ vault write testpki/roles/testrole \
      allowed_domains=*.koudingspawn.de \
      max_ttl=8760h
```

After this create the following Vault-Resource and apply it to Kubernetes:

```yaml
apiVersion: "koudingspawn.de/v1"
kind: Vault
metadata:
  name: test-pki
spec:
  path: "testpki/issue/testrole"
  type: "PKI"
  pkiConfiguration:
    commonName: "vault.koudingspawn.de"
    ttl: "8h"

```

This issues a new certificate that is available in your Kubernetes secret resource. It's saved in the format that Ingress can use to read them as certificates. For more details on ingress configuration please see: <https://koudingspawn.de/advanced-ingress/>

```
$ kubectl get vault test-pki
NAME       AGE
test-pki   8d
```

```
$ kubectl get secret test-pki
NAME       TYPE      DATA      AGE
test-pki   Opaque    2         8d
```

```
$ kubectl get secret test-pki -o yaml
apiVersion: v1
data:
  tls.crt: <certificate>
  tls.key: <key>
kind: Secret
metadata:
  annotations:
    vault.koudingspawn.de/compare: 2018-04-13T22:38Z
    vault.koudingspawn.de/lastUpdated: 2018-04-14T00:31:42.889
  creationTimestamp: 2018-04-13T22:16:03Z
  name: test-pki
  namespace: default
  resourceVersion: "1791800"
  selfLink: /api/v1/namespaces/default/secrets/test-pki
  uid: 40eaddf8-3f68-11e8-8433-b2b7401505d0
type: Opaque
```

### Supported Values in pkiConfiguration

```yaml
pkiConfiguration:
  commonName: "vault.koudingspawn.de"
  altNames: ""
  ipSans: ""
  ttl: "8h"
```

For more information about the described fields please see the [API documentation](https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate) of Vault.

### Change Adjustment Callback

For more details please see [Change Detection](/change-detection.md)!


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://vault.koudingspawn.de/supported-secret-types/secret-type-pki.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.