Enable the PKI secrets engine at two paths: one for the root CA and one for an intermediate CA (e.g., pki and pki_int)
Generate or import a root CA at the pki path; in production, consider keeping the root CA offline and importing only the signed root certificate
Generate an intermediate CSR at pki_int, sign it with the root CA (or an external CA), and import the signed intermediate certificate back into pki_int
Configure a role at pki_int/roles/<name> specifying allowed domains, max TTL, key type, and whether the requested CN must fall within the allowed domains; set a TTL appropriate for your rotation cadence
Issue certificates by writing to pki_int/issue/<role> with the requested common name; applications should request short-lived certificates (hours to a few days) and renew automatically
Configure CRL and OCSP endpoints in the PKI mount's URLs config and publish them so relying parties can check revocation status
Known gotchas
The root CA private key generated inside Vault is stored in Vault's backend; protect the root CA path with strict policies and consider using an HSM-backed seal
Certificate TTLs must not exceed the role's max_ttl or the issuing CA's remaining validity; plan CA renewal well in advance of expiry
CRL rotation and OCSP responder availability are critical for certificate revocation to work; a stale or unavailable CRL may cause clients that soft-fail on revocation checks to accept revoked certificates
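The six setup steps above and the TTL gotcha, carried out with the vault CLI, as an added example (this is not code from the original page or from HashiCorp). It assumes VAULT_ADDR and VAULT_TOKEN point at a Vault you administer; the mount paths follow the page (pki, pki_int), while the domain example.com, the role name web, the public Vault URL used for the CRL/OCSP pointers and the TTL values are placeholders to replace. Vault commands only run when the script is invoked with `apply`; the duration helpers and the TTL chain check run anywhere.

```shell
#!/bin/sh
# Added example: two-tier Vault PKI (root at "pki", intermediate at "pki_int")
# with a pre-flight check that leaf TTL <= role max_ttl <= intermediate lifetime <= root lifetime.
set -eu

ROOT_MOUNT="pki"
INT_MOUNT="pki_int"
ROLE="web"                                          # assumed role name
DOMAIN="example.com"                                # placeholder domain
VAULT_PUBLIC_URL="https://vault.example.com:8200"   # placeholder, published in CRL/OCSP URLs
ROOT_TTL="87600h"      # 10 years
INT_TTL="43800h"       # 5 years
ROLE_MAX_TTL="72h"     # leaf certificates stay short-lived and are renewed automatically
LEAF_TTL="24h"

# Convert a Vault-style duration ("30s", "720h", "7d", or plain seconds) to seconds.
duration_to_seconds() {
  d="$1"
  case "$d" in
    *s) echo $(( ${d%s} )) ;;
    *m) echo $(( ${d%m} * 60 )) ;;
    *h) echo $(( ${d%h} * 3600 )) ;;
    *d) echo $(( ${d%d} * 86400 )) ;;
    *)  echo $(( d )) ;;
  esac
}

# Succeeds when the first duration does not exceed the second.
ttl_fits() {
  [ "$(duration_to_seconds "$1")" -le "$(duration_to_seconds "$2")" ]
}

# leaf <= role max_ttl <= intermediate CA lifetime <= root CA lifetime
ttl_chain_ok() {
  ttl_fits "$1" "$2" && ttl_fits "$2" "$3" && ttl_fits "$3" "$4"
}

setup_root() {
  vault secrets enable -path="$ROOT_MOUNT" pki
  vault secrets tune -max-lease-ttl="$ROOT_TTL" "$ROOT_MOUNT"
  # Root generated inside Vault; for an offline root, skip this and import the
  # signed root certificate via "$ROOT_MOUNT/config/ca" instead.
  vault write -field=certificate "$ROOT_MOUNT/root/generate/internal" \
    common_name="$DOMAIN Root CA" ttl="$ROOT_TTL" > root_ca.crt
  vault write "$ROOT_MOUNT/config/urls" \
    issuing_certificates="$VAULT_PUBLIC_URL/v1/$ROOT_MOUNT/ca" \
    crl_distribution_points="$VAULT_PUBLIC_URL/v1/$ROOT_MOUNT/crl"
}

setup_intermediate() {
  vault secrets enable -path="$INT_MOUNT" pki
  vault secrets tune -max-lease-ttl="$INT_TTL" "$INT_MOUNT"
  # CSR from the intermediate mount, signed by the root, signed cert imported back.
  vault write -field=csr "$INT_MOUNT/intermediate/generate/internal" \
    common_name="$DOMAIN Intermediate CA" > int.csr
  vault write -field=certificate "$ROOT_MOUNT/root/sign-intermediate" \
    csr=@int.csr format=pem_bundle ttl="$INT_TTL" > int.crt
  vault write "$INT_MOUNT/intermediate/set-signed" certificate=@int.crt
  vault write "$INT_MOUNT/config/urls" \
    issuing_certificates="$VAULT_PUBLIC_URL/v1/$INT_MOUNT/ca" \
    crl_distribution_points="$VAULT_PUBLIC_URL/v1/$INT_MOUNT/crl" \
    ocsp_servers="$VAULT_PUBLIC_URL/v1/$INT_MOUNT/ocsp"
}

configure_role() {
  vault write "$INT_MOUNT/roles/$ROLE" \
    allowed_domains="$DOMAIN" allow_subdomains=true allow_bare_domains=false \
    enforce_hostnames=true key_type=ec key_bits=256 max_ttl="$ROLE_MAX_TTL"
}

# Refuse to issue when the configured TTLs cannot all be satisfied.
issue_leaf() {
  ttl_chain_ok "$LEAF_TTL" "$ROLE_MAX_TTL" "$INT_TTL" "$ROOT_TTL" || {
    echo "refusing to issue: $LEAF_TTL <= $ROLE_MAX_TTL <= $INT_TTL <= $ROOT_TTL does not hold" >&2
    return 1
  }
  vault write -format=json "$INT_MOUNT/issue/$ROLE" common_name="$1" ttl="$LEAF_TTL"
}

if [ "${1:-}" = "apply" ]; then
  setup_root
  setup_intermediate
  configure_role
  issue_leaf "app01.$DOMAIN"
fi
```

Run it as `sh vault-pki.sh apply` against a Vault you administer. The chain check is deliberately done client-side before the write: Vault will also clamp or reject a TTL that does not fit, but catching it in the script makes the misconfiguration visible where the TTL values are defined rather than in an issuance failure later.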