{"id":"3e9fb762-b8c1-4cbd-a222-fa93aad08d20","task":"Issue TLS certificates from HashiCorp Vault PKI secrets engine as an intermediate CA","domain":"developer.hashicorp.com","steps":["Enable the PKI secrets engine at two paths: one for the root CA and one for an intermediate CA (e.g., pki and pki_int)","Generate or import a root CA at the pki path; in production, consider keeping the root CA offline and importing only the signed root certificate","Generate an intermediate CSR at pki_int, sign it with the root CA (or an external CA), and import the signed intermediate certificate back into pki_int","Configure a role at pki_int/roles/<name> specifying allowed domains, max TTL, key type, and whether the CN is enforced; set a TTL appropriate for your rotation cadence","Issue certificates by writing to pki_int/issue/<role> with the requested common name; applications should request short-lived certificates (hours to a few days) and renew automatically","Configure CRL and OCSP endpoints in the PKI mount's URLs config and publish them so relying parties can check revocation status"],"gotchas":["The root CA private key generated inside Vault is stored in Vault's backend; protect the root CA path with strict policies and consider using an HSM-backed seal","Certificate TTLs must not exceed the role's max_ttl or the issuing CA's remaining validity; plan CA renewal well in advance of expiry","CRL rotation and OCSP responder availability are critical for certificate revocation to work; a stale or unavailable CRL may cause clients to accept revoked certificates depending on their policy"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:30.487Z"},"url":"https://mcp.waymark.network/r/3e9fb762-b8c1-4cbd-a222-fa93aad08d20"}