Mount a root CA at 'pki' and generate an internal root cert: 'vault write pki/root/generate/internal common_name=example.com ttl=87600h'
Mount an intermediate CA at 'pki_int', generate a CSR, sign it with the root, and import the signed cert: 'vault write pki_int/intermediate/generate/internal common_name=intermediate.example.com' then 'vault write pki/root/sign-intermediate csr=<CSR> format=pem_bundle ttl=43800h' then 'vault write pki_int/intermediate/set-signed certificate=<SIGNED_CERT>'
Create a PKI role constraining allowed domains: 'vault write pki_int/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h'
Issue a certificate: 'vault write pki_int/issue/example-dot-com common_name=web.example.com ttl=24h'
Extract the certificate, private_key, and issuing_ca from the response JSON and deploy to the target service
Automate renewal by re-issuing before expiry; use Vault Agent with a 'template' stanza to render the cert and key to disk and send SIGHUP to the service on change
Known gotchas
The private key is only returned at issuance time and is never stored in Vault; if you lose it you must issue a new certificate
CRL and OCSP endpoints must be configured with 'vault write pki_int/config/urls' before issuance or browsers will fail revocation checks
Setting 'generate_lease=true' on the PKI role allows lease-based revocation but adds Vault storage overhead at scale; for high-volume issuance leave it false and use CRL-based revocation
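The extract-and-deploy step and the renewal rule above, as an added example (not Vault's own code or part of the original route): it mirrors the role's allowed_domains/allow_subdomains check, writes the issue response to disk with the private key restricted to the owner, and decides when to re-issue. The response JSON is a constructed sample with placeholder PEM bodies; `out_dir`, the 2/3-lifetime threshold and the file names are assumptions.

```python
import json, os, stat, tempfile
from pathlib import Path

# Constructed sample of a `vault write -format=json pki_int/issue/example-dot-com ...`
# response; PEM bodies are placeholders, not real key material.
SAMPLE_ISSUE_RESPONSE = json.dumps({
    "data": {
        "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...web\n-----END CERTIFICATE-----",
        "issuing_ca": "-----BEGIN CERTIFICATE-----\nMIIB...int\n-----END CERTIFICATE-----",
        "ca_chain": ["-----BEGIN CERTIFICATE-----\nMIIB...int\n-----END CERTIFICATE-----"],
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...key\n-----END RSA PRIVATE KEY-----",
        "serial_number": "3a:1f:placeholder",
        "expiration": 1700086400,  # Unix timestamp, as Vault returns it
    }
})

def cn_allowed(common_name, allowed_domains, allow_subdomains):
    """Mirror the PKI role constraint: exact domain, or a subdomain when permitted.
    The leading dot prevents 'evilexample.com' matching 'example.com'."""
    for domain in allowed_domains:
        if common_name == domain:
            return True
        if allow_subdomains and common_name.endswith("." + domain):
            return True
    return False

def deploy_issued_cert(response_json, out_dir=None):
    """Write certificate, CA chain and private key from an issue response.
    The key is created 0600 because Vault never stores it; losing it means re-issuing."""
    data = json.loads(response_json)["data"]
    out = Path(out_dir or tempfile.mkdtemp(prefix="vault-pki-"))
    out.mkdir(parents=True, exist_ok=True)
    (out / "cert.pem").write_text(data["certificate"] + "\n")
    (out / "ca.pem").write_text("\n".join(data["ca_chain"]) + "\n")
    key_path = out / "key.pem"
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data["private_key"] + "\n")
    return {
        "dir": str(out),
        "serial": data["serial_number"],
        "expiration": data["expiration"],
        "key_mode": stat.S_IMODE(os.stat(key_path).st_mode),
    }

def needs_renewal(issued_at, expiration, now, fraction=2 / 3):
    """Re-issue once the given fraction of the certificate lifetime has elapsed (assumed 2/3)."""
    return now >= issued_at + (expiration - issued_at) * fraction
```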