Skip to content
Tool to manage a keypair provided by HashiCorp Vault
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



vault-pki-client is a tool, similar to consul-template but crafted specifically for Vault and the PKI (certificate) secret backend

The tool will connect to a Vault server and periodically request a x509 keypair, save the generated keypair to files, and optionally execute a command each time the files are updated. The tool runs as a daemon (unless the --once argument is given), and will continue to run in the background and update the keypair shortly before it expires. The idea is to enable system administrators to request shorter TTLs, aligning with Vault's principle of short-lived one-time secrets.


If you have node.js installed, simply npm install -g vault-pki-client

If you don't have node.js installed, you can download a binary package



vault-pki-client makes use of the excellent rc module, so variables can be passed as command line parameters, environment variables or provided via a configuration file named .vault-pki-clientrc

For more detailed information about how to set parameters, see the rc page.


Parameter Default Value Description
vault.server.address The protocol, hostname and port of the Vault server. None Path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate None Path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
vault.server.tls-skip-verify false If set, do not verify Vault's presented certificate before communicating with it. Setting this variable is not recommended except during testing.
vault.server.api-version v1 The API version to use when communicating with the Vault server. For now, only v1 is supported.
vault.pki.path pki The path to the requested pki mount point in the Vault server.
vault.pki.role None (required) The name of the role used to request the client certificate pair. See the Vault documentation for details of how to configure this in the Vault server.
vault.token None The token used to authenticate to the Vault server.
vault.token-renewable false If true, vault-pki-client will attempt to renew the token based on the TTL of the token. The token will be renewed immediately on startup to determine the TTL.
certCN The hostname of the machine running vault-pki-client The Common Name (CN) to be used in the requested x509 keypair. For example, The value specified here must be a valid CN based on the role defined in vault.pki.role or the request will be rejected by the Vault server.
certAltNames [] Subject Alternative Names to request in the cert. These are in addition to the value of certCN. Any values specified must be a valid CN based on the role defined in vault.pki.role or the entire request will be denied.
certIPs [] IP Subject Alternative Name to request in the cert. The role defined in vault.pki.role must allow IP SANs or the entire request will be denied.
certTTL None The TTL of the keypair being requested by the Vault server. In a production environment, this should normally be kept to a reasonably low value. See the Vault documentation. If not specified, the Vault server will use the configured default lease TTL. Note that the value specified may not exceed the maximum TTL defined on the Vault server mount.
certFile client.pem The file to store the x509 certificate returned by the Vault server.
keyFile client.key The file to store the private key for the certificate returned by the Vault server.
caFile None If specified, the file to store the certificate of the CA used to sign certFile. If empty, the CA certificate will not be written to disk.
onUpdate None A command to run after updating the keypair. Can be used to restart services. For example service httpd restart. The command should exit quickly - if you want to start a service, don't start the service directly, but rather write a short-running script/batch file to start the service.
renewalCoefficient 0.9 A coefficient applied to TTLs returned by the Vault server to determine when to renew secrets returned by the vault server. A value of 1.0 means 100% of the lease time, and will almost certainly mean that secrets will expire before they can be renewed. The default value of 0.9 means that secrets will be renewed at 90% of the TTL value. This affects token renewel (if vault.token-renewable is set to true) and certTTL
once false If true, specifies that vault-pki-client will request a new keypair (including writing to disk and execuring onUpdate) and exit immediately without staying alive to renew the keypair when certTTL expires`

###Vault environment variables

vault-pki-client will utilize the standard Vault environment variables if they are defined. Options passed directly to vault-pki-client (including by environment variables) will take precedence over these environment variables, but these environment variables will take precedence over the defaults spefified in the Options section above.

For example if the environment variable VAULT_TOKEN is set to foo, and no value for vault.token is specified, vault-pki-client will use foo as the Vault token. However, if the environment variable VAULT_TOKEN is set to foo, and the environment variable vault-pki-client_vault__token is set to bar, vault-pki-client will use bar as the Vault token.


For more information about configuration files, environment variables and arguments, see the configuration section.

vault-pki-client --certFile=client.pem --keyFile=client.key --caFile=ca.pem --certTTL=24h

This example will attempt to fetch an x509 keypair with the CN which expires 24 hours in the future.


Copyright 2015 Issac Goldstand

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

You can’t perform that action at this time.