Score:1

hashicorp vault - load pre-existing CA certificate into PKI engine

pk

I'm looking to migrate a process that generates client certificates from a custom root CA into hashicorp vault.

The root is already trusted by a lot of applications, so I'd like to import it (or an intermediate) into vault and emit the client certificates from there.

The tutorials are straightforward but always show how to generate a new root and intermediate certificate.

How can I initialize a PKI secrets engine with a pre-existing root cert via command-line (e.g. vault write pki/root/???) ?

Score:1
in

Short answer

Long answer

PKI means "public key infrastructure", but with that public key comes the all-important private key. The private key is the key used to sign (or generate) the certificates for your applications. Vault has nothing to do with it; it's the math behind the PKI that requires it.

So the CA needs a key pair (public and private). Without the private key, it will be impossible to generate the signature and issue a certificate. It is computationally impossible to find the private key if you only have the public key (but ask again 10 years from now).

Most PKIs don't allow exporting their private key. Some/most PKIs are hooked to a tamper-proof hardware device (called an HSM) designed to prevent the private key from ever leaving its secure container.

So unless you can get your hands on the private key, you will have to deploy a new issuer certificate. You can have Vault's certificate signed by your old CA. Doing so will make your certificates recognized by browsers, but now you have 2 CAs to maintain...
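The two situations described in the answer, as an added example that is not part of the original post: one path for when you hold the root's private key (import it), one for when you do not (let Vault generate an intermediate and sign its CSR with the old root). It assumes the `vault` CLI is installed with `VAULT_ADDR` and `VAULT_TOKEN` set; mount paths, TTLs and file names are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Assumes vault CLI on PATH
# and VAULT_ADDR/VAULT_TOKEN configured; file names are placeholders.
set -eu

# Path A: you DO have the root's private key. pki/config/ca takes a
# single pem_bundle: the CA certificate followed by its private key.
# Refuse to build the bundle unless both parts are really present, so a
# half-filled bundle never reaches Vault.
make_bundle() {            # make_bundle ca.pem ca.key out.pem
  grep -q 'BEGIN CERTIFICATE' "$1" || return 1
  grep -q 'PRIVATE KEY' "$2" || return 1
  cat "$1" "$2" > "$3"
}

import_existing_ca() {     # import_existing_ca bundle.pem
  vault secrets enable -path=pki pki
  vault secrets tune -max-lease-ttl=87600h pki
  vault write pki/config/ca pem_bundle=@"$1"
}

# Path B: no private key available. Vault creates the intermediate key
# pair internally (the key never leaves Vault) and returns only a CSR.
# Sign that CSR with the old root outside Vault, then hand the signed
# certificate back. The old root stays the trust anchor; Vault issues
# leaf certificates chained to it.
issue_intermediate_csr() { # issue_intermediate_csr "Example Int CA" > inter.csr
  vault secrets enable -path=pki_int pki
  vault secrets tune -max-lease-ttl=43800h pki_int
  vault write -field=csr pki_int/intermediate/generate/internal \
    common_name="$1"
}

set_signed_intermediate() { # set_signed_intermediate signed_inter.pem
  vault write pki_int/intermediate/set-signed certificate=@"$1"
}
```

After either path, roles and leaf issuance work the same way (`vault write pki_int/roles/...` then `vault write pki_int/issue/<role>`), so the client-certificate generation step only needs its mount path changed.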

