Vault API Patterns

HashiCorp Vault API patterns from production secret and certificate management. Every entry has a date and context.

2026-04-03: PKI Certificate Issuance via API

Problem: Issue a client certificate from Vault’s PKI intermediate CA for EAP-TLS authentication.

Context: P16g deployment, Vault PKI for WiFi EAP-TLS. Vault cluster running on vault-01/vault-02, PKI intermediate (pki_int) with domus-client role configured. ISE trusts DOMUS-ISSUING-CA in its certificate store.

The Fix:

# 1. Load Vault credentials
ds d000 dev/vault

# 2. Set the TARGET hostname explicitly
HOSTNAME="modestus-p16g"
echo "Issuing cert for: ${HOSTNAME}.inside.domusdigitalis.dev"

# 3. Issue certificate: the first tee keeps the full JSON response (cert, key, CA chain),
#    the second tee writes the jq summary to a file AND shows it on screen
vault write -format=json pki_int/issue/domus-client \
    common_name="${HOSTNAME}.inside.domusdigitalis.dev" \
    ttl=8760h \
    | tee /tmp/${HOSTNAME}-vault-cert.json \
    | jq '{common_name: .data.common_name, serial: .data.serial_number, expiration: .data.expiration}' \
    | tee /tmp/${HOSTNAME}-vault-summary.json

# 4. Extract cert, key, and CA chain (>| overrides noclobber)
jq -r '.data.certificate' /tmp/${HOSTNAME}-vault-cert.json >| /tmp/${HOSTNAME}-eaptls.pem
jq -r '.data.private_key' /tmp/${HOSTNAME}-vault-cert.json >| /tmp/${HOSTNAME}-eaptls.key
# Both files hold the private key; do not leave them at the default umask in /tmp
chmod 600 /tmp/${HOSTNAME}-eaptls.key /tmp/${HOSTNAME}-vault-cert.json
jq -r '.data.ca_chain[]' /tmp/${HOSTNAME}-vault-cert.json >| /tmp/DOMUS-CA-CHAIN.pem

# 5. Install to standard locations
sudo cp /tmp/${HOSTNAME}-eaptls.pem /etc/ssl/certs/
sudo cp /tmp/${HOSTNAME}-eaptls.key /etc/ssl/private/
sudo chmod 600 /etc/ssl/private/${HOSTNAME}-eaptls.key
sudo cp /tmp/DOMUS-CA-CHAIN.pem /etc/ssl/certs/

Rule: Always tee the full JSON response before extracting fields. Vault returns cert, key, and CA chain in one response — capture all of it. Use vault write -format=json (not curl) for interactive issuance; use curl API for scripts.

Worklog: WRKLOG-2026-04-03


2026-03-28: Vault CLI vs API — When to Use Which

Problem: Both vault write CLI and curl API achieve the same result. When to use which?

Context: Daily Vault operations, netapi development

The Pattern:

# CLI (interactive, human-friendly)
vault write pki_int/issue/domus-client \
    common_name="host.inside.domusdigitalis.dev" ttl="8760h"

# API (scriptable, automatable)
curl -s -H "X-Vault-Token: $VAULT_TOKEN" -X POST \
  https://vault-01.inside.domusdigitalis.dev:8200/v1/pki_int/issue/domus-client \
  -d '{"common_name": "host.inside.domusdigitalis.dev", "ttl": "8760h"}'

Rule: Use CLI for interactive work, API for scripts. CLI wraps the API — both hit the same endpoint. For netapi integration, always use the API. CLI picks up the token from ~/.vault-token or $VAULT_TOKEN and the server from $VAULT_ADDR; the API requires the full URL and an explicit X-Vault-Token header on every request.

Worklog: WRKLOG-2026-03-28
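The scripted side of both rules above, as an added example that is not from these notes or from Vault's own tooling: a standard-library Python script that POSTs to the same pki_int/issue/domus-client endpoint as the curl call, validates the response before writing anything, and performs steps 4 and 5 of the interactive recipe with the private key created 0600 from the start. Reading the token from VAULT_TOKEN, the validate/install helpers and the output file names are assumptions.

```python
import json
import os
import urllib.request
from urllib.error import HTTPError

VAULT_ADDR = "https://vault-01.inside.domusdigitalis.dev:8200"  # endpoint from the notes
ISSUE_PATH = "/v1/pki_int/issue/domus-client"                   # mount and role from the notes
REQUIRED = ("certificate", "private_key", "ca_chain", "serial_number", "expiration")


def issue_via_api(common_name, ttl="8760h", token=None):
    """POST the same body as the curl example with an explicit X-Vault-Token.
    Vault answers failures with HTTP 4xx and an 'errors' array; urllib raises
    HTTPError for those, so the body is read and re-raised with context."""
    token = token or os.environ["VAULT_TOKEN"]  # assumption: the API never reads ~/.vault-token
    req = urllib.request.Request(
        VAULT_ADDR + ISSUE_PATH, method="POST",
        data=json.dumps({"common_name": common_name, "ttl": ttl}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except HTTPError as e:
        raise RuntimeError(f"Vault {e.code}: {e.read().decode(errors='replace')}") from e


def validate(payload):
    """Problems in an issuance response (empty list = safe to install):
    'errors' entries first, then each field of the cert/key/chain set that is absent."""
    problems = [f"vault error: {m}" for m in payload.get("errors") or []]
    data = payload.get("data") or {}
    return problems + [f"missing {f}" for f in REQUIRED if f not in data]


def install(data, hostname, outdir):
    """Steps 4-5 of the interactive recipe. The key file is created 0600 at
    open time (any stale copy removed first) so it is never world-readable."""
    paths = {"cert": os.path.join(outdir, f"{hostname}-eaptls.pem"),
             "key": os.path.join(outdir, f"{hostname}-eaptls.key"),
             "chain": os.path.join(outdir, "DOMUS-CA-CHAIN.pem")}
    with open(paths["cert"], "w") as f:
        f.write(data["certificate"] + "\n")
    with open(paths["chain"], "w") as f:
        f.write("\n".join(data["ca_chain"]) + "\n")  # same as jq -r '.data.ca_chain[]'
    if os.path.exists(paths["key"]):
        os.remove(paths["key"])  # O_TRUNC on an existing file would keep its old mode
    fd = os.open(paths["key"], os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data["private_key"] + "\n")
    return paths


def key_mode(path):
    return os.stat(path).st_mode & 0o777  # permission bits, for checking the 0600 guarantee
```

Wire it up as `install(validate_or_raise(issue_via_api(cn)))` in the netapi code path; the validate step is what the CLI recipe's "tee the full JSON" rule protects against, since a partial response must never reach /etc/ssl.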