# Vault Commands

## Overview

The netapi vault commands provide CLI access to HashiCorp Vault for secrets management, certificate issuance, and backup operations.
## Prerequisites

```bash
# Install vault CLI
sudo pacman -S vault   # Arch
sudo dnf install vault # Fedora

# Load Vault credentials
dsource d000 dev/vault

# Set VAULT_ADDR (if not in dsec)
export VAULT_ADDR="http://certmgr-01.inside.domusdigitalis.dev:8200"
```
## Commands

### status

Show Vault server status.

```bash
netapi vault status
netapi vault status -f json
```

Sample Output:

```
Vault Status: UNSEALED
┏━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Property     ┃ Value                  ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Initialized  │ Yes                    │
│ Sealed       │ No                     │
│ Version      │ 1.21.2                 │
│ Cluster Name │ vault-cluster-904d4b42 │
│ HA Enabled   │ No                     │
│ Storage Type │ file                   │
└──────────────┴────────────────────────┘
```
### unseal

Unseal the Vault server.

```bash
# Auto-unseal using VAULT_UNSEAL_KEY_* from dsec
netapi vault unseal --auto

# Manual unseal with a specific key
netapi vault unseal --key "VB0zxl..."
```

Auto-unseal reads `VAULT_UNSEAL_KEY_1`, `VAULT_UNSEAL_KEY_2`, etc. from the environment (loaded via `dsource d000 dev/vault`) and submits the number of keys given by `VAULT_UNSEAL_THRESHOLD`.
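The auto-unseal procedure described above, written out as an added example (this is not netapi's own code): it collects the numbered `VAULT_UNSEAL_KEY_*` variables, submits at most `VAULT_UNSEAL_THRESHOLD` of them to Vault's `POST /v1/sys/unseal` endpoint, and stops as soon as the server reports `sealed: false`. The HTTP transport is injected so the logic can be exercised offline against the constructed `FakeVault`, which mirrors Vault's behaviour of ignoring a share that has already been provided; that is the failure mode a duplicated key in `dsec` would produce.

```python
"""Added example, not netapi's own code: the auto-unseal procedure driven
through Vault's HTTP API (POST /v1/sys/unseal).  The transport is injected so
the logic runs offline against the constructed FakeVault below."""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, List

Poster = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def collect_unseal_keys(env: Dict[str, str]) -> List[str]:
    """Gather VAULT_UNSEAL_KEY_1, VAULT_UNSEAL_KEY_2, ... in order, stopping at
    the first gap so a leftover VAULT_UNSEAL_KEY_9 is never picked up."""
    keys: List[str] = []
    i = 1
    while f"VAULT_UNSEAL_KEY_{i}" in env:
        keys.append(env[f"VAULT_UNSEAL_KEY_{i}"])
        i += 1
    return keys


def auto_unseal(env: Dict[str, str], post: Poster) -> Dict[str, Any]:
    """Submit at most VAULT_UNSEAL_THRESHOLD keys, stopping as soon as the
    server reports sealed=false.  Returns the final seal-status document
    (sealed / t / n / progress, the fields Vault returns)."""
    keys = collect_unseal_keys(env)
    threshold = int(env["VAULT_UNSEAL_THRESHOLD"])
    if len(keys) < threshold:
        raise RuntimeError(
            f"need {threshold} unseal keys, only {len(keys)} in environment")
    status: Dict[str, Any] = {"sealed": True}
    for key in keys[:threshold]:
        status = post("/v1/sys/unseal", {"key": key})
        if not status["sealed"]:
            break
    if status["sealed"]:
        # Environment threshold disagrees with the server, or a share was a
        # duplicate: fail loudly, and never echo the key material itself.
        raise RuntimeError(
            f"still sealed: progress {status.get('progress')}/{status.get('t')}")
    return status


def http_poster(vault_addr: str) -> Poster:
    """Real transport: JSON POST to $VAULT_ADDR (sys/unseal needs no token)."""
    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            vault_addr.rstrip("/") + path,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return post


class FakeVault:
    """Constructed stand-in for a sealed server with a t-of-n Shamir split.
    Like Vault, a share that was already provided makes no progress."""

    def __init__(self, valid_keys: List[str], threshold: int):
        self.valid, self.t, self.n = valid_keys, threshold, len(valid_keys)
        self.seen: List[str] = []
        self.calls = 0

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        assert path == "/v1/sys/unseal"
        self.calls += 1
        key = body["key"]
        if key in self.valid and key not in self.seen:
            self.seen.append(key)
        sealed = len(self.seen) < self.t
        return {"sealed": sealed, "t": self.t, "n": self.n,
                "progress": len(self.seen) if sealed else 0}


if __name__ == "__main__":
    # Against a real server; credentials come from `dsource d000 dev/vault`.
    print(auto_unseal(dict(os.environ), http_poster(os.environ["VAULT_ADDR"])))
```

Submitting exactly the threshold and then checking the server's own `sealed` flag, rather than looping over every key in the environment, means a misconfigured threshold surfaces as an error instead of extra key submissions.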
### seal

Seal the Vault server (emergency operation).

```bash
netapi vault seal --force
```

> **Warning:** Sealing Vault will require a manual unseal with the unseal keys. Use only in emergencies or during maintenance.
### secrets-list

List secrets at a path.

```bash
netapi vault secrets-list
netapi vault secrets-list secret/network/
```
### secrets-engines

List enabled secrets engines.

```bash
netapi vault secrets-engines
```

Sample Output:

```
Secrets Engines
┏━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Path     ┃ Type   ┃ Description           ┃
┡━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ secret/  │ kv     │ Key/Value Secrets     │
│ pki/     │ pki    │ PKI Certificate Engine│
│ cubbyhole│ cubbho │ Per-token private     │
│ identity/│ identi │ Identity store        │
│ sys/     │ system │ System backend        │
└──────────┴────────┴───────────────────────┘
```
### backup

Back up Vault data.

```bash
# Backup to local file
netapi vault backup -o /tmp/vault-backup.snap

# Backup and upload to NAS
netapi vault backup --upload-nas
```

The backup is uploaded to the location specified by:

- `VAULT_BACKUP_HOST` - NAS hostname
- `VAULT_BACKUP_PATH` - NAS path
- `VAULT_BACKUP_USER` - SSH user
### pki-status

Show PKI secrets engine status.

```bash
netapi vault pki-status
```

Shows the configured PKI URLs (CRL distribution points, issuing certificates, OCSP servers).
### pki-issue

Issue a certificate from the Vault PKI secrets engine.

```bash
# Issue certificate (default 1 year TTL)
netapi vault pki-issue web-01.inside.domusdigitalis.dev

# Custom TTL and output directory
netapi vault pki-issue db-01.inside.domusdigitalis.dev --ttl 720h -o /etc/ssl/certs
```

Parameters:

| Parameter | Description |
|---|---|
| `<cn>` (positional) | Certificate CN (required) |
| `--ttl` | Certificate validity (default: 8760h = 1 year) |
| `-o` | Output directory for cert/key files |

Output Files:

```
<cn>.crt        # Certificate
<cn>.key        # Private key (mode 600)
<cn>.chain.crt  # CA chain
```
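How the three output files above get written is the security-relevant part of `pki-issue`, so here is an added example (not netapi's own code) of that step. It builds the request body for Vault's PKI issue endpoint (`POST /v1/<mount>/issue/<role>` with `common_name` and `ttl`, authenticated with the `X-Vault-Token` header) and splits the response into `<cn>.crt`, `<cn>.key` and `<cn>.chain.crt`, creating the key with mode 0600 before any bytes land in it and refusing to overwrite an existing key. The mount path and role are assumptions passed in as parameters (netapi takes them from environment variables whose names are not shown on this page), and `SAMPLE_RESPONSE` is constructed, only shaped like a real Vault response.

```python
"""Added example, not netapi's own code: the file-writing half of pki-issue.
Mount path and role are assumed parameters; SAMPLE_RESPONSE is constructed."""
import json
import os
import tempfile
import urllib.request
from pathlib import Path
from typing import Any, Dict, Optional


def issue_request(common_name: str, ttl: str = "8760h") -> Dict[str, Any]:
    """Body for the PKI issue endpoint; 8760h is netapi's documented default."""
    return {"common_name": common_name, "ttl": ttl}


def vault_issue(vault_addr: str, token: str, mount: str, role: str,
                common_name: str, ttl: str = "8760h") -> Dict[str, Any]:
    """Real call: POST $VAULT_ADDR/v1/<mount>/issue/<role>, returns the
    `data` object (certificate, private_key, issuing_ca, ca_chain, ...)."""
    req = urllib.request.Request(
        f"{vault_addr.rstrip('/')}/v1/{mount.strip('/')}/issue/{role}",
        data=json.dumps(issue_request(common_name, ttl)).encode(),
        headers={"Content-Type": "application/json", "X-Vault-Token": token},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]


def _pem(block: str) -> str:
    """Normalise a PEM block to end in exactly one newline."""
    return block.rstrip("\n") + "\n"


def write_cert_files(cn: str, data: Dict[str, Any], out_dir: str) -> Dict[str, str]:
    """Write <cn>.crt, <cn>.key and <cn>.chain.crt.  The key is opened first
    with O_EXCL and mode 0600: it is never world-readable, not even briefly,
    and an existing key aborts the write before anything else is touched."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    crt, key, chain = out / f"{cn}.crt", out / f"{cn}.key", out / f"{cn}.chain.crt"
    fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # FileExistsError if present
    with os.fdopen(fd, "w") as fh:
        fh.write(_pem(data["private_key"]))
    crt.write_text(_pem(data["certificate"]))
    # Vault returns ca_chain as a list of PEM blocks; fall back to issuing_ca
    # when a minimal response carries only that field.
    blocks = data.get("ca_chain") or [data["issuing_ca"]]
    chain.write_text("".join(_pem(b) for b in blocks))
    return {"dir": str(out), "crt": str(crt), "key": str(key), "chain": str(chain)}


def key_mode(path: str) -> int:
    """Permission bits of a written file, for verification."""
    return os.stat(path).st_mode & 0o777


SAMPLE_RESPONSE = {  # constructed; real fields carry full PEM certificates
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----",
                 "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----"],
    "private_key": "-----BEGIN EC PRIVATE KEY-----\nSECRET\n-----END EC PRIVATE KEY-----",
}


def demo(out_dir: Optional[str] = None) -> Dict[str, str]:
    """Run the writer on the constructed sample (stand-alone usage)."""
    return write_cert_files("web-01.inside.domusdigitalis.dev", SAMPLE_RESPONSE,
                            out_dir or tempfile.mkdtemp(prefix="pki-issue-"))


if __name__ == "__main__":
    print(demo())
```

Opening the key with `O_CREAT | O_EXCL` and an explicit 0600 mode is what makes the "mode 600" guarantee hold: a `chmod` after a normal `open()` would leave a window in which the key sat on disk with the process umask's default permissions.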
## Environment Variables

| Variable | Description |
|---|---|
| `VAULT_ADDR` | Vault server URL (required) |
| `VAULT_TOKEN` | Vault access token |
| | Root token (fallback if `VAULT_TOKEN` not set) |
| `VAULT_UNSEAL_KEY_1`, `VAULT_UNSEAL_KEY_2`, ... | Shamir unseal keys |
| `VAULT_UNSEAL_THRESHOLD` | Number of keys required to unseal |
| | PKI secrets engine mount path |
| | Intermediate CA mount path |
| | PKI role for issuing certificates |
| `VAULT_BACKUP_HOST` | NAS hostname for backups |
| `VAULT_BACKUP_PATH` | NAS path for backups |
| `VAULT_BACKUP_USER` | SSH user for NAS backup |
## Common Workflows

### After System Reboot

```bash
# Load credentials
dsource d000 dev/vault

# Auto-unseal Vault
netapi vault unseal --auto

# Verify status
netapi vault status
```