PKI external CA secrets engine API
Enterprise
Appropriate Vault Enterprise license required
Use the PKI External CA secrets engine API to maintain centralized certificate management capabilities while using leaf certificates from external, ACME-compliant Certificate Authorities (CAs) including public CAs like Let's Encrypt and DigiCert.
Overview
The PKI External CA secrets engine provides a bridge between Vault and external ACME-compliant Certificate Authorities. It manages the complete certificate lifecycle including:
- ACME account management: Register and manage accounts with external ACME servers.
- Role-based access: Define roles that control which domains ACME accounts can request and how the CA issues certificates.
- Automated certificate acquisition: Handle the ACME protocol workflow automatically, including challenge fulfillment.
- Certificate caching: Retrieve issued certificates previously obtained through an ACME identifier workflow.
Key concepts
- ACME account: An account registered with an external ACME server (e.g., Let's Encrypt).
- Role: Policies that define certificate issuance, including allowed domains and challenge types.
- Order: An in-progress certificate request using the ACME workflow.
- Challenge: ACME validation method (HTTP-01, DNS-01, or TLS-ALPN-01) that proves domain ownership.
ACME account management
ACME accounts represent registered accounts with external ACME servers. Each account associates with a private key and email contacts for notifications.
Create ACME account
Create a new ACME account by registering with the specified ACME directory server.
| Method | Path |
|---|---|
| POST | /{plugin_mount_path}/config/acme-account/:name |
Parameters
- `name` `(string: <required>)` - A unique string used to reference the ACME account in roles.
- `directory_url` `(string: <required>)` - The ACME directory URL (e.g., `https://acme-v02.api.letsencrypt.org/directory` for Let's Encrypt production).
- `email_contacts` `(array<string>: <required>)` - List of email addresses for account notifications. You must provide at least one email.
- `key_type` `(string: "ec-256")` - The key type to generate for the account key. Must be one of:
- `eab_kid` `(string: "")` - External Account Binding (EAB) key identifier. Some ACME servers require an EAB key identifier for account registration.
- `eab_key` `(string: "")` - External Account Binding (EAB) key (urlbase64-encoded). Some ACME servers require an EAB key for account registration.
- `trusted_ca` `(string: "")` - PEM-encoded trusted CA certificates for validating the TLS certificate provided by the ACME server. Use `trusted_ca` for private ACME servers with custom CAs.
Sample payload
{
"directory_url": "https://acme-v02.api.letsencrypt.org/directory",
"email_contacts": ["admin@example.com", "security@example.com"],
"key_type": "ec-256"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/config/acme-account/letsencrypt-prod
Sample response
{
"data": {
"name": "letsencrypt-prod",
"directory_url": "https://acme-v02.api.letsencrypt.org/directory",
"email_contacts": ["admin@example.com", "security@example.com"],
"active_key_version": 0,
"account_keys": {
"0": {
"key_type": "ec-256",
"key_version": 0,
"key_creation_date": "2026-02-24T20:00:00Z"
}
},
"creation_date": "2026-02-24T20:00:00Z",
"last_updated_date": "2026-02-24T20:00:00Z"
}
}
Import ACME account
Import an existing ACME account using a previously registered account key.
| Method | Path |
|---|---|
| POST | /{plugin_mount_path}/config/acme-account/:name/import |
Parameters
- `name` `(string: <required>)` - The name for the imported ACME account.
- `account_key` `(string: <required>)` - PEM-encoded private key for the existing ACME account.
- `directory_url` `(string: <required>)` - The ACME directory URL where you registered the account.
- `trusted_ca` `(string: "")` - PEM-encoded trusted CA certificates for the ACME server.
Sample payload
{
"directory_url": "https://acme-v02.api.letsencrypt.org/directory",
"account_key": "-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/config/acme-account/imported-account/import
Sample response
{
"data": {
"name": "imported-account",
"directory_url": "https://acme-v02.api.letsencrypt.org/directory",
"email_contacts": ["admin@example.com"],
"active_key_version": 0,
"account_keys": {
"0": {
"key_type": "ec-256",
"key_version": 0,
"key_creation_date": "2026-02-24T20:00:00Z"
}
},
"creation_date": "2026-02-24T20:00:00Z",
"last_updated_date": "2026-02-24T20:00:00Z"
}
}
Read ACME account
Retrieve information about an ACME account.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/config/acme-account/:name |
Parameters
- `name` `(string: <required>)` - The name of the ACME account to read.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
${VAULT_ADDR}/v1/pki-external-ca/config/acme-account/letsencrypt-prod
Sample response
{
"data": {
"name": "letsencrypt-prod",
"directory_url": "https://acme-v02.api.letsencrypt.org/directory",
"email_contacts": ["admin@example.com", "security@example.com"],
"acme_account_key_id": "https://acme-v02.api.letsencrypt.org/acme/acct/123456789",
"active_key_version": 0,
"creation_date": "2026-02-24T20:00:00Z",
"last_updated_date": "2026-02-24T20:00:00Z"
}
}
Update ACME account
Update the trusted CA certificates for an ACME account. You can only update the CA certificate field after account creation.
| Method | Path |
|---|---|
| PUT | /{plugin_mount_path}/config/acme-account/:name |
Parameters
- `name` `(string: <required>)` - The name of the ACME account to update.
- `trusted_ca` `(string: <required>)` - PEM-encoded trusted CA certificates for the ACME server.
Sample payload
{
"trusted_ca": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request PUT \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/config/acme-account/letsencrypt-prod
Sample response
{
"data": {
"name": "letsencrypt-prod",
"directory_url": "https://acme-v02.api.letsencrypt.org/directory",
"email_contacts": ["admin@example.com", "security@example.com"],
"acme_account_key_id": "https://acme-v02.api.letsencrypt.org/acme/acct/123456789",
"active_key_version": 0,
"creation_date": "2026-02-24T20:00:00Z",
"last_updated_date": "2026-02-24T20:30:00Z"
}
}
Delete ACME account
Delete and deactivate an ACME account with the ACME server. You cannot delete the account if any roles reference it.
| Method | Path |
|---|---|
| DELETE | /{plugin_mount_path}/config/acme-account/:name |
Parameters
- `name` `(string: <required>)` - The name of the ACME account to delete.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request DELETE \
${VAULT_ADDR}/v1/pki-external-ca/config/acme-account/letsencrypt-prod
List ACME accounts
List all configured ACME accounts.
| Method | Path |
|---|---|
| LIST | /{plugin_mount_path}/config/acme-account |
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request LIST \
${VAULT_ADDR}/v1/pki-external-ca/config/acme-account
Sample response
{
"data": {
"keys": ["letsencrypt-prod", "letsencrypt-staging", "digicert"]
}
}
Rotate ACME account key
Generate a new key pair and perform an ACME key change operation with the upstream server to rotate an existing ACME account key.
| Method | Path |
|---|---|
| POST | /{plugin_mount_path}/config/acme-account/:name/rotate-key |
Parameters
- `name` `(string: <required>)` - The name of the ACME account.
- `key_type` `(string: "ec-256")` - The key type to generate for the new account key. Must be one of:
- `force` `(bool: false)` - Force rotation even if pending orders for the key exist. Use with caution.
Sample payload
{
"key_type": "ec-384"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/config/acme-account/letsencrypt-prod/rotate-key
Sample response
{
"data": {
"name": "letsencrypt-prod",
"old_active_key_version": 0,
"new_active_key_version": 1,
"key_type": "ec-384",
"rotated_at": "2026-02-24T20:45:00Z"
}
}
Role management
Roles define policies for certificate issuance, including which domains you can request and what challenge types you can use.
Create/update role
Create or update a role. You cannot modify acme_account_name after role creation.
| Method | Path |
|---|---|
| POST | /{plugin_mount_path}/role/:name |
Parameters
- `name` `(string: <required>)` - The name of the role.
- `acme_account_name` `(string: <required>)` - The name of the ACME account to use for certificate requests. You cannot change the account name after role creation.
- `allowed_domains` `(array<string>: [])` - List of domains the role accepts for certificates. You can use templates with ACL Path Templating (e.g., `{{identity.entity.name}}.example.com`).
- `allowed_domain_options` `(array<string>: [])` - Configure how Vault interprets `allowed_domains`:
  - `bare_domains` - Allow domains without a subdomain prefix such as `example.com`.
  - `subdomains` - Allow subdomains of the specified domains.
  - `wildcards` - Allow wildcard certificates.
  - `globs` - Allow glob patterns in domain specifications.
- `allowed_challenge_types` `(array<string>: ["http-01", "dns-01", "tls-alpn-01"])` - List of ACME challenge types clients can use. Must be from the following:
  - `http-01` - HTTP-01 challenge
  - `dns-01` - DNS-01 challenge
  - `tls-alpn-01` - TLS-ALPN-01 challenge
- `csr_generate_key_type` `(string: "ec-256")` - Key type to generate when using the identifier workflow (not providing a CSR). Must be one of:
- `csr_identifier_population` `(string: "cn_first")` - Tell Vault how to populate the CSR from provided identifiers in the identifier workflow. Must be one of:
Sample payload
{
"acme_account_name": "letsencrypt-prod",
"allowed_domains": ["example.com", "*.example.com"],
"allowed_domain_options": ["bare_domains", "subdomains", "wildcards"],
"allowed_challenge_types": ["http-01", "dns-01"],
"csr_generate_key_type": "ec-256",
"csr_identifier_population": "cn_first"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server
Sample response
{
"data": {
"name": "web-server",
"acme_account_name": "letsencrypt-prod",
"allowed_domains": ["example.com", "*.example.com"],
"allowed_domain_options": ["bare_domains", "subdomains", "wildcards"],
"allowed_challenge_types": ["http-01", "dns-01"],
"csr_generate_key_type": "ec-256",
"csr_identifier_population": "cn_first",
"creation_date": "2026-02-24T20:00:00Z",
"last_updated_date": "2026-02-24T20:00:00Z"
}
}
Read role
Retrieve information about a role.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/role/:name |
Parameters
- `name` `(string: <required>)` - The name of the role to read.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server
Sample response
{
"data": {
"name": "web-server",
"acme_account_name": "letsencrypt-prod",
"allowed_domains": ["example.com", "*.example.com"],
"allowed_domain_options": ["bare_domains", "subdomains", "wildcards"],
"allowed_challenge_types": ["http-01", "dns-01"],
"csr_generate_key_type": "ec-256",
"csr_identifier_population": "cn_first",
"creation_date": "2026-02-24T20:00:00Z",
"last_updated_date": "2026-02-24T20:00:00Z"
}
}
Delete role
Delete a role. To delete roles with active orders, you must use the `force` option.
| Method | Path |
|---|---|
| DELETE | /{plugin_mount_path}/role/:name |
Parameters
- `name` `(string: <required>)` - The name of the role to delete.
- `force` `(bool: false)` - Force deletion even when active orders exist. Use with caution.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request DELETE \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server
List roles
List all configured roles.
| Method | Path |
|---|---|
| LIST | /{plugin_mount_path}/role |
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request LIST \
${VAULT_ADDR}/v1/pki-external-ca/role
Sample response
{
"data": {
"keys": ["web-server", "api-server", "internal-services"]
}
}
Certificate order workflow
The certificate order workflow manages the complete lifecycle of acquiring certificates from external ACME CAs.
Create new order
Create a new certificate order for automatic processing by the ACME workflow.
| Method | Path |
|---|---|
| POST | /{plugin_mount_path}/role/:name/new-order |
Parameters
- `name` `(string: <required>)` - The name of the role to use for the order.
- `identifiers` `(array<string>: "")` - List of domain names to include in the certificate (e.g., `["example.com", "www.example.com"]`). You must provide either `identifiers` or `csr`, but not both.
- `csr` `(string: "")` - PEM-encoded Certificate Signing Request. Provide `csr` to use the CSR workflow. Leave `csr` unset to use the identifier workflow and have Vault generate the key pair. You must provide either `identifiers` or `csr`, but not both.
Sample payload (identifier workflow)
{
"identifiers": ["example.com", "www.example.com"]
}
Sample payload (CSR workflow)
{
"csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/new-order
Sample response
{
"data": {
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef",
"order_status": "new",
"identifiers": ["example.com", "www.example.com"],
"workflow_type": "identifiers",
"creation_date": "2026-02-24T20:00:00Z",
"next_work_date": "2026-02-24T20:00:01Z",
"expires": "2026-02-24T20:30:00Z"
}
}
Check order status
Retrieve the current status of a certificate order.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/role/:name/order/:order_id/status |
Parameters
- `name` `(string: <required>)` - The name of the role.
- `order_id` `(string: <required>)` - The order ID previously returned when creating the order.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/order/01936d8e-7c3a-7890-b123-456789abcdef/status
Sample response
{
"data": {
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef",
"order_status": "awaiting_challenge_fulfillment",
"identifiers": ["example.com", "www.example.com"],
"workflow_type": "identifiers",
"authorizations": [
{
"identifier": "example.com",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/...",
"token": "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0",
"ready": false
},
{
"type": "dns-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/...",
"token": "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0",
"ready": false
}
]
}
],
"creation_date": "2026-02-24T20:00:00Z",
"last_update": "2026-02-24T20:00:05Z",
"next_work_date": "2026-02-24T21:00:05Z",
"expires": "2026-02-24T20:30:00Z"
}
}
Get order challenges
Retrieve the ACME challenges for a certificate order to determine the validation requirements.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/role/:name/order/:order_id/challenge |
Parameters
- `name` `(string: <required>)` - The name of the role.
- `order_id` `(string: <required>)` - The order ID.
- `identifier` `(string: <required>)` - The identifier (domain) for which the challenge was fulfilled.
- `challenge_type` `(string: <required>)` - The type of challenge fulfilled. Must be one of:
  - `http-01` - HTTP-01 challenge
  - `dns-01` - DNS-01 challenge
  - `tls-alpn-01` - TLS-ALPN-01 challenge
Sample payload
{
"identifier": "example.com",
"challenge_type": "http-01"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/order/01936d8e-7c3a-7890-b123-456789abcdef/challenge
Sample response
{
"data": {
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef",
"authorizations": [
{
"identifier": "example.com",
"challenges": [
{
"type": "http-01",
"token": "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0",
"key_authorization": "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI",
"validation_url": "http://example.com/.well-known/acme-challenge/LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
},
{
"type": "dns-01",
"token": "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0",
"key_authorization": "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI",
"dns_record_name": "_acme-challenge.example.com",
"dns_record_value": "gfj9Xq...Rg85nM"
}
]
}
]
}
}
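Before publishing a challenge response and marking it fulfilled, a client can check that the fields in the response above agree with RFC 8555. The Python below is an added example, not part of the Vault documentation: `plan_challenge`, `find_challenge` and `dns01_txt_value` are hypothetical helper names, the sample response is constructed from the page's sample values, and the code assumes `dns_record_value` carries the RFC 8555 DNS-01 digest.

```python
import base64
import hashlib

# Constructed sample: TOKEN and KEY_AUTH are the page's sample values.
# dns_record_value is computed below because the page elides it.
TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
KEY_AUTH = TOKEN + ".9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 section 8.4: unpadded base64url of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


SAMPLE = {"data": {"order_id": "01936d8e-7c3a-7890-b123-456789abcdef", "authorizations": [{
    "identifier": "example.com",
    "challenges": [
        {"type": "http-01", "token": TOKEN, "key_authorization": KEY_AUTH,
         "validation_url": "http://example.com/.well-known/acme-challenge/" + TOKEN},
        {"type": "dns-01", "token": TOKEN, "key_authorization": KEY_AUTH,
         "dns_record_name": "_acme-challenge.example.com",
         "dns_record_value": dns01_txt_value(KEY_AUTH)},
    ],
}]}}


def find_challenge(response: dict, identifier: str, challenge_type: str) -> dict:
    """Pick the challenge entry for one identifier and type out of the response."""
    for authz in response["data"]["authorizations"]:
        if authz["identifier"] == identifier:
            for ch in authz["challenges"]:
                if ch["type"] == challenge_type:
                    return ch
    raise LookupError(f"no {challenge_type} challenge for {identifier}")


def plan_challenge(response: dict, identifier: str, challenge_type: str) -> dict:
    """Return what to publish, raising ValueError if the fields are inconsistent."""
    ch = find_challenge(response, identifier, challenge_type)
    token, key_auth = ch["token"], ch["key_authorization"]
    # RFC 8555 section 8.1: key authorization is "<token>.<account key thumbprint>".
    if not key_auth.startswith(token + "."):
        raise ValueError("key_authorization is not bound to the challenge token")
    if challenge_type == "http-01":
        path = "/.well-known/acme-challenge/" + token
        # The URL must target the identifier being validated, over plain HTTP.
        if ch["validation_url"] != f"http://{identifier}{path}":
            raise ValueError("validation_url does not match identifier and token")
        return {"url": ch["validation_url"], "body": key_auth}
    if challenge_type == "dns-01":
        # A wildcard identifier is validated at the base domain's record.
        base = identifier[2:] if identifier.startswith("*.") else identifier
        if ch["dns_record_name"].rstrip(".") != "_acme-challenge." + base:
            raise ValueError("dns_record_name does not match identifier")
        # Recompute the digest locally instead of trusting the returned value.
        if ch["dns_record_value"] != dns01_txt_value(key_auth):
            raise ValueError("dns_record_value is not SHA-256(key_authorization)")
        return {"name": ch["dns_record_name"], "value": ch["dns_record_value"]}
    raise NotImplementedError("only http-01 and dns-01 appear in the sample response")


if __name__ == "__main__":
    print(plan_challenge(SAMPLE, "example.com", "http-01"))
    print(plan_challenge(SAMPLE, "example.com", "dns-01"))
```
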
Mark challenge as fulfilled
Tell Vault that a challenge is fulfilled and ready for validation by the ACME server.
| Method | Path |
|---|---|
| POST | /{plugin_mount_path}/role/:name/order/:order_id/fulfilled-challenge |
Parameters
- `name` `(string: <required>)` - The name of the role.
- `order_id` `(string: <required>)` - The order ID.
- `identifier` `(string: <required>)` - The identifier (domain) for which the challenge was fulfilled.
- `challenge_type` `(string: <required>)` - The type of challenge fulfilled. Must be one of:
  - `http-01` - HTTP-01 challenge
  - `dns-01` - DNS-01 challenge
  - `tls-alpn-01` - TLS-ALPN-01 challenge
Sample payload
{
"identifier": "example.com",
"challenge_type": "http-01"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/order/01936d8e-7c3a-7890-b123-456789abcdef/fulfilled-challenge
Sample response
{
"data": {
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef",
"identifier": "example.com",
"challenge_type": "http-01",
"marked_ready": true
}
}
Fetch certificate
Retrieve the issued certificate for a completed order.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/role/:name/order/:order_id/fetch-cert |
Parameters
- `name` `(string: <required>)` - The name of the role.
- `order_id` `(string: <required>)` - The order ID.
- `certificate_format` `(string: "pem")` - The format of the returned certificate. Must be one of:
  - `pem` - PEM format (default)
  - `der` - DER format
  - `pem_bundle` - PEM format with full certificate chain
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/order/01936d8e-7c3a-7890-b123-456789abcdef/fetch-cert
Sample response
{
"data": {
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"issuing_ca": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"ca_chain": ["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"],
"private_key": "-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----",
"private_key_type": "ec",
"serial_number": "03:e7:1f:...:a2:3d"
}
}
Revoke certificate
Revoke a certificate.
| Method | Path |
|---|---|
| POST | /{plugin_mount_path}/role/:name/order/:order_id/revoke |
Parameters
- `name` `(string: <required>)` - The name of the role.
- `order_id` `(string: <required>)` - The order ID.
- `reason` `(string: "unspecified")` - The reason for revocation. Valid values:
  - `unspecified`: no specific reason is provided or the reason does not fit into any other category.
  - `key_compromise`: known or suspected that the private key corresponding to the certificate has been compromised.
  - `ca_compromise`: known or suspected that the CA's private key has been compromised.
  - `affiliation_changed`: the subject of the certificate has changed its affiliation (e.g., company name change).
  - `superseded`: the certificate has been superseded by a new certificate.
  - `cessation_of_operation`: the certificate is no longer needed and will no longer be used.
  - `certificate_hold`: the certificate is on hold and should not be considered valid.
  - `remove_from_crl`: indicates that a certificate is being removed from a Delta CRL list.
  - `privilege_withdrawn`: the issuing CA has withdrawn the certificate's privileges.
  - `aa_compromise`: one of the attribute authorities has been compromised.
Sample payload
{
"reason": "key_compromise"
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request POST \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/order/01936d8e-7c3a-7890-b123-456789abcdef/revoke
Sample response
{
"data": {
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef",
"revoked": true,
"revocation_time": "2026-02-24T21:00:00Z"
}
}
List active orders
List all active (non-terminal) orders for a role.
| Method | Path |
|---|---|
| LIST | /{plugin_mount_path}/role/:name/active-orders |
Parameters
- `name` `(string: <required>)` - The name of the role.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request LIST \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/active-orders
Sample response
{
"data": {
"keys": [
"01936d8e-7c3a-7890-b123-456789abcdef",
"01936d8f-1234-5678-9abc-def012345678"
]
}
}
Get cached certificate
Retrieve the most recently issued (cached) certificate for a role without going through the order workflow.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/role/:name/cached |
Parameters
- `name` `(string: <required>)` - The name of the role.
- `identifiers` `(array<string>: "")` - List of domain names to include in the certificate.
- `min_validity_duration` `(int)` - The minimum duration remaining of the certificate. You must provide either `min_validity_duration` or `min_validity_percentage`, but not both.
- `min_validity_percentage` `(int)` - The minimum percentage remaining of the certificate. You must provide either `min_validity_percentage` or `min_validity_duration`, but not both.
- `certificate_format` `(string: "pem")` - The format of the returned certificate:
  - `pem` - PEM format (default)
  - `der` - DER format
  - `pem_bundle` - PEM format with full certificate chain
Sample payload
{
"identifiers": ["example.com", "www.example.com"],
"min_validity_percentage": 75
}
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--data @payload.json \
${VAULT_ADDR}/v1/pki-external-ca/role/web-server/cached
Sample response
{
"data": {
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"issuing_ca": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
"ca_chain": ["-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"],
"serial_number": "03:e7:1f:...:a2:3d",
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef"
}
}
Lookup operations
Lookup operations provide ways to query certificate and order information.
Lookup certificate by serial
Look up certificate information by serial number.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/lookup/cert/:serial |
Parameters
- `serial` `(string: <required>)` - The serial number of the certificate, including any colons or hyphens.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
${VAULT_ADDR}/v1/pki-external-ca/lookup/cert/03:e7:1f:a2:3d
Sample response
{
"data": {
"order_status": "completed",
"role_name": "web-server",
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef",
"identifiers": ["example.com", "www.example.com"],
"not_before": "2026-02-24T20:00:00Z",
"not_after": "2026-05-25T20:00:00Z"
}
}
Lookup order by ID
Look up order information by order ID.
| Method | Path |
|---|---|
| GET | /{plugin_mount_path}/lookup/order/:order_id |
Parameters
- `order_id` `(string: <required>)` - The order ID.
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
${VAULT_ADDR}/v1/pki-external-ca/lookup/order/01936d8e-7c3a-7890-b123-456789abcdef
Sample response
{
"data": {
"order_id": "01936d8e-7c3a-7890-b123-456789abcdef",
"order_status": "completed",
"role_name": "web-server",
"identifiers": ["example.com", "www.example.com"],
"workflow_type": "identifiers",
"creation_date": "2026-02-24T20:00:00Z",
"last_update": "2026-02-24T20:15:00Z",
"expires": "2026-02-24T20:30:00Z"
}
}
List all orders
List all active and complete orders.
| Method | Path |
|---|---|
| LIST | /{plugin_mount_path}/lookup/orders |
Sample request
$ curl \
--header "X-Vault-Token: ${VAULT_TOKEN}" \
--request LIST \
${VAULT_ADDR}/v1/pki-external-ca/lookup/orders
Sample response
{
"data": {
"keys": [
"01936d8e-7c3a-7890-b123-456789abcdef",
"01936d8f-1234-5678-9abc-def012345678",
"01936d90-abcd-ef01-2345-6789abcdef01"
]
}
}