Certificate counting
Enterprise feature: an appropriate Vault Enterprise license is required.
Vault Enterprise clusters running v1.21 and later maintain a count of every certificate issued across all mounts of the built-in PKI secrets engine.
Vault does not deduplicate certificate counts. For example, if you request two certificates with the same Common Name (CN) and Subject Alternative Names (SANs), Vault counts them as two separate certificates.
To retrieve the current certificate usage counts, query the sys/billing/certificates API endpoint.
Considerations
Be aware of the following considerations with respect to certificate counting in Vault:
- Vault aggregates and persists certificate counts approximately every two minutes. If a cluster node terminates before persisting its in-memory counts, Vault may lose the counts of certificates issued during that interval.
- Vault assigns certificate issuance counts to the day it persists those counts to storage. As a result, certificates issued at the very end of a day, month, or year may be counted on the following day, month, or year.
- The sys/billing/certificates API endpoint only provides certificate counts. API responses do not provide attribution to namespaces, mounts, roles, or entities. To attribute certificate issuance, you must correlate the counts with your audit logs.
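The audit-log correlation that the last consideration calls for, as an added example (not code from this page or from Vault itself): it attributes successful PKI issuance to namespace, mount and role from JSON audit entries and compares the attributed total with the total reported by sys/billing/certificates. The audit lines are constructed, the field names follow the Vault JSON audit format as assumed here, and the path pattern is an assumption that covers the common issue/sign endpoints only.

```python
"""Attribute PKI certificate issuance from Vault audit log lines (added example)."""
import json
import re
from collections import Counter

# Assumption: certificates are issued via <mount>/issue/<role> or <mount>/sign/<role>.
# Extend for sign-verbatim, root/sign-intermediate or ACME paths if you use them.
ISSUE_PATH = re.compile(r"^(?P<mount>.+?)/(?:issue|sign)/(?P<role>[^/]+)$")


def attribute_issuance(audit_lines):
    """Return Counter keyed by (namespace, mount, role) for successful issuance.

    Each request produces a 'request' and a 'response' entry; only 'response'
    entries are counted, and entries carrying an 'error' are skipped, because
    Vault counts certificates actually issued, not attempts. Like Vault, this
    does not deduplicate: two certificates with the same CN/SANs count as two.
    """
    counts = Counter()
    for line in audit_lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request", {})
        if req.get("operation") != "update" or req.get("mount_type") != "pki":
            continue
        m = ISSUE_PATH.match(req.get("path", ""))
        if not m:
            continue
        ns = req.get("namespace", {}).get("path") or "root"
        counts[(ns, m["mount"], m["role"])] += 1
    return counts


def billing_gap(counts, billing_total):
    """Attributed total minus the sys/billing/certificates total; 0 means agreement.

    A positive gap is expected when a node lost unpersisted counts, a negative
    one when issuance near a day boundary was persisted on the following day.
    """
    return sum(counts.values()) - billing_total


def _entry(kind, path, op="update", mtype="pki", ns="", error=None):
    """Build one constructed audit line with the fields the parser inspects."""
    e = {"type": kind, "request": {"operation": op, "mount_type": mtype,
                                   "path": path, "namespace": {"path": ns}}}
    if error:
        e["error"] = error
    return json.dumps(e)


SAMPLE_AUDIT = [  # constructed sample, not a real audit log
    _entry("request", "pki/issue/web"),            # request half, not counted
    _entry("response", "pki/issue/web"),           # counted
    _entry("response", "pki/issue/web"),           # same CN again, still counted
    _entry("response", "pki_int/sign/svc", ns="team-a/"),
    _entry("response", "pki/issue/web", error="permission denied"),
    _entry("response", "secret/data/foo", mtype="kv"),
    _entry("response", "pki/roles/web", op="read"),
]
```

Run `attribute_issuance(SAMPLE_AUDIT)` to get the per-(namespace, mount, role) breakdown, then pass it with the endpoint's total to `billing_gap` to spot lost or shifted counts.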