RFE: Support rotating Vault’s own TLS certificate
Is your feature request related to a problem? Please describe.
Having to manually rotate certificates is annoying.
Describe the solution you'd like
Vault has a built-in PKI. If Vault is using a TLS certificate it itself issued, Vault should rotate that certificate automatically.
Describe alternatives you've considered
External scripting.
Explain any additional use-cases
None
Additional context
None
One small challenge here is file permissions. In the past I've had the TLS files be read only.
A solution could be for Vault to skip writing the certificate to the filesystem and just issue it "virtually" - instead of the SSL config referencing the filesystem, it could issue it using a PKI path and keep the cert+key in memory - although authentication might be tricky since you'd have Vault prove that it has permissions to issue from that path ... a chicken-and-egg problem of sorts.
I would skip the access check. Enabling this feature would require either sudo permissions or write access to the configuration file, either of which is sufficient to bypass any access check.
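As an added illustration of the in-memory approach discussed above (this is example code written for this page, not Vault's own code and not from any commenter): a Go sketch in which the listener certificate and key live only in memory, every new handshake picks up the newest certificate through `tls.Config.GetCertificate`, and a rotation routine re-issues when the current leaf is inside a renewal window. `NewLocalCA` is a constructed stand-in for Vault's PKI issue endpoint, `RotatingCert`, `RotateIfNeeded` and `ServedSerial` are hypothetical helper names, and `vault.example.internal` is a made-up hostname. The loopback handshake at the end shows that clients see the new serial without a restart and without any file being written.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"sync"
	"time"
)

// RotatingCert keeps the listener's cert and key in memory only, so rotation
// never writes to (possibly read-only) TLS files on disk.
type RotatingCert struct {
	mu  sync.RWMutex
	cur *tls.Certificate
}

func (r *RotatingCert) Set(c *tls.Certificate) { r.mu.Lock(); r.cur = c; r.mu.Unlock() }

// GetCertificate plugs into tls.Config: every new handshake sees the newest cert.
func (r *RotatingCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cur, nil
}

// IssueFunc stands in for a request to Vault's PKI issue endpoint (hypothetical;
// here it is backed by the throwaway in-memory CA built by NewLocalCA).
type IssueFunc func(cn string, ttl time.Duration) (*tls.Certificate, error)

// NewLocalCA builds a constructed test CA and returns an issuer plus the CA cert.
func NewLocalCA() (IssueFunc, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // DER we just produced; parsing cannot fail
	serial := int64(1)
	issue := func(cn string, ttl time.Duration) (*tls.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		serial++ // each issuance gets a fresh serial, like a real CA would assign
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		leaf, _ := x509.ParseCertificate(der)
		return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
	}
	return issue, caCert, nil
}

// RotateIfNeeded re-issues when no cert is installed yet or the current leaf is
// within threshold of expiry. It reports whether a new cert was installed.
func RotateIfNeeded(r *RotatingCert, issue IssueFunc, cn string, ttl, threshold time.Duration, now time.Time) (bool, error) {
	if cur, _ := r.GetCertificate(nil); cur != nil && cur.Leaf.NotAfter.Sub(now) > threshold {
		return false, nil
	}
	next, err := issue(cn, ttl)
	if err != nil {
		return false, err
	}
	r.Set(next)
	return true, nil
}

// ServedSerial performs one loopback handshake against a listener that uses the
// rotating cert and returns the serial number the client was shown.
func ServedSerial(r *RotatingCert, caCert *x509.Certificate, cn string) (int64, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: r.GetCertificate, MinVersion: tls.VersionTLS12})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // drive the server side of the handshake
			c.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: cn})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].SerialNumber.Int64(), nil
}

func main() {
	issue, ca, err := NewLocalCA()
	if err != nil {
		log.Fatal(err)
	}
	r, cn := &RotatingCert{}, "vault.example.internal" // hypothetical listener hostname
	// Second pass pretends 45 minutes passed: a 1h cert is then inside the 30m renewal window.
	for _, now := range []time.Time{time.Now(), time.Now().Add(45 * time.Minute)} {
		rotated, err := RotateIfNeeded(r, issue, cn, time.Hour, 30*time.Minute, now)
		if err != nil {
			log.Fatal(err)
		}
		serial, err := ServedSerial(r, ca, cn)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("rotated=%v, serial served to clients=%d\n", rotated, serial)
	}
}
```

The renewal check is driven by the leaf's NotAfter rather than by a fixed timer, so a shorter TTL configured on the issuing role automatically tightens the rotation cadence. For the on-disk path that exists today, the external-script alternative from the issue body works because Vault reloads listener TLS certificates on SIGHUP, but that route requires the certificate files to be writable by the script, which is exactly the permissions problem raised above; the in-memory design sidesteps it.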