Our Vault storage keeps cluttering up with a massive amount of expired certificates.
There is an option to revoke a certificate using the API or a lease ID, but the certificates are still available and can be queried.
The following will only revoke a certificate:
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/pki/revoke
Is there a way to permanently remove expired certificates?
There is an endpoint for it, tidy:
This endpoint allows tidying up the storage backend and/or CRL by removing certificates that have expired and are past a certain buffer period beyond their expiration time.
So to remove all expired certificates, make a POST request to https://<vault-api-url>:<api-port>/v1/<pki-role>/tidy with "tidy_cert_store": true as the payload.
Using cURL:
curl -X POST \
https://<vault-api-url>:<api-port>/v1/<pki-role>/tidy \
-H 'content-type: application/json' \
-H 'x-vault-token: c32165c4-212f-2dc2e-cd9f-acf63bdce91c' \
-d '{
"tidy_cert_store": true
}'
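The tidy call returns immediately (202 Accepted) and the deletion runs in the background, so a script that relies on it should confirm completion. The following is an added example, not code from the answer or from Vault itself: it starts tidy with the `safety_buffer` and `tidy_revoked_certs` parameters of the same endpoint, then polls the PKI mount's `tidy-status` endpoint (available in current Vault releases, not mentioned in the answer above). The address, mount name and token are constructed placeholders, and the HTTP transport is injected so the logic can be exercised without a live server.

```python
import json
import time
import urllib.request

# Constructed sample values; replace with your own Vault address, PKI mount and token.
VAULT_ADDR = "https://vault.example.internal:8200"
PKI_MOUNT = "pki"
TOKEN = "s.EXAMPLE-TOKEN-PLACEHOLDER"


def tidy_request(addr, mount, token, safety_buffer="72h", tidy_revoked=True):
    """POST /v1/<mount>/tidy: start a background job that removes certificates
    that have been expired for longer than safety_buffer."""
    body = {
        "tidy_cert_store": True,             # remove expired certs from the cert store
        "tidy_revoked_certs": tidy_revoked,  # also drop expired entries from the revoked list
        "safety_buffer": safety_buffer,      # grace period past expiry before deletion
    }
    return urllib.request.Request(
        f"{addr}/v1/{mount}/tidy",
        data=json.dumps(body).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )


def status_request(addr, mount, token):
    """GET /v1/<mount>/tidy-status: state of the most recent tidy job."""
    return urllib.request.Request(f"{addr}/v1/{mount}/tidy-status",
                                  headers={"X-Vault-Token": token})


def parse_tidy_status(payload):
    """Return (finished, certs_deleted); raise if the last job reported an error."""
    data = json.loads(payload)["data"]
    if data.get("state") == "Error":
        raise RuntimeError(f"tidy failed: {data.get('error')}")
    return data.get("state") == "Finished", int(data.get("cert_store_deleted_count") or 0)


def run_tidy(addr, mount, token, send, poll_interval=2.0, max_polls=30):
    """Start tidy, then poll until it finishes. `send(req)` performs the HTTP
    request and returns the response body as bytes (injected so it can be faked)."""
    send(tidy_request(addr, mount, token))  # 202 Accepted; work continues server-side
    for _ in range(max_polls):
        finished, deleted = parse_tidy_status(send(status_request(addr, mount, token)))
        if finished:
            return deleted
        time.sleep(poll_interval)
    raise TimeoutError("tidy did not finish within the polling window")


def http_send(req):
    """Real transport: perform the request against Vault and return the body."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("expired certificates removed:", run_tidy(VAULT_ADDR, PKI_MOUNT, TOKEN, http_send))
```

The token used needs `update` on `<mount>/tidy` and `read` on `<mount>/tidy-status` in its policy; a root token is not required.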