What is the value returned with vault read keyfactor/cert/<serial number>

[fredwlau]

The example is showing what looks to be a PEM Base64 encoded certificate but when I try

vault read keyfactor/cert/<serial number>

in our dev environment and then try to read the certificate with openssl it is not valid.

It's also different than the response payload from

vault write keyfactor/issue/<role>

which responds with the leaf, issuing, and private key entries separately.

[fredwlau]

Upon further inspection it looks like the returned response from

vault read keyfactor/cert/<serial number>

is a Base64 encoded PEM Base64 certificate which means it was originally a well formatted PEM certificate with header and footer and then it was Base64 encoded again and then an additional header and footer were appended to it.

Stripping the header and footer from the vault response and then running

cat stripped.pem | base64 -d | openssl x509 -text

provides a correct parsing. Is this intentional to Base 64 encode an already PEM encoded certificate?