Uninstalling the Plugin

Uninstalling will permanently delete all certificates, private keys, and configurations stored in Vault. Backup your data before proceeding if you need to retain it.

To remove the Sectigo Vault PKI plugin from HashiCorp Vault:

  1. Export certificates you want to keep (Optional).

    List configurations:

    vault list sectigo-vault-pki/configs

    List certificates for a config:

    vault list sectigo-vault-pki/certs/<config_name>

    Export certificate:

    vault read -format=json sectigo-vault-pki/certs/<config_name>/<cert_id> > backup.json

    Extract certificate:

    jq -r '.data.sectigo_certificate_string' backup.json > certificate.pem

    Extract private key:

    jq -r '.data.sectigo_private_key_string' backup.json > private_key.pem

  2. Disable the Secrets Engine.

    vault secrets disable sectigo-vault-pki

    This permanently deletes all data stored in the plugin.

  3. Deregister the Plugin.

    List plugins to find exact name:

    vault plugin list secret

    Deregister the plugin (use the exact name from the list above):

    vault plugin deregister secret <plugin-name>

  4. Delete the plugin binary file from Vault’s plugin directory on the file system.

  5. Verify that the plugin is no longer on either list:

    vault secrets list

    vault plugin list secret

  6. Verify that the binary file no longer exists in the plugin directory.