From fd52499843bb07346e1d9584f0eb4d000047a7b0 Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Tue, 9 Sep 2025 13:55:34 -0600
Subject: [PATCH] Batch Certificate Endpoint Addition (#8800) (#9223)

* Base batchFetch functionality.

* Finished Path work, simple test.

* Add Changelog.

* Re-Alphabetize Test; add new endpoint to auth-test.

* Improvement formatting changelog.

* Fix CE tests; PR-feedback on err responses.

* Add Test Go Docs.

Co-authored-by: Kit Haines <khaines@mit.edu>
---
 builtin/logical/pki/backend_test.go | 8 ++++----
 changelog/_8800.txt                 | 3 +++
 2 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 changelog/_8800.txt

diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index c6c16e2028..3e69bfeb5c 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -6959,6 +6959,8 @@ func TestProperAuthing(t *testing.T) {
 	eabKid := "13b80844-e60d-42d2-b7e9-152a8e834b90"
 	acmeKeyId := "hrKmDYTvicHoHGVN2-3uzZV_BPGdE0W_dNaqYTtYqeo="
 	paths := map[string]pathAuthChecker{
+		"acme/mgmt/account/keyid/":               shouldBeAuthed,
+		"acme/mgmt/account/keyid/" + acmeKeyId:   shouldBeAuthed,
 		"ca_chain":                               shouldBeUnauthedReadList,
 		"cert/ca_chain":                          shouldBeUnauthedReadList,
 		"ca":                                     shouldBeUnauthedReadList,
@@ -6996,6 +6998,8 @@ func TestProperAuthing(t *testing.T) {
 		"crl/delta/pem":                          shouldBeUnauthedReadList,
 		"crl/rotate":                             shouldBeAuthed,
 		"crl/rotate-delta":                       shouldBeAuthed,
+		"eab/":                                   shouldBeAuthed,
+		"eab/" + eabKid:                          shouldBeAuthed,
 		"intermediate/cross-sign":                shouldBeAuthed,
 		"intermediate/generate/exported":         shouldBeAuthed,
 		"intermediate/generate/internal":         shouldBeAuthed,
@@ -7075,10 +7079,6 @@ func TestProperAuthing(t *testing.T) {
 		"unified-crl/delta/pem":                  shouldBeUnauthedReadList,
 		"unified-ocsp":                           shouldBeUnauthedWriteOnly,
 		"unified-ocsp/dGVzdAo=":                  shouldBeUnauthedReadList,
-		"eab/":                                   shouldBeAuthed,
-		"eab/" + eabKid:                          shouldBeAuthed,
-		"acme/mgmt/account/keyid/":               shouldBeAuthed,
-		"acme/mgmt/account/keyid/" + acmeKeyId:   shouldBeAuthed,
 	}
 
 	entPaths := getEntProperAuthingPaths(serial)
diff --git a/changelog/_8800.txt b/changelog/_8800.txt
new file mode 100644
index 0000000000..8c73f338a7
--- /dev/null
+++ b/changelog/_8800.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki (enterprise): add new batch/certs endpoint to allow multiple certificates to be fetched at once.
+```
\ No newline at end of file