From f133fe014dc66188b5c3c5a7eac251a56ba2115a Mon Sep 17 00:00:00 2001
From: Ryan Treat
Date: Tue, 29 Sep 2020 20:04:56 -0700
Subject: [PATCH] Forward standby/secondary issue/sign requests to primary (#57)

---
 plugin/pki/path_issue_sign.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/plugin/pki/path_issue_sign.go b/plugin/pki/path_issue_sign.go
index 41651575..1f3f7a1c 100644
--- a/plugin/pki/path_issue_sign.go
+++ b/plugin/pki/path_issue_sign.go
@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -189,6 +190,12 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 }
 
 func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry, useCSR, useCSRValues bool) (*logical.Response, error) {
+	// If storing the certificate and on a performance standby or secondary, forward this request on to the primary
+	if !role.NoStore && b.System().ReplicationState().
+		HasState(consts.ReplicationPerformanceStandby|consts.ReplicationPerformanceSecondary) {
+		return nil, logical.ErrReadOnly
+	}
+
 	format := getFormat(data)
 	if format == "" {
 		return logical.ErrorResponse(
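Review bot: The added comment at the top of pathIssueSignCert says the request is forwarded, but the code itself only returns `logical.ErrReadOnly`; a reader who does not know that Vault core treats that sentinel from a standby as "forward to the primary" will read this as a hard rejection. Suggest making the mechanism explicit, e.g. `// Returning logical.ErrReadOnly on a performance standby/secondary makes Vault core forward the request to the primary; only needed when the cert will be stored (NoStore=false), since a non-stored issuance has no storage write to protect.` The condition is also evaluated before any input validation (getFormat and the checks that follow), so malformed requests are presumably forwarded and rejected on the primary rather than locally; that is likely acceptable but worth a sentence in the comment. The chained `b.System().ReplicationState().` with the method call continued on the next line is hard to scan; binding it first, `isStandby := b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby | consts.ReplicationPerformanceSecondary)`, and testing `if !role.NoStore && isStandby {` reads more plainly. The body of pathIssueSignCert continues past the end of the hunk, so whether a later storage write could still run on a standby in the NoStore case cannot be confirmed here.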