PKI secrets engine
The PKI secrets engine generates dynamic X.509 certificates.
Use case
Automated PKI infrastructure
Quickly create X.509 certificates on demand and reduce the manual overhead.
Challenge
Creating, rotating, and managing certificates is cumbersome and time consuming
Organizations should protect their infrastructure. However, traditional PKI process workflow takes a long time, which motivates organizations to create certificates which do not expire for a year or more.
Solution
Vault's PKI secrets engine can dynamically generate X.509 certificates on demand. This allows services to acquire certificates without going through the usual manual process of generating a private key and Certificate Signing Request (CSR), submitting to a Certificate Authority (CA), and then waiting for the verification and signing process to complete.
Resources
Docs
Explore all
Tutorials
Explore all
Build your own certificate authority (CA)
Use Vault to create X.509 certificates for usage in Mutual Transport Layer Security (MTLS) or other arbitrary PKI encryption.
Offline root certificate authority (CA) with Vault
Create the CA chain hierarchy with an offline root and online intermediate CAs in Vault.
Configure Vault as a certificate manager in Kubernetes
Cert-manager enables Vault's PKI secrets engine to dynamically generate X.509 certificates within Kubernetes.
Streamline certificate management
Certificates are at the nexus of modern secure communication. This will show you how to leverage Vault to quickly and securely generate PKI (x509) and SSH certificates. A demo showing how to leverage this information will help give you ideas how to integrate this into your environments.