Vault PKI for Modern Infrastructure
HashiCorp Vault's PKI secrets engine enables organizations to implement dynamic, short-lived certificates that align with zero-trust security principles. Unlike traditional PKI with long-lived certificates, Vault PKI issues certificates on-demand with lifetimes measured in hours or days.
Why Vault PKI?
- Short-Lived Certificates: Minutes to hours, not years
- Dynamic Issuance: Certificates generated on-demand
- No Key Distribution: Private keys never leave the requesting system
- Audit Logging: Complete visibility into certificate operations
- Policy Enforcement: Fine-grained access control
PKI Secrets Engine Setup
Enable PKI Engine
Enable the PKI secrets engine and set its maximum lease TTL; this value caps the lifetime of every certificate the engine issues, regardless of what a role or request asks for.
Generate Root CA
Generate the root CA with internal key generation (the root private key is created inside Vault and is never exported), a common name, and a TTL. Configure the CA and CRL URLs so issued certificates point clients at the right distribution endpoints.
Create Intermediate CA
For production, use an intermediate CA:
- Enable intermediate PKI
- Generate intermediate CSR
- Sign with root CA
- Set signed intermediate certificate
PKI Roles
Roles define certificate issuance policies with:
- Allowed domains and subdomain settings
- Max TTL and whether to generate a lease per certificate
- Key type and size requirements
Create separate roles for different use cases (web servers, service mesh, etc.).
Issuing Certificates
Direct CLI
Issue a certificate with vault write against the role's issue path, supplying the common name, SANs, and TTL.
API Request
Use the HTTP API to issue certificates programmatically.
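The setup steps above (engine, root CA, intermediate CA, roles) and the issuance step all map onto a handful of HTTP API paths. The following is an added example, not code from the original article or from HashiCorp: a minimal client that walks the whole sequence, with the transport injectable so the exchange can be exercised offline against a fake Vault. Mount names `pki` and `pki_int`, the role name `web`, the `example.internal` hostnames, the token placeholder and the `fake_vault` responses are all assumptions constructed for the example; the API paths and parameters are Vault's own.

```python
"""Two-tier Vault PKI bootstrap, role creation and issuance over the HTTP API."""
import json
import urllib.request


class VaultPKI:
    """Minimal client for Vault's PKI secrets engine (/v1 HTTP API). The
    `transport(method, path, payload) -> dict` hook lets tests replace HTTP."""

    def __init__(self, addr, token, transport=None):
        self.addr = addr.rstrip("/")
        self.token = token
        self._send = transport or self._http

    def _http(self, method, path, payload):
        body = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", data=body, method=method,
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # 204 No Content -> {}

    def write(self, path, **payload):
        """POST to a Vault path and return the `data` object of the response."""
        return self._send("POST", path, payload).get("data") or {}

    def bootstrap_two_tier(self, org, root_ttl="87600h", int_ttl="43800h"):
        """Root CA at mount `pki`, intermediate at `pki_int`. Leaf certificates
        come from the intermediate, so the root key is only exercised here."""
        self.write("sys/mounts/pki", type="pki", config={"max_lease_ttl": root_ttl})
        # "internal": the private key is generated inside Vault and never returned
        self.write("pki/root/generate/internal", common_name=f"{org} Root CA", ttl=root_ttl)
        self.write("pki/config/urls",
                   issuing_certificates=f"{self.addr}/v1/pki/ca",
                   crl_distribution_points=f"{self.addr}/v1/pki/crl")
        self.write("sys/mounts/pki_int", type="pki", config={"max_lease_ttl": int_ttl})
        csr = self.write("pki_int/intermediate/generate/internal",
                         common_name=f"{org} Intermediate CA")["csr"]
        signed = self.write("pki/root/sign-intermediate",
                            csr=csr, format="pem_bundle", ttl=int_ttl)["certificate"]
        self.write("pki_int/intermediate/set-signed", certificate=signed)
        return signed

    def create_role(self, name, domains, max_ttl="72h", key_type="rsa", key_bits=2048):
        """Issuance policy: which names a certificate may carry, for how long,
        with what kind of key. Vault rejects requests outside these bounds."""
        return self.write(f"pki_int/roles/{name}",
                          allowed_domains=",".join(domains), allow_subdomains=True,
                          allow_bare_domains=False, allow_any_name=False,
                          ttl="24h", max_ttl=max_ttl, key_type=key_type,
                          key_bits=key_bits, generate_lease=False)

    def issue(self, role, common_name, alt_names=(), ttl="24h"):
        """Vault generates the key pair and returns the private key exactly once."""
        data = self.write(f"pki_int/issue/{role}", common_name=common_name,
                          alt_names=",".join(alt_names), ttl=ttl)
        chain = "\n".join(data.get("ca_chain") or [data["issuing_ca"]])
        return {"certificate": data["certificate"], "private_key": data["private_key"],
                "chain": chain, "serial_number": data["serial_number"],
                "expiration": data["expiration"]}

    def sign(self, role, csr_pem, common_name, ttl="24h"):
        """Alternative to issue(): the caller keeps its own key and submits a CSR,
        so the private key never leaves the requesting system."""
        return self.write(f"pki_int/sign/{role}", csr=csr_pem,
                          common_name=common_name, ttl=ttl)


def fake_vault():
    """Constructed stand-in for Vault: records every call and answers with the
    fields the real API returns, using placeholder text instead of real PEM."""
    calls = []
    canned = {
        "pki_int/intermediate/generate/internal": {"csr": "FAKE-CSR"},
        "pki/root/sign-intermediate": {"certificate": "FAKE-INTERMEDIATE"},
        "pki_int/issue/web": {"certificate": "FAKE-LEAF", "private_key": "FAKE-KEY",
                              "issuing_ca": "FAKE-INTERMEDIATE",
                              "ca_chain": ["FAKE-INTERMEDIATE", "FAKE-ROOT"],
                              "serial_number": "00:11:22:33:44:55", "expiration": 1700086400},
    }

    def transport(method, path, payload):
        calls.append((method, path, payload))
        return {"data": canned.get(path, {})}

    return transport, calls


if __name__ == "__main__":
    transport, calls = fake_vault()
    vault = VaultPKI("https://vault.example.internal:8200", "hvs.PLACEHOLDER", transport)
    vault.bootstrap_two_tier("Example Corp")
    vault.create_role("web", ["example.internal"])
    leaf = vault.issue("web", "api.example.internal", ["api.example.internal"], ttl="24h")
    for method, path, _ in calls:
        print(method, path)
    print("leaf serial:", leaf["serial_number"], "expires:", leaf["expiration"])
```

Against a real server, drop the `transport` argument and the same calls go over HTTPS with the token in `X-Vault-Token`. Note the distinction between `issue` and `sign`: `issue` has Vault generate the key and hand it back once, while `sign` takes a CSR from a key generated on the requesting host, which is the flow that keeps private keys from ever leaving that system.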
Kubernetes Integration
Vault Agent Injector
Use annotations to inject certificates into pods:
- Enable agent injection
- Specify role and secret path
- Define templates for certificate and key files
cert-manager Integration
Configure ClusterIssuer with Vault path, server URL, and Kubernetes authentication.
Short-Lived Certificate Patterns
Sidecar Pattern
Vault Agent as a sidecar watches files and renews certificates automatically, reloading applications when certificates change.
Auto-Renewal
Configure automatic certificate renewal at a percentage of TTL (typically 70%).
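The sidecar and auto-renewal patterns above amount to two pieces of logic: work out when a certificate has consumed the chosen fraction of its lifetime, and reload the application only when the material on disk has actually changed. This is an added illustration of that logic, not Vault Agent's own code or code from the original article; the duration grammar, the 70% default and the `tls.crt`/`tls.key` file names are assumptions for the example, and the certificate contents written in the demo are constructed placeholders.

```python
"""Renew at a fraction of the certificate lifetime and reload only on real change."""
import hashlib
import re
import tempfile
import time
from pathlib import Path

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ttl(ttl):
    """Vault-style duration ("24h", "90m", "36h30m" or plain seconds "3600") -> seconds."""
    ttl = str(ttl).strip()
    if ttl.isdigit():
        return int(ttl)
    parts = re.findall(r"(\d+)([smhd])", ttl)
    if not parts or "".join(n + u for n, u in parts) != ttl:
        raise ValueError(f"unrecognised duration: {ttl!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def renew_at(issued_at, expiration, fraction=0.7):
    """Epoch second at which to request a new certificate: `fraction` of the
    lifetime after issuance (70% by default). Uses the expiration Vault actually
    granted, not the TTL requested, because the role's max_ttl may have cut it."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    return issued_at + (expiration - issued_at) * fraction


def renewal_due(now, issued_at, expiration, fraction=0.7):
    """True once the certificate has used `fraction` of its lifetime."""
    return now >= renew_at(issued_at, expiration, fraction)


class ReloadOnChange:
    """Sidecar-style watcher: fingerprint the certificate and key files and call
    `reload` only when their bytes change, so a poll that finds the same material
    on disk leaves the application alone."""

    def __init__(self, paths, reload):
        self.paths = [Path(p) for p in paths]
        self.reload = reload
        self.fingerprint = self._digest()

    def _digest(self):
        h = hashlib.sha256()
        for p in self.paths:
            data = p.read_bytes() if p.exists() else b""
            h.update(len(data).to_bytes(8, "big"))  # length prefix avoids boundary ambiguity
            h.update(data)
        return h.hexdigest()

    def poll(self):
        """One check; returns True when a reload was triggered."""
        current = self._digest()
        if current == self.fingerprint:
            return False
        self.fingerprint = current
        self.reload()
        return True


def simulate_renewal_cycle():
    """Write constructed cert/key files, poll, overwrite them as a renewal would,
    poll again. Returns the sequence of poll() results."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        cert, key = Path(d, "tls.crt"), Path(d, "tls.key")
        cert.write_text("FAKE-CERT-1")   # constructed placeholder, not a real PEM
        key.write_text("FAKE-KEY-1")
        watcher = ReloadOnChange([cert, key], lambda: print("reload signalled"))
        results.append(watcher.poll())    # nothing changed yet
        cert.write_text("FAKE-CERT-2")   # renewal landed on disk
        key.write_text("FAKE-KEY-2")
        results.append(watcher.poll())    # change detected, reload fired
        results.append(watcher.poll())    # quiet again
    return results


if __name__ == "__main__":
    issued = int(time.time())
    expires = issued + parse_ttl("24h")
    print("renew at", renew_at(issued, expires), "(16.8h after issuance)")
    print("poll results:", simulate_renewal_cycle())
```

In a real sidecar the `reload` callback would send the application its reload signal (or call its admin endpoint), and `renewal_due` would be evaluated on each tick with the `expiration` value returned in the issue response.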
Monitoring
Audit Logging
Enable Vault audit logging for complete certificate operation visibility.
Metrics
Monitor key Vault PKI metrics:
- vault.secrets.pki.tidy.success/failure
- vault.secrets.pki.sign
- vault.secrets.pki.issue
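Audit logging is only useful if something reads it. The block below is an added example, not part of the original article, that summarises PKI activity from Vault's JSON-lines audit output: issuance counts per path and per identity, failed calls on PKI paths, and any operation that touched the root CA mount directly. The sample entries are constructed to resemble the file audit device's format (one object per line, paired `request`/`response` records, HMAC'd sensitive fields, an `error` string on failures); the mount names, identities and addresses in them are invented for the example.

```python
"""Summarise certificate operations from Vault audit-log lines (JSON, one per line)."""
import json
from collections import Counter

# Constructed sample entries shaped like Vault's file audit device output.
# Vault HMACs sensitive values (tokens, certificate material); shortened here.
SAMPLE_AUDIT = r"""
{"time":"2024-05-01T10:00:01Z","type":"response","auth":{"display_name":"kubernetes-prod-web","policies":["default","pki-web"]},"request":{"operation":"update","path":"pki_int/issue/web","remote_address":"10.0.1.15"},"response":{"data":{"serial_number":"hmac-sha256:a1"}},"error":""}
{"time":"2024-05-01T10:00:05Z","type":"response","auth":{"display_name":"kubernetes-prod-web","policies":["default","pki-web"]},"request":{"operation":"update","path":"pki_int/issue/web","remote_address":"10.0.1.16"},"response":{"data":{"serial_number":"hmac-sha256:b2"}},"error":""}
{"time":"2024-05-01T10:00:09Z","type":"response","auth":{"display_name":"kubernetes-prod-web","policies":["default","pki-web"]},"request":{"operation":"update","path":"pki_int/issue/mesh","remote_address":"10.0.1.15"},"response":{},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-05-01T10:01:00Z","type":"response","auth":{"display_name":"token","policies":["root"]},"request":{"operation":"update","path":"pki/root/sign-intermediate","remote_address":"192.168.10.4"},"response":{"data":{"serial_number":"hmac-sha256:c3"}},"error":""}
{"time":"2024-05-01T10:01:30Z","type":"request","auth":{"display_name":"kubernetes-prod-web"},"request":{"operation":"update","path":"pki_int/issue/web","remote_address":"10.0.1.17"}}
{"time":"2024-05-01T10:02:00Z","type":"response","auth":{"display_name":"kubernetes-prod-mesh","policies":["default","pki-mesh"]},"request":{"operation":"update","path":"pki_int/sign/mesh","remote_address":"10.0.2.8"},"response":{"data":{"serial_number":"hmac-sha256:d4"}},"error":""}
{"time":"2024-05-01T10:02:30Z","type":"response","auth":{"display_name":"ci-runner"},"request":{"operation":"read","path":"secret/data/app","remote_address":"10.0.3.2"},"response":{},"error":""}
"""

PKI_MOUNTS = ("pki/", "pki_int/")  # assumption: the mount names used in this article's setup


def parse_audit(text):
    """Decode one JSON object per line, keeping `response` records only: each
    operation is logged twice (request, then response) and the response carries
    the outcome, so counting both would double every figure."""
    for line in text.strip().splitlines():
        entry = json.loads(line)
        if entry.get("type") == "response":
            yield entry


def summarize_pki(entries):
    """Per-path issuance counts, per-identity counts, failed calls and any
    operation that went to the root CA mount directly."""
    summary = {"issued_by_path": Counter(), "by_identity": Counter(),
               "failures": [], "root_ops": []}
    for e in entries:
        path = e["request"]["path"]
        if not path.startswith(PKI_MOUNTS):
            continue
        who = e.get("auth", {}).get("display_name", "<unknown>")
        if e.get("error"):
            reason = e["error"].strip().splitlines()[-1].strip()
            summary["failures"].append((e["time"], who, path, reason))
            continue
        if "/issue/" in path or "/sign/" in path:
            summary["issued_by_path"][path] += 1
            summary["by_identity"][who] += 1
        if path.startswith("pki/root/"):
            summary["root_ops"].append((e["time"], who, path))
    return summary


def findings(summary, max_per_identity=100):
    """Turn the summary into alert-worthy lines. Denied PKI calls mean a workload
    asked for a role it is not allowed to use; root-mount operations should be
    rare, deliberate events; an identity pulling far more certificates than its
    pod count needs is worth a look even when every call succeeded."""
    out = []
    for time_, who, path, reason in summary["failures"]:
        out.append(f"{time_} {who} failed on {path}: {reason}")
    for time_, who, path in summary["root_ops"]:
        out.append(f"{time_} root CA operation {path} by {who}")
    for who, n in summary["by_identity"].items():
        if n > max_per_identity:
            out.append(f"{who} obtained {n} certificates in this window")
    return out


if __name__ == "__main__":
    report = summarize_pki(parse_audit(SAMPLE_AUDIT))
    for path, n in report["issued_by_path"].most_common():
        print(f"{n:4d}  {path}")
    for line in findings(report, max_per_identity=1):
        print("ALERT", line)
```

Point `parse_audit` at the audit device's file (or the lines a log shipper forwards) and run `summarize_pki` per time window; the `max_per_identity` threshold should be set from the expected number of workloads behind each auth role.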
Best Practices
- Use short TTLs - Hours, not days or weeks
- Separate intermediates - Different CAs for different use cases
- Enable audit logging - Track all certificate operations
- Automate renewal - Vault Agent handles this automatically
- Use Kubernetes auth - Leverage native K8s authentication
- Monitor expiration - Even short-lived certs need monitoring
Conclusion
HashiCorp Vault PKI enables a fundamentally different approach to certificate management—dynamic, short-lived, and fully automated. This model aligns perfectly with cloud-native, zero-trust architectures where identity verification happens continuously rather than at initial certificate issuance.