mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/secrets/pki/index.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

97 lines
4.8 KiB
Plaintext
Raw Permalink Blame History

---
layout: docs
page_title: PKI secrets engine
description: Dynamically generate X.509 certificates with the PKI secrets engine plugin.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# PKI secrets engine
@include 'x509-sha1-deprecation.mdx'
<Note title="Vault as Consul CA provider">
If you are using Vault 1.11.0+ as a Connect CA, run a Consul version which
includes the fix for [GH-15525](https://github.com/hashicorp/consul/pull/15525).
Refer to this [Knowledge Base
article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for
more details.
</Note>
The PKI secrets engine generates dynamic X.509 certificates. With this secrets
engine, services can get certificates without going through the usual manual
process of generating a private key and CSR, submitting to a CA, and waiting for
a verification and signing process to complete. Vault's built-in authentication
and authorization mechanisms provide the verification functionality.
By keeping TTLs relatively short, revocations are less likely to be needed,
keeping CRLs short and helping the secrets engine scale to large workloads. This
in turn allows each instance of a running application to have a unique
certificate, eliminating sharing and the accompanying pain of revocation and
rollover.
In addition, by allowing revocation to mostly be forgone, this secrets engine
allows for ephemeral certificates. Certificates can be fetched and stored in
memory upon application startup and discarded upon shutdown, without ever being
written to disk.
## Table of contents
The PKI Secrets Engine documentation is split into the following pieces:
- [Overview](/vault/docs/secrets/pki) - this document.
- [Setup and Usage](/vault/docs/secrets/pki/setup) - a brief description of setting
up and using the PKI Secrets Engine to issue certificates.
- [Quick Start - Root CA Setup](/vault/docs/secrets/pki/quick-start-root-ca) - A
quick start guide for setting up a root CA.
- [Quick Start - Intermediate CA Setup](/vault/docs/secrets/pki/quick-start-intermediate-ca) - A
quick start guide for setting up an intermediate CA.
- [Considerations](/vault/docs/secrets/pki/considerations) - A list of helpful
considerations to keep in mind when using and operating the PKI Secrets
Engine.
- [Rotation Primitives](/vault/docs/secrets/pki/rotation-primitives) - A document
which explains different types of certificates used to achieve rotation.
- [CIEPS Protocol <EnterpriseAlert inline="true" />](/vault/docs/secrets/pki/cieps) - A
document which explains the Certificate Issuance External Policy Service (CIEPS)
protocol (request and response structure), along with an overview of the difference
between it and `/pki/sign-verbatim`.
- Issuance Protocols: Using standard certificate management protocols with Vault PKI.
- [EST <EnterpriseAlert inline="true" />](/vault/docs/secrets/pki/est) -
Explains Vault's implementation of the EST protocol, from configuration
to limitations.
- [CMPv2 <EnterpriseAlert inline="true" />](/vault/docs/secrets/pki/cmpv2) -
Explains Vault's implementation of the CMPv2 protocol, from configuration
to limitations.
- [SCEP <EnterpriseAlert inline="true" />](/vault/docs/secrets/pki/scep) -
Explains Vault's implementation of the SCEP protocol, from configuration
to limitations.
- [Troubleshooting ACME](/vault/docs/secrets/pki/troubleshooting-acme) - A list of
advice for troubleshooting failures with ACME issuance and Vault PKI.
## Tutorial
Refer to the following tutorials for PKI secrets engine usage examples:
- [Build Your Own Certificate Authority (CA)](/vault/tutorials/secrets-management/pki-engine)
- [Build Certificate Authority (CA) in Vault with an offline Root](/vault/tutorials/secrets-management/pki-engine-external-ca)
- [Enable ACME with PKI secrets engine](/vault/tutorials/secrets-management/pki-acme-caddy)
- [PKI Secrets Engine with Managed Keys](/vault/tutorials/enterprise/managed-key-pki)
- [PKI Unified CRL and OCSP With Cross Cluster
Revocation](/vault/tutorials/secrets-management/pki-unified-crl-ocsp-cross-cluster)
- [Configure Vault as a Certificate Manager in Kubernetes with
Helm](/vault/tutorials/kubernetes/kubernetes-cert-manager)
- [Generate mTLS Certificates for Nomad using
Vault](/vault/tutorials/secrets-management/vault-pki-nomad)
## API
The PKI secrets engine has a full HTTP API. Please see the
[PKI secrets engine API](/vault/api-docs/secret/pki) for more
details.
Reference in New Issue View Git Blame Copy Permalink