HashiCorp Vault PKI
TL;DR
HashiCorp Vault PKI Secrets Engine is a dynamic certificate authority that generates short-lived certificates on-demand through API calls. Unlike traditional certificate management platforms (Venafi, Keyfactor) that manage long-lived certificates from external CAs, Vault acts as the CA itself, issuing ephemeral certificates with TTLs measured in hours or days. Best fit: cloud-native applications, microservices, DevOps teams wanting programmatic certificate generation without traditional PKI complexity.
Key differentiator: Dynamic, short-lived certificates generated via API rather than traditional long-lived certificate management.
Overview
HashiCorp Vault's PKI Secrets Engine represents a fundamentally different approach to certificates: instead of managing the lifecycle of long-lived certificates (365+ days), Vault generates short-lived certificates (minutes to days) on-demand. This shift eliminates many traditional PKI problems—no certificate inventory to track, no expiry outages (certificates auto-renew), no manual rotation workflows.
Philosophy:
- Traditional PKI: Issue 1-year certificate, manage its lifecycle, renew before expiry
- Vault PKI: Issue 1-hour certificate, regenerate automatically when needed
Target market:
- Cloud-native organizations
- Microservices architectures
- Container/Kubernetes environments
- DevOps-first companies
- API-driven infrastructure
- Organizations building modern applications
Not suitable for:
- Traditional enterprise PKI (long-lived certificates)
- Scenarios requiring external CA validation (public CAs)
- Organizations needing OV/EV certificates
- Windows Active Directory environments
- Non-API-accessible infrastructure
Core Concepts
Dynamic Certificate Generation
Traditional vs. Vault approach:
traditional_pki:
certificate_lifetime: 365_days
process:
1_generate_csr: manual_or_automated
2_submit_to_ca: hours_to_days
3_receive_certificate: manual_download
4_deploy_certificate: manual_or_automated
5_track_expiry: monitoring_required
6_renew_before_expiry: 30_days_before
7_rotate_certificate: manual_deployment
vault_pki:
certificate_lifetime: 1_hour_to_7_days
process:
1_api_request: "vault write pki/issue/my-role common_name=api.example.com"
2_receive_certificate: immediate (milliseconds)
3_use_certificate: in-memory, no disk storage
4_expires: application requests new certificate automatically
advantages:
- no_certificate_inventory
- no_expiry_tracking
- no_manual_rotation
- no_certificate_sprawl
- reduced_blast_radius # Compromised cert only valid briefly
PKI Secrets Engine Architecture
┌─────────────────────────────────────────────────────┐
│ HashiCorp Vault Cluster │
│ │
│ ┌────────────────────────────────────────────────┐ │
│ │ PKI Secrets Engine │ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────────┐ │ │
│ │ │ Root CA │ │ Intermediate CA │ │ │
│ │ │ (Offline) │──────│ (Active) │ │ │
│ │ └──────────────┘ └────────┬─────────┘ │ │
│ │ │ │ │
│ │ ┌────────────────────────┘ │ │
│ │ │ │ │
│ │ ┌──────▼─────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ Role: Web │ │Role: API │ │Role: DB │ │ │
│ │ │ TTL: 24h │ │TTL: 1h │ │TTL: 72h │ │ │
│ │ └────────────┘ └──────────┘ └──────────┘ │ │
│ └────────────────────────────────────────────────┘ │
│ │
│ ┌──────────────────────────────────────────────┐ │
│ │ Storage Backend │ │
│ │ (Consul, Raft, etcd, etc.) │ │
│ └──────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────┘
│
┌───────────┴──────────┬──────────────┐
▼ ▼ ▼
┌─────────┐ ┌──────────┐ ┌─────────┐
│ Service │ │ API │ │ K8s │
│ A │ │ Gateway │ │ Pods │
└─────────┘ └──────────┘ └─────────┘
↓ Request cert via API
↑ Receive cert immediately
Vault PKI Workflow
Setup (one-time):
# Enable PKI secrets engine
vault secrets enable pki
# Configure max TTL (10 years for root)
vault secrets tune -max-lease-ttl=87600h pki
# Generate root CA
vault write -field=certificate pki/root/generate/internal \
common_name="Example Root CA" \
ttl=87600h > root_ca.crt
# Configure URLs
vault write pki/config/urls \
issuing_certificates="http://vault.example.com:8200/v1/pki/ca" \
crl_distribution_points="http://vault.example.com:8200/v1/pki/crl"
# Create role (policy for certificate issuance)
vault write pki/roles/web-server \
allowed_domains="example.com" \
allow_subdomains=true \
max_ttl="720h" \
generate_lease=true
Certificate issuance (programmatic):
# Request certificate
vault write pki/issue/web-server \
common_name="api.example.com" \
ttl="24h"
# Returns:
# {
# "lease_duration": 86400,
# "data": {
# "certificate": "-----BEGIN CERTIFICATE-----\n...",
# "issuing_ca": "-----BEGIN CERTIFICATE-----\n...",
# "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...",
# "serial_number": "39:dd:2e:90:b7:23:1f:8d:d3:7d:31:c5:1b:da:84:d0:5b:65:31:58"
# }
# }
Automatic renewal:
import hvac
import time
from datetime import datetime, timedelta
class VaultCertificateManager:
"""
Automatic certificate renewal with Vault
"""
def __init__(self, vault_addr: str, vault_token: str, role: str):
self.client = hvac.Client(url=vault_addr, token=vault_token)
self.role = role
self.current_cert = None
self.cert_expiry = None
def request_certificate(self, common_name: str, ttl: str = "24h") -> dict:
"""
Request new certificate from Vault
"""
response = self.client.write(
f'pki/issue/{self.role}',
common_name=common_name,
ttl=ttl
)
self.current_cert = {
'certificate': response['data']['certificate'],
'private_key': response['data']['private_key'],
'ca_chain': response['data']['issuing_ca'],
'serial': response['data']['serial_number']
}
# Calculate expiry (Vault returns lease_duration in seconds)
lease_duration = response['lease_duration']
self.cert_expiry = datetime.now() + timedelta(seconds=lease_duration)
return self.current_cert
def auto_renew_loop(self, common_name: str, ttl: str = "24h"):
"""
Automatically renew certificate before expiry
"""
# Initial certificate
cert = self.request_certificate(common_name, ttl)
print(f"Initial certificate issued, expires: {self.cert_expiry}")
while True:
# Calculate time until expiry
time_until_expiry = (self.cert_expiry - datetime.now()).total_seconds()
# Renew at 50% of lifetime (or 1 hour before, whichever is less)
lease_duration = (self.cert_expiry - datetime.now()).total_seconds()
renew_at = min(lease_duration * 0.5, time_until_expiry - 3600)
if renew_at <= 0:
renew_at = 60 # Renew in 1 minute if we're past renewal time
print(f"Sleeping {renew_at}s until renewal...")
time.sleep(renew_at)
# Renew certificate
cert = self.request_certificate(common_name, ttl)
print(f"Certificate renewed, new expiry: {self.cert_expiry}")
# Application should hot-reload certificate here
self.reload_certificate(cert)
def reload_certificate(self, cert: dict):
"""
Signal application to reload certificate
Implementation depends on application
"""
# Option 1: Write to file, signal process
with open('/etc/ssl/current.crt', 'w') as f:
f.write(cert['certificate'])
with open('/etc/ssl/current.key', 'w') as f:
f.write(cert['private_key'])
# Send SIGHUP to nginx, etc.
os.system('systemctl reload nginx')
# Usage
manager = VaultCertificateManager(
vault_addr='https://vault.example.com:8200',
vault_token='s.xyz123...',
role='web-server'
)
# Run forever, automatically renewing
manager.auto_renew_loop('api.example.com', ttl='24h')
Integration Patterns
Kubernetes Integration
Using Vault Agent Injector:
# Deployment with Vault sidecar
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-app
spec:
template:
metadata:
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/role: "web-server"
vault.hashicorp.com/agent-inject-secret-cert.pem: "pki/issue/web-server"
vault.hashicorp.com/agent-inject-template-cert.pem: |
{{- with secret "pki/issue/web-server" "common_name=api.example.com" "ttl=24h" -}}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{- end }}
vault.hashicorp.com/agent-inject-secret-key.pem: "pki/issue/web-server"
vault.hashicorp.com/agent-inject-template-key.pem: |
{{- with secret "pki/issue/web-server" "common_name=api.example.com" "ttl=24h" -}}
{{ .Data.private_key }}
{{- end }}
spec:
serviceAccountName: web-app
containers:
- name: app
image: myapp:latest
volumeMounts:
- name: vault-secrets
mountPath: /vault/secrets
readOnly: true
# Application reads certificates from /vault/secrets/cert.pem and key.pem
Using cert-manager with Vault Issuer:
# Configure Vault as certificate issuer
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: vault-issuer
namespace: default
spec:
vault:
server: https://vault.example.com:8200
path: pki/sign/web-server
auth:
kubernetes:
role: cert-manager
mountPath: /v1/auth/kubernetes
secretRef:
name: cert-manager-vault-token
key: token
---
# Request certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: api-tls
spec:
secretName: api-tls-secret
duration: 24h
renewBefore: 12h # Renew at 50% of lifetime
issuerRef:
name: vault-issuer
kind: Issuer
dnsNames:
- api.example.com
- www.api.example.com
Service Mesh Integration
Consul Connect with Vault:
# Consul configuration
connect {
enabled = true
ca_provider = "vault"
ca_config {
address = "https://vault.example.com:8200"
token = "s.abc123..."
root_pki_path = "connect-root"
intermediate_pki_path = "connect-intermediate"
# Leaf certificate TTL
leaf_cert_ttl = "72h"
}
}
Istio with Vault CA:
# Istio mesh config
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
values:
global:
caAddress: vault.example.com:8200
caName: "Vault"
pilot:
env:
# Configure Vault certificate provider
VAULT_ADDR: "https://vault.example.com:8200"
VAULT_ROLE: "istio-ca"
CERT_TTL: "24h"
Application Integration
Go application example:
package main
import (
"crypto/tls"
"crypto/x509"
"fmt"
"time"
"github.com/hashicorp/vault/api"
)
type VaultTLSManager struct {
client *api.Client
role string
cn string
}
func (m *VaultTLSManager) GetCertificate() (*tls.Certificate, error) {
// Request certificate from Vault
secret, err := m.client.Logical().Write(
fmt.Sprintf("pki/issue/%s", m.role),
map[string]interface{}{
"common_name": m.cn,
"ttl": "24h",
},
)
if err != nil {
return nil, err
}
// Parse certificate and private key
certPEM := []byte(secret.Data["certificate"].(string))
keyPEM := []byte(secret.Data["private_key"].(string))
caPEM := []byte(secret.Data["issuing_ca"].(string))
cert, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil {
return nil, err
}
// Add CA to certificate
cert.Certificate = append(cert.Certificate, caPEM...)
return &cert, nil
}
func (m *VaultTLSManager) StartAutoRenewal() {
ticker := time.NewTicker(12 * time.Hour) // Renew every 12h for 24h cert
for range ticker.C {
cert, err := m.GetCertificate()
if err != nil {
fmt.Printf("Failed to renew certificate: %v\n", err)
continue
}
// Update server's TLS config
updateServerCertificate(cert)
}
}
func main() {
// Initialize Vault client
config := api.DefaultConfig()
config.Address = "https://vault.example.com:8200"
client, _ := api.NewClient(config)
client.SetToken("s.xyz123...")
manager := &VaultTLSManager{
client: client,
role: "web-server",
cn: "api.example.com",
}
// Get initial certificate
cert, _ := manager.GetCertificate()
// Start HTTPS server
server := &http.Server{
Addr: ":443",
TLSConfig: &tls.Config{
GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
return cert, nil
},
},
}
// Auto-renew in background
go manager.StartAutoRenewal()
// Start server
server.ListenAndServeTLS("", "")
}
Deployment Options
Self-Hosted Vault
Single server (dev/test only):
# Start Vault in dev mode
vault server -dev -dev-root-token-id="root"
# For production, use persistent storage
vault server -config=/etc/vault/config.hcl
High Availability Cluster:
# config.hcl
storage "consul" {
address = "127.0.0.1:8500"
path = "vault/"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/etc/vault/tls/vault.crt"
tls_key_file = "/etc/vault/tls/vault.key"
}
api_addr = "https://vault.example.com:8200"
cluster_addr = "https://vault.example.com:8201"
ui = true
Kubernetes deployment:
# Using official Helm chart
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault \
--set='server.ha.enabled=true' \
--set='server.ha.replicas=3' \
--set='server.ha.raft.enabled=true'
HashiCorp Cloud Platform (HCP) Vault
Managed service:
- Fully managed by HashiCorp
- Multi-region availability
- Automatic upgrades
- Built-in backup and DR
- No infrastructure management
Pricing (approximate):
- Development tier: $0.50/hour (~$360/month)
- Starter tier: $1.66/hour (~$1,200/month)
- Standard tier: Custom pricing
- Plus: Enterprise features
Pricing Model
Open Source (Self-Hosted):
- Free (community edition)
- Infrastructure costs only (VMs, storage, networking)
- No licensing fees
- No per-certificate costs
- Community support only
Enterprise (Self-Hosted):
Enterprise Features:
├── HSM Support: Hardware security module integration
├── Replication: Multi-datacenter disaster recovery
├── Namespaces: Multi-tenancy isolation
├── Sentinel Policies: Advanced policy engine
├── FIPS 140-2: Compliance mode
└── Enterprise Support: 24/7 support with SLA
Pricing:
├── Contact HashiCorp for quote
├── Typical: $100,000-500,000/year
└── Based on: Cluster size, features, support level
HCP Vault (SaaS):
- Consumption-based pricing
- ~$360-1,200/month minimum
- No per-certificate fees
- Included support and updates
- Scales automatically
Total Cost Examples:
- Small deployment (3-node self-hosted): ~$10K/year infrastructure + $0 license = $10K/year
- Medium (HA + DR): ~$30K/year infrastructure + $150K enterprise = $180K/year
- HCP Vault: ~$15K-50K/year depending on usage
Cost comparison:
- Dramatically cheaper than Venafi/Keyfactor for equivalent certificate volume
- No per-certificate fees (unlimited issuance)
- Main costs: infrastructure and enterprise licensing (if needed)
Strengths
Dynamic, Short-Lived Certificates
Eliminates traditional PKI problems:
- No certificate inventory management
- No expiry tracking required
- No manual rotation workflows
- Automatic renewal before expiry
- Reduced blast radius (compromised cert valid <24h)
Security advantages:
- Credentials ephemeral by default
- Reduced attack surface
- Simplified revocation (just wait for expiry)
- Key material never stored on disk (optional)
Cloud-Native Architecture
Built for modern infrastructure:
- API-first design
- Kubernetes-native integration
- Service mesh support (Consul Connect, Istio)
- Container-friendly
- Immutable infrastructure compatible
DevOps friendly:
- Infrastructure-as-code via Terraform
- GitOps workflows
- CI/CD pipeline integration
- Programmatic certificate generation
- No manual processes required
Cost-Effective at Scale
No per-certificate fees:
- Issue millions of certificates at no additional cost
- Only infrastructure and licensing costs
- Scales efficiently with usage
- Predictable costs
Open-source option:
- Community edition fully functional
- Can start free, upgrade to Enterprise later
- No vendor lock-in
Unified Secrets Management
Beyond just certificates:
- Single platform for all secrets (DB passwords, API keys, certs)
- Consistent access patterns
- Unified audit logging
- One tool to learn
Weaknesses
Not Traditional PKI
Different mental model:
- Requires application changes to support short-lived certs
- Can't use for long-lived certificate use cases
- Not suitable for certificates requiring external validation (OV/EV)
- Different from established PKI practices
Adoption challenges:
- Development team effort required
- Legacy applications may not support
- Organizational change management
- Training requirements
Limited Out-of-Box Integrations
Not a turnkey solution:
- Requires application code changes
- No automatic deployment to endpoints
- No certificate discovery features
- Limited platform-specific integrations (vs. Venafi's 200+)
DIY approach:
- Must build automation yourself
- Application owners responsible for integration
- No pre-built workflows for common scenarios
- Requires strong engineering capability
Operational Complexity
Running production Vault is non-trivial:
- High availability requires expertise
- Unsealing procedures critical
- Disaster recovery planning essential
- Monitoring and alerting required
- Security hardening necessary
Learning curve:
- Vault concepts (tokens, policies, auth methods)
- PKI-specific configuration
- Troubleshooting issues
- Performance tuning
Not Suitable for All Use Cases
Poor fit for:
- Windows Active Directory environments
- Long-lived certificates (multi-year)
- Public CA requirements (OV/EV validation)
- Legacy applications that can't auto-renew
- Organizations wanting turnkey solution
- Teams without strong DevOps capability
Use Cases
Microservices mTLS
Profile: E-commerce platform, 500+ microservices Challenge: Service-to-service authentication and encryption Solution: Vault PKI with 1-hour certificate TTL Results:
- Zero-trust networking implemented
- Automatic certificate rotation
- No certificate management overhead
- Reduced lateral movement risk
Kubernetes Certificate Management
Profile: SaaS company, 1,000+ pods across 20 clusters Challenge: TLS certificates for ingress and inter-pod communication Solution: cert-manager + Vault issuer Results:
- Automatic cert provisioning for new pods
- 15-minute certificate TTL
- Zero manual certificate work
- $0 certificate costs
IoT Device Onboarding
Profile: Smart home manufacturer, 10M devices Challenge: Certificate provisioning for device authentication Solution: Vault PKI with device-specific roles Results:
- Automated device certificate issuance
- Unique certificate per device
- 30-day certificate TTL with auto-renewal
- Scalable to 100M+ devices
Implementation Guide
Getting Started
Phase 1: Setup (Week 1):
# 1. Install Vault
# 2. Initialize and unseal
vault operator init
vault operator unseal
# 3. Enable PKI
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
# 4. Generate root CA
vault write -field=certificate pki/root/generate/internal \
common_name="My Root CA" \
ttl=87600h > root_ca.crt
# 5. Create intermediate CA (recommended)
vault secrets enable -path=pki_int pki
vault secrets tune -max-lease-ttl=43800h pki_int
vault write -format=json pki_int/intermediate/generate/internal \
common_name="My Intermediate CA" \
| jq -r '.data.csr' > pki_intermediate.csr
vault write -format=json pki/root/sign-intermediate \
csr=@pki_intermediate.csr \
format=pem_bundle ttl="43800h" \
| jq -r '.data.certificate' > intermediate.cert.pem
vault write pki_int/intermediate/set-signed \
certificate=@intermediate.cert.pem
# 6. Create roles
vault write pki_int/roles/web-server \
allowed_domains="example.com" \
allow_subdomains=true \
max_ttl="720h"
Phase 2: Integration (Weeks 2-4):
- Integrate with authentication system (Kubernetes, AWS, etc.)
- Update applications to request certificates via API
- Implement auto-renewal logic
- Set up monitoring
Phase 3: Production (Week 5+):
- Pilot with non-critical services
- Expand to production workloads
- Monitor and tune TTLs
- Establish operational procedures
Best Practices
Certificate TTLs:
- Start longer (24-72h) while building confidence
- Gradually reduce to 1-8h for maximum security
- Match TTL to deployment frequency
- Consider service restart time
Root CA management:
- Generate root CA offline
- Store root key in HSM or secure offline storage
- Use intermediate CAs for day-to-day issuance
- Rotate intermediates annually
High availability:
- Run 3+ Vault servers
- Use persistent storage (Consul, Raft)
- Implement automated unsealing
- Test failover procedures regularly
Conclusion
HashiCorp Vault PKI represents a paradigm shift from traditional certificate management to dynamic, ephemeral credentials. It excels in cloud-native, microservices, and container environments where applications can be modified to embrace short-lived certificates.
Choose Vault PKI if:
- Building cloud-native applications
- Microservices or service mesh architecture
- Can modify applications for auto-renewal
- Want to eliminate certificate management overhead
- Cost-sensitive (need unlimited certs)
- Strong DevOps/platform engineering team
- Kubernetes or container-focused
Consider alternatives if:
- Need long-lived certificates (1+ year)
- Require public CA validation (OV/EV)
- Legacy applications that can't auto-renew
- Want turnkey, no-code solution
- Lack DevOps engineering capacity
- Windows/Active Directory focused
- Need extensive pre-built integrations
Vault PKI's revolutionary approach eliminates traditional PKI pain points but requires embracing a new paradigm. For organizations with the technical capability to integrate it, Vault offers unmatched flexibility, security, and cost-effectiveness. For those seeking traditional PKI management, Venafi or Keyfactor remain better choices.
References
Official HashiCorp Resources
-
Vault PKI Secrets Engine Documentation
Hashicorp - Secrets
Complete PKI engine reference -
Vault API Documentation
Hashicorp - Api Docs
REST API reference -
Vault Tutorials
Hashicorp - Tutorials
Step-by-step implementation guides -
HCP Vault (Cloud)
Hashicorp - Vault
Managed Vault service -
Vault GitHub Repository
Github - Vault
Open-source code and issues
Integration Guides
-
Kubernetes Integration
Hashicorp - Platform
Vault Agent Injector and CSI driver -
cert-manager Vault Issuer
Cert-manager - Vault
Kubernetes certificate automation -
Consul Connect with Vault CA
Hashicorp - Connect
Service mesh integration -
Istio with Vault CA
Istio - Tasks
Alternative service mesh integration -
Terraform Vault Provider
Terraform - Hashicorp
Infrastructure-as-code integration
Client Libraries
-
Vault Go API Client
Github - Vault
Official Go SDK -
Python hvac Library
Github - Hvac
Python client for Vault -
Vault Ruby Client
Github - Vault Ruby
Ruby SDK -
Node.js Vault Client
Github - Node Vault
JavaScript/TypeScript integration -
Java Vault Driver
Github - Vault Java Driver
Java application integration
Authentication Methods
-
Kubernetes Auth Method
Hashicorp - Auth
Pod-based authentication -
AWS IAM Auth
Hashicorp - Auth
AWS instance authentication -
Azure Auth Method
Hashicorp - Auth
Azure managed identity auth -
GCP Auth Method
Hashicorp - Auth
Google Cloud authentication -
AppRole Auth
Hashicorp - Auth
Machine identity authentication
Deployment and Operations
-
Vault Production Hardening
Hashicorp - Tutorials
Security best practices -
Vault High Availability
Hashicorp - Concepts
HA architecture and setup -
Vault Backup and Restore
Hashicorp - Tutorials
Disaster recovery procedures -
Vault Monitoring
Hashicorp - Internals
Metrics and observability -
Vault Helm Chart
Github - Vault Helm
Kubernetes deployment
PKI-Specific Resources
-
PKI Secrets Engine Tutorial
Hashicorp - Tutorials
Complete PKI setup guide -
Build Your Own CA
Hashicorp - Tutorials
Root and intermediate CA configuration -
Certificate Rotation Best Practices
Hashicorp - Tutorials
Short-lived certificate strategies -
ACME Protocol Support
Github - Vault
ACME endpoint configuration -
EST Protocol Support
Feature request and implementation discussions
Security and Compliance
-
Vault Security Model
Hashicorp - Internals
Security architecture and threat model -
Vault Seal/Unseal Process
Hashicorp - Concepts
Key management and unsealing -
Auto Unseal with Cloud KMS
Hashicorp - Concepts
Automated unsealing configuration -
Vault Audit Logging
Hashicorp - Audit
Comprehensive audit trails -
FIPS 140-2 Compliance
Hashicorp - Enterprise
Federal compliance mode
Architecture Patterns
-
Zero Trust with Vault
HashiCorp Zero Trust Security
Architecture patterns and use cases -
Service Mesh Certificate Management
Hashicorp - Service Mesh Certificate Management
mTLS patterns -
Multi-Region Vault Architecture
Hashicorp - Tutorials
Global deployment patterns -
Disaster Recovery Setup
Hashicorp - Tutorials
DR replication configuration -
Namespaces for Multi-Tenancy
Hashicorp - Enterprise
Enterprise isolation patterns
Case Studies and Use Cases
-
Cruise Automation - Autonomous Vehicles
Hashicorp - Cruise
Certificate management for vehicle fleet -
Robinhood - Financial Services
Hashicorp - Robinhood
Secrets and certificate management -
SAP Concur - Travel Platform
Hashicorp - Sap Concur
Multi-cloud PKI implementation -
Adobe - Creative Cloud
HashiCorp - Running Vault at Adobe
Microservices certificate automation -
Citadel - Cryptocurrency Exchange
HashiCorp - Citadel Scaling with Nomad and Consul
High-security PKI requirements
Community and Support
-
HashiCorp Discuss Forum
Hashicorp - Vault
Community Q&A and discussions -
Vault GitHub Issues
Github - Vault
Bug reports and feature requests -
HashiCorp Learn Platform
Hashicorp - Vault
Interactive tutorials -
Vault Community Slack
HashiCorp Community
Real-time community support -
HashiCorp Events and Training
Hashicorp - Events
Conferences, webinars, certification
Standards and Protocols
-
RFC 5280 - X.509 Certificates
Ietf - Rfc5280
Certificate format standards -
RFC 8555 - ACME Protocol
Ietf - Rfc8555
Automated certificate management -
RFC 7030 - EST Protocol
Ietf - Rfc7030
Enrollment over secure transport -
SPIFFE/SPIRE Specifications
Spiffe
Workload identity standards -
mTLS Best Practices
Ietf - Draft Ietf Uta Rfc6125Bis 10.Html
Mutual TLS implementation guidance
Books and Comprehensive Resources
-
"Vault: Securing, Storing, and Tightly Controlling Access to Tokens, Passwords, Certificates..." - Hashicorp
Official Vault book -
"Zero Trust Networks" - Gilman & Barth (2017)
O'Reilly - Zero trust architecture including certificate management -
"Site Reliability Engineering" - Google (2016)
O'Reilly - Secrets management in production -
"Kubernetes Security" - Rice & Hausenblas (2018)
O'Reilly - Certificate management in K8s -
"Infrastructure as Code" - Morris (2020)
O'Reilly - Automating PKI with Terraform and Vault