2022-05-13 15:22:07 +00:00
|
|
|
|
---
|
|
|
|
|
|
layout: docs
|
|
|
|
|
|
page_title: PKI - Secrets Engines
|
|
|
|
|
|
description: The PKI secrets engine for Vault generates TLS certificates.
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
|
|
# PKI Secrets Engine
|
|
|
|
|
|
|
2022-06-01 19:41:11 +00:00
|
|
|
|
@include 'x509-sha1-deprecation.mdx'
|
|
|
|
|
|
|
2022-11-17 18:09:41 +00:00
|
|
|
|
!> **Vault 1.11.0+ incompatible as Consul CA provider:** Do not use [Vault
|
|
|
|
|
|
v1.11.0+](/vault/docs/release-notes/1.11.0#known-issues) as Consul’s Connect CA
|
|
|
|
|
|
provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh,
|
|
|
|
|
|
and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication.
|
|
|
|
|
|
If you are already using Vault 1.11+ as a Connect CA, refer to this [Knowledge Base
|
|
|
|
|
|
article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for
|
|
|
|
|
|
more information about the underlying cause and recommended workaround.
|
|
|
|
|
|
|
2022-05-13 15:22:07 +00:00
|
|
|
|
The PKI secrets engine generates dynamic X.509 certificates. With this secrets
|
|
|
|
|
|
engine, services can get certificates without going through the usual manual
|
|
|
|
|
|
process of generating a private key and CSR, submitting to a CA, and waiting for
|
|
|
|
|
|
a verification and signing process to complete. Vault's built-in authentication
|
|
|
|
|
|
and authorization mechanisms provide the verification functionality.
|
|
|
|
|
|
|
|
|
|
|
|
By keeping TTLs relatively short, revocations are less likely to be needed,
|
|
|
|
|
|
keeping CRLs short and helping the secrets engine scale to large workloads. This
|
|
|
|
|
|
in turn allows each instance of a running application to have a unique
|
|
|
|
|
|
certificate, eliminating sharing and the accompanying pain of revocation and
|
|
|
|
|
|
rollover.
|
|
|
|
|
|
|
|
|
|
|
|
In addition, by allowing revocation to mostly be forgone, this secrets engine
|
|
|
|
|
|
allows for ephemeral certificates. Certificates can be fetched and stored in
|
|
|
|
|
|
memory upon application startup and discarded upon shutdown, without ever being
|
|
|
|
|
|
written to disk.
|
|
|
|
|
|
|
|
|
|
|
|
## Table of Contents
|
|
|
|
|
|
|
|
|
|
|
|
The PKI Secrets Engine documentation is split into the following pieces:
|
|
|
|
|
|
|
|
|
|
|
|
- [Overview](/docs/secrets/pki) - this document.
|
|
|
|
|
|
- [Setup and Usage](/docs/secrets/pki/setup) - a brief description of setting
|
|
|
|
|
|
up and using the PKI Secrets Engine to issue certificates.
|
|
|
|
|
|
- [Quick Start - Root CA Setup](/docs/secrets/pki/quick-start-root-ca) - A
|
|
|
|
|
|
quick start guide for setting up a root CA.
|
|
|
|
|
|
- [Quick Start - Intermediate CA Setup](/docs/secrets/pki/quick-start-intermediate-ca) - A
|
|
|
|
|
|
quick start guide for setting up an intermediate CA.
|
|
|
|
|
|
- [Considerations](/docs/secrets/pki/considerations) - A list of helpful
|
|
|
|
|
|
considerations to keep in mind when using and operating the PKI Secrets
|
|
|
|
|
|
Engine.
|
2022-05-17 15:44:17 +00:00
|
|
|
|
- [Rotation Primitives](/docs/secrets/pki/rotation-primitives) - A document
|
|
|
|
|
|
which explains different types of certificates used to achieve rotation.
|
2022-05-13 15:22:07 +00:00
|
|
|
|
|
2022-05-20 01:04:46 +00:00
|
|
|
|
## Tutorial
|
2022-05-13 15:22:07 +00:00
|
|
|
|
|
|
|
|
|
|
Refer to the [Build Your Own Certificate Authority (CA)](https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine)
|
|
|
|
|
|
guide for a step-by-step tutorial.
|
|
|
|
|
|
|
|
|
|
|
|
Have a look at the [PKI Secrets Engine with Managed Keys](https://learn.hashicorp.com/tutorials/vault/managed-key-pki?in=vault/enterprise)
|
|
|
|
|
|
for more about how to use externally managed keys with PKI.
|
|
|
|
|
|
|
|
|
|
|
|
## API
|
|
|
|
|
|
|
|
|
|
|
|
The PKI secrets engine has a full HTTP API. Please see the
|
|
|
|
|
|
[PKI secrets engine API](/api-docs/secret/pki) for more
|
|
|
|
|
|
details.
|
