luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/secrets/pki/index.mdx
Yoko Hyakuna 59cec0a96c
Add known issue about PKI secrets engine with Consul (#18003) 
* Add known issue about PKI secrets engine with Consul

* Added KB article URL

* Update website/content/docs/secrets/pki/index.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-11-17 10:09:41 -08:00

66 lines
3 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: docs
page_title: PKI - Secrets Engines
description: The PKI secrets engine for Vault generates TLS certificates.
---
# PKI Secrets Engine
@include 'x509-sha1-deprecation.mdx'
!> **Vault 1.11.0+ incompatible as Consul CA provider:** Do not use [Vault
v1.11.0+](/vault/docs/release-notes/1.11.0#known-issues) as Consuls Connect CA
provider — the intermediate CA will become unable to issue the leaf nodes required by service mesh,
and by Consul client agents if using auto-encrypt or auto-config and using TLS for agent communication.
If you are already using Vault 1.11+ as a Connect CA, refer to this [Knowledge Base
article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for
more information about the underlying cause and recommended workaround.
The PKI secrets engine generates dynamic X.509 certificates. With this secrets
engine, services can get certificates without going through the usual manual
process of generating a private key and CSR, submitting to a CA, and waiting for
a verification and signing process to complete. Vault's built-in authentication
and authorization mechanisms provide the verification functionality.
By keeping TTLs relatively short, revocations are less likely to be needed,
keeping CRLs short and helping the secrets engine scale to large workloads. This
in turn allows each instance of a running application to have a unique
certificate, eliminating sharing and the accompanying pain of revocation and
rollover.
In addition, by allowing revocation to mostly be forgone, this secrets engine
allows for ephemeral certificates. Certificates can be fetched and stored in
memory upon application startup and discarded upon shutdown, without ever being
written to disk.
## Table of Contents
The PKI Secrets Engine documentation is split into the following pieces:
- [Overview](/docs/secrets/pki) - this document.
- [Setup and Usage](/docs/secrets/pki/setup) - a brief description of setting
up and using the PKI Secrets Engine to issue certificates.
- [Quick Start - Root CA Setup](/docs/secrets/pki/quick-start-root-ca) - A
quick start guide for setting up a root CA.
- [Quick Start - Intermediate CA Setup](/docs/secrets/pki/quick-start-intermediate-ca) - A
quick start guide for setting up an intermediate CA.
- [Considerations](/docs/secrets/pki/considerations) - A list of helpful
considerations to keep in mind when using and operating the PKI Secrets
Engine.
- [Rotation Primitives](/docs/secrets/pki/rotation-primitives) - A document
which explains different types of certificates used to achieve rotation.
## Tutorial
Refer to the [Build Your Own Certificate Authority (CA)](https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine)
guide for a step-by-step tutorial.
Have a look at the [PKI Secrets Engine with Managed Keys](https://learn.hashicorp.com/tutorials/vault/managed-key-pki?in=vault/enterprise)
for more about how to use externally managed keys with PKI.
## API
The PKI secrets engine has a full HTTP API. Please see the
[PKI secrets engine API](/api-docs/secret/pki) for more
details.
Reference in a new issue View git blame Copy permalink