f3df55ad58
* Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>
60 lines
2.8 KiB
Plaintext
---
layout: docs
page_title: PKI - Secrets Engines
description: The PKI secrets engine for Vault generates TLS certificates.
---

# PKI Secrets Engine

@include 'x509-sha1-deprecation.mdx'

-> **Vault as Consul CA provider:** If you are using Vault 1.11.0+ as a Connect CA, run a Consul version which includes the fix for [GH-15525](https://github.com/hashicorp/consul/pull/15525). Refer to this [Knowledge Base article](https://support.hashicorp.com/hc/en-us/articles/11308460105491) for more details.

The PKI secrets engine generates dynamic X.509 certificates. With this secrets
engine, services can get certificates without going through the usual manual
process of generating a private key and CSR, submitting to a CA, and waiting for
a verification and signing process to complete. Vault's built-in authentication
and authorization mechanisms provide the verification functionality.

By keeping TTLs relatively short, revocations are less likely to be needed,
keeping CRLs short and helping the secrets engine scale to large workloads. This
in turn allows each instance of a running application to have a unique
certificate, eliminating sharing and the accompanying pain of revocation and
rollover.

In addition, by allowing revocation to mostly be forgone, this secrets engine
allows for ephemeral certificates. Certificates can be fetched and stored in
memory upon application startup and discarded upon shutdown, without ever being
written to disk.
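
The startup-fetch pattern described above, as an added example that is not part of the Vault docs or the Vault project: a small Python client that calls the PKI engine's issue endpoint (`/v1/<mount>/issue/<role>` and the `certificate`, `private_key`, `issuing_ca`, `serial_number` and `expiration` response fields are Vault's own), keeps the material in process memory, and reports when the application should re-issue at two thirds of the certificate lifetime. The Vault address, token, role name, common name and the PEM bodies in the sample response are constructed placeholders, and the HTTP transport is injectable so the logic runs offline.

```python
import json
import urllib.request
from dataclasses import dataclass


@dataclass
class EphemeralCert:
    """Certificate material held in process memory only; never written to disk."""
    certificate: str    # PEM leaf certificate
    private_key: str    # PEM private key
    issuing_ca: str     # PEM issuing CA certificate
    serial_number: str
    expiration: int     # Unix timestamp returned by Vault

    def renew_due(self, issued_at: int, now: int, fraction: float = 2 / 3) -> bool:
        """True once `fraction` of the lifetime has elapsed: with short TTLs the
        application re-issues on that schedule instead of relying on revocation."""
        return now >= issued_at + int((self.expiration - issued_at) * fraction)


def http_post(url: str, token: str, body: dict) -> dict:
    """Real transport: POST JSON to Vault with the token header (not used offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def issue_cert(vault_addr, token, role, common_name, ttl="1h", mount="pki", post=http_post):
    """POST /v1/<mount>/issue/<role> and wrap the returned material in memory."""
    data = post(f"{vault_addr}/v1/{mount}/issue/{role}", token,
                {"common_name": common_name, "ttl": ttl})["data"]
    return EphemeralCert(data["certificate"], data["private_key"], data["issuing_ca"],
                         data["serial_number"], int(data["expiration"]))


# Constructed sample shaped like Vault's issue response; PEM bodies are placeholders.
SAMPLE_RESPONSE = {"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----",
    "serial_number": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33",
    "expiration": 1_700_003_600,
}}
```

The caller records the time of the fetch as `issued_at`, since the response carries only `expiration`; calling `issue_cert` again when `renew_due` returns true keeps the process on a fresh certificate without any revocation step.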

## Table of Contents

The PKI Secrets Engine documentation is split into the following pieces:

- [Overview](/vault/docs/secrets/pki) - this document.
- [Setup and Usage](/vault/docs/secrets/pki/setup) - a brief description of setting
  up and using the PKI Secrets Engine to issue certificates.
- [Quick Start - Root CA Setup](/vault/docs/secrets/pki/quick-start-root-ca) - A
  quick start guide for setting up a root CA.
- [Quick Start - Intermediate CA Setup](/vault/docs/secrets/pki/quick-start-intermediate-ca) - A
  quick start guide for setting up an intermediate CA.
- [Considerations](/vault/docs/secrets/pki/considerations) - A list of helpful
  considerations to keep in mind when using and operating the PKI Secrets
  Engine.
- [Rotation Primitives](/vault/docs/secrets/pki/rotation-primitives) - A document
  which explains different types of certificates used to achieve rotation.

## Tutorial

Refer to the [Build Your Own Certificate Authority (CA)](https://learn.hashicorp.com/vault/secrets-management/sm-pki-engine)
guide for a step-by-step tutorial.

Have a look at the [PKI Secrets Engine with Managed Keys](/vault/tutorials/enterprise/managed-key-pki)
for more about how to use externally managed keys with PKI.

## API

The PKI secrets engine has a full HTTP API. Please see the
[PKI secrets engine API](/vault/api-docs/secret/pki) for more
details.