Well-Architected Framework
Build a certificate authority (CA)
Certificate authorities (CAs) play a crucial role in X.509 by issuing trusted certificates and maintaining a repository of certificates. CAs help you verify and authenticate identities across networks.


One of a security operator's responsibilities is managing those digital certificates. HashiCorp Vault provides features to ease the burden of certificate lifecycle management through automation. Vault offers a central place to secure and control access to tokens, passwords, certificates, and encryption keys. Dynamic secrets provide credentials to third-party services that match your password policies for complexity and lifecycle, and Vault can also manage the revocation and rotation of those secrets for you. Vault dynamic secrets extend to X.509 public key infrastructure (PKI) certificates: Vault acts as a root or intermediate CA and manages the lifecycle of short-lived certificates. The Vault PKI secrets engine enables your applications to generate managed certificates on demand. Vault also supports a rich set of functionality around TLS certificates, including Online Certificate Status Protocol (OCSP), Automatic Certificate Management Environment (ACME), and Certificate Issuance External Policy Services (CIEPS).
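The paragraph above describes Vault acting as a root or intermediate CA and issuing short-lived certificates, but does not show the mount and role layout that makes that safe. The script below is an added example written for this page, not HashiCorp's own code or tutorial; it stands up a root CA on one PKI mount, a separate intermediate mount whose key never leaves Vault, and a role that caps leaf lifetime so a leaked certificate expires quickly. The mount paths (`pki_root`, `pki_int`), the domain `example.internal`, the role name and the TTL values are constructed assumptions; it expects `VAULT_ADDR` and `VAULT_TOKEN` to point at an unsealed test Vault, and runs the Vault commands only when `RUN_PKI_SETUP=1` is set, so the file can be sourced and inspected without a server.

```shell
#!/usr/bin/env bash
# Added example (not HashiCorp's code): two-tier CA in Vault with the PKI secrets engine.
# Assumptions: VAULT_ADDR/VAULT_TOKEN target a test Vault; mount names, domain, role
# and TTLs below are constructed values for illustration.
set -eu

ROOT_MOUNT="pki_root"          # root CA mount; touched only to sign intermediates
INT_MOUNT="pki_int"            # intermediate mount; the one applications talk to
DOMAIN="example.internal"      # constructed domain
ROLE="svc-leaf"                # constructed role name
ROOT_TTL="87600h"              # 10 years
INT_TTL="43800h"               # 5 years
LEAF_TTL="24h"                 # short-lived leaf certificates
LEAF_CAP_HOURS=72              # policy ceiling we refuse to exceed for leaf certs

# Convert a Vault-style duration ("24h", "3d") to hours. Only h and d are handled.
ttl_to_hours() {
  case "$1" in
    *h) echo "${1%h}" ;;
    *d) echo $(( ${1%d} * 24 )) ;;
    *)  echo "unsupported TTL unit in '$1'" >&2; return 1 ;;
  esac
}

# Guard: leaf TTL must stay within the cap, otherwise "short-lived" is not enforced.
leaf_ttl_within_cap() {
  [ "$(ttl_to_hours "$1")" -le "$2" ]
}

setup_root_ca() {
  vault secrets enable -path="$ROOT_MOUNT" pki
  vault secrets tune -max-lease-ttl="$ROOT_TTL" "$ROOT_MOUNT"
  # type=internal keeps the root private key inside Vault; only the cert comes back.
  vault write -field=certificate "$ROOT_MOUNT/root/generate/internal" \
      common_name="$DOMAIN Root CA" ttl="$ROOT_TTL" > root_ca.crt
  # Publish issuer and CRL URLs so clients can build the chain and check revocation.
  vault write "$ROOT_MOUNT/config/urls" \
      issuing_certificates="$VAULT_ADDR/v1/$ROOT_MOUNT/ca" \
      crl_distribution_points="$VAULT_ADDR/v1/$ROOT_MOUNT/crl"
}

setup_intermediate_ca() {
  vault secrets enable -path="$INT_MOUNT" pki
  vault secrets tune -max-lease-ttl="$INT_TTL" "$INT_MOUNT"
  # The intermediate generates its own key and a CSR; the key never leaves Vault.
  vault write -format=json "$INT_MOUNT/intermediate/generate/internal" \
      common_name="$DOMAIN Intermediate CA" | jq -r '.data.csr' > pki_intermediate.csr
  # The root signs the CSR; this is the only routine use of the root mount.
  vault write -format=json "$ROOT_MOUNT/root/sign-intermediate" \
      csr=@pki_intermediate.csr format=pem_bundle ttl="$INT_TTL" \
      | jq -r '.data.certificate' > intermediate.cert.pem
  vault write "$INT_MOUNT/intermediate/set-signed" certificate=@intermediate.cert.pem
  vault write "$INT_MOUNT/config/urls" \
      issuing_certificates="$VAULT_ADDR/v1/$INT_MOUNT/ca" \
      crl_distribution_points="$VAULT_ADDR/v1/$INT_MOUNT/crl"
}

create_leaf_role() {
  leaf_ttl_within_cap "$LEAF_TTL" "$LEAF_CAP_HOURS" || { echo "leaf TTL over cap" >&2; return 1; }
  # The role is the policy boundary: only subdomains of $DOMAIN, no bare apex,
  # and max_ttl caps what any caller can request.
  vault write "$INT_MOUNT/roles/$ROLE" \
      allowed_domains="$DOMAIN" allow_subdomains=true allow_bare_domains=false \
      ttl="$LEAF_TTL" max_ttl="$LEAF_TTL"
}

issue_leaf() {
  # Applications call this path; Vault returns cert, key and chain as JSON.
  vault write -format=json "$INT_MOUNT/issue/$ROLE" common_name="$1" ttl="$LEAF_TTL"
}

if [ "${RUN_PKI_SETUP:-0}" = "1" ]; then
  setup_root_ca
  setup_intermediate_ca
  create_leaf_role
  issue_leaf "api.$DOMAIN" | jq -r '.data.certificate' | openssl x509 -noout -subject -enddate
fi
```

The split into two mounts is the point: the root mount is only used to sign the intermediate, so its policy can be locked down to an operator path while applications are granted `update` on `pki_int/issue/svc-leaf` alone. With `max_ttl` on the role, a caller cannot request a longer lifetime than policy allows, which is what keeps the certificates genuinely short-lived.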


HashiCorp resources:
- Automated PKI infrastructure
- PKI design considerations with HashiCorp Vault (PDF)
- PKI secrets engine (API) and PKI secrets engine documentation
- Revolutionizing certificate management with ACME and Vault (video)
- PKI certificate issuance flexibility with Vault CIEPS blog post and documentation
- Configure Vault as a certificate manager in Kubernetes with Helm
External resources:
- Using HashiCorp Vault to Automate certificate lifecycle management F5 BIG-IP
- Enabling TLS on your Vault cluster on Kubernetes
Next steps
In this section of Secure applications, you learned how Vault acts as a root or intermediate CA to manage the lifecycle of short-lived certificates. Build a certificate authority is part of the Secure systems pillar.