Automate your Certificate Lifecycle with Vault

Stéphane Este-Gracias
Sep 28, 2022 (2 min read)

This article is the entry point of a walkthrough on managing a PKI in Vault and automating the deployment of private and public certificates, including their renewal.

Update 2023–07–16
- Added: Codify Vault Internal PKI using Terraform article


By reading this and the subsequent articles you will learn:

  • How to build an Internal PKI with Vault
  • How to Issue, Deploy and Renew your Private Certificates
  • How to Rotate your CA seamlessly
  • How to Manage and Store your Public Certificates, then Deploy them

Before starting the walkthrough, let’s look at why you should automate your certificate lifecycle.

Why Automate your Certificate Lifecycle?

Here are some benefits of automating your certificate lifecycle.

  • Easier management of your PKI hierarchy
  • Easier CA lifecycle (issue, renew, rotate, revoke)
  • Easier renewal and deployment of leaf certificates
  • No more wildcard certificates (*.example.com): each host gets its own short-lived certificate on demand, so a key compromised on one host is not valid for every name under the domain
  • A single source of trust, with an audit log of every issuance, in Vault
  • Readiness for post-quantum cryptography: when key types or algorithms have to change, every certificate can be reissued and redeployed without manual work

Walkthrough

The walkthrough is split into separate articles so that each part can be followed on its own. Here are the parts.

  1. Build an Internal PKI with Vault
  2. Issue, Deploy and Renew your Private Certificates with Vault and Consul-Template
  3. Rotate your CA seamlessly using a Vault PKI
  4. Securely store Public Certificates in Vault, generated by acme.sh
  5. Codify Vault Internal PKI using Terraform

Next Steps

This series of articles shows how to manage a Vault PKI and how to automate the deployment of private and public certificates with automatic, seamless renewal.

The walkthrough is a proof of concept. Before going to production, build an MVP around your own use case, validate (or invalidate) the assumptions behind it, and only then deploy a production Vault cluster following one of HashiCorp’s reference architectures.

The configuration can also be managed as code: the Terraform Vault provider can codify the PKI configuration, as described in the Codify Vault Internal PKI using Terraform article.
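As an added illustration of two points above, codifying the PKI with the Terraform Vault provider and doing away with wildcard certificates, here is a configuration that is not part of this article or of the linked ones. It assumes a mount path of pki, a root CA common name, a role named example-dot-com, a Vault address of vault.example.com:8200 and the example.com domain; all of these are placeholders chosen for the example. It builds an internal root CA, publishes the CA and CRL URLs, and defines an issuing role that refuses wildcard and bare-domain names and caps leaf certificates at a short TTL so renewal, not long validity, is the norm.

```hcl
# Added example (not from the article): an internal PKI codified with the
# Terraform Vault provider. Names, paths and TTLs are assumptions.

resource "vault_mount" "pki" {
  path                      = "pki"
  type                      = "pki"
  description               = "Internal root CA"
  default_lease_ttl_seconds = 3600       # 1h default for issued leaves
  max_lease_ttl_seconds     = 315360000  # 10y ceiling, needed for the root
}

# Internal root: the private key never leaves Vault.
resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "Example Internal Root CA" # assumed name
  ttl         = "87600h"                   # 10 years
  key_type    = "rsa"
  key_bits    = 4096
}

# Where clients fetch the CA chain and the CRL; hostname is assumed.
resource "vault_pki_secret_backend_config_urls" "urls" {
  backend                 = vault_mount.pki.path
  issuing_certificates    = ["https://vault.example.com:8200/v1/pki/ca"]
  crl_distribution_points = ["https://vault.example.com:8200/v1/pki/crl"]
}

# Issuing role: one short-lived certificate per host, no wildcards.
resource "vault_pki_secret_backend_role" "web" {
  backend          = vault_mount.pki.path
  name             = "example-dot-com" # assumed role name
  allowed_domains  = ["example.com"]
  allow_subdomains = true

  # Hardened settings: no *.example.com, no bare example.com,
  # and hostnames must be valid DNS names.
  allow_wildcard_certificates = false
  allow_bare_domains          = false
  enforce_hostnames           = true

  # Short lifetimes push the renewal work onto automation
  # (Vault Agent / consul-template) instead of people.
  ttl     = "24h"
  max_ttl = "72h"

  key_type    = "rsa"
  key_bits    = 2048
  server_flag = true
  client_flag = false
}
```

Issuing against this role with `vault write pki/issue/example-dot-com common_name=web01.example.com` yields a certificate valid for at most 72h, and a request for `common_name=*.example.com` is rejected by the role rather than by convention. Keep the root TTL in `vault_mount` and in `vault_pki_secret_backend_root_cert` consistent, otherwise Vault silently truncates the root certificate to the mount’s maximum lease TTL.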
