Engineer for the future of Cloud
June 10-13, 2019
San Jose, CA

X.509 certificate management with Vault

Christie Koehler (HashiCorp)
1:25pm to 2:05pm Wednesday, June 12, 2019
Building Secure Systems
Location: LL21 E/F
Prerequisite knowledge

  • Some understanding of public key certificates, why they are needed, and how applications and services typically use them

What you'll learn

  • Understand the value proposition of dynamic secrets
  • Get started with open source Vault
  • Learn how to use Vault to manage public key certificates for a variety of use cases


Vault provides secrets management and protection of sensitive data: a central place to secure, store, and control access to tokens, passwords, certificates, and encryption keys. Centralizing secrets brings its own challenges, particularly where applications are concerned. Applications are poor at keeping secrets, and a single secret is often shared among many different applications.

Vault offers an answer to these problems in the form of dynamic secrets, which are generated on demand and are unique to each client. This contrasts with static secrets, which are defined ahead of time and are often shared by different clients. Vault associates each dynamic secret with a lease and automatically destroys the credentials when the lease expires. Static secrets, by contrast, often have much longer lifecycles.

Dynamic secrets allow you to manage intentions (e.g., a web server needs database access) instead of managing credentials (e.g., the authentication data handed to each web server that requires database access). This achieves the same end goal while solving major challenges, including leaky applications, nonrepudiation, automatic rotation, and practical revocation. Vault applies the same dynamic secret approach to public key certificates, acting as a signing intermediary that issues short-lived certificates. Certificates can therefore be generated on demand, as needed, and rotated automatically.

Christie Koehler gives a brief introduction to Vault and dynamic secrets and then shares the most common operator activities involved in certificate management using Vault, including enabling and configuring public key infrastructure (PKI) engine(s), creating roles and generating certificates, revoking certificates and updating certificate revocation lists (CRLs), and integrating with applications.
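The operator activities listed above map directly onto a handful of calls to Vault's PKI secrets engine. The script below is an added example written for this page, not code from the talk or from HashiCorp: it walks the workflow end to end (mount the PKI engine, generate an internal root, set issuing/CRL URLs, create a role, issue a short-lived certificate, revoke it, rotate and fetch the CRL) over Vault's HTTP API. The endpoint paths and payload keys are taken from Vault's documented PKI API as the author remembers them; `FakeVault` is a constructed in-memory stand-in so the script runs offline, and the certificate, serial and CRL values it returns are constructed placeholders, not real PKI material. With `VAULT_ADDR` and `VAULT_TOKEN` set, the same functions run against a real server.

```python
"""Vault PKI workflow over the HTTP API (added example, not from the talk)."""
import json
import os
import urllib.request


def http_transport(addr, token):
    """Build send(method, path, payload) that talks to a real Vault at addr."""
    def send(method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(
            f"{addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return json.loads(body) if body else {}
    return send


class FakeVault:
    """Constructed stand-in: records every call and returns Vault-shaped responses."""

    def __init__(self):
        self.calls = []      # (method, path, payload) in the order they were made
        self.revoked = []    # serials that have been revoked
        self._serial = 0

    def send(self, method, path, payload=None):
        self.calls.append((method, path, payload))
        if path.startswith("pki/issue/"):
            self._serial += 1
            serial = f"{self._serial:02x}:" + ":".join(["00"] * 15)  # constructed
            return {"data": {"certificate": "-----BEGIN CERTIFICATE-----\n(constructed)\n"
                                            "-----END CERTIFICATE-----",
                             "private_key": "(constructed)",
                             "serial_number": serial}}
        if path == "pki/revoke":
            self.revoked.append(payload["serial_number"])
            return {"data": {"revocation_time": 1}}
        if path == "pki/cert/crl":
            # A real CRL is DER/PEM; the fake lists revoked serials in clear.
            body = "\n".join(self.revoked)
            return {"data": {"certificate": f"-----BEGIN X509 CRL-----\n{body}\n"
                                            "-----END X509 CRL-----"}}
        return {"data": {}}


# --- operator activities, one function each ---------------------------------

def enable_pki(send, mount="pki", max_lease="8760h"):
    """Mount the PKI engine; the mount-level max lease caps every cert it issues."""
    send("POST", f"sys/mounts/{mount}", {"type": "pki",
                                         "config": {"max_lease_ttl": max_lease}})


def generate_root(send, common_name, mount="pki", ttl="8760h"):
    """Generate a self-signed root whose key never leaves Vault ('internal')."""
    return send("POST", f"{mount}/root/generate/internal",
                {"common_name": common_name, "ttl": ttl})


def configure_urls(send, addr, mount="pki"):
    """Embed AIA and CRL distribution URLs so clients can validate issued certs."""
    send("POST", f"{mount}/config/urls",
         {"issuing_certificates": [f"{addr}/v1/{mount}/ca"],
          "crl_distribution_points": [f"{addr}/v1/{mount}/crl"]})


def create_role(send, role, allowed_domains, max_ttl="72h", mount="pki"):
    """A role is the policy: which names may be issued and for how long."""
    send("POST", f"{mount}/roles/{role}",
         {"allowed_domains": allowed_domains, "allow_subdomains": True,
          "max_ttl": max_ttl})


def issue_cert(send, role, common_name, ttl="24h", mount="pki"):
    """Issue a short-lived cert + key on demand; returns the data block."""
    resp = send("POST", f"{mount}/issue/{role}",
                {"common_name": common_name, "ttl": ttl})
    return resp["data"]


def revoke_cert(send, serial, mount="pki"):
    """Revoke by serial, force a CRL rotation, and return the current CRL."""
    send("POST", f"{mount}/revoke", {"serial_number": serial})
    send("GET", f"{mount}/crl/rotate")
    return send("GET", f"{mount}/cert/crl")["data"]["certificate"]


def demo(send, addr="http://127.0.0.1:8200"):
    """Run the full lifecycle; returns (issued serial, CRL PEM after revocation)."""
    enable_pki(send)
    generate_root(send, "example.internal Root CA")
    configure_urls(send, addr)
    create_role(send, "web", ["example.internal"], max_ttl="72h")
    cert = issue_cert(send, "web", "api.example.internal", ttl="24h")
    crl = revoke_cert(send, cert["serial_number"])
    return cert["serial_number"], crl


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR")
    transport = http_transport(addr, os.environ["VAULT_TOKEN"]) if addr else FakeVault().send
    print(demo(transport, addr or "http://127.0.0.1:8200"))
```

Two design points worth noting: the root is generated with `root/generate/internal`, so the CA private key is never exported from Vault, and the role's `max_ttl` (72h here) is the real control on certificate lifetime, since any `ttl` a client requests on `pki/issue/<role>` is clamped to it. Short `ttl` values are what make the "rotate rather than revoke" model practical; revocation and CRL rotation remain available for the cases where a key is known to be compromised before its lease runs out.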


Christie Koehler


Christie Koehler is a developer advocate at HashiCorp, where she uses her hybrid experience as an operator and a developer to create resources to help practitioners use HashiCorp’s suite of open source cloud automation tools. She’s a longtime open source contributor and an expert on open source culture and governance.
