Integration with third-party tools

This document provides an overview of the third-party tools that have an integration with Certificate Authority Service.

Hashicorp Vault

Hashicorp Vault lets you manage and store secrets on-premises. You can configure Hashicorp Vault CA to act as a proxy that forwards all certificate issuance requests to Certificate Authority Service.

The Vault plugin for CA Service issues certificates through Hashicorp Vault by generating the private key and certificate signing request (CSR), or by receiving a user-provided CSR. The plugin doesn't perform create and delete CA operations, or manage other aspects of the certificate authority (CA) lifecycle.

At a high level, the plugin acts as a proxy to issue certificates.

Using the Vault plugin has the following advantages:

  • Administrators can use a familiar workflow and the existing access-control list (ACL) permissions in the Vault.
  • The administrator can define who gets to request certificates and what specifications and limits those certificates have.

For more information about setting up and using the plugin, see the README: Vault Plugin for CA Service.


Jetstack Cert-Manager is an open source Kubernetes add-on that automates the management and issuance of TLS certificates from various issuing sources.

Cert-Manager manages the lifecycle of certificates issued by CA pools that are created using Certificate Manager. Cert-Manager ensures certificates are valid and duly renewed before they expire.

For instructions on using Cert-Manager with Certificate Manager, see README: Certificate Authority Service Issuer for Cert-Manager.

For more information, see Use CA Service with Certificate Manager.

What's next