Hashicorp Vault CA integration

Hashicorp Vault is commonly used for managing and storing secrets on-premises. This page provides information about how Hashicorp Vault CA can be configured to act as a proxy that forwards all certificate issuance requests to Certificate Authority Service. This configuration allows a currently deployed solution to work natively with CA Service.


The Vault plugin for CA Service issues certificates through Hashicorp Vault by generating the private key and Certificate Signing Request (CSR), or by receiving a user-provided CSR. The plugin doesn't perform create and delete CA operations, or manage other aspects of the certificate authority (CA) lifecycle.

At a high level, the plugin acts as a proxy to issue certificates.

The advantage of using the Vault plugin is that administrators can use a familiar workflow and existing ACL permissions in Vault. The administrator can define who gets to issue certificates and define what specifications and limits those certificates have.

For more information about setting up and using the plugin, see the README: Vault Plugin for CA Service.

What's next