Part of the Certificate Automation Guide
HashiCorp Vault PKI: When Dynamic Certificates Make Sense
Vault's PKI secrets engine is excellent for short-lived, ephemeral certificates. It's not a certificate management strategy.
HashiCorp Vault PKI has become the default answer for DevOps teams who need certificates in automated pipelines. Enable the secrets engine, configure a role, issue certificates programmatically. It's elegant, it's fast, and it solves the immediate problem of getting certificates into containers and microservices.
What it doesn't solve is certificate management at enterprise scale. Vault PKI is a tool, not a strategy. Understanding where it fits — and where it doesn't — will save you from architectural decisions you'll regret in two years.
What Vault PKI Actually Does
The Vault PKI secrets engine turns Vault into a Certificate Authority. It can generate root CAs, intermediate CAs, and issue certificates dynamically through API calls.
Core capabilities:
- Dynamic issuance: Request a certificate, get a certificate. Milliseconds, not hours. Certificates are generated on demand rather than pre-provisioned.
- Short-lived certificates: Default Vault PKI patterns use TTLs measured in hours or days, not years. A compromised certificate expires before it's useful.
- API-native: Everything is an API call. Fits naturally into Terraform, Ansible, CI/CD pipelines, and Kubernetes operators.
- Built-in revocation: CRL and OCSP endpoints included. With short TTLs, most certificates never need explicit revocation; a certificate that is no longer wanted simply expires and ages out of the CRL.
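To make the short-lived model concrete, here is an added Python model (not Vault's own code) of how Vault PKI resolves a leaf certificate's lifetime from the request, the role, the mount and the issuing CA. It assumes Vault's documented behaviour: a requested TTL falls back to the role's ttl and then the mount default, is capped at the role's max_ttl (or the mount maximum) with a warning rather than an error, and a notAfter past the CA's own expiry is handled by the issuer's leaf_not_after_behavior setting; the Issuer/Role/Mount classes and the 768-hour defaults are illustrative assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

HOUR = timedelta(hours=1)

@dataclass
class Issuer:                       # the signing CA (assumed shape, not Vault's type)
    not_after: datetime
    leaf_not_after_behavior: str = "err"   # Vault issuer default; or "truncate"/"permit"

@dataclass
class Role:                         # PKI role; None stands for "not set" (Vault's 0)
    ttl: Optional[timedelta] = None
    max_ttl: Optional[timedelta] = None

@dataclass
class Mount:                        # mount/system lease limits (assumed 32-day defaults)
    default_lease_ttl: timedelta = 768 * HOUR
    max_lease_ttl: timedelta = 768 * HOUR

@dataclass
class Outcome:
    not_after: datetime
    warnings: List[str] = field(default_factory=list)

def resolve_not_after(requested: Optional[timedelta], role: Role, mount: Mount,
                      issuer: Issuer, now: datetime) -> Outcome:
    """Return the notAfter Vault would put on the leaf, mirroring its TTL rules."""
    # 1. Requested TTL, else role ttl, else mount default (a zero TTL counts as unset).
    ttl = requested or role.ttl or mount.default_lease_ttl
    # 2. The cap is the role max_ttl, else the mount maximum.
    max_ttl = role.max_ttl or mount.max_lease_ttl
    warnings: List[str] = []
    if ttl > max_ttl:
        # Vault does not reject an over-long request: it issues at max_ttl and warns.
        warnings.append(f"TTL {ttl} is longer than permitted max_ttl {max_ttl}, "
                        f"so max_ttl is being used")
        ttl = max_ttl
    not_after = now + ttl
    # 3. A leaf must not outlive its CA unless the issuer explicitly allows it.
    if not_after > issuer.not_after:
        if issuer.leaf_not_after_behavior == "truncate":
            not_after = issuer.not_after
        elif issuer.leaf_not_after_behavior != "permit":
            raise ValueError("cannot satisfy request: TTL would result in notAfter "
                             "beyond the expiration of the CA certificate")
    return Outcome(not_after, warnings)
```

The practical lesson is the middle step: a pipeline that asks a 72-hour role for a one-year certificate gets a 72-hour certificate and a warning in the response, so a short max_ttl on the role is what actually enforces the ephemeral model.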
The architectural philosophy:
Traditional PKI treats certificates as valuable assets that must be carefully managed over multi-year lifetimes. Vault PKI treats certificates as ephemeral tokens — generate them as needed, let them expire naturally, don't bother tracking them individually.
For the right use cases, this is brilliant. For the wrong ones, it's a disaster.
Where Vault PKI Excels
Microservices and service mesh. If you're running hundreds of services that need to authenticate to each other, issuing individual long-lived certificates is operationally impossible. Vault PKI with cert-manager or Consul Connect gives each service short-lived identity certificates that rotate automatically.
CI/CD pipelines. Build processes that need to sign artifacts, authenticate to services, or establish secure connections. Issue a certificate at pipeline start, use it for the build, let it expire. No certificate management overhead.
Development and staging environments. Engineers who need certificates for local development or testing. Generate what you need, throw it away when done. Stop sharing long-lived certificates across teams.
Zero-trust network architectures. When every connection must be authenticated and encrypted, you need certificates everywhere. Vault PKI scales to the volume that zero-trust requires.
Kubernetes native workloads. With cert-manager integration, Vault PKI provides certificates to pods automatically. Certificates rotate transparently. Applications don't need to know about certificate management.
Where Vault PKI Falls Short
Long-lived certificates. TLS certificates for public-facing websites, certificates embedded in IoT devices, certificates that partners expect to remain valid for a year. Vault PKI can issue these, but it's not designed for them. You lose the ephemeral-certificate security model without gaining management capabilities.
Hybrid and legacy environments. Vault PKI assumes everything can call an API. Mainframes, legacy applications, network appliances, third-party SaaS — they can't. You'll end up with a parallel certificate management process for everything that doesn't fit the Vault model.
Audit and compliance. Regulated industries often require certificate inventory, lifecycle tracking, and renewal evidence. Vault PKI's philosophy is "certificates are ephemeral, don't track them." That conflicts with compliance requirements that assume certificates are managed assets.
Discovery. Vault knows what it issued. It doesn't know about certificates from your Windows CA, your public CA relationships, that EJBCA instance someone set up in 2019, or the certificates your AWS services generate. Certificate visibility requires more than a single issuance point.
Operational intelligence. Vault tells you what certificates exist. It doesn't tell you which services depend on them, what breaks if they fail, or how they relate to your infrastructure topology. That's metadata Vault doesn't have.
Vault PKI with HSM Integration
For enterprises that need hardware-backed key protection, Vault supports HSM integration through its managed keys feature.
Options:
- PKCS#11: Connect Vault to on-premises HSMs like Thales Luna or Entrust nShield. Root and intermediate CA keys are generated and stored in the HSM; Vault handles certificate operations.
- Cloud KMS: AWS KMS, Azure Key Vault, GCP Cloud KMS. Key material stays in the cloud provider's HSM infrastructure. Useful for cloud-native deployments where on-prem HSMs don't make sense.
- Vault Enterprise HSM seal: Not the same as PKI HSM integration, but relevant. Enterprise Vault can use HSMs for auto-unseal and data encryption. Defence in depth.
The HSM consideration:
HSM integration adds operational complexity. You need HSM infrastructure, network connectivity, failover planning, and staff who understand both Vault and HSM operations. The security benefit is real, but so is the operational cost.
For ephemeral certificates with 24-hour lifetimes, HSM-backed keys may be overkill. For intermediate CAs issuing certificates across your enterprise, HSM protection is often required by policy.
HashiCorp Vault Certificate Management at Scale
Vault PKI handles issuance volume well. The secrets engine can generate thousands of certificates per minute. That's not usually the bottleneck.
What does become a bottleneck:
CA hierarchy management. Most enterprises end up with multiple Vault PKI mounts: one for production, one for staging, one for that team that wanted their own namespace. Managing multiple CA hierarchies, cross-signing, and trust relationships requires planning that Vault doesn't enforce.
Namespace sprawl. Vault Enterprise namespaces are powerful for multi-tenancy. They're also powerful for creating certificate silos that nobody has visibility across. "Each team manages their own PKI mount" sounds like autonomy; it often becomes chaos.
ACME integration. Vault supports the ACME protocol (RFC 8555) for automated certificate issuance. This is useful for compatibility with tools that expect Let's Encrypt-style flows. But ACME in Vault still requires Vault infrastructure; it's not a replacement for public CA automation.
Operational visibility. Vault's audit logs tell you what API calls happened. They don't tell you about certificate expiration risk, renewal patterns, or infrastructure dependencies. You need additional tooling to turn Vault activity into operational intelligence.
The Vault PKI Decision Framework
Use Vault PKI as your primary certificate infrastructure if:
- Your estate is predominantly Kubernetes/containerised workloads
- You have engineering capacity to build and maintain Vault infrastructure
- Your compliance requirements accept ephemeral certificate models
- You're willing to solve discovery and management separately
Use Vault PKI as one component in a broader strategy if:
- You have hybrid infrastructure with legacy systems
- You need certificate visibility across multiple issuance sources
- Compliance requires certificate lifecycle tracking
- You want operational intelligence, not just issuance automation
Reconsider Vault PKI if:
- You're treating it as a management platform rather than an issuance engine
- You're issuing long-lived certificates and tracking them manually anyway
- You have no visibility into certificates outside Vault
- Your teams are building spreadsheets to track Vault-issued certificates
How 3AM Works with Vault PKI
Vault PKI is often one of several certificate sources in enterprise environments. You might have Vault for microservices, Windows CA for internal infrastructure, DigiCert for public TLS, and AWS Certificate Manager for cloud-native services.
3AM provides the unified visibility and operational intelligence layer:
- Discovery across sources: See certificates from Vault PKI alongside everything else. Single inventory, regardless of issuance origin.
- Dependency mapping: Understand which services use which certificates, including Vault-issued ones. Know what breaks if something fails.
- Policy consistency: Apply governance policies across Vault and non-Vault certificates. Consistent profiles, consistent compliance posture.
- Operational intelligence: Predictive analytics, anomaly detection, and infrastructure understanding that Vault doesn't provide.
Vault PKI remains your issuance engine for dynamic certificates. 3AM provides the operational layer that makes the whole estate manageable.
Calculate Your Certificate Costs
Whether you're using Vault PKI or evaluating it, understand your real certificate operations costs first. The hidden labour, the firefighting, the engineering time that isn't building products.
See Your Complete Certificate Estate
Vault shows you what Vault issued. 3AM shows you everything. Four weeks to complete visibility, no disruption to existing workflows.