Bridging the trust gap: Unified public CA orchestration with IBM Vault
Source: HashiCorp Blog
Introduction
In modern enterprises, security is only as strong as its weakest link. For most organizations, that link is often the manual, fragmented process of managing X.509 certificates. While HashiCorp Vault (now IBM Vault) has long been the gold standard for automating internal PKI (public key infrastructure), a significant hurdle remained: the public trust boundary.
Today, we are excited to announce a major expansion of Vault Enterprise’s PKI capabilities. You can now integrate and orchestrate public certificate authorities (CAs) directly within Vault, providing a single, automated workflow for every certificate your organization needs — whether it’s for an internal microservice or a customer‑facing website.
The pain of fragmented certificate management
Many organizations have successfully automated their internal workflows using Vault’s private PKI. However, when a service requires a certificate trusted by external browsers or public networks, the automation stops. This creates a dual‑track management problem that introduces several critical pain points:
- Operational overhead – Without native public CA integration, teams must step outside their automated pipelines to manually request, renew, and revoke certificates via external CA portals. Human intervention is the primary cause of errors and missed renewals.
- The “outage clock” – Every manual certificate is a ticking clock. Fragmented management means you lack a central view of expiration dates across different providers, leading to unexpected downtime when a public‑facing API or website certificate expires.
- Siloed governance – Organizations are forced to split governance between one tool for private certs and another for public certs. This inconsistency makes it nearly impossible to enforce unified security policies or maintain a complete audit trail for compliance standards like NIST, PCI DSS, or SOC2.
- Limited external utility – Private CAs are excellent for internal trust, but they don’t work for customer‑facing services. Relying on separate tools for public trust limits Vault’s utility in hybrid and multi‑cloud scenarios where external trust is a hard requirement.
A single pane of glass for PKI
Enterprises are looking for a way to centralize the entire certificate lifecycle. Our new public CA integration does exactly that. By acting as a central proxy, Vault now securely manages upstream CA credentials and orchestrates the complex validation challenges required for public issuance.
This feature allows development teams to request publicly trusted certificates using the same Vault APIs and workflows they already use for private ones. The result is a centralized, automated approach that removes manual silos and provides a unified “single pane of glass” view of your organization’s entire certificate footprint.
How it works: Orchestrating public trust
The integration leverages the ACME (Automated Certificate Management Environment) protocol to provide a vendor‑agnostic interface for public CA orchestration.
Native integration with leading CAs
Vault now supports native integration with the most prominent public certificate authorities, allowing you to centralize credentials and automate workflows for:
- Let’s Encrypt
- DigiCert
- GlobalSign (beta)
- Sectigo (beta)
Orchestration via Vault agent
The Vault agent has been updated to act as the primary orchestrator. It manages communication between Vault and the public CA, handling the heavy lifting of domain validation.
In this initial release, support for the HTTP‑01 challenge is available. Vault can automate the process of proving domain ownership by serving a specific token over HTTP. Support for the DNS‑01 challenge—required for wildcard certificates and non‑web‑accessible environments—is in development and will be added soon.
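As an added illustration of the HTTP‑01 exchange described above (example code, not from the page or from Vault agent itself): the client side computes the key authorization as RFC 8555 defines it and publishes it at the well‑known path, and the CA side fetches that path and compares it against its own computation. The account key is a constructed, deliberately tiny stand‑in, and a dict stands in for the HTTP responder.

```python
import base64
import hashlib
import json
import re

# Constructed stand-in for an ACME account public key in JWK form. The "n" value is
# far too short to be a real RSA modulus; it only exercises the algorithm.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "3l9KSkw4FiLz_ekNeyK0Pw"}

# RFC 8555 section 8.3: tokens are base64url only, no padding; reject anything else
# before it is used to build a filesystem or URL path.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token + "." + thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    if not TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url; refusing to publish it")
    return f"/.well-known/acme-challenge/{token}"


def publish_challenge(site: dict, token: str, jwk: dict) -> None:
    """Client side (the role Vault agent plays): serve the key authorization over plain HTTP."""
    site[challenge_path(token)] = key_authorization(token, jwk)


def validate_http01(site: dict, token: str, jwk: dict) -> bool:
    """CA side: fetch http://<domain>/.well-known/acme-challenge/<token> and compare.
    The spec tells the server to ignore trailing whitespace; anything else must match."""
    body = site.get(challenge_path(token))
    return body is not None and body.rstrip() == key_authorization(token, jwk)
```

Because the key authorization binds the token to the account key, a responder that serves the bare token, or one controlled by a different ACME account, fails validation.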
Streamlined workflows
The integration supports both:
- Secure CSR‑based workflows – the private key never leaves your infrastructure.
- Identifier‑based workflows – rapid issuance using simple identifiers.
What you can do today
With this new feature, security and platform teams can perform the following tasks directly within the Vault ecosystem:
- Set up integrations – configure secure connections with your desired public CA using native Vault configuration.
- Request and download – developers can request public certificates via the Vault API, CLI, or UI and download them immediately upon issuance.
- Manual renewal – trigger renewals for public certificates through the Vault interface when needed.
- Revocation – instantly revoke public certificates created via Vault if a compromise is suspected.
- Leverage the Terraform Vault provider – fully automate the setup and management of these public CA integrations using the updated Terraform provider.
Conclusion: Taking control of the lifecycle
The goal of Vault Enterprise has always been to simplify the complex. By bringing public CA management into the Vault ecosystem, we are eliminating the manual friction that has long plagued security teams. You no longer have to choose between automation and public trust — with Vault, you can have both.
Whether you are a technical decision‑maker looking to reduce the risk of outages or a practitioner aiming to automate manual portal logins, this new integration provides the tools you need for a truly modern, end‑to‑end PKI strategy.