Does external CA integration still store issuer credentials locally?

We might have the use case, that secrets of specific types are only allowed to be stored within systems with a appropriate “protection class”, thus not inside the Kubernetes cluster. An example for such a secret would be the issuer cert’s private-key.

  1. If we use Vault as a CA, can it issue certificates for the services directly / independently, or does it require to copy issuer credentials into a Kubernetes Secret?

  2. If we use ACM Private CA as a CA, can t issue certificates for the services directly / independently, or does it require to copy issuer credentials into a Kubernetes Secret?