Does Vault support two CA intermediates to sign two different environment certs?

There are multiple non-production environments, such as DEV, TEST, QA, SIT, PKG, and if we want to manage a separate CA for each environment to sign certs, should we set up a separate vault cluster for each environment?

Is there any way that we can manage all these CA in the same vault cluster?

Hi @deveshmehta

This is a really good question. You won’t need separate clusters; you just need to mount the PKI secrets engine at a different path for each CA.

So for example you could run the following to manage a CA for dev:

vault secrets enable -path=dev-pki pki

Then the test environment CA would be:

vault secrets enable -path=test-pki pki

and the same for the rest of your environments.

I hope this helps
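The per-environment mounts described in the answer, carried through to a working setup as an added example (not code from the original post or from HashiCorp). It assumes `VAULT_ADDR` and `VAULT_TOKEN` are exported for a token allowed to manage secrets engines; the environment list, the `*.example.internal` domains, the `server` role name and the TTLs are constructed for illustration. It also adds the check a practitioner would want: a leaf issued by one environment's mount must not verify against another environment's CA, which is what makes the mounts separate trust domains rather than one CA under several names.

```shell
#!/bin/sh
# Added example (not from the original post or HashiCorp): one PKI mount per
# environment in a single Vault cluster. Assumes VAULT_ADDR and VAULT_TOKEN are
# exported; environment names, domains, role name and TTLs are constructed.
set -eu

# Mount path convention from the answer: <env>-pki. Reject names that would
# alter the mount (a '/' would nest the engine under another path).
pki_path() {
  case "$1" in
    ''|*[!a-z0-9_-]*) echo "invalid environment name: '$1'" >&2; return 1 ;;
  esac
  printf '%s-pki\n' "$1"
}

# Mount a PKI engine for one environment, generate its own self-signed root,
# publish issuing/CRL URLs under that mount and create a server-cert role.
setup_env_ca() {
  envname="$1"; domain="$2"
  path=$(pki_path "$envname")
  vault secrets enable -path="$path" pki
  vault secrets tune -max-lease-ttl=87600h "$path"
  vault write -field=certificate "$path/root/generate/internal" \
    common_name="$envname root CA" ttl=87600h >/dev/null
  vault write "$path/config/urls" \
    issuing_certificates="$VAULT_ADDR/v1/$path/ca" \
    crl_distribution_points="$VAULT_ADDR/v1/$path/crl"
  vault write "$path/roles/server" \
    allowed_domains="$domain" allow_subdomains=true max_ttl=72h
}

# Issue a leaf certificate from one environment's CA (PEM on stdout).
issue_cert() {
  vault write -field=certificate "$(pki_path "$1")/issue/server" \
    common_name="$2" ttl=24h
}

# Fetch an environment's CA certificate (PEM on stdout).
ca_cert() {
  vault read -field=certificate "$(pki_path "$1")/cert/ca"
}

# A leaf issued by environment $2 must NOT verify against the CA of
# environment $1: each mount is an independent trust root.
check_isolation() {
  ca_cert "$1" > "/tmp/$1-ca.pem"
  issue_cert "$2" "app.$2.example.internal" > "/tmp/$2-leaf.pem"
  if openssl verify -CAfile "/tmp/$1-ca.pem" "/tmp/$2-leaf.pem" >/dev/null 2>&1; then
    echo "unexpected: $2 leaf verified against $1 CA" >&2; return 1
  fi
  echo "ok: $2 leaf does not chain to $1 CA"
}

# Talk to Vault only when explicitly asked:  sh pki-envs.sh apply
if [ "${1:-}" = "apply" ]; then
  for e in dev test qa sit pkg; do
    setup_env_ca "$e" "$e.example.internal"
  done
  check_isolation dev test
fi
```

Run it with `apply` against a dev-mode server to see the five mounts appear in `vault secrets list`. Because every mount has its own root, policies can grant each team `update` on only its own `<env>-pki/issue/*` path, so a DEV credential cannot mint certificates that production-adjacent environments trust; if you prefer one offline root, generate an intermediate CSR from each mount (`<env>-pki/intermediate/generate/internal`) and sign it externally, and the mount layout stays the same.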