Hashicorp's Vault PKI Management

I am interested how do you setup and manage Vault cluster TLS certificates/keys. For me it seems to be a big chicken-egg problem.

For example; if you have in a private cloud 3 instances acting as Vault servers and 10 instances that have Vault Agents, those Vault Agents need a TLS connection to the servers. So where do the 3 servers get their certificates in the first place, how do you get the crts and keys into agents instance and how would you manage it’s life cycle?

Are you using Vault to do the initial setup and manage it’s own Certificates life cycle or you manage it outside the Vault ecosystem with something like Anisble and Openssl?

Hi @kingindanord; this question seems specific to Vault but has been posted in the Nomad topic. I would suggest posting this to the Vault specific topic as it will garner response from people with much better expertise in this area. If this question is related to Nomad, could you clarify this so I can better understand and respond.

Thanks,
jrasell and the Nomad team