PKI - Short lived certificates & distribution

Hey guys,

Within Build Your Own Certificate Authority (CA) and the pki secrets engine, there's the recommendation to "Keep certificate lifetimes short to align with Vault's philosophy of short-lived secrets."

To this end, can I get some clarification on the best approach for distributing certificates? The article falls a bit short on approaches for this.
I.e., in the given example we generate a 24h certificate.

Let's take nginx as a sample; the server will source its certificates from /etc/ssl.
What is the mechanism that should be distributing these certificates? I.e.:

  • Is there some part within the base OS or the nginx daemon that should be requesting these certificates?
  • Should another process on the target machine be requesting the certificates? I.e., by using a token that has enough privileges to request from Vault.
  • Is this something that's usually handled with Terraform?
  • Should an orchestrator such as Chef automation, or a build runner on TeamCity, be doing the job of updating the certificates each day?

I assume in the last scenario, we’d use AppRole to deploy?

As you’ve already determined, there are several ways in which this can be accomplished.

A couple of the options that I would investigate are Vault Agent or VaultBot.

VaultBot, based on Certbot, is purpose-built to retrieve and update certs on web servers. Vault Agent, on the other hand, is more general purpose and can retrieve any supported secret type in Vault, drop it in a file, and optionally run a command at the end. Vault Agent is built into the normal Vault binary and leverages HCL for configuration; the templating feature (where to write the secrets) may be a little tricky to sort out at first, at least it was for me.

In any case you’d need to set up an appropriate authentication mechanism for your server. I recommend using the cloud-native options first (e.g. AWS, Kube, etc.) and fall back to AppRole if you have no other viable option or you’re using a shared service that you want to further segment access.


You can use Consul Template to deploy the certificates.

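For the setup the two replies above describe (Vault Agent or Consul Template authenticating on the server's behalf, issuing a 24h certificate from the PKI engine, writing it under /etc/ssl and reloading nginx), here is a Vault Agent configuration in HCL. It is an added example, not from the original thread, the tutorial, or HashiCorp's own docs. The Vault address, the `pki_int` mount and `example-dot-com` role, the common name, the file paths and the `nginx` service name are all assumptions; AppRole is used because the poster is on-prem without a cloud identity to authenticate with.

```hcl
# Vault Agent configuration (added example; address, mount, role, paths
# and service name are assumed values, not from the thread).

vault {
  address = "https://vault.example.internal:8200"   # assumed on-prem Vault
}

# Agent authenticates for the server. With no cloud identity available,
# AppRole is used: role_id is shipped with the config, secret_id is delivered
# once by the provisioner and deleted after its first read.
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/etc/vault-agent/role_id"
      secret_id_file_path                 = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }

  # Keep the resulting token on tmpfs; nothing else on the box needs it.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}

# Issue a 24h leaf cert from the intermediate CA's role and render cert,
# issuing CA and key into ONE bundle. Rendering all three from a single
# template block guarantees the key and certificate come from the same
# issue call; separate template blocks would each issue their own cert.
template {
  contents = <<EOT
{{ with secret "pki_int/issue/example-dot-com" "common_name=web.example.com" "ttl=24h" -}}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{ .Data.private_key }}
{{- end }}
EOT
  destination = "/etc/ssl/web.example.com.pem"
  perms       = "0600"                    # bundle contains the private key
  command     = "systemctl reload nginx"  # runs after every (re)render
}
```

Run it as a service next to nginx with `vault agent -config=/etc/vault-agent/agent.hcl`; nginx can point both `ssl_certificate` and `ssl_certificate_key` at the bundle, since OpenSSL skips PEM blocks of the wrong type when loading each. Agent tracks the certificate's expiry and re-renders (and reloads nginx) before the 24h runs out, so nothing else on the host needs Vault credentials. The AppRole's policy needs `update` on `pki_int/issue/example-dot-com` and nothing more. The same `template` block works unchanged under Consul Template, which shares the templating engine, with the token supplied via its `vault` stanza instead of `auto_auth`; note that the `secret` function issues a fresh certificate on every agent start, and newer releases add a `pkiCert` template function that reuses the rendered certificate until it nears expiry.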

Perfect! Exactly what I needed, it’s often just knowing the names of these tools.
Both look like good options.

It's an on-prem deploy, so I'm without much of the scaffolding of cloud orchestrators. But good to know best practices for the future.