The Vault team is announcing the release candidate of Vault 1.14, as well as 1.13.3, 1.12.7, and 1.11.11.
Open-source binaries can be downloaded at [1, 2, 3, 4]. Enterprise binaries are available to customers as well.
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing firstname.lastname@example.org and do not use the public issue tracker. Our security policy and our PGP key can be found at .
The major features and improvements in the 1.14 release are:
- Vault PKI - ACME: Support for the ACME certificate lifecycle management protocol is now added to the Vault PKI plugin. Enables standard ACME clients, such as EFF’s certbot, CNCF’s k8s cert-manager etc., to request certificates from a Vault server without needing to know Vault APIs or auth mechanisms.
- Vault PKI - New UI: Revamped PKI UI goes live. Was released as beta in 1.13. Delivers superior user experience via UI in areas such as - workflows, metadata, issuer info, mount and tidy configuration, cross signing, multi-issuers etc.
- Agent Proxy Mode: Vault Agent’s proxy mode is now available as a separate command.
- Automated License Utilization Reporting: Added automated license utilization reporting, which sends minimal product-license metering data  to HashiCorp without requiring you to manually collect and report them.
- New UI Navigation: Implemented a new sidebar-based navigation system using the new HashiCorp Design System and re-organized some of the items in the nav to streamline HCPv <> Vault movement, remove UX challenges, make the system status clearer, and make features more discoverable.
- AWS Secrets Engine - Static Roles: The engine now supports creation of static roles to manage static credentials for AWS IAM users.
- MongoDB Atlas Database Engine - User X.509 Certificates: The engine now supports generating X.509 credentials for dynamic roles for client authentication against MongoDB instances in Atlas.
See the Changelog at  for the full list of improvements and bug fixes.
See the Feature Deprecation Notice and Plans page  for our upcoming feature deprecation plans.
Note: In Vault 1.14 we will stop publishing official Dockerhub images and publish only our Verified Publisher images. Users of Docker images should pull from “hashicorp/vault” instead of “vault”.
OSS  and Enterprise  Docker images will be available soon.
See  for general upgrade instructions, and  for upgrade instructions and known issues.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at .
We hope you enjoy Vault 1.14!
Sincerely, The Vault Team