Vault as server certificate storage for TLS protocol

Any idea on how to modify OpenSSL to use Vault as the storage for the server certificate? I also looked up for a vault-tls-helper kind of plugin on the internet but no joy.

Any direction will be greatly appreciated.


Hi @kanelandry,

I’m not quite sure if I got your question right, but it is indeed possible to store certificates inside Vault’s KV secret engine. Remember to encode your certificates with Base64 before you store them to avoid any potential character misbehavior.


Hello @michelvocks,

Thanks for your feedback. I’m aware of the use of Vault as a certificate storage. What I’m looking for more specifically is the set of configuration and changes that I have to make in OpenSSL in order for it to call Vault during the server certificate lookup of the TLS protocol.

Hi @kanelandry,

Never heard of that use-case. Most people automate their TLS certificate deployment, which is triggered regularly. What would be the use-case behind this?


Hey @kanelandry, I haven’t heard of any OpenSSL plugins for Vault. Have you considered something like using consul-template to write the keys to a tmpfs directory and keep them up to date and then signal your application to reload when the keys are updated? I believe that would be the more common pattern.
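
The consul-template pattern suggested above, as an added example that is not from anyone in this thread: one config file that renders a certificate and its key from a KV v2 secret into a tmpfs directory and reloads the service when the secret changes. The Vault address, the secret path `secret/tls/server` with base64-encoded `cert` and `key` fields, the `/run/tls` tmpfs mount and the `systemctl reload myapp` command are all assumptions.

```hcl
# consul-template configuration (added example, not from the thread).
# Assumptions: Vault at https://vault.example.com:8200, a KV v2 secret at
# secret/tls/server with base64-encoded fields "cert" and "key", /run/tls
# mounted as tmpfs, and an application reloaded via "systemctl reload myapp".
vault {
  address     = "https://vault.example.com:8200"
  # Token comes from the VAULT_TOKEN environment variable (or Vault Agent);
  # never put a token in this file.
  renew_token = true
}

# Certificate: KV v2 data lives under .Data.data; base64Decode undoes the
# encoding recommended earlier in the thread.
template {
  destination = "/run/tls/server.crt"
  perms       = 0644
  contents    = "{{ with secret \"secret/data/tls/server\" }}{{ .Data.data.cert | base64Decode }}{{ end }}"
}

# Private key: written 0600 so only the service account can read it; the
# reload command runs only after a changed secret has been rendered.
template {
  destination = "/run/tls/server.key"
  perms       = 0600
  contents    = "{{ with secret \"secret/data/tls/server\" }}{{ .Data.data.key | base64Decode }}{{ end }}"
  command     = "systemctl reload myapp"
}
```

Run it as a daemon with `consul-template -config /etc/consul-template/tls.hcl`. Note that the key still exists on the server while it is in use (in tmpfs and in the process memory), so this limits exposure to local users rather than removing the key from the host.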


The use-case is that I have a server A that is frequently communicating with another server B over TLS but the TLS certificate’s private key is stored on A. I want to protect the key from insiders who have access to A. So the solution I had in mind to achieve it was to store the key in Vault and configure TLS to use it when needed.

I’m not aware of consul-template, but after reading these articles, it seems like consul-template is a daemon that is used to manage secrets of application servers at scale using config templates, which might help me fix my problem. However, I couldn’t find any consul-template for OpenSSL servers. Do you have any idea where I can get it?