X509 Certs with Vault/Rabbitmq


Having a play with vault and rabbitmq and was wondering if anyone could answer a question…

Both are TLS (letsencrypt) to secure coms to the platforms from client and between each other. I am using AppRole to identify a bunch of client machines, which have associated policies to acquire short-lived tokens from vault which are used to get short-lived credentials on rabbitmq. This works well.

The next stage could be to use client side certificates which I can use to prove identity but not sure how this would help in practise.

I could setup a PKI with vault and then issue short-lived client certificates. Which I can verify prior to any comms. I can rotate these on each client machine with consul template from the vault. But what does this actually buy me over just not bothering with client certificates? As at the moment I can prove a devices id via the approle secret-id which I can also revoke to remove there permissions. So not entirely sure how it helps or why I should them in this case…

Any comments?