Vault Certificate

A vault certificate is a digital certificate issued and stored by a secrets vault platform (HashiCorp Vault, CyberArk, Azure Key Vault) and used for machine authentication, TLS, code signing, or encryption, with lifecycle management (issuance, renewal, revocation) handled by the vault platform rather than by hand.

⚙️ How Does It Work?

Vault platforms act as intermediate CAs, issuing short-lived certificates on demand. An application requests a certificate via the vault's API, receives it with a defined TTL (e.g., 24 hours), and the vault handles renewal before that TTL lapses. There are no long-lived certificates to track or rotate manually.

📍 Where Is It Used?

Microservices needing mTLS, applications requiring client certificates, CI/CD pipelines needing code signing certificates.

💡 Real-World Example

A company uses HashiCorp Vault's PKI secrets engine to issue 24-hour TLS certificates to 200 microservices. Instead of managing 200 long-lived certificates manually, Vault issues them automatically on request. Because every certificate expires within 24 hours, a compromised certificate is usable for at most 24 hours, versus years with traditional static certificates.
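The request/response flow from "How Does It Work?" and the 24-hour exposure window from the example above, as an added illustration (not code from the original page or from HashiCorp). It builds the request to Vault's PKI issue endpoint, parses the shape of its response, and derives the renewal point and worst-case exposure from the returned expiration. The Vault address, role name, token, sample response body, and the two-thirds-of-lifetime renewal fraction are all assumptions constructed for this example.

```python
"""Added example: the Vault PKI issue flow and the TTL-bounded renewal policy.

Everything below that names a host, role, token or certificate body is
constructed for illustration (assumption), not taken from a real deployment.
"""
import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

VAULT_ADDR = "https://vault.example.internal:8200"  # assumed vault address
ROLE = "web-service"                                   # assumed PKI role name


@dataclass(frozen=True)
class IssuedCert:
    certificate: str
    private_key: str
    ca_chain: list
    serial_number: str
    expiration: datetime  # Vault returns this as a Unix timestamp


def build_issue_request(common_name: str, ttl: str, token: str) -> urllib.request.Request:
    """POST to /v1/<mount>/issue/<role>; 'pki' is the default mount path."""
    body = json.dumps({"common_name": common_name, "ttl": ttl}).encode()
    return urllib.request.Request(
        f"{VAULT_ADDR}/v1/pki/issue/{ROLE}",
        data=body,
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )


def parse_issue_response(payload: dict) -> IssuedCert:
    """Pull the fields an mTLS client needs out of the issue response."""
    data = payload["data"]
    return IssuedCert(
        certificate=data["certificate"],
        private_key=data["private_key"],
        ca_chain=list(data.get("ca_chain", [])),
        serial_number=data["serial_number"],
        expiration=datetime.fromtimestamp(data["expiration"], tz=timezone.utc),
    )


def renew_at(issued_at: datetime, cert: IssuedCert, fraction: float = 2 / 3) -> datetime:
    """Renewal point a fixed fraction into the lifetime (the 2/3 value is an assumption)."""
    return issued_at + (cert.expiration - issued_at) * fraction


def needs_renewal(now: datetime, issued_at: datetime, cert: IssuedCert) -> bool:
    """True once the renewal point has passed; the app should re-request a cert."""
    return now >= renew_at(issued_at, cert)


def max_exposure(issued_at: datetime, cert: IssuedCert) -> timedelta:
    """Worst-case window a leaked key stays usable without revocation: the TTL."""
    return cert.expiration - issued_at


def issue(common_name: str, ttl: str, token: str) -> IssuedCert:
    """Live call against Vault (network; not exercised offline)."""
    with urllib.request.urlopen(build_issue_request(common_name, ttl, token)) as resp:
        return parse_issue_response(json.load(resp))


# Constructed sample response, shaped like Vault's PKI issue output.
ISSUED_AT = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
PEM = "-----BEGIN CERTIFICATE-----\n...constructed...\n-----END CERTIFICATE-----"
SAMPLE_RESPONSE = {
    "data": {
        "certificate": PEM,
        "issuing_ca": PEM,
        "ca_chain": [PEM],
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...constructed...\n-----END RSA PRIVATE KEY-----",
        "private_key_type": "rsa",
        "serial_number": "3a:0f:constructed",
        "expiration": int((ISSUED_AT + timedelta(hours=24)).timestamp()),
    }
}

if __name__ == "__main__":
    cert = parse_issue_response(SAMPLE_RESPONSE)
    print("renew at:", renew_at(ISSUED_AT, cert).isoformat())
    print("max exposure:", max_exposure(ISSUED_AT, cert))
```

The renewal point sits well before expiry so that a slow vault or a failed request still leaves time to retry; if renewal fails repeatedly, the service loses its certificate at the TTL boundary, which is why monitoring renewal failures matters as much as the short TTL itself.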
