In modern enterprises, security is only as strong as its weakest link. For most organizations, that link is often the manual, fragmented process of managing X.509 certificates. While HashiCorp Vault (now IBM Vault) has long been the gold standard for automating internal PKI (public key infrastructure), a significant hurdle remained: the "public trust" boundary.
Today, we are excited to announce a major expansion of Vault Enterprise’s PKI capabilities. You can now integrate and orchestrate public certificate authorities (CAs) directly within Vault, providing a single, automated workflow for every certificate your organization needs — whether it’s for an internal microservice or a customer-facing website.
»The pain of fragmented certificate management
Many organizations have successfully automated their internal workflows using Vault’s private PKI. However, when a service requires a certificate trusted by external browsers or public networks, the automation stops. This creates a "dual-track" management problem that introduces several critical pain points:
• Operational overhead: Without native public CA integration, teams must step outside their automated pipelines to manually request, renew, and revoke certificates via external CA portals. This human intervention is the primary cause of errors and missed renewals.
• The "outage clock": Every manual certificate is a ticking clock. Fragmented management means you lack a central view of expiration dates across different providers, leading to unexpected downtime when a public-facing API or website certificate expires.
• Siloed governance: Organizations are forced to split governance between one tool for private certs and another for public certs. This inconsistency makes it nearly impossible to enforce unified security policies or maintain a complete audit trail for compliance standards like NIST, PCI DSS, or SOC 2.
• Limited external utility: Private CAs are excellent for internal trust, but they don't work for customer-facing services. Relying on separate tools for public trust limits Vault’s utility in hybrid and multi-cloud scenarios where external trust is a hard requirement.
»A single pane of glass for PKI
Enterprises are looking for a way to centralize the entire certificate lifecycle. Our new public CA integration does exactly that. By acting as a central proxy, Vault now securely manages upstream CA credentials and orchestrates the complex validation challenges required for public issuance.
This feature allows your development teams to request publicly trusted certificates using the same Vault APIs and workflows they already use for private ones. The result? A centralized, automated approach that removes manual silos and provides a unified "single pane of glass" view of your organization's entire certificate footprint.
»How it works: Orchestrating public trust
This new integration leverages the ACME (Automated Certificate Management Environment) protocol to provide a vendor-agnostic interface for public CA orchestration.
»Native integration with leading CAs
Vault now supports native integration with the most prominent public certificate authorities, allowing you to centralize credentials and automate workflows for:
● Let’s Encrypt
● DigiCert
● GlobalSign (beta)
● Sectigo (beta)
»Orchestration via Vault agent
The Vault agent has been updated to act as the primary orchestrator. It manages communication between Vault and the public CA, handling the heavy lifting of domain validation.
In this initial release, we are implementing support for the HTTP-01 challenge. This means Vault can automate the process of proving domain ownership by serving a specific token over HTTP. For teams managing diverse infrastructures, we are also working to add DNS-01 challenge support in the very near future to handle wildcard certificates and non-web-accessible environments.
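To make the HTTP-01 step concrete, here is an added illustration (not Vault's or Vault Agent's code) of what the orchestrator must publish and what the CA checks, per RFC 8555 and RFC 7638: the account key, token and modulus bytes below are constructed sample values.

```python
"""ACME HTTP-01 key authorization: what the agent serves, what the CA verifies.
Constructed sample values; this is an illustration, not Vault Agent's code."""
import base64
import hashlib
import json
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet only


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* JWK members only,
    serialized in lexicographic key order with no whitespace. Extra members
    such as "alg" or "kid" must not influence the value."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the agent serves at http://<domain>/.well-known/acme-challenge/<token>.
    The token becomes a URL path component, so reject anything outside the
    base64url alphabet before using it."""
    if not TOKEN_RE.match(token):
        raise ValueError("ACME token contains characters outside base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_validates(served_body: str, token: str, account_jwk: dict) -> bool:
    """The CA's check after fetching the challenge URL: the body must equal the
    key authorization bound to *this* account key, so a response copied from
    another account (or a stale token) does not validate."""
    return served_body.strip() == key_authorization(token, account_jwk)


# Constructed ACME account public key (JWK form); not a real key.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"\x01" * 32 + b"constructed-modulus-bytes"),
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token

if __name__ == "__main__":
    body = key_authorization(TOKEN, ACCOUNT_JWK)
    print(f"serve at /.well-known/acme-challenge/{TOKEN}:\n{body}")
    print("CA check:", ca_validates(body, TOKEN, ACCOUNT_JWK))
```

The DNS-01 variant the post says is coming differs only in transport: the same key authorization, hashed once more with SHA-256 and base64url-encoded, is published as a TXT record at `_acme-challenge.<domain>` instead of over HTTP.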
[Figure: CSR workflow with Vault Agent]
»Streamlined workflows
The integration supports both secure CSR-based workflows (where the private key never leaves your infrastructure) and flexible identifier-based workflows for rapid issuance.
»What you can do today
With this new feature, your security and platform teams can perform the following tasks directly within the Vault ecosystem:
● Set up integrations: Easily configure secure connections with your desired public CA using native Vault configuration.
● Request and download: Dev teams can request public certificates via the Vault API, CLI, or UI and download them immediately upon issuance.
● Manual renewal: Maintain control by manually triggering renewals for public certificates through the Vault interface.
● Revocation: Instantly revoke public certificates created via Vault if a compromise is suspected, ensuring your external security posture is always up to date.
● Leverage the Terraform Vault provider: Fully automate the setup and management of these public CA integrations using the updated Terraform Vault provider.
»Conclusion: Taking control of the lifecycle
The goal of Vault Enterprise has always been to simplify the complex. By bringing public CA management into the Vault ecosystem, we are eliminating the manual friction that has long plagued security teams. You no longer have to choose between automation and public trust — with Vault, you can have both.
Whether you are a technical decision-maker looking to reduce the risk of outages or a practitioner aiming to automate manual portal logins, this new integration provides the tools you need for a truly modern, end-to-end PKI strategy.
To learn more, check out the PKI external CA feature documentation. You can also learn more about great new Vault 2.0 features in the release blog.