Hashicorp Vault is a popular tool for encryption services and secrets management. The Vault is available both as open source and Enterprise versions. It can be deployed as a container in any cloud environment. The Vault allows applications to generate certificates on demand using the Vault REST API and EJBCA can be configured to be the PKI that issues those certificates. If you are using Vault for secrets management this integration enables you to streamline your certificate services for all your needs met by Vault, including TLS certificates for secure communication between your applications in your cloud environment.
Setting up a new PKI infrastructure for every application need is not recommended.
- Managing several PKI software will make your security infrastructure complex and involve manual processes.
- Implementing a consistent security policy across your certificate use cases will be impossible.
- Potentially sprawling PKI infrastructures make monitoring for security, compliance and expiration hard.
- Accelerating administration costs and potential security problems because of limited or lack of control will be the end result.
With EJBCA you can implement centralized control and harmonized security policies for all your PKI services including the Hashicorp Vault. EJBCA is multi-tenant and allows multiple stakeholders and use cases to securely co-exist and create and manage one or several CA hierarchies in one single installation of the software. In addition, EJBCA Enterprise provides the capability of serving both small-scale and larger implementations with millions of users or devices in high availability environments without compromising on security.
The EJBCA integration with Hashicorp Vault can be used to:
- Fully replace all existing PKIs including the built-in Vault CA. This enables a central, compliant and monitored PKI, for issuance to all applications including those with secrets managed using Vault.
- Issue a Subordinate CA in the Vault, from a Root CA in EJBCA. This enables control of the Subordinate CA from the central corporate PKI. In addition, the EJBCA integration can be configured to monitor certificates issued from the Subordinate Vault CA.
Read more about the EJBCA plugin to Hashicorp Vault and other resources on PrimeKey Doc. Including such as sample Ansible playbooks and best practices, available to ease your implementation of certificate services for your applications that are already levering the Vault features.