Stay organized with collections
Save and categorize content based on your preferences.
Use Hashicorp Vault CA with CA Service
Hashicorp Vault lets you
manage and store secrets on-premises. This page provides information about
how you can configure Hashicorp Vault CA to act as a proxy that forwards all
certificate issuance requests to Certificate Authority Service. This configuration allows a
currently deployed solution to work natively with CA Service.
The Vault plugin for CA Service
issues certificates through Hashicorp Vault by generating the private key and
certificate signing request (CSR), or by receiving a user-provided CSR. The
plugin doesn't perform create and delete CA operations, or manage other aspects
of the certificate authority (CA) lifecycle.
At a high level, the plugin acts as a proxy to issue certificates.
Using the Vault plugin has the following advantages:
Administrators can use a familiar workflow and the existing access-control
list (ACL) permissions in the Vault.
The administrator can define who gets to request certificates and what
specifications and limits those certificates have.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eHashicorp Vault can be configured to proxy certificate issuance requests to Certificate Authority Service.\u003c/p\u003e\n"],["\u003cp\u003eThe Vault plugin for CA Service issues certificates through Hashicorp Vault, either by generating the private key and CSR or using a user-provided CSR.\u003c/p\u003e\n"],["\u003cp\u003eThe plugin acts as a proxy for certificate issuance but does not manage CA operations like creation or deletion.\u003c/p\u003e\n"],["\u003cp\u003eAdministrators can manage certificate requests and permissions using Vault's existing workflows and ACL permissions.\u003c/p\u003e\n"],["\u003cp\u003eThe Vault plugin does not retain any generated public or private keys, making it the certificate requester's responsibility to store them.\u003c/p\u003e\n"]]],[],null,["# Use Hashicorp Vault CA with CA Service\n======================================\n\n| This page contains a sample provided for demonstration purposes. Google does not officially support this sample. Carefully evaluate any solution before deploying it in your production environment.\n\n[Hashicorp Vault](https://www.vaultproject.io/) lets you\nmanage and store secrets on-premises. This page provides information about\nhow you can configure Hashicorp Vault CA to act as a proxy that forwards all\ncertificate issuance requests to Certificate Authority Service. This configuration allows a\ncurrently deployed solution to work natively with CA Service.\n\nThe [Vault plugin for CA Service](https://github.com/googlecloudplatform/vault-plugin-secrets-gcppca)\nissues certificates through Hashicorp Vault by generating the private key and\ncertificate signing request (CSR), or by receiving a user-provided CSR. The\nplugin doesn't perform create and delete CA operations, or manage other aspects\nof the certificate authority (CA) lifecycle.\n\nAt a high level, the plugin acts as a proxy to issue certificates.\n| **Note:** The Vault plugin doesn't retain any public or private key that is generated during certificate issuance. The certificate requester should retain the certificate and keys that the Vault plugin generates.\n\nUsing the Vault plugin has the following advantages:\n\n- Administrators can use a familiar workflow and the existing access-control list (ACL) permissions in the Vault.\n- The administrator can define who gets to request certificates and what specifications and limits those certificates have.\n\nFor more information about setting up and using the plugin, see the [README:\nVault Plugin for CA Service](https://github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca/blob/master/README.md).\n\nWhat's next\n-----------\n\n- [GitHub: Vault Plugin for CA Service](https://github.com/googlecloudplatform/vault-plugin-secrets-gcppca)\n- [Hashicorp Vault documentation](https://www.vaultproject.io/docs)"]]
