π Issues, signs and revokes x509 certificates
π Reads ACME certs written by acmevault (e.g. issued by LetsEncrypt)
β Reads the CA / CA chain of a PKI
π Reads the CRL of a PKI
π Supports DER and PEM formats
β° Automatically renews certificates based on its lifetime
π Authenticate against Vault using Kubernetes, AppRole, (explicit) token or implicit auth
π Supports multiple sinks: Kubernetes, plain files, in-memory
π» Runs effortlessly both on your workstation's CLI via command line flags or automated via systemd and config files on your server
π Provides metrics to increase observability for robust automation
mTLS is a strong and proven authentication mechanism and vault-pki-cli deals with some of its challenges
| mTLS challenges | How vault-pki-cli can help |
|---|---|
| Certificate Management | Dramatically removes complexity for issuing, renewing, and revoking certificates and downloading CRLs |
| Key Distribution | Safely distributes certificates using Vault's API |
| Revocation Challenges | Revocation is easy and can be performed automatically |
| Key Storage | Observability and automation allows for short-lived certificates to limit the blast-radius of compromised certificates |
| Certificate Expiration | Unless Vault is down, certificates are automatically renewed after a user-defined threshold passes |
$ docker run ghcr.io/soerenschneider/vault-pki-cli:mainHead over to the prebuilt binaries and download the correct binary for your system.
As a prerequesite, you need to have Golang SDK installed. After that, you can install vault-pki-cli from source by invoking:
$ go install github.com/soerenschneider/vault-pki-cli@latest
The full changelog can be found here