Devoured - May 01, 2026
Bridging the trust gap: Unified public CA orchestration with IBM Vault (4 minute read)

DevOps

IBM Vault Enterprise now automates public certificate authority workflows alongside private PKI, eliminating manual renewal processes that cause outages when certificates expire unexpectedly.

What: Vault Enterprise added native integration with public certificate authorities (Let's Encrypt, DigiCert, GlobalSign, Sectigo) over the ACME protocol, so teams can request, renew, and revoke both internal and publicly trusted certificates through a single API and governance framework instead of juggling separate CA portals.
Why it matters: Most organizations have automated their internal certificates but still manage public-facing ones by hand through external CA portals. That dual-track setup means a missed renewal takes down a website or API, governance policy is split across tools, and compliance audits are fragmented across systems.
Takeaway: Check the PKI external CA feature documentation to configure public CA integrations in your Vault deployment, or use the updated Terraform Vault provider to automate the setup.
Deep dive
  • The core problem is the "public trust boundary": Vault automated internal PKI, but public certificates were still requested by hand through CA portals, which broke the automation pipeline at exactly the certificates that customers see
  • Manual certificate management is a leading cause of avoidable outages: an expired public certificate takes customer-facing services down the moment the renewal is missed
  • Organizations were forced into split governance, one tool for private certs and separate systems for public certs, which made a single security policy and a complete audit trail, both of which compliance standards expect, nearly impossible
  • The integration uses ACME as a vendor-agnostic interface, with Vault acting as a central proxy that holds the upstream CA credentials (ACME account keys and any CA API credentials) so they never need to live on individual hosts
  • The current implementation supports the HTTP-01 challenge for domain validation (proving control by serving a CA-issued token at a well-known URL over plain HTTP on port 80, so the CA must be able to reach the host), with DNS-01 support planned, which public CAs require for wildcard certificates
  • Vault Agent handles the orchestration between Vault and the public CA, including the domain validation step
  • Supports both CSR-based workflows (you generate the key pair and Vault forwards the CSR, so private keys never leave your infrastructure) and identifier-based workflows (you supply only the domain names, the ACME identifiers, and Vault generates the key pair) for faster issuance
  • Teams can now configure CA integrations, request/download public certificates via Vault API/CLI/UI, manually trigger renewals, and instantly revoke compromised certificates all within Vault
  • The Terraform Vault provider has been updated to fully automate setup and management of public CA integrations as code
  • This unifies the entire certificate lifecycle under "a single pane of glass" with consistent APIs, centralized expiration tracking, and unified audit trails across all certificate types
Decoder
  • PKI (Public Key Infrastructure): System for creating, managing, and revoking digital certificates and their public-private key pairs; it binds identities to public keys so that parties can authenticate each other and set up encrypted channels
  • X.509 certificates: Standard format for digital certificates used in TLS to prove that a public key belongs to a named server or client; the certificate itself authenticates the key, and the TLS key exchange then derives the keys that encrypt the connection
  • Public CA: Certificate authority trusted by browsers and operating systems (Let's Encrypt, DigiCert), so its certificates are accepted by external users' clients, unlike private CAs, which are trusted only inside an organization
  • ACME (Automated Certificate Management Environment): Protocol that automates requesting certificates from a CA by proving control of each domain name through challenges
  • HTTP-01 challenge: Domain validation method where you prove control by serving a CA-issued token at a specific URL under /.well-known/acme-challenge/ on your domain, fetched by the CA over plain HTTP on port 80
  • DNS-01 challenge: Alternative validation method using a DNS TXT record, required by public CAs for wildcard certificates covering multiple subdomains
  • CSR (Certificate Signing Request): Message containing your public key and the requested names, signed with the matching private key to prove possession, that you send to a CA to obtain a certificate; the private key stays on your infrastructure
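The HTTP-01 exchange described in the deep dive and in the Decoder entries above, worked through as an added Python example (this is not code from the article or from Vault): it computes the key authorization a client must publish, the token joined to the RFC 7638 thumbprint of the ACME account key, and the check the CA performs when it fetches the well-known URL (RFC 8555 section 8.3). The account key, the token, the domain name and the in-memory "web server" are constructed placeholders, not real values.

```python
"""Worked ACME HTTP-01 challenge (added example, not Vault's code).

Shows the client-side key authorization (RFC 8555 s8.1, RFC 7638 thumbprint)
and the CA-side validation fetch (RFC 8555 s8.3).  All inputs are constructed.
"""
import base64
import hashlib
import json
import re
import secrets
from typing import Callable, Dict

# ACME tokens are base64url without padding and carry >= 128 bits of entropy.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: keep only the required public members for the key type,
    serialise them with lexicographically sorted keys and no whitespace,
    then SHA-256 and base64url the digest.  'alg', 'kid' etc. are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def new_token() -> str:
    """The CA chooses the challenge token: 256 random bits, base64url."""
    return b64url(secrets.token_bytes(32))


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """What the client must serve: token '.' thumbprint(account key).
    Binding the token to the account key means someone who merely sees the
    token cannot complete the challenge for a different ACME account."""
    if not TOKEN_RE.match(token):
        raise ValueError("token must be base64url, unpadded, >= 128 bits")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the CA will request on port 80 of the domain."""
    return f"/.well-known/acme-challenge/{token}"


def validate_http01(fetch: Callable[[str, str], str], domain: str,
                    token: str, account_jwk: Dict[str, str]) -> bool:
    """CA side: fetch the well-known path and compare the body (trailing
    whitespace ignored, per RFC 8555) with the key authorization the CA
    recomputes from the account key it has on file.  Any fetch error fails."""
    expected = key_authorization(token, account_jwk)
    try:
        body = fetch(domain, challenge_path(token))
    except Exception:
        return False
    return body.rstrip() == expected


# Constructed placeholder account key: the JWK members are filler bytes, not a
# real RSA key.  A real client exports these from its ACME account key pair.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256),
               "alg": "RS256", "kid": "acct-1"}


def demo() -> bool:
    """One full round: CA issues a token, the client publishes the key
    authorization, the CA validates; then a different account key (an
    attacker who saw the token) tries the same challenge and must fail."""
    token = new_token()
    served: Dict[str, str] = {}  # stands in for the web server's document root
    served[challenge_path(token)] = key_authorization(token, ACCOUNT_JWK) + "\n"

    def fetch(domain: str, path: str) -> str:
        # Constructed in-memory fetch; a real CA does a plain HTTP GET here.
        if domain != "www.example.com" or path not in served:
            raise LookupError("404")
        return served[path]

    ok = validate_http01(fetch, "www.example.com", token, ACCOUNT_JWK)
    other_jwk = dict(ACCOUNT_JWK, n=b64url(b"\x02" * 256))
    hijack = validate_http01(fetch, "www.example.com", token, other_jwk)
    return ok and not hijack


if __name__ == "__main__":
    print("HTTP-01 round trip:", "ok" if demo() else "FAILED")
```

Because the key authorization depends on the account key, whoever holds the ACME account key controls issuance for every name it has validated. Keeping that key in one place, as the article describes Vault doing for upstream CA credentials, means the individual web hosts only have to answer the well-known path and never hold the secret that authorises issuance.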
Original article

Vault Enterprise now integrates public certificate authorities via ACME, unifying private and public PKI workflows to eliminate manual processes, reduce outage risk, and centralize governance while enabling automated issuance, renewal, and revocation through a single platform.