1. Home
  2. /
  3. Use EJBCA PKI with HashiCorp Vault

Use EJBCA PKI with HashiCorp Vault

Deploy a three-node Vault cluster and configure the ejbca-vault-pki-engine plugin to issue certificates from EJBCA through Vault.

Logotype HashiCorp Vault

Secure management of secrets and protection of sensitive data with HashiCorp Vault

HashiCorp Vault is a tool for managing sensitive information such as API keys, passwords, and certificates. It offers a unified interface for accessing any secret and includes access control and audit log functionality. 

Engineers who are looking for a unified solution can benefit from the integration of EJBCA and HashiCorp Vault. The solution simplifies certificate issuance by providing a single CA/PKI platform for multiple needs and ensuring consistent security policies to comply with regulatory standards.

How to get started

In this tutorial, you will learn how to deploy the EJBCA Vault plugin in a highly available (HA) HashiCorp Vault deployment. You will learn how to create a role in EJBCA for the EJBCA Vault plugin and understand how easy it is to issue certificates from EJBCA.

Here are the steps:

  1. Create keys, and CSR’s to request certs from EJBCA for the HashiCorp Vault EJBCA plugin​
  2. Configure EJBCA for the HashiCorp Vault EJBCA plugin​
  3. Issue TLS & RA certificates for HashiCorp Vault EJBCA plugin deployment​
  4. Deploy HashiCorp Vault with the EJBCA plugin​
  5. Configure the EJBCA Plugin to issue certificates from EJBCA


Before you begin, you need Kubernetes running in the background. To download and install, refer to the YouTube Tutorials to Install MicroK8s and deploy the EJBCA container.

You also need a running EJBCA instance with an active Certificate Authority (CA) in EJBCA, certificate and end-entity profiles, and roles configured. To learn how to configure a certificate profile template and CA-defined default values, see the tutorial Create a PKI Hierarchy in EJBCA.

Additionally, you should have a basic understanding of how to use the Kubernetes command line tool kubectl.




Check out the supplementary documentation that goes hand-in-hand with our tutorial video.

Docker Hub

Get your hands on the EJBCA Docker container by downloading it now.


Take a peek at our tutorial video on YouTube, and browse through some of our other videos as well.

EJBCA PKI Vault plugin 

You find the EJBCA PKI Secrets Engine for HashiCorp Vault on GitHub together with some additional documentation


You can ask your questions and learn from PKI specialists in the EJBCA forum on GitHub Discussions.