BlogSecrets
Short-lived TLS certificates from Vault PKI
Run an internal CA in Vault and issue certs that live for hours, not years — rotation becomes a non-event.
Long-lived TLS certificates are a liability: they leak, they expire at the worst time, and rotating them is a project. Run Vault as an internal CA and issue certificates that live for hours. Rotation stops being an event because everything already re-fetches constantly.
Mount the PKI engine
bash
vault secrets enable pkivault secrets tune -max-lease-ttl=87600h pkivault write pki/root/generate/internal \common_name="Acme Internal CA" ttl=87600h
A role with a short max TTL
bash
vault write pki/roles/internal \allowed_domains="svc.acme.internal" \allow_subdomains=true \max_ttl=24h
Issue a certificate
vault write pki/issue/internal common_name=api.svc.acme.internal ttl=1hcertificate -----BEGIN CERTIFICATE-----private_key -----BEGIN PRIVATE KEY-----expiration in 1 hour — fetched fresh, no rotation dramaShort TTL is the security
A stolen 1-hour cert is worthless within the hour. Pair with Vault Agent or cert-manager (vault issuer) so workloads renew automatically.