Difficulty: beginner
Estimated Time: 5 minutes


HashiCorp Vault's PKI secret engine generates dynamic X.509 certificates. With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and Certificate Signing Request (CSR), submitting to a Certificate Authority (CA), and waiting for a verification and signing process to complete. Vault's build-in authentication and authorization mechanisms provide the verification functionality.

In this tutorial, we’ll be setting up Vault to act as an intermediate CA to issue certificates specific to the Example application.

This lab demonstrates the following:

  • Write

You learned the vault CLI commands to interact with the cubbyhole secret engines.

  • Wrote secrets in Cubbyhole
  • Created a new token for apps which was wrapped
  • Unwrapped the wrapped token and tested its permissions


Don’t stop now! The next scenario will only take about 10 minutes to complete.

Vault Secret Engines - PKI

Step 1 of 3

Getting Started

Enter the following command to start the Vault server in development mode.

Click on the command () will automatically copy it into the terminal and execute it.

vault server -dev -dev-root-token-id="root"

Scroll up the Terminal to locate the following output:

==> Vault server configuration:

             Api Address:
                     Cgo: disabled
         Cluster Address:
              Listener 1: tcp (addr: "", cluster address: "", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v0.10.2
             Version Sha: 3ee0802ed08cb7f4046c2151ec4671a076b76166

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

When Vault is running in development mode, it runs entirely in-memory that the data does not get persisted. This build-in, pre-configured server is useful for local development, testing and exploration.

Login with root token

Click the + next to the opened Terminal, and select Open New Terminal.

New Terminal

In the Terminal 2, set the VAULT_ADDR environment variable:

export VAULT_ADDR=''

Login with the generated root token.

vault login root

Now, you are ready to write some secrets!