Understanding the integration

Backend plugins in Vault are essentially separate, standalone applications that Vault executes and communicates with over RPC. Each backend plugin acts as a server and exposes certain API endpoints, which Vault then interacts with.

The Sectigo Vault PKI plugin is a custom secrets backend plugin which makes use of the Sectigo REST API to send HTTP requests to SCM. The plugin exposes its own API endpoints which each correspond to a specific path that builds on top of a starting base path prefix. In this guide, the path prefix sectigo-vault-pki is used.

You can rename this path prefix when you mount the Sectigo Vault PKI plugin into your Vault server.

Components

The Sectigo HashiCorp Vault integration is based on the component Sectigo Vault PKI Plugin, which integrates with Vault and mediates the interaction between the user, Vault, and the Sectigo REST API.

Path endpoints

The Sectigo Vault PKI plugin exposes several paths that users can interact with. Different paths are defined for different use cases. Depending on the applicable functionality, each path accepts different input parameters.

The following table lists all the paths that are supported by the Sectigo Vault PKI plugin and displays the operations that are supported by each path. Sample CLI commands can be found in Using the Vault CLI.

Path Operation

Path	Operation
Write	Read	List	Delete
`configs`	✓	✓	✓	✓
`enroll`	✓
`certs`		✓	✓	✓
`revoke`	✓
`replace`	✓
`renew`	✓
`fetch`	✓
`profile`	✓	✓	✓	✓

Write

Read

List

Delete

configs

✓

enroll

✓

certs

✓

revoke

✓

replace

✓

renew

✓

fetch

✓

profile

✓

You can retrieve in-code API help for each individual path in Vault by using the built-in path-help CLI command. For more information on path-help, see Vault documentation.

To enroll and manage certificates on Vault through SCM, users must first create a config entry in Vault. This config entry may be used for downloading certificate profiles, and for enrolling and managing multiple certificates that correspond to the same SCM configuration. The following diagram illustrates a typical certificate enrollment scenario using the Sectigo Vault PKI plugin.