The CACert utility prepares and manages the certificate that the Vault will use to create a secure channel to a client, so that users can authenticate to the third party securely. After the CACert utility has run, a log file is created which contains details about the process that was carried out.

  • Distributed Vault for session management only supports root certificates, and doesn't support using intermediate certificates.
  • The following procedures can be run without stopping the Vault. However, you must restart the Vault application to use the new certificate.

See Certificate requirements for detailed requirements.

The following procedures must be executed on each Vault Server, according to its configuration.


The configuration described below shows the recommended settings for most use cases. See below for all the CACert options.