The Charm Store will undergo scheduled database maintenance on July 5, 2026 22:00 to July 6, 02:00 UTC. During this time, you may be unable to access charm and bundle metadata or publish updates. No user action is required and services will automatically resume once maintenance is complete.

Vault

Platform:

Channel Revision Published Runs on
latest/edge 89 31 Jan 2024
Ubuntu 22.04 Ubuntu 20.04
latest/edge 9 27 Jan 2023
Ubuntu 22.04 Ubuntu 20.04
1.16/stable 502 20 Feb 2026
Ubuntu 22.04
1.16/candidate 502 19 Feb 2026
Ubuntu 22.04
1.16/beta 502 19 Feb 2026
Ubuntu 22.04
1.16/edge 502 19 Feb 2026
Ubuntu 22.04
2.0/candidate 565 01 Jul 2026
Ubuntu 24.04
2.0/beta 565 23 Jun 2026
Ubuntu 24.04
2.0/edge 571 03 Jul 2026
Ubuntu 24.04
2.0/edge 570 02 Jul 2026
Ubuntu 24.04
2.0/edge 569 02 Jul 2026
Ubuntu 24.04
1.19/stable 528 21 Apr 2026
Ubuntu 24.04
1.19/candidate 528 03 Apr 2026
Ubuntu 24.04
1.19/beta 528 03 Apr 2026
Ubuntu 24.04
1.19/edge 544 04 May 2026
Ubuntu 24.04
1.19/edge 543 04 May 2026
Ubuntu 24.04
1.18/stable 534 01 Jul 2026
Ubuntu 24.04
1.18/candidate 534 01 Jul 2026
Ubuntu 24.04
1.18/beta 534 01 Jul 2026
Ubuntu 24.04
1.18/edge 534 09 Apr 2026
Ubuntu 24.04
1.17/stable 354 11 Apr 2025
Ubuntu 24.04
1.17/candidate 354 11 Apr 2025
Ubuntu 24.04
1.17/beta 383 14 Jul 2025
Ubuntu 24.04
1.17/edge 491 12 Jan 2026
Ubuntu 24.04
1.15/stable 248 24 Jul 2024
Ubuntu 22.04
1.15/candidate 248 24 Jul 2024
Ubuntu 22.04
1.15/beta 248 24 Jul 2024
Ubuntu 22.04
1.15/edge 248 10 Jul 2024
Ubuntu 22.04
juju deploy vault-k8s --channel 1.19/stable

Use Vault as an intermediate CA

In this how-to guide, we will configure Vault to act as an intermediate Certificate Authority (CA) using Vault’s PKI secrets engine. Here self-signed-certificates will be the parent CA and tls-certificates-requirer will be the charm requesting a certificate to Vault.

The certificates issued by Vault will have a validity period that is half of its intermediate CA’s, which is determined by the root provider’s configuration, in this case, the self-signed certificates.

  1. Configure Vault’s common name

Vault PKI will only allow issuing certificates for the subdomains of the common_name configured here, it will reject any requests using differnt domains in their subject.

juju config vault common_name=mydomain.com
  1. Deploy the parent CA
juju deploy self-signed-certificates --channel 1/stable
  1. Integrate Vault with its parent CA
juju integrate vault:tls-certificates-pki self-signed-certificates
  1. Deploy tls-certificates-requirer

The common name must be a subdomain of the Vault common name

juju deploy tls-certificates-requirer --config common_name=demo.mydomain.com  --config sans_dns=demo.mydomain.com
  1. Integrate TLS Certificates Requirer with Vault
juju integrate tls-certificates-requirer vault:vault-pki
  1. Retrieve the certificate
juju run tls-certificates-requirer/leader get-certificate

Help improve this document in the forum (guidelines). Last updated 1 year, 3 months ago.