Project Name

Legacy CA Replaced With Vault PKI, 3 Days to 30 Seconds

Industry
Manufacturing
Technology
HashiCorp Vault, Vault PKI Secrets Engine, ACME Protocol, cert-manager, Kubernetes, Prometheus

Client Overview

A global manufacturer with 10,000+ employees across multiple continents ran a just-in-time manufacturing environment where hundreds of services, IoT devices, and Kubernetes clusters generated certificate requests daily. Every request required a manual ticket and up to three days to process. Expired certificates caused shop-floor outages. Teams deployed shadow self-signed certificates to bypass the bottleneck. The legacy CA was end-of-life with no API automation. Applying its AI-First approach, Ksolves deployed HashiCorp Vault PKI as a modern intermediate CA, replacing the manual workflow with zero-touch certificate automation that issues in under 30 seconds and auto-renews before expiration.

Key Challenges
  • Three-Day Certificate Issuance Cycle: Every TLS certificate required a manual ticket, tiered approvals, and human review - averaging three days. Engineers waited longer for a certificate than it took to deploy the service.
  • Repeated Expiry Outages: With no automated renewal and thousands of certificates in motion, expiration dates were routinely missed. Expired certificates caused service failures and unplanned shop-floor downtime.
  • Shadow Self-Signed Certificates: Teams deployed self-signed certificates to bypass the slow process. Security had zero visibility into these, creating an uncontrolled trust boundary that contradicted compliance requirements.
  • No Centralised Certificate Inventory: The legacy CA offered no view of issued certificates, expiry dates, or ownership. Audits required weeks of manual spreadsheet reconciliation across dozens of teams.
  • Legacy CA at End-of-Life: The incumbent CA had reached end-of-support, lacked API-driven automation, and could not integrate with Kubernetes-native tools.
  • Compliance and Audit Exposure: The manual, fragmented approach made it nearly impossible to demonstrate consistent certificate lifecycle governance during audits.
Our Solution

Ksolves deployed HashiCorp Vault's PKI Secrets Engine as a modern internal intermediate CA. The governing principle was zero-touch renewal: every certificate auto-renews before expiration and every certificate is tracked from a single pane. ACME protocol support enables Kubernetes-native tools and device fleets to request certificates without human intervention.

  • Vault PKI Secrets Engine as Intermediate CA: Vault was configured as a subordinate CA chained to the organisation's root, giving programmatic certificate issuance via REST API and CLI. Every service, pod, and device requests a short-lived certificate in under 30 seconds with no ticket required.
  • ACME Protocol Integration: The ACME endpoint was enabled within Vault, so cert-manager in the Kubernetes clusters automatically requests, renews, and rotates certificates for ingress controllers, service meshes, and workload identities.
  • Cert-manager for Kubernetes Lifecycle: cert-manager was deployed across the Kubernetes fleet with ClusterIssuer resources pointing to the Vault ACME endpoint. Every certificate is provisioned declaratively, renewed automatically, and rotated without an application restart.
  • Unified Certificate Dashboard and Audit Trail: Vault audit logging, Prometheus metrics, and a centralised dashboard give the security team real-time visibility into every certificate, issuer, expiry, and owner. Audit evidence is available instantly rather than in weeks.
  • Policy-as-Code Governance: Vault roles and policies enforce issuance constraints (maximum TTL, allowed domains, key types), ensuring automated requests comply with corporate standards without manual gates.
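As an added example, not the client's or Ksolves' configuration: a small Python model of the policy-as-code check that a Vault PKI role applies to each automated request, using the Vault role parameter names (allowed_domains, allow_subdomains, allow_wildcard_certificates, max_ttl, key_type, key_bits) and showing why a request shaped like the old shadow self-signed certificates (wildcard name, ten-year TTL, weak RSA key) is refused while a short-lived workload certificate passes. The domain, role values and requests are constructed placeholders, and the enforcement logic is a simplified model rather than Vault's implementation.

```python
import re
from dataclasses import dataclass
from datetime import timedelta

def parse_duration(text):
    """Parse a Vault-style duration such as '30s', '24h' or '90d' into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)])

@dataclass(frozen=True)
class PkiRole:
    """Constraint classes named like Vault PKI role parameters; enforcement below is a simplified model."""
    allowed_domains: tuple
    allow_subdomains: bool
    allow_wildcard_certificates: bool
    max_ttl: str
    key_type: str
    key_bits: int  # minimum accepted key size for a submitted request

@dataclass(frozen=True)
class CertRequest:
    names: tuple  # CN plus DNS SANs
    ttl: str
    key_type: str
    key_bits: int

def _name_allowed(name, role):
    if name.startswith("*."):
        if not role.allow_wildcard_certificates:
            return False
        name = name[2:]
    return any(name == d or (role.allow_subdomains and name.endswith("." + d))
               for d in role.allowed_domains)
def check_request(req, role):
    """Return the list of policy violations; an empty list means the role would issue."""
    problems = [f"name not allowed by role: {n}" for n in req.names if not _name_allowed(n, role)]
    if parse_duration(req.ttl) > parse_duration(role.max_ttl):
        problems.append(f"ttl {req.ttl} exceeds max_ttl {role.max_ttl}")
    if req.key_type != role.key_type:
        problems.append(f"key_type {req.key_type} not permitted, role allows {role.key_type}")
    elif req.key_bits < role.key_bits:
        problems.append(f"key_bits {req.key_bits} below role minimum {role.key_bits}")
    return problems

# Constructed sample role and requests; the domain is a placeholder, not the client's.
WORKLOAD_ROLE = PkiRole(("plant.example.internal",), True, False, "72h", "ec", 256)
GOOD_REQUEST = CertRequest(("press-line-07.plant.example.internal",), "24h", "ec", 256)
SHADOW_LIKE = CertRequest(("*.plant.example.internal", "localhost"), "3650d", "rsa", 1024)
```

Running `check_request(SHADOW_LIKE, WORKLOAD_ROLE)` lists four violations (two names, TTL, key type), which is the visibility a ticket queue never gave the security team.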

Technology Stack

Category        Technology
Security        HashiCorp Vault
Security        PKI Secrets Engine
Automation      ACME Protocol
Orchestration   cert-manager

Results
  • Certificate Issuance Cut From 3 Days to 30 Seconds: Vault API and ACME deliver certificates in under 30 seconds, a 99.7% reduction from the 72-hour manual ticketing workflow.
  • Expiry Outages Eliminated: Automated renewal via cert-manager has produced zero expiry-related outages since deployment. Shop-floor systems no longer go dark from missed renewals.
  • Shadow Certificates Eliminated: Vault's centralised inventory provides complete visibility. Shadow self-signed certificates were systematically migrated to the managed PKI, closing the uncontrolled trust boundary.
  • Audit Readiness Transformed: Real-time certificate inventory replaces weeks of manual spreadsheet reconciliation. Compliance evidence available as a dashboard export from day one.
  • Full Certificate Visibility Achieved: The centralised dashboard tracks every certificate with its expiry and owner, giving the security team proactive renewal management and governance confidence for the first time.
Data Flow Diagram
Conclusion

A global manufacturer whose legacy CA required three days per certificate, causing shop-floor outages, shadow certificate proliferation, and weeks of audit reconciliation, was transformed into a zero-touch PKI operation through Ksolves DevOps consulting services. Vault PKI, ACME, and cert-manager replaced the manual workflow entirely. Issuance dropped from three days to 30 seconds, expiry outages were eliminated, shadow certificates were retired, and real-time visibility across the entire enterprise certificate estate was achieved for the first time.
