Vault is an identity-based secrets and encryption management system. A secret is anything you want to tightly control access to, such as API encryption keys, passwords, or certificates. Vault provides encryption services that are gated by authentication and authorization methods. Secrets and other sensitive data can be securely stored and managed, access to them can be tightly controlled (restricted), and every access can be audited using Vault's UI, CLI, or HTTP API.
When using Vault's PKI secrets engine to generate dynamic X.509 certificates, an organization may require its private keys to be created and stored within PKCS#11 hardware security modules (HSMs) to meet regulatory requirements. The PKI secrets engine can be configured to keep the private key of an intermediate or root certificate authority (CA) in the HSM, so that the key material never leaves the device while Vault still issues and signs certificates with it.
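The configuration the paragraph describes, as an added example written for this page (it is not code from the Vault documentation or from HashiCorp). It registers a PKCS#11 HSM key as a Vault managed key, allows a PKI mount to use it, and generates a root CA whose private key stays in the HSM. Everything specific is an assumption: a `kms_library` stanza named `hsm` already present in the Vault server configuration, a mount path of `pki`, a managed key named `hsm-root-key`, the token and key labels, and the HSM PIN supplied through the `HSM_PIN` environment variable. `DRY_RUN=1` (the default) prints the CLI calls instead of executing them, so the sequence can be reviewed offline before it touches a real HSM.

```shell
#!/bin/sh
# Added example, not part of the Vault project: wire a PKCS#11 HSM key into the
# PKI secrets engine as a managed key. All names below are constructed
# placeholders; adjust them to your environment.

DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = run them
MANAGED_KEY_NAME="${MANAGED_KEY_NAME:-hsm-root-key}"
PKI_MOUNT="${PKI_MOUNT:-pki}"
HSM_LIBRARY_NAME="${HSM_LIBRARY_NAME:-hsm}"   # name of the kms_library stanza in the server config
HSM_TOKEN_LABEL="${HSM_TOKEN_LABEL:-vault-token}"
HSM_KEY_LABEL="${HSM_KEY_LABEL:-vault-root-ca}"

# run prints the command in dry-run mode and executes it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: register the HSM-backed managed key. The PIN comes from the
# environment rather than being typed into the command line, so it is not
# recorded in shell history. mechanism 0x0001 is CKM_RSA_PKCS;
# allow_generate_key lets Vault create the key pair inside the HSM when no
# object with that label exists yet.
register_managed_key() {
    run vault write "sys/managed-keys/pkcs11/${MANAGED_KEY_NAME}" \
        library="${HSM_LIBRARY_NAME}" \
        token_label="${HSM_TOKEN_LABEL}" \
        pin="${HSM_PIN:-<set HSM_PIN in the environment>}" \
        key_label="${HSM_KEY_LABEL}" \
        mechanism=0x0001 \
        key_bits=2048 \
        allow_generate_key=true
}

# Step 2: enable the PKI mount and restrict it to this managed key.
# allowed_managed_keys is the mount-level allow list; without it the PKI
# engine refuses to reference the key.
enable_pki_with_managed_key() {
    run vault secrets enable -path="${PKI_MOUNT}" pki
    run vault secrets tune -allowed-managed-keys="${MANAGED_KEY_NAME}" "${PKI_MOUNT}"
}

# Step 3: generate the root CA with type "kms", which tells the PKI engine
# to sign with the managed key instead of creating a software key.
generate_hsm_root_ca() {
    run vault write "${PKI_MOUNT}/root/generate/kms" \
        managed_key_name="${MANAGED_KEY_NAME}" \
        common_name="Example Root CA" \
        ttl=87600h
}

main() {
    register_managed_key
    enable_pki_with_managed_key
    generate_hsm_root_ca
}

# Run the full sequence only when executed directly, not when sourced.
case "$0" in
    *hsm_managed_key*) main ;;
esac
```

After the root is generated, `vault read pki/cert/ca` returns the certificate while the private key remains addressable only through the HSM, which is the property the regulatory requirement is after. Because the managed key endpoint is under `sys/`, writing it needs a root-level or equivalently privileged token, so register the key once from a controlled session and let the PKI mount use it through the allow list rather than granting operators access to `sys/managed-keys`.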