HashiCorp Vault provides a central place to secure, store, and control access to sensitive data, including secrets management and protection of tokens, passwords, certificates, and encryption keys. It takes a dynamic-secret approach to X.509 public key infrastructure (PKI) certificates: short-lived certificates are generated on demand and rotated automatically. To have Vault manage PKI certificates with self-signed and offline root certificate authorities (CAs), enable the PKI secrets engine at the `pki/` path with `$ vault secrets enable pki`. The validity period of issued certificates is bounded by the global maximum time-to-live (TTL) configured for the secrets engine.

A CA hierarchy (a root CA with one or more intermediate CAs beneath it) is recommended so that the root CA stays protected; each intermediate CA issues leaf certificates to applications and services. Each PKI secrets engine needs a URL configuration for its certificate revocation list (CRL) distribution points and Online Certificate Status Protocol (OCSP) server endpoints. To generate certificates, clients must request them through a Vault role, which defines the conditions under which a certificate can be issued. Roles are created with `$ vault write pki/roles/<name>`, and templates are used to extract values from the `pki/issue` endpoint response.

Vault Agent authenticates to Vault with an AppRole role ID and secret ID, retrieves the certificate material, and writes it to the files defined by the template `source` and `destination` directives. Vault Agent renews certificates at half the lease duration of the original, providing a secure and centralized way to manage certificate rotation and revocation.
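The Vault Agent flow described above, as an added example that is not from the original page or from HashiCorp's documentation: AppRole authentication plus a template that renders a certificate from `pki/issue`. The role name `web-server`, the `/etc/vault-agent` and `/etc/ssl/app` paths, the common name and the 24h TTL are assumptions; `contents` inlines what a `source` file would otherwise hold.

```hcl
# Added example (not from the original page). Assumed values: the
# "web-server" PKI role, the /etc/vault-agent and /etc/ssl/app paths,
# the common name app.example.internal and the 24h TTL.
pid_file = "/var/run/vault-agent.pid"

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # AppRole login: role ID and secret ID are read from files the
  # deployment tooling places on the host.
  method "approle" {
    config = {
      role_id_file_path                   = "/etc/vault-agent/role_id"
      secret_id_file_path                 = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = false
    }
  }
  # The resulting token is written here for local tooling.
  sink "file" {
    config = {
      path = "/etc/vault-agent/token"
    }
  }
}

template {
  # One template, one pki/issue call: certificate, issuing CA and private
  # key come from the same response. Separate templates for the cert and
  # the key would each trigger a new issuance and produce a mismatched pair.
  contents    = <<-EOT
    {{- with secret "pki/issue/web-server" "common_name=app.example.internal" "ttl=24h" -}}
    {{ .Data.certificate }}
    {{ .Data.issuing_ca }}
    {{ .Data.private_key }}
    {{- end -}}
  EOT
  destination = "/etc/ssl/app/bundle.pem"
  perms       = "0600"
  # Reload the consumer after each renewal (Agent re-renders at half the lease).
  command     = "systemctl reload nginx"
}
```

Because the private key is written alongside the certificate, the `perms` setting and the ownership of `/etc/ssl/app` decide who can read it; the 24h TTL must also fit within the role's and engine's maximum TTL or the issue call is rejected.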