Comparison
Vault is a capable secrets infrastructure. CertLocker is focused on operational trust workflows: certificates, ACME delivery, secrets, just-in-time host access, endpoint verification, and audit evidence.

| Feature | CertLocker | HashiCorp Vault |
|---|---|---|
| Certificate issuance (acts as CA) | ✗ Vault storage and ACME delivery only | ✓ (PKI engine) |
| Stores certs from any CA | ✓ | ✓ |
| ACME delivery to HAProxy, IIS, any client | ✓ via Gateway | ✗ Manual or custom |
| Automated renewal via ACME clients | ✓ ACME endpoint | ⚠ Requires custom integration |
| Just-in-time SSH access | ✓ Built-in | ✓ SSH secrets engine |
| Self-hosted option | Coming soon | ✓ |
| Managed SaaS | ✓ | ✓ HCP Vault (paid) |
| Operational complexity | 🟢 Low | 🔴 High — cluster management required |
| Setup time | 🟢 Minutes | 🔴 Hours to days |
| License cost | TBD | BSL (changed from MPL 2.0) |
| Audit log | ✓ | ✓ |

Vault is a serious piece of infrastructure. A production Vault cluster requires an HA setup, a storage backend (etcd, Consul, or Integrated Storage using Raft), an unseal strategy, DR replication, and ongoing maintenance. That's before you've written a single certificate policy.
For teams that already run Vault for secrets management, adding PKI makes sense — the operational cost is already paid. For teams that only need certificate management, adopting Vault means paying the full operational cost for one use case.
CertLocker is purpose-built for certificate operations, operational secrets, scoped access, and SSH workflows. It does not try to replace every Vault use case. That focus means faster setup for infrastructure trust work, less operational overhead, and an ACME delivery layer that Vault's PKI engine does not include — HAProxy, IIS, and any ACME-compatible client can pull certificates directly from the CertLocker Gateway.
Further reading: How to replace HashiCorp Vault for certificate management
Bring certificate delivery, secrets, JIT host access, endpoint verification, and audit into one focused workflow.