feat: add Vault PKI and DigiCert CertCentral issuer connectors (M32 + M37)

Vault PKI: synchronous issuance via /v1/{mount}/sign/{role}, token auth, revocation, CA cert retrieval, 14 tests. DigiCert CertCentral: async order model (submit → poll → download), X-DC-DEVKEY auth, OV/EV support, PEM bundle parsing, 16 tests. Both conditionally registered based on env vars. Includes OpenAPI enum updates, seed data, connector docs, architecture docs, README badges, and testing guide sign-off (Parts 38 + 39, 12 automated smoke test assertions all passing). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-14 19:58:55 +00:00 · 2026-03-30 17:19:46 -04:00
parent 6ef80be564
commit 078ba5ab7b
13 changed files with 2423 additions and 15 deletions
@@ -0,0 +1,372 @@
+// Package vault implements the issuer.Connector interface for HashiCorp Vault PKI
+// secrets engine.
+//
+// Vault PKI provides a full-featured private CA with certificate signing, revocation,
+// CRL, and OCSP capabilities. This connector uses the Vault HTTP API to sign CSRs
+// via the /v1/{mount}/sign/{role} endpoint, authenticated with a Vault token.
+//
+// Vault issues certificates synchronously (like step-ca), so GetOrderStatus always
+// returns "completed". CRL and OCSP are delegated to Vault's own endpoints.
+//
+// Authentication: Vault token via X-Vault-Token header.
+//
+// Vault API used:
+//
+//	GET  /v1/sys/health                      - Health check
+//	POST /v1/{mount}/sign/{role}             - Sign CSR
+//	POST /v1/{mount}/revoke                  - Revoke certificate
+//	GET  /v1/{mount}/ca/pem                  - Get CA certificate
+package vault
+
+import (
+	"bytes"
+	"context"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+)
+
+// Config represents the Vault PKI issuer connector configuration.
+type Config struct {
+	// Addr is the Vault server address (e.g., "https://vault.example.com:8200").
+	// Required. Set via CERTCTL_VAULT_ADDR environment variable.
+	Addr string `json:"addr"`
+
+	// Token is the Vault token for authentication.
+	// Required. Set via CERTCTL_VAULT_TOKEN environment variable.
+	Token string `json:"token"`
+
+	// Mount is the PKI secrets engine mount path.
+	// Default: "pki". Set via CERTCTL_VAULT_MOUNT environment variable.
+	Mount string `json:"mount"`
+
+	// Role is the PKI role name used for signing certificates.
+	// Required. Set via CERTCTL_VAULT_ROLE environment variable.
+	Role string `json:"role"`
+
+	// TTL is the requested certificate TTL (e.g., "8760h" for 1 year).
+	// Default: "8760h". Set via CERTCTL_VAULT_TTL environment variable.
+	TTL string `json:"ttl"`
+}
+
+// Connector implements the issuer.Connector interface for Vault PKI.
+type Connector struct {
+	config     *Config
+	logger     *slog.Logger
+	httpClient *http.Client
+}
+
+// New creates a new Vault PKI connector with the given configuration and logger.
+func New(config *Config, logger *slog.Logger) *Connector {
+	if config != nil {
+		if config.Mount == "" {
+			config.Mount = "pki"
+		}
+		if config.TTL == "" {
+			config.TTL = "8760h"
+		}
+	}
+
+	return &Connector{
+		config: config,
+		logger: logger,
+		httpClient: &http.Client{
+			Timeout: 30 * time.Second,
+		},
+	}
+}
+
+// vaultResponse is the standard Vault API response wrapper.
+type vaultResponse struct {
+	Data    json.RawMessage `json:"data"`
+	Errors  []string        `json:"errors,omitempty"`
+	Warnings []string       `json:"warnings,omitempty"`
+}
+
+// signData holds the data returned from the /sign endpoint.
+type signData struct {
+	Certificate  string   `json:"certificate"`
+	IssuingCA    string   `json:"issuing_ca"`
+	CAChain      []string `json:"ca_chain"`
+	SerialNumber string   `json:"serial_number"`
+	Expiration   int64    `json:"expiration"`
+}
+
+// ValidateConfig checks that the Vault configuration is valid and the server is reachable.
+func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
+	var cfg Config
+	if err := json.Unmarshal(rawConfig, &cfg); err != nil {
+		return fmt.Errorf("invalid Vault config: %w", err)
+	}
+
+	if cfg.Addr == "" {
+		return fmt.Errorf("Vault addr is required")
+	}
+
+	if cfg.Token == "" {
+		return fmt.Errorf("Vault token is required")
+	}
+
+	if cfg.Role == "" {
+		return fmt.Errorf("Vault role is required")
+	}
+
+	if cfg.Mount == "" {
+		cfg.Mount = "pki"
+	}
+	if cfg.TTL == "" {
+		cfg.TTL = "8760h"
+	}
+
+	// Health check
+	healthURL := cfg.Addr + "/v1/sys/health"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, healthURL, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create health check request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("Vault not reachable at %s: %w", cfg.Addr, err)
+	}
+	defer resp.Body.Close()
+
+	// Vault health returns 200 for initialized+unsealed, 429 for standby, 472 for DR secondary,
+	// 473 for perf standby, 501 for uninitialized, 503 for sealed
+	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusTooManyRequests {
+		return fmt.Errorf("Vault health check returned status %d", resp.StatusCode)
+	}
+
+	c.config = &cfg
+	c.logger.Info("Vault PKI configuration validated",
+		"addr", cfg.Addr,
+		"mount", cfg.Mount,
+		"role", cfg.Role)
+
+	return nil
+}
+
+// IssueCertificate submits a CSR to Vault PKI for signing.
+func (c *Connector) IssueCertificate(ctx context.Context, request issuer.IssuanceRequest) (*issuer.IssuanceResult, error) {
+	c.logger.Info("processing Vault PKI issuance request",
+		"common_name", request.CommonName,
+		"san_count", len(request.SANs))
+
+	// Build the sign request body
+	signBody := map[string]interface{}{
+		"csr":         request.CSRPEM,
+		"common_name": request.CommonName,
+		"ttl":         c.config.TTL,
+	}
+
+	if len(request.SANs) > 0 {
+		signBody["alt_names"] = strings.Join(request.SANs, ",")
+	}
+
+	body, err := json.Marshal(signBody)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal sign request: %w", err)
+	}
+
+	// POST /v1/{mount}/sign/{role}
+	signURL := fmt.Sprintf("%s/v1/%s/sign/%s", c.config.Addr, c.config.Mount, c.config.Role)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, signURL, bytes.NewReader(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sign request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Vault-Token", c.config.Token)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("Vault sign request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read sign response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		var vaultResp vaultResponse
+		if jsonErr := json.Unmarshal(respBody, &vaultResp); jsonErr == nil && len(vaultResp.Errors) > 0 {
+			return nil, fmt.Errorf("Vault sign returned status %d: %s", resp.StatusCode, strings.Join(vaultResp.Errors, "; "))
+		}
+		return nil, fmt.Errorf("Vault sign returned status %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	// Parse the Vault response
+	var vaultResp vaultResponse
+	if err := json.Unmarshal(respBody, &vaultResp); err != nil {
+		return nil, fmt.Errorf("failed to parse Vault response: %w", err)
+	}
+
+	var data signData
+	if err := json.Unmarshal(vaultResp.Data, &data); err != nil {
+		return nil, fmt.Errorf("failed to parse Vault sign data: %w", err)
+	}
+
+	if data.Certificate == "" {
+		return nil, fmt.Errorf("no certificate in Vault sign response")
+	}
+
+	// Parse the leaf certificate to extract metadata
+	certPEM := data.Certificate
+	block, _ := pem.Decode([]byte(certPEM))
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode certificate PEM from Vault")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate: %w", err)
+	}
+
+	// Build chain PEM from ca_chain or issuing_ca
+	var chainPEM string
+	if len(data.CAChain) > 0 {
+		chainPEM = strings.Join(data.CAChain, "\n")
+	} else if data.IssuingCA != "" {
+		chainPEM = data.IssuingCA
+	}
+
+	// Normalize serial: Vault uses colon-separated hex (e.g., "aa:bb:cc"), convert to plain string
+	serial := normalizeSerial(data.SerialNumber)
+
+	orderID := fmt.Sprintf("vault-%s", serial)
+
+	c.logger.Info("Vault PKI certificate issued",
+		"common_name", request.CommonName,
+		"serial", serial,
+		"not_after", cert.NotAfter)
+
+	return &issuer.IssuanceResult{
+		CertPEM:   certPEM,
+		ChainPEM:  chainPEM,
+		Serial:    serial,
+		NotBefore: cert.NotBefore,
+		NotAfter:  cert.NotAfter,
+		OrderID:   orderID,
+	}, nil
+}
+
+// RenewCertificate renews a certificate by creating a new signing request.
+// For Vault PKI, renewal is functionally identical to issuance (new cert signed from CSR).
+func (c *Connector) RenewCertificate(ctx context.Context, request issuer.RenewalRequest) (*issuer.IssuanceResult, error) {
+	c.logger.Info("processing Vault PKI renewal request",
+		"common_name", request.CommonName,
+		"san_count", len(request.SANs))
+
+	return c.IssueCertificate(ctx, issuer.IssuanceRequest{
+		CommonName: request.CommonName,
+		SANs:       request.SANs,
+		CSRPEM:     request.CSRPEM,
+		EKUs:       request.EKUs,
+	})
+}
+
+// RevokeCertificate revokes a certificate at Vault PKI.
+func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.RevocationRequest) error {
+	c.logger.Info("processing Vault PKI revocation request", "serial", request.Serial)
+
+	revokeBody := map[string]interface{}{
+		"serial_number": request.Serial,
+	}
+
+	body, err := json.Marshal(revokeBody)
+	if err != nil {
+		return fmt.Errorf("failed to marshal revoke request: %w", err)
+	}
+
+	revokeURL := fmt.Sprintf("%s/v1/%s/revoke", c.config.Addr, c.config.Mount)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, revokeURL, bytes.NewReader(body))
+	if err != nil {
+		return fmt.Errorf("failed to create revoke request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-Vault-Token", c.config.Token)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("Vault revoke request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		respBody, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("Vault revoke returned status %d: %s", resp.StatusCode, string(respBody))
+	}
+
+	c.logger.Info("Vault PKI certificate revoked", "serial", request.Serial)
+	return nil
+}
+
+// GetOrderStatus returns the status of a Vault PKI order.
+// Vault signs synchronously, so orders are always "completed" immediately.
+func (c *Connector) GetOrderStatus(ctx context.Context, orderID string) (*issuer.OrderStatus, error) {
+	return &issuer.OrderStatus{
+		OrderID:   orderID,
+		Status:    "completed",
+		UpdatedAt: time.Now(),
+	}, nil
+}
+
+// GenerateCRL is not supported because Vault serves CRL directly at /v1/{mount}/crl.
+func (c *Connector) GenerateCRL(ctx context.Context, revokedCerts []issuer.RevokedCertEntry) ([]byte, error) {
+	return nil, fmt.Errorf("Vault serves CRL directly at /v1/%s/crl; use Vault's endpoint", c.config.Mount)
+}
+
+// SignOCSPResponse is not supported because Vault serves OCSP directly at /v1/{mount}/ocsp.
+func (c *Connector) SignOCSPResponse(ctx context.Context, req issuer.OCSPSignRequest) ([]byte, error) {
+	return nil, fmt.Errorf("Vault serves OCSP directly at /v1/%s/ocsp; use Vault's endpoint", c.config.Mount)
+}
+
+// GetCACertPEM retrieves the CA certificate from Vault PKI.
+func (c *Connector) GetCACertPEM(ctx context.Context) (string, error) {
+	caURL := fmt.Sprintf("%s/v1/%s/ca/pem", c.config.Addr, c.config.Mount)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, caURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("failed to create CA cert request: %w", err)
+	}
+	req.Header.Set("X-Vault-Token", c.config.Token)
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("Vault CA cert request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("Vault CA cert returned status %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("failed to read CA cert response: %w", err)
+	}
+
+	return string(body), nil
+}
+
+// GetRenewalInfo returns nil, nil as Vault does not support ACME Renewal Information (ARI).
+func (c *Connector) GetRenewalInfo(ctx context.Context, certPEM string) (*issuer.RenewalInfoResult, error) {
+	return nil, nil
+}
+
+// normalizeSerial converts Vault's colon-separated hex serial (e.g., "aa:bb:cc:dd")
+// to a plain string representation suitable for storage.
+func normalizeSerial(serial string) string {
+	return strings.ReplaceAll(serial, ":", "-")
+}
+
+// Ensure Connector implements the issuer.Connector interface.
+var _ issuer.Connector = (*Connector)(nil)
@@ -0,0 +1,527 @@
+package vault_test
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"log/slog"
+	"math/big"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer"
+	"github.com/shankar0123/certctl/internal/connector/issuer/vault"
+)
+
+func TestVaultConnector(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	t.Run("ValidateConfig_Success", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == "/v1/sys/health" {
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"initialized":true,"sealed":false,"standby":false}`))
+				return
+			}
+			http.NotFound(w, r)
+		}))
+		defer srv.Close()
+
+		config := vault.Config{
+			Addr:  srv.URL,
+			Token: "s.test-token-12345",
+			Mount: "pki",
+			Role:  "web-certs",
+			TTL:   "8760h",
+		}
+
+		connector := vault.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err != nil {
+			t.Fatalf("ValidateConfig failed: %v", err)
+		}
+	})
+
+	t.Run("ValidateConfig_MissingAddr", func(t *testing.T) {
+		config := vault.Config{
+			Token: "s.test-token",
+			Role:  "web-certs",
+		}
+
+		connector := vault.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("Expected error for missing addr")
+		}
+		if !strings.Contains(err.Error(), "addr is required") {
+			t.Errorf("Expected addr required error, got: %v", err)
+		}
+	})
+
+	t.Run("ValidateConfig_MissingToken", func(t *testing.T) {
+		config := vault.Config{
+			Addr: "https://vault.example.com:8200",
+			Role: "web-certs",
+		}
+
+		connector := vault.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("Expected error for missing token")
+		}
+		if !strings.Contains(err.Error(), "token is required") {
+			t.Errorf("Expected token required error, got: %v", err)
+		}
+	})
+
+	t.Run("ValidateConfig_MissingRole", func(t *testing.T) {
+		config := vault.Config{
+			Addr:  "https://vault.example.com:8200",
+			Token: "s.test-token",
+		}
+
+		connector := vault.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("Expected error for missing role")
+		}
+		if !strings.Contains(err.Error(), "role is required") {
+			t.Errorf("Expected role required error, got: %v", err)
+		}
+	})
+
+	t.Run("ValidateConfig_UnreachableVault", func(t *testing.T) {
+		config := vault.Config{
+			Addr:  "http://localhost:19999",
+			Token: "s.test-token",
+			Role:  "web-certs",
+		}
+
+		connector := vault.New(nil, logger)
+		rawConfig, _ := json.Marshal(config)
+		err := connector.ValidateConfig(ctx, rawConfig)
+		if err == nil {
+			t.Fatal("Expected error for unreachable Vault")
+		}
+	})
+
+	t.Run("IssueCertificate_Success", func(t *testing.T) {
+		testCertPEM, _ := generateTestCert(t)
+
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/v1/sys/health":
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"initialized":true,"sealed":false}`))
+			case strings.HasPrefix(r.URL.Path, "/v1/pki/sign/"):
+				// Verify auth header
+				if r.Header.Get("X-Vault-Token") != "s.test-token" {
+					w.WriteHeader(http.StatusForbidden)
+					w.Write([]byte(`{"errors":["permission denied"]}`))
+					return
+				}
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				resp := fmt.Sprintf(`{
+					"data": {
+						"certificate": %q,
+						"issuing_ca": %q,
+						"ca_chain": [%q],
+						"serial_number": "aa:bb:cc:dd:ee:ff",
+						"expiration": 1893456000
+					}
+				}`, testCertPEM, testCertPEM, testCertPEM)
+				w.Write([]byte(resp))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &vault.Config{
+			Addr:  srv.URL,
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+			TTL:   "8760h",
+		}
+		connector := vault.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "app.example.com")
+
+		req := issuer.IssuanceRequest{
+			CommonName: "app.example.com",
+			SANs:       []string{"app.example.com", "www.example.com"},
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.IssueCertificate(ctx, req)
+		if err != nil {
+			t.Fatalf("IssueCertificate failed: %v", err)
+		}
+
+		if result.CertPEM == "" {
+			t.Error("CertPEM is empty")
+		}
+		if result.Serial == "" {
+			t.Error("Serial is empty")
+		}
+		if result.OrderID == "" {
+			t.Error("OrderID is empty")
+		}
+		if !strings.HasPrefix(result.OrderID, "vault-") {
+			t.Errorf("Expected OrderID to start with 'vault-', got '%s'", result.OrderID)
+		}
+		// Verify serial normalization (colons replaced with dashes)
+		if strings.Contains(result.Serial, ":") {
+			t.Errorf("Serial should not contain colons, got '%s'", result.Serial)
+		}
+		t.Logf("Vault issued cert: serial=%s, orderID=%s", result.Serial, result.OrderID)
+	})
+
+	t.Run("IssueCertificate_ServerError", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/v1/sys/health":
+				w.WriteHeader(http.StatusOK)
+			case strings.HasPrefix(r.URL.Path, "/v1/pki/sign/"):
+				w.WriteHeader(http.StatusBadRequest)
+				w.Write([]byte(`{"errors":["invalid CSR"]}`))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &vault.Config{
+			Addr:  srv.URL,
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "test.example.com")
+		req := issuer.IssuanceRequest{
+			CommonName: "test.example.com",
+			CSRPEM:     csrPEM,
+		}
+
+		_, err := connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error for server error response")
+		}
+		if !strings.Contains(err.Error(), "invalid CSR") {
+			t.Logf("Got error: %v", err)
+		}
+	})
+
+	t.Run("IssueCertificate_Forbidden", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/v1/sys/health":
+				w.WriteHeader(http.StatusOK)
+			case strings.HasPrefix(r.URL.Path, "/v1/pki/sign/"):
+				w.WriteHeader(http.StatusForbidden)
+				w.Write([]byte(`{"errors":["permission denied"]}`))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &vault.Config{
+			Addr:  srv.URL,
+			Token: "s.bad-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "test.example.com")
+		req := issuer.IssuanceRequest{
+			CommonName: "test.example.com",
+			CSRPEM:     csrPEM,
+		}
+
+		_, err := connector.IssueCertificate(ctx, req)
+		if err == nil {
+			t.Fatal("Expected error for forbidden response")
+		}
+		if !strings.Contains(err.Error(), "permission denied") {
+			t.Logf("Got error: %v", err)
+		}
+	})
+
+	t.Run("RenewCertificate_Success", func(t *testing.T) {
+		testCertPEM, _ := generateTestCert(t)
+
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/v1/sys/health":
+				w.WriteHeader(http.StatusOK)
+			case strings.HasPrefix(r.URL.Path, "/v1/pki/sign/"):
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				resp := fmt.Sprintf(`{
+					"data": {
+						"certificate": %q,
+						"issuing_ca": %q,
+						"serial_number": "11:22:33:44:55:66",
+						"expiration": 1893456000
+					}
+				}`, testCertPEM, testCertPEM)
+				w.Write([]byte(resp))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &vault.Config{
+			Addr:  srv.URL,
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		_, csrPEM := generateTestCSR(t, "renew.example.com")
+		renewReq := issuer.RenewalRequest{
+			CommonName: "renew.example.com",
+			CSRPEM:     csrPEM,
+		}
+
+		result, err := connector.RenewCertificate(ctx, renewReq)
+		if err != nil {
+			t.Fatalf("RenewCertificate failed: %v", err)
+		}
+
+		if result.Serial == "" {
+			t.Error("Serial is empty")
+		}
+	})
+
+	t.Run("RevokeCertificate_Success", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/v1/sys/health":
+				w.WriteHeader(http.StatusOK)
+			case r.URL.Path == "/v1/pki/revoke":
+				// Verify token
+				if r.Header.Get("X-Vault-Token") == "" {
+					w.WriteHeader(http.StatusForbidden)
+					return
+				}
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"data":{"revocation_time":1234567890}}`))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &vault.Config{
+			Addr:  srv.URL,
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		reason := "keyCompromise"
+		revokeReq := issuer.RevocationRequest{
+			Serial: "aa-bb-cc-dd-ee-ff",
+			Reason: &reason,
+		}
+
+		err := connector.RevokeCertificate(ctx, revokeReq)
+		if err != nil {
+			t.Fatalf("RevokeCertificate failed: %v", err)
+		}
+	})
+
+	t.Run("RevokeCertificate_ServerError", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/v1/sys/health":
+				w.WriteHeader(http.StatusOK)
+			case r.URL.Path == "/v1/pki/revoke":
+				w.WriteHeader(http.StatusBadRequest)
+				w.Write([]byte(`{"errors":["serial not found"]}`))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &vault.Config{
+			Addr:  srv.URL,
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		revokeReq := issuer.RevocationRequest{
+			Serial: "00-00-00-00",
+		}
+
+		err := connector.RevokeCertificate(ctx, revokeReq)
+		if err == nil {
+			t.Fatal("Expected error for server error response")
+		}
+	})
+
+	t.Run("GetCACertPEM_Success", func(t *testing.T) {
+		expectedPEM := "-----BEGIN CERTIFICATE-----\nTESTCA\n-----END CERTIFICATE-----\n"
+
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			switch {
+			case r.URL.Path == "/v1/pki/ca/pem":
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(expectedPEM))
+			default:
+				http.NotFound(w, r)
+			}
+		}))
+		defer srv.Close()
+
+		config := &vault.Config{
+			Addr:  srv.URL,
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		caPEM, err := connector.GetCACertPEM(ctx)
+		if err != nil {
+			t.Fatalf("GetCACertPEM failed: %v", err)
+		}
+
+		if caPEM != expectedPEM {
+			t.Errorf("Expected CA PEM %q, got %q", expectedPEM, caPEM)
+		}
+	})
+
+	t.Run("GetOrderStatus_Synchronous", func(t *testing.T) {
+		config := &vault.Config{
+			Addr:  "https://vault.example.com:8200",
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		status, err := connector.GetOrderStatus(ctx, "vault-aa-bb-cc")
+		if err != nil {
+			t.Fatalf("GetOrderStatus failed: %v", err)
+		}
+
+		if status.Status != "completed" {
+			t.Errorf("Expected status 'completed', got '%s'", status.Status)
+		}
+		if status.OrderID != "vault-aa-bb-cc" {
+			t.Errorf("Expected OrderID 'vault-aa-bb-cc', got '%s'", status.OrderID)
+		}
+	})
+
+	t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) {
+		config := &vault.Config{
+			Addr:  "https://vault.example.com:8200",
+			Token: "s.test-token",
+			Mount: "pki",
+			Role:  "web-certs",
+		}
+		connector := vault.New(config, logger)
+
+		result, err := connector.GetRenewalInfo(ctx, "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----")
+		if err != nil {
+			t.Fatalf("GetRenewalInfo should not return error, got: %v", err)
+		}
+		if result != nil {
+			t.Fatal("GetRenewalInfo should return nil for Vault")
+		}
+	})
+}
+
+// generateTestCert creates a self-signed test certificate and returns the PEM strings.
+func generateTestCert(t *testing.T) (certPEM string, keyPEM string) {
+	t.Helper()
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	template := &x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName: "Test Certificate",
+		},
+		DNSNames:              []string{"test.example.com"},
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	certBytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	if err != nil {
+		t.Fatalf("Failed to create certificate: %v", err)
+	}
+
+	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes}))
+	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}))
+
+	return certPEM, keyPEM
+}
+
+// generateTestCSR creates a test CSR for the given common name.
+func generateTestCSR(t *testing.T, commonName string) (*x509.CertificateRequest, string) {
+	t.Helper()
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("Failed to generate key: %v", err)
+	}
+
+	csrTemplate := x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: commonName,
+		},
+		DNSNames:           []string{commonName},
+		SignatureAlgorithm: x509.SHA256WithRSA,
+	}
+
+	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, key)
+	if err != nil {
+		t.Fatalf("Failed to create CSR: %v", err)
+	}
+
+	csrPEM := string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrBytes,
+	}))
+
+	csr, err := x509.ParseCertificateRequest(csrBytes)
+	if err != nil {
+		t.Fatalf("Failed to parse CSR: %v", err)
+	}
+
+	return csr, csrPEM
+}