vault, digicert: migrate Token / APIKey to *secret.Ref (Bundle I Phase 3)

Closes Top-10 fix #2 of the 2026-05-03 issuer-coverage audit (see
cowork/issuer-coverage-audit-2026-05-03/RESULTS.md). Pre-fix,
vault.Config.Token and digicert.Config.APIKey were plain string
fields. Practical impact:

  1. GET /api/v1/issuers responses marshalled the credential into
     the JSON body. An acquirer's procurement engineer running
     'curl /api/v1/issuers | jq' saw the token / API key in plain
     text on screen.
  2. DEBUG-level HTTP request logging printed the credential
     header verbatim.
  3. A heap dump of the running server contained the credential
     as readable bytes for the lifetime of the process.

Bundle I from the 2026-05-01 audit closed this for AWSACMPCA,
EJBCA, GlobalSign, Sectigo (Phase 1+2). Vault and DigiCert were
left out. This commit ports the same migration onto them.

Mechanics:
  - Config.Token / Config.APIKey type changed from 'string' to
    '*secret.Ref'. UnmarshalJSON of a JSON string populates the
    Ref via NewRefFromString — operator config files are
    unchanged.
  - Every header-write call site routed through Ref.Use, with the
    byte buffer zeroed after the callback returns. Vault: 3 sites
    (IssueCertificate, RevokeCertificate, GetCACertPEM). DigiCert:
    5 sites (ValidateConfig, IssueCertificate, RevokeCertificate,
    pollOrderOnce, downloadCertificate).
  - ValidateConfig nil-checks switch from 'cfg.Token == ""' to
    'cfg.Token.IsEmpty()' (mirrors Sectigo's existing pattern).
  - Tests migrated: every Config{Token:"..."} →
    Config{Token: secret.NewRefFromString("...")}. The
    'json.Marshal(config) → ValidateConfig(rawConfig)' round-trip
    pattern in DigiCert's ValidateConfig_Success test is now
    broken by the redact-on-marshal contract — switched that one
    to construct the rawConfig as a JSON literal (mirrors
    Sectigo's existing test pattern).
  - Two new tests pin the redact-on-marshal contract:
      - TestVault_Config_TokenMarshalsAsRedacted (vault_redact_test.go)
      - TestDigiCert_Config_APIKeyMarshalsAsRedacted (digicert_redact_test.go)
    Both assert the marshaled JSON contains '"[redacted]"' and
    does NOT contain the plaintext bytes.

Operator-visible: GET /api/v1/issuers responses for type=vault
and type=digicert now show the credential as '[redacted]'.
Existing config files keep working — the Ref unmarshal accepts
strings.

CHANGELOG note: certctl/CHANGELOG.md is intentionally not
hand-edited; release notes are auto-generated from commit
messages between consecutive tags. This commit's message body is
the release-note artifact.

Verified locally:
  - gofmt clean across the repo.
  - go vet ./... clean across the repo.
  - go test -race -count=1 -short
    ./internal/connector/issuer/vault/...
    ./internal/connector/issuer/digicert/...
    ./internal/secret/...  green.

Audit reference: cowork/issuer-coverage-audit-2026-05-03/
RESULTS.md Top-10 fix #2.

internal/connector/issuer/digicert/digicert.go

@@ -39,13 +39,23 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/asyncpoll"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Config represents the DigiCert CertCentral issuer connector configuration.
 type Config struct {
 	// APIKey is the CertCentral API key for authentication.
 	// Required. Set via CERTCTL_DIGICERT_API_KEY environment variable.
-	APIKey string `json:"api_key"`
+	//
+	// Type: *secret.Ref (audit fix #6 Phase 3 — Bundle I close).
+	// Wrapping the API key in a Ref means: it never stringifies (Config
+	// marshals as "[redacted]"), the bytes are zeroed after each
+	// Use/WriteTo invocation (defeats heap-dump extraction), and
+	// outbound X-DC-DEVKEY header writes go through Ref.Use so the
+	// staging buffer is short-lived. JSON unmarshal of a string value
+	// populates the Ref via NewRefFromString — operator config files
+	// are unchanged.
+	APIKey *secret.Ref `json:"api_key"`
 
 	// OrgID is the DigiCert organization ID for certificate orders.
 	// Required. Set via CERTCTL_DIGICERT_ORG_ID environment variable.
@@ -149,7 +159,7 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("invalid DigiCert config: %w", err)
 	}
 
-	if cfg.APIKey == "" {
+	if cfg.APIKey.IsEmpty() {
 		return fmt.Errorf("DigiCert api_key is required")
 	}
 
@@ -170,7 +180,12 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 	if err != nil {
 		return fmt.Errorf("failed to create API test request: %w", err)
 	}
-	req.Header.Set("X-DC-DEVKEY", cfg.APIKey)
+	if err := cfg.APIKey.Use(func(buf []byte) error {
+		req.Header.Set("X-DC-DEVKEY", string(buf))
+		return nil
+	}); err != nil {
+		return fmt.Errorf("digicert apikey use: %w", err)
+	}
 	req.Header.Set("Content-Type", "application/json")
 
 	resp, err := c.httpClient.Do(req)
@@ -226,7 +241,12 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 	if err != nil {
 		return nil, fmt.Errorf("failed to create order request: %w", err)
 	}
-	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+	if err := c.config.APIKey.Use(func(buf []byte) error {
+		req.Header.Set("X-DC-DEVKEY", string(buf))
+		return nil
+	}); err != nil {
+		return nil, fmt.Errorf("digicert apikey use: %w", err)
+	}
 	req.Header.Set("Content-Type", "application/json")
 
 	resp, err := c.httpClient.Do(req)
@@ -329,7 +349,12 @@ func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.Revoca
 	if err != nil {
 		return fmt.Errorf("failed to create revoke request: %w", err)
 	}
-	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+	if err := c.config.APIKey.Use(func(buf []byte) error {
+		req.Header.Set("X-DC-DEVKEY", string(buf))
+		return nil
+	}); err != nil {
+		return fmt.Errorf("digicert apikey use: %w", err)
+	}
 	req.Header.Set("Content-Type", "application/json")
 
 	resp, err := c.httpClient.Do(req)
@@ -415,7 +440,12 @@ func (c *Connector) pollOrderOnce(ctx context.Context, orderID string) (*issuer.
 	if err != nil {
 		return nil, asyncpoll.Failed, fmt.Errorf("failed to create status request: %w", err)
 	}
-	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+	if err := c.config.APIKey.Use(func(buf []byte) error {
+		req.Header.Set("X-DC-DEVKEY", string(buf))
+		return nil
+	}); err != nil {
+		return nil, asyncpoll.Failed, fmt.Errorf("digicert apikey use: %w", err)
+	}
 	req.Header.Set("Content-Type", "application/json")
 
 	resp, err := c.httpClient.Do(req)
@@ -518,7 +548,13 @@ func (c *Connector) downloadCertificate(ctx context.Context, certificateID int)
 		err = fmt.Errorf("failed to create download request: %w", reqErr)
 		return
 	}
-	req.Header.Set("X-DC-DEVKEY", c.config.APIKey)
+	if useErr := c.config.APIKey.Use(func(buf []byte) error {
+		req.Header.Set("X-DC-DEVKEY", string(buf))
+		return nil
+	}); useErr != nil {
+		err = fmt.Errorf("digicert apikey use: %w", useErr)
+		return
+	}
 
 	resp, doErr := c.httpClient.Do(req)
 	if doErr != nil {

internal/connector/issuer/digicert/digicert_failure_test.go

@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	"github.com/shankar0123/certctl/internal/connector/issuer/digicert"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Bundle N.A/B-extended: digicert failure-mode round-out (81.0% → ≥85%).
@@ -23,7 +24,7 @@ func buildDigicertConnector(t *testing.T, baseURL string) *digicert.Connector {
 	// status returns within ~1s instead of the 10-minute production
 	// default. Tests that exercise issued/failed/parse-error paths
 	// don't block on the wait.
-	cfg := digicert.Config{APIKey: "k", OrgID: "1", ProductType: "ssl_basic", BaseURL: baseURL, PollMaxWaitSeconds: 1}
+	cfg := digicert.Config{APIKey: secret.NewRefFromString("k"), OrgID: "1", ProductType: "ssl_basic", BaseURL: baseURL, PollMaxWaitSeconds: 1}
 	raw, _ := json.Marshal(cfg)
 	if err := c.ValidateConfig(context.Background(), raw); err != nil {
 		t.Fatalf("ValidateConfig: %v", err)

internal/connector/issuer/digicert/digicert_redact_test.go

@@ -0,0 +1,38 @@
+package digicert_test
+
+// Phase 3 of the secret.Ref migration (audit fix #6 → 2026-05-03 Top-10
+// fix #2). Pins the operator-visible contract: GET /api/v1/issuers
+// responses for type=digicert marshal APIKey as "[redacted]" rather
+// than the plaintext value. Regression guard for any future refactor
+// that changes the field type back to string.
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer/digicert"
+	"github.com/shankar0123/certctl/internal/secret"
+)
+
+func TestDigiCert_Config_APIKeyMarshalsAsRedacted(t *testing.T) {
+	cfg := digicert.Config{
+		APIKey:      secret.NewRefFromString("dc-real-api-key-must-not-leak"),
+		OrgID:       "12345",
+		ProductType: "ssl_basic",
+		BaseURL:     "https://www.digicert.com/services/v2",
+	}
+
+	out, err := json.Marshal(cfg)
+	if err != nil {
+		t.Fatalf("marshal: %v", err)
+	}
+	got := string(out)
+
+	if !strings.Contains(got, `"api_key":"[redacted]"`) {
+		t.Errorf("expected api_key redacted, got: %s", got)
+	}
+	if strings.Contains(got, "dc-real-api-key-must-not-leak") {
+		t.Fatalf("plaintext api_key leaked into marshaled JSON: %s", got)
+	}
+}

internal/connector/issuer/digicert/digicert_test.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/digicert"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 func TestDigiCertConnector(t *testing.T) {
@@ -41,15 +42,16 @@ func TestDigiCertConnector(t *testing.T) {
 		}))
 		defer srv.Close()
 
-		config := digicert.Config{
+		// Build rawConfig as a JSON literal so the secrets round-trip
-			APIKey:      "dc-test-api-key",
+		// intact via UnmarshalJSON (json.Marshal redacts *secret.Ref →
-			OrgID:       "12345",
+		// "[redacted]" by design; it MUST NOT be used to construct a
-			ProductType: "ssl_basic",
+		// rawConfig that ValidateConfig will then header-write back).
-			BaseURL:     srv.URL,
+		rawConfig := []byte(fmt.Sprintf(
-		}
+			`{"api_key":"dc-test-api-key","org_id":"12345","product_type":"ssl_basic","base_url":%q}`,
+			srv.URL,
+		))
 
 		connector := digicert.New(nil, logger)
-		rawConfig, _ := json.Marshal(config)
 		err := connector.ValidateConfig(ctx, rawConfig)
 		if err != nil {
 			t.Fatalf("ValidateConfig failed: %v", err)
@@ -74,7 +76,7 @@ func TestDigiCertConnector(t *testing.T) {
 
 	t.Run("ValidateConfig_MissingOrgID", func(t *testing.T) {
 		config := digicert.Config{
-			APIKey: "dc-test-key",
+			APIKey: secret.NewRefFromString("dc-test-key"),
 		}
 
 		connector := digicert.New(nil, logger)
@@ -100,7 +102,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := digicert.Config{
-			APIKey:  "dc-bad-key",
+			APIKey:  secret.NewRefFromString("dc-bad-key"),
 			OrgID:   "12345",
 			BaseURL: srv.URL,
 		}
@@ -136,7 +138,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:      "dc-test-key",
+			APIKey:      secret.NewRefFromString("dc-test-key"),
 			OrgID:       "12345",
 			ProductType: "ssl_basic",
 			BaseURL:     srv.URL,
@@ -180,7 +182,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:      "dc-test-key",
+			APIKey:      secret.NewRefFromString("dc-test-key"),
 			OrgID:       "12345",
 			ProductType: "ssl_ev_basic",
 			BaseURL:     srv.URL,
@@ -217,7 +219,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:      "dc-test-key",
+			APIKey:      secret.NewRefFromString("dc-test-key"),
 			OrgID:       "12345",
 			ProductType: "ssl_basic",
 			BaseURL:     srv.URL,
@@ -255,7 +257,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:  "dc-test-key",
+			APIKey:  secret.NewRefFromString("dc-test-key"),
 			OrgID:   "12345",
 			BaseURL: srv.URL,
 		}
@@ -289,7 +291,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:             "dc-test-key",
+			APIKey:             secret.NewRefFromString("dc-test-key"),
 			OrgID:              "12345",
 			BaseURL:            srv.URL,
 			PollMaxWaitSeconds: 1, // keep async-pending tests fast
@@ -321,7 +323,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:  "dc-test-key",
+			APIKey:  secret.NewRefFromString("dc-test-key"),
 			OrgID:   "12345",
 			BaseURL: srv.URL,
 		}
@@ -350,7 +352,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:      "dc-test-key",
+			APIKey:      secret.NewRefFromString("dc-test-key"),
 			OrgID:       "12345",
 			ProductType: "ssl_basic",
 			BaseURL:     srv.URL,
@@ -388,7 +390,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:  "dc-test-key",
+			APIKey:  secret.NewRefFromString("dc-test-key"),
 			OrgID:   "12345",
 			BaseURL: srv.URL,
 		}
@@ -414,7 +416,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:  "dc-test-key",
+			APIKey:  secret.NewRefFromString("dc-test-key"),
 			OrgID:   "12345",
 			BaseURL: srv.URL,
 		}
@@ -446,7 +448,7 @@ func TestDigiCertConnector(t *testing.T) {
 		defer srv.Close()
 
 		config := &digicert.Config{
-			APIKey:  "dc-test-key",
+			APIKey:  secret.NewRefFromString("dc-test-key"),
 			OrgID:   "12345",
 			BaseURL: srv.URL,
 		}
@@ -463,7 +465,7 @@ func TestDigiCertConnector(t *testing.T) {
 
 	t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) {
 		config := &digicert.Config{
-			APIKey:  "dc-test-key",
+			APIKey:  secret.NewRefFromString("dc-test-key"),
 			OrgID:   "12345",
 			BaseURL: "https://api.digicert.com",
 		}
@@ -480,7 +482,7 @@ func TestDigiCertConnector(t *testing.T) {
 
 	t.Run("DefaultProductType", func(t *testing.T) {
 		config := &digicert.Config{
-			APIKey: "dc-test-key",
+			APIKey: secret.NewRefFromString("dc-test-key"),
 			OrgID:  "12345",
 			// ProductType intentionally left empty
 		}

internal/connector/issuer/vault/vault.go

@@ -32,6 +32,7 @@ import (
 	"time"
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Config represents the Vault PKI issuer connector configuration.
@@ -42,7 +43,16 @@ type Config struct {
 
 	// Token is the Vault token for authentication.
 	// Required. Set via CERTCTL_VAULT_TOKEN environment variable.
-	Token string `json:"token"`
+	//
+	// Type: *secret.Ref (audit fix #6 Phase 3 — Bundle I close).
+	// Wrapping the token in a Ref means: it never stringifies (Config
+	// marshals as "[redacted]"), the bytes are zeroed after each
+	// Use/WriteTo invocation (defeats heap-dump extraction), and
+	// outbound X-Vault-Token header writes go through Ref.Use so the
+	// staging buffer is short-lived. JSON unmarshal of a string value
+	// populates the Ref via NewRefFromString — operator config files
+	// are unchanged.
+	Token *secret.Ref `json:"token"`
 
 	// Mount is the PKI secrets engine mount path.
 	// Default: "pki". Set via CERTCTL_VAULT_MOUNT environment variable.
@@ -111,7 +121,7 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 		return fmt.Errorf("Vault addr is required")
 	}
 
-	if cfg.Token == "" {
+	if cfg.Token.IsEmpty() {
 		return fmt.Errorf("Vault token is required")
 	}
 
@@ -189,7 +199,12 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 		return nil, fmt.Errorf("failed to create sign request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("X-Vault-Token", c.config.Token)
+	if err := c.config.Token.Use(func(buf []byte) error {
+		req.Header.Set("X-Vault-Token", string(buf))
+		return nil
+	}); err != nil {
+		return nil, fmt.Errorf("vault token use: %w", err)
+	}
 
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
@@ -300,7 +315,12 @@ func (c *Connector) RevokeCertificate(ctx context.Context, request issuer.Revoca
 		return fmt.Errorf("failed to create revoke request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("X-Vault-Token", c.config.Token)
+	if err := c.config.Token.Use(func(buf []byte) error {
+		req.Header.Set("X-Vault-Token", string(buf))
+		return nil
+	}); err != nil {
+		return fmt.Errorf("vault token use: %w", err)
+	}
 
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
@@ -344,7 +364,12 @@ func (c *Connector) GetCACertPEM(ctx context.Context) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to create CA cert request: %w", err)
 	}
-	req.Header.Set("X-Vault-Token", c.config.Token)
+	if err := c.config.Token.Use(func(buf []byte) error {
+		req.Header.Set("X-Vault-Token", string(buf))
+		return nil
+	}); err != nil {
+		return "", fmt.Errorf("vault token use: %w", err)
+	}
 
 	resp, err := c.httpClient.Do(req)
 	if err != nil {

internal/connector/issuer/vault/vault_failure_test.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/vault"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 // Bundle N.A/B-extended: failure-mode round-out for Vault PKI connector.
@@ -139,7 +140,7 @@ func TestVault_GetCACertPEM_Non200_ReturnsError(t *testing.T) {
 func buildVaultConnector(t *testing.T, url string) *vault.Connector {
 	t.Helper()
 	c := vault.New(nil, slog.Default())
-	cfg := vault.Config{Addr: url, Token: "tok", Mount: "pki", Role: "web", TTL: "1h"}
+	cfg := vault.Config{Addr: url, Token: secret.NewRefFromString("tok"), Mount: "pki", Role: "web", TTL: "1h"}
 	raw, _ := json.Marshal(cfg)
 	if err := c.ValidateConfig(context.Background(), raw); err != nil {
 		t.Fatalf("ValidateConfig: %v", err)

internal/connector/issuer/vault/vault_redact_test.go

@@ -0,0 +1,39 @@
+package vault_test
+
+// Phase 3 of the secret.Ref migration (audit fix #6 → 2026-05-03 Top-10
+// fix #2). Pins the operator-visible contract: GET /api/v1/issuers
+// responses for type=vault marshal Token as "[redacted]" rather than
+// the plaintext value. Regression guard for any future refactor that
+// changes the field type back to string.
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/connector/issuer/vault"
+	"github.com/shankar0123/certctl/internal/secret"
+)
+
+func TestVault_Config_TokenMarshalsAsRedacted(t *testing.T) {
+	cfg := vault.Config{
+		Addr:  "https://vault.example.com:8200",
+		Token: secret.NewRefFromString("hvs.real-token-bytes-must-not-leak"),
+		Mount: "pki",
+		Role:  "web",
+		TTL:   "8760h",
+	}
+
+	out, err := json.Marshal(cfg)
+	if err != nil {
+		t.Fatalf("marshal: %v", err)
+	}
+	got := string(out)
+
+	if !strings.Contains(got, `"token":"[redacted]"`) {
+		t.Errorf("expected token redacted, got: %s", got)
+	}
+	if strings.Contains(got, "hvs.real-token-bytes-must-not-leak") {
+		t.Fatalf("plaintext token leaked into marshaled JSON: %s", got)
+	}
+}

internal/connector/issuer/vault/vault_test.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/connector/issuer"
 	"github.com/shankar0123/certctl/internal/connector/issuer/vault"
+	"github.com/shankar0123/certctl/internal/secret"
 )
 
 func TestVaultConnector(t *testing.T) {
@@ -38,7 +39,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := vault.Config{
 			Addr:  srv.URL,
-			Token: "s.test-token-12345",
+			Token: secret.NewRefFromString("s.test-token-12345"),
 			Mount: "pki",
 			Role:  "web-certs",
 			TTL:   "8760h",
@@ -54,7 +55,7 @@ func TestVaultConnector(t *testing.T) {
 
 	t.Run("ValidateConfig_MissingAddr", func(t *testing.T) {
 		config := vault.Config{
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Role:  "web-certs",
 		}
 
@@ -89,7 +90,7 @@ func TestVaultConnector(t *testing.T) {
 	t.Run("ValidateConfig_MissingRole", func(t *testing.T) {
 		config := vault.Config{
 			Addr:  "https://vault.example.com:8200",
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 		}
 
 		connector := vault.New(nil, logger)
@@ -106,7 +107,7 @@ func TestVaultConnector(t *testing.T) {
 	t.Run("ValidateConfig_UnreachableVault", func(t *testing.T) {
 		config := vault.Config{
 			Addr:  "http://localhost:19999",
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Role:  "web-certs",
 		}
 
@@ -153,7 +154,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := &vault.Config{
 			Addr:  srv.URL,
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 			TTL:   "8760h",
@@ -208,7 +209,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := &vault.Config{
 			Addr:  srv.URL,
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}
@@ -245,7 +246,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := &vault.Config{
 			Addr:  srv.URL,
-			Token: "s.bad-token",
+			Token: secret.NewRefFromString("s.bad-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}
@@ -293,7 +294,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := &vault.Config{
 			Addr:  srv.URL,
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}
@@ -336,7 +337,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := &vault.Config{
 			Addr:  srv.URL,
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}
@@ -370,7 +371,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := &vault.Config{
 			Addr:  srv.URL,
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}
@@ -402,7 +403,7 @@ func TestVaultConnector(t *testing.T) {
 
 		config := &vault.Config{
 			Addr:  srv.URL,
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}
@@ -421,7 +422,7 @@ func TestVaultConnector(t *testing.T) {
 	t.Run("GetOrderStatus_Synchronous", func(t *testing.T) {
 		config := &vault.Config{
 			Addr:  "https://vault.example.com:8200",
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}
@@ -443,7 +444,7 @@ func TestVaultConnector(t *testing.T) {
 	t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) {
 		config := &vault.Config{
 			Addr:  "https://vault.example.com:8200",
-			Token: "s.test-token",
+			Token: secret.NewRefFromString("s.test-token"),
 			Mount: "pki",
 			Role:  "web-certs",
 		}