This document discusses how HashiCorp Vault and Puppet can be used together to dynamically manage SSL/TLS certificates across platforms. Vault's PKI secrets engine is used to sign certificates while Puppet distributes the certificates and keys to servers and configures services to use the certificates. On Linux, Puppet writes certificates to the filesystem and reloads services. On Windows, a Puppet function is used to embed certificates in the catalog so their thumbprints can be retrieved and used to configure services in the certificate store. This dynamic duo of Vault and Puppet enables centralized signing of certificates, auto-renewal, cross-platform distribution, and integration with services.