Before installing, confirm the target system meets the following requirements:

Download .NET and ASP.NET Core runtimes from Microsoft:

https://dotnet.microsoft.com/en-us/download/dotnet/10.0

Vault executables must be digitally signed so Windows SmartScreen and endpoint security tools recognize them as trusted.

Current State

A production certificate from a trusted Certificate Authority is in progress. Until it is issued, a self-signed certificate is active. Users must manually install the CA certificate — see the Install Self-Signed Certificate section below. 

Once Production Certificate is Issued

When the production certificate is deployed, the Install Self-Signed Certificate steps can be retired. Vault will be automatically trusted by Windows with no manual certificate steps required.

Required until the production Authenticode certificate is issued. Skipping this step will cause Windows SmartScreen to block or warn against the Vault installer.

Follow these steps to add the Vault CA certificate to the Windows Trusted Root Certification Authorities store: 

1.  Obtain the CA Certificate File 

Get the .cer or .crt file from your system administrator or the Vault distribution package. 

2.  Open Certificate Manager 

Press Win + R, type certmgr.msc, and press Enter. 

3.  Navigate to Trusted Root Certification Authorities 

In the left panel, expand "Trusted Root Certification Authorities" and click "Certificates". 

4.  Import the Certificate 

Right-click "Certificates" → All Tasks → Import... to launch the Certificate Import Wizard. 

5.  Complete the Wizard 

Click Next, browse to the .cer / .crt file, confirm the destination store is "Trusted Root Certification Authorities", and click Finish. 

6.  Confirm the Security Warning 

Click Yes when Windows displays a security warning. The certificate will appear in the trusted store. 

7.  Verify 

Confirm the Vault CA certificate is listed under Trusted Root Certification Authorities → Certificates. 

Video walkthrough available at: https://www.youtube.com/watch?v=7oB1my_SAps 

Both options use the same installer. The difference is how the Chrome Native Messaging Host is configured. Choose the option that matches your environment.

Option A — Chrome Extension from Chrome Web Store

Use this option when the Vault Chrome extension is installed directly from the Chrome Web Store. This is the standard installation flow.

• Download Vault-win-Setup.zip and extract it on the target machine.

• Double-click Vault-win-Setup.exe to launch the installer.

• Follow the on-screen prompts to complete the installation.

WARNING: Do NOT run the installer as Administrator. Always launch by double-clicking. Vault will request elevation only for specific steps that require it. Running the full installer as Administrator will cause configuration errors.

Chrome Native Messaging is configured automatically in Option A. No additional configuration is required.

Option B — Chrome Extension from Local Folder 

Use this option when the Vault Chrome extension is loaded from a local folder (unpacked extension mode). This requires a manual configuration step after installation. 

• Download Vault-win-Setup.zip and extract it on the target machine. 

• Double-click Vault-win-Setup.exe to launch the installer (do not run as Administrator). 

• Follow the on-screen prompts to complete the installation. 

• Open PowerShell and run the command below, replacing the placeholders with your values. 

Start-Process -FilePath \   C:\Users\[YOUR_USERNAME]\AppData\Local\Vault\Data\Cli\Vault.Cli.exe `   -ArgumentList @(     "create",     "chrome-native-messaging-host",     "--overwrite",     "--name", "local.integration.compass",     "--type", "stdio",     "--description", "`"App that makes possible to discover Vault API in the browser.`"",     "--path",     "`"C:\Users\[YOUR_USERNAME]\AppData\Local\Vault\current\Compass\Compass.exe`"",     "--allowedOrigins",     "`"chrome-extension://[EXTENSION_ID]/`""   ) `   -Verb RunAs

[YOUR_USERNAME] — Your Windows username (e.g., jsmith) [EXTENSION_ID] — Found in Chrome at chrome://extensions while in Developer Mode 

• Never run the Vault installer as Administrator. Always double-click to launch. Vault requests elevation only for specific operations that require it. 

• The self-signed CA certificate must be installed before running Vault in test or pre-production environments. 

• Chrome Native Messaging is configured automatically in Option A. Manual configuration (Option B) is only needed when loading the extension from a local folder. 

• Always use the latest build from the internal sign-installer job in the repository to ensure you have the most recent signed artifact. 

• Once the production certificate is issued, the Install Self-Signed Certificate steps can be retired and users will experience a frictionless installation with no security warnings. 

Install .NET Runtimes

Install .NET Runtime 10.0.2 and ASP.NET Core Runtime 10.0.2

Install CA Certificate

Add self-signed CA cert to Trusted Root Certification Authorities (see Install Self-Signed Certificate section) — skip once production cert is issued 

Download Installer

Get Vault-win-Setup.zip from your system administrator or repository

Run Installer

Double-click Vault-win-Setup.exe — do not run as Administrator

Configure Messaging Host (Option B only)

Run PowerShell command with correct username and extension ID

Verify Installation

Launch Vault and confirm connection with target 3rd-party application