diff --git a/jobs/vault/spec b/jobs/vault/spec
index 801c472..686c69a 100644
--- a/jobs/vault/spec
+++ b/jobs/vault/spec
@@ -3,9 +3,13 @@
 name: vault
 templates:
 vault_ctl: bin/vault_ctl
+ vault_init.sh: bin/post-start
 config.hcl.erb: config/config.hcl
+ ca.crt.erb: config/ca.crt
 ssl.key.erb: config/ssl.key
 ssl.crt.erb: config/ssl.crt
+ concourse.crt.erb: config/concourse.crt
+ concourse.key.erb: config/concourse.key
 packages:
 - vault
@@ -20,9 +24,10 @@ properties:
 Port for the TCP connection to listen on
 default: 8200
- tls.certificate:
+ tls:
 description: |
- Content of the PEM-encoded TLS server cert
- tls.private_key:
+ TLS server certificate
+
+ concourse:
 description: |
- Content of the PEM-encoded TLS server private key
+ certificate of concourse client
diff --git a/jobs/vault/templates/ca.crt.erb b/jobs/vault/templates/ca.crt.erb
new file mode 100644
index 0000000..b44df94
--- /dev/null
+++ b/jobs/vault/templates/ca.crt.erb
@@ -0,0 +1 @@
+<%= p("tls.ca", "") %>
diff --git a/jobs/vault/templates/concourse.crt.erb b/jobs/vault/templates/concourse.crt.erb
new file mode 100644
index 0000000..e2d1377
--- /dev/null
+++ b/jobs/vault/templates/concourse.crt.erb
@@ -0,0 +1 @@
+<%= p("concourse.certificate", "") %>
diff --git a/jobs/vault/templates/concourse.key.erb b/jobs/vault/templates/concourse.key.erb
new file mode 100644
index 0000000..44f28a1
--- /dev/null
+++ b/jobs/vault/templates/concourse.key.erb
@@ -0,0 +1 @@
+<%= p("concourse.private_key", "") %>
diff --git a/jobs/vault/templates/vault_init.sh b/jobs/vault/templates/vault_init.sh
new file mode 100755
index 0000000..1b10d5e
--- /dev/null
+++ b/jobs/vault/templates/vault_init.sh
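Review bot: The new `tls` and `concourse` property descriptions do not say that each value is a hash, nor which keys the job's templates read — `ca.crt.erb` reads `tls.ca`, and the concourse templates read `concourse.certificate` and `concourse.private_key` (the existing `ssl.key.erb`/`ssl.crt.erb`, not in this diff, presumably still read `tls.certificate`/`tls.private_key`, which this hunk stops documenting). Neither property has a default, so an operator reading only the spec cannot tell what to supply. Something like `description: Hash with the PEM-encoded keys ca, certificate and private_key, as produced by a BOSH certificate variable` for `tls`, and the equivalent naming `certificate` and `private_key` for `concourse`, would restore what the removed `tls.certificate`/`tls.private_key` entries conveyed. The `properties:` block starts before this hunk.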
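Review bot: `p("tls.ca", "")` renders an empty `config/ca.crt` when the property is missing instead of failing the deploy, and `vault_init.sh` then points `VAULT_CACERT` at that empty file, so a misconfiguration only surfaces as a TLS error during post-start. Dropping the default, `<%= p("tls.ca") %>`, makes BOSH reject the render up front; the same applies to `concourse.crt.erb` and `concourse.key.erb`, whose empty defaults would feed an empty file to `vault write auth/cert/certs/concourse`.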
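Review bot: This template places the concourse client's private key on the Vault server VM (`config/concourse.key`, via the spec's new `concourse.key.erb: config/concourse.key` mapping), yet nothing in the job uses it — `vault_init.sh` registers only `concourse.crt`. A client key has no reason to exist on the server side, and every extra copy widens what a compromise of this VM yields. Unless another consumer on this VM needs it, drop the template and the spec mapping and let the concourse job take `((concourse))` straight from the manifest variable.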
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+echo 'export VAULT_CACERT=/var/vcap/jobs/vault/config/ca.crt' >> /home/vcap/.bashrc
+echo 'export PATH=/var/vcap/packages/vault:$PATH' >> /home/vcap/.bashrc
+export VAULT_CACERT=/var/vcap/jobs/vault/config/ca.crt
+export PATH=/var/vcap/packages/vault:$PATH
+
+function unseal_keys {
+ cat /home/vcap/init_results | sed -n 's/.*Unseal Key [0-9]*: \(.*\)$/\1/p' | head -n3
+}
+
+function root_token {
+ cat /home/vcap/init_results | sed -n 's/^Initial Root Token: \(.*\)$/\1/p'
+}
+
+# TODO: write this to lastpass, not VM filesystem
+vault init > /home/vcap/init_results
+for key in $(unseal_keys); do vault unseal $key; done
+vault auth $(root_token)
+vault mount -path=concourse generic
+vault auth-enable cert
+echo 'path "concourse/main/*" { policy = "read" }' | vault policy-write concourse -
+pushd /var/vcap/jobs/vault/config/ && vault write auth/cert/certs/concourse policies=concourse certificate=@concourse.crt && popd
diff --git a/vault.yml b/vault.yml
new file mode 100644
index 0000000..7695db5
--- /dev/null
+++ b/vault.yml
@@ -0,0 +1,55 @@
+---
+name: vault
+
+variables:
+- name: ca
+ type: certificate
+ options:
+ is_ca: true
+ alternative_names:
+ - 127.0.0.1
+- name: tls
+ type: certificate
+ options:
+ ca: ca
+ alternative_names:
+ - 127.0.0.1
+- name: concourse
+ type: certificate
+ options:
+ ca: ca
+ alternative_names:
+ - 127.0.0.1
+ extended_key_usage:
+ - client_auth
+
+
+stemcells:
+- alias: trusty
+ os: ubuntu-trusty
+ version: latest
+
+releases:
+- name: vault
+ version: latest
+
+instance_groups:
+- name: vault
+ instances: 1
+ vm_type: default
+ azs: [z1]
+ stemcell: trusty
+ networks: [{name: default, static_ips: [10.244.0.2]}]
+ jobs:
+ - name: vault
+ release: vault
+ properties:
+ tls: ((tls))
+ concourse: ((concourse))
+
+update:
+ canaries: 0
+ max_in_flight: 5
+ serial: false
+ canary_watch_time: 1000-60000
+ update_watch_time: 1000-60000
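Review bot: `vault init > /home/vcap/init_results` truncates the file before `vault` runs, so a second execution of this post-start (which BOSH, as far as I know, runs after every job start rather than only on first deploy) against an already-initialised Vault fails `init` and leaves an empty file — destroying the only copy of the unseal keys and root token — and, with no `set -e`, the script then carries on with an empty `$key` and an empty token. Guard the init on the results file already existing, write it through a temp file under a restrictive umask, and stop on the first error; the two `>> /home/vcap/.bashrc` appends have the same re-run problem and duplicate on every start. The root token is also left live after setup: the TODO already notes the secrets should not stay on the VM, and not reusing the root token once the policy and cert auth are configured would narrow what a compromise of this VM yields.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: .bashrc exports (guard them against duplicate appends on re-run) …
export VAULT_CACERT=/var/vcap/jobs/vault/config/ca.crt
export PATH=/var/vcap/packages/vault:$PATH
INIT_RESULTS=/home/vcap/init_results

# … unchanged: unseal_keys and root_token helpers …

# Initialise only once: a re-run of post-start must never truncate the
# file that holds the only copy of the unseal keys and root token.
if [ ! -s "$INIT_RESULTS" ]; then
  ( umask 077 && vault init > "$INIT_RESULTS.tmp" && mv -f "$INIT_RESULTS.tmp" "$INIT_RESULTS" )
fi
for key in $(unseal_keys); do vault unseal "$key"; done
# … unchanged: auth, mount, auth-enable, policy-write and cert registration …
```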
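Review bot: The `tls` server certificate lists only `127.0.0.1` under `alternative_names`, but the instance is pinned to `static_ips: [10.244.0.2]`, so any client reaching Vault over that address — including the concourse job this manifest issues a client certificate for — will fail hostname verification unless it turns verification off. Add the address (or DNS name) clients actually use, `- 10.244.0.2`, to the `tls` variable's `alternative_names`. The `alternative_names` entry on the `ca` variable serves no purpose for a CA certificate and can be dropped.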