Traditional tooling like OpenSSL and frameworks like CFSSL can be cumbersome for developers. Given that DevOps is all about speed, developers don’t want to get bogged down with complex solutions. This explains why HashiCorp Vault has become so popular.
Vault is great for secrets management, encryption as a service, and privileged access management. It is a lightweight, portable solution that doesn’t need a lot of infrastructure.
The Problem That Vault Solves
A typical DevOps pipeline can have over a hundred different tools. In fact, many DevOps tools have their own secrets stores (e.g. Kubernetes secrets, Ansible Vault). But they all approach SSL/TLS certificates differently. As a result, developers must take the time to learn each tool’s approach, and using different approaches also makes code more complex.
Why DevOps Teams Love Vault
DevOps teams love how Vault makes it easy to generate and store SSL/TLS certificates on demand. Vault’s native PKI engine generates self-signed certificates. It can also be configured to issue certificates from a private PKI subordinate certificate authority (e.g. Microsoft CA), but it is not natively integrated with certificate authorities (CAs) that issue certificates trusted by all browsers. Keep reading and we’ll tell you why this is a challenge and how to overcome it.
Some Certificates Are Still Hard to Get
External-facing (or publicly-trusted) certificates are trusted by every browser. These are particularly important in production environments. A prime challenge for DevOps teams is the procurement of these types of certificates. But why? Let’s discuss each type and how DevOps acquires them.
What are Internal vs. External Certificates?
Certificate chains can be complicated to understand. Most organizations leverage many CAs. For internal-facing applications, InfoSec generally sets up internal issuing CAs. The internal root CA is then added to the trust store of all employee browsers to prevent browser warnings.
But, for external applications, organizations use certificates from publicly-trusted CAs. These CAs (e.g. DigiCert, Entrust, GlobalSign) can issue certificates that all browsers trust.
Getting External Certificates is Challenging
The process for getting publicly-trusted certificates varies by team and environment. DevOps teams often don’t have an automated way of getting certificates from publicly-trusted CAs. So, what do they do?
- Submit a ticket and wait for the PKI team (snooze alert!)
- Use a certificate from their cloud provider (e.g. AWS)
- Get a certificate from Let’s Encrypt (is this policy compliant?)
- Code against the CA’s API or use the web console
- Bang head against wall (or avoid certificates altogether)
You Can Do More With Vault
Vault’s ability to simplify, automate, and speed up internal certificate issuance is a huge accomplishment. But Vault’s plug-in architecture (when integrated with Venafi) can make Vault even more of a one-stop shop for certificates. Imagine a world where developers can use Vault to:
- Request publicly-trusted certificates using native Vault commands
- Enroll certificates that follow enterprise security policy
- Provide the security team visibility to all the certificates issued by Vault
Fall In Love With Vault All Over Again
Fortunately, the Vault team had the foresight to create a pluggable architecture. As a leader in machine identity management, Venafi extends the value of Vault by integrating in two ways:
- Venafi’s Secrets Engine for Vault facilitates certificate enrollment from over 40 internal and publicly-trusted CAs and enforces InfoSec policies automatically. With this powerful integration, developers can:
  - Use native Vault commands to get any type of certificate within policy
  - Avoid custom coding for individual CAs
  - Have a consistent approach for certificates
  - Simplify their code and accelerate development
  - Operate in multi-cloud and hybrid cloud environments

  And InfoSec gets visibility into issued certificates and centralized policy controls. This enables security teams to:
  - Empower developers to consume certificates using the tools they love
  - Enforce enterprise certificate policy seamlessly from a single place
  - Get visibility into, and reporting on, the certificates in use
  - Respond to audits quickly and easily
  - Remediate issues quickly without impacting DevOps (e.g. CA compromise, breach, cloud provider change)
- Venafi also interacts with Vault in a disconnected manner. The Venafi Monitor Engine oversees certificate issuance activity within Vault. It enforces policy and pushes certificates to Venafi so that InfoSec can view them for audit and compliance purposes. This helps keep DevOps moving fast while keeping the business secure and compliant.
Venafi and Vault together help DevOps teams go faster in multi-cloud environments and support InfoSec mandates. To try out this integration, sign up for a free Venafi as a Service account and check out the GitHub page. You may just uncover a tool you can’t live without.
Spoiler alert: it works with container orchestration, automation, configuration management, and many other tools, including Kubernetes, Ansible, OpenStack, Chef and more.