The following covers information on issuing and managing PKI credentials and machine identities for applications in DevOps.
When deploying many services, managing both the machine identities and secrets need to be taken into account. Managing PKI credentials and machine identities for applications should preferably be automated, but still as secure as possible.
Automating TLS Certificate Deployment with ACME
Although using the ACME protocol to issue machine certificates are already used in some of the above use cases, it deserves a mention of its own as it can be used in a variety of scenarios within an organization. For more information on using ACME and the popular CertBot tool, see Using CertBot to Issue Certificates with ACME to an Apache Web Server.
The ACME protocol is extensible, and you can expect more features added to the EJBCA ACME server implementation.
Automatically Provision Certificates to Containers in Kubernetes
Containers often play an important part of microservices. When deploying applications at scale, a large number of containers are created and destroyed at any time. One of the challenges with this approach is the question of how to issue and/or manage the many certificates (machine identities) for these dynamic containers.
There are also benefits such as that since containers can be treated as short-lived resources, you can utilize short-lived certificates. An easy renewal scheme is to not renew the certificate. Instead, when a certificate is about to expire, you allow your orchestration framework to destroy the container and provision a new container with a fresh certificate.
Using K8s Certificate Signing Request Proxy
The EJBCA Certificate Signing Request Proxy for K8s forwards certificate signing requests generated by Kubernetes to EJBCA for signing by a certificate authority. Using the CSR signer, any product using the CertificateSigningRequest API will be able to use EJBCA as the back-end CA. This is a generic solution that integrates well, for example with service mesh products such as Istio and similar. The EJBCA CSR Signer plugin is available on Keyfactor GitHub.
By using Kubernetes to manage containers, you can automate the certificate provisioning to the containers. One option is to use the native Kubernetes certificate management controller cert-manager. This Kubernetes plugin allows Kubernetes containers to retrieve the TLS server certificates automatically using the ACME protocol. For more information and sample deployment YAML files, see Issuing Certificates to Kubernetes Services using cert-manager and Keyfactor GitHub.
Using Enrollment Containers and Podman
To issue certificates to containers, another alternative is to create a special container that can automatically enroll for certificates in the same pod (using Podman), storing them on a volume accessible to other containers in the same Pod.
Importing Certificates and Keys into Key Management Solutions
Running applications can use Key Management Solutions, also known as a Key Vault or a KMS, to store credentials more securely than managing the credentials in the application (usually on disc). When you issue a keystore from EJBCA you may then want to import the credentials into a KMS for usage by a specific application.
For more information and a script to import PKCS12 keystores into Azure Key Vault, refer to Keyfactor GitHub.