From a Venafi presentation: how installing certificates manually slows down the continuous integration and deployment of applications
Cloud services and containers have become the de facto standard for deploying web applications. However, integrating SSL/TLS certificates into a DevOps environment remains too complicated and slow. Many tasks are still performed manually, which places a heavy load on DevOps teams. In a virtualized environment with containers, the number of machines on the network increases dramatically, yet machine-to-machine connections and the communications between them still need to be protected. If certificate issuance and management practices are poorly established in such an environment, the lack of reliable authentication for each machine increases the attack surface.
If everything is done manually, developers often give priority to speed and simplicity over security. Sometimes, for the sake of speed, they take the simpler options: creating their own certificate authority (CA) with self-signed certificates, using weak encryption algorithms, importing untrusted root certificates, or inadequately protecting the private keys of root and intermediate CAs. And sometimes DevOps teams do not use SSL/TLS at all to encrypt communications between machines and containers.
To solve this problem, several new services have appeared on the market that integrate directly into the continuous integration / continuous delivery (CI/CD) cycle and automate the process.
These services offer improved security and increased development productivity, and they help ensure compliance with security regulations such as PCI-DSS, NIST and HIPAA. Supporting them requires adding just a few lines of code. One such service has been provided since April 2017 by Venafi, a company that specializes in information security solutions.
Venafi Cloud's place in the CI/CD pipeline
The Venafi Cloud for DevOps service is an integrated cloud service that conveniently implements an infrastructure of cryptographic keys and digital certificates on popular enterprise DevOps platforms. The company recently announced the integration of Venafi Cloud with the GlobalSign PKI public key infrastructure.
Venafi Cloud helps manage SSL/TLS certificates. You can try out the platform as part of a free beta test.
Key features:
- Tracking of all external certificates.
- Continuous monitoring of where each internal certificate is installed (using a lightweight scanner).
- Identification of potential vulnerabilities.
- Automatic request and renewal of certificates, with integration with a certificate authority. Certificates are delivered within seconds. Certificates are issued directly to the CI/CD pipelines, with appropriate policies applied for each environment.
- Automatic installation of certificates through a REST API, integration with DevOps tools, and an ACME (Automated Certificate Management Environment) server.
- Report generation.
Venafi Cloud initially offers integration with DevOps tools including HashiCorp Terraform, HashiCorp Vault, SaltStack, Ansible, Docker and Jetstack cert-manager. The Venafi Cloud and GlobalSign PKI solution for DevOps provides well-documented standard interfaces, including a REST API, the open-source VCert SDK (available in Go and Python) and ACME. Enterprises of all sizes can now use one service to identify machines across their hybrid infrastructure and multiple clouds, which helps increase the speed of DevOps.
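To make the "appropriate policies for each environment" step concrete, here is an added example (not Venafi's code or its REST API) of a per-environment issuance policy check that rejects the shortcuts named above: weak keys and hashes, over-long validity, self-signed certificates in production, and names outside the environment's domains. The `POLICIES` table, the `CertRequest` fields and the domain names are constructed for illustration.

```python
"""Per-environment policy check for certificate requests (hypothetical example)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class CertRequest:
    environment: str            # pipeline stage, e.g. "dev" or "prod"
    key_type: str               # "RSA" or "EC"
    key_bits: int               # RSA modulus size or EC curve size in bits
    sig_hash: str               # hash algorithm requested for the signature
    sans: list = field(default_factory=list)  # requested DNS names
    validity_days: int = 90
    self_signed: bool = False   # True when the request bypasses the CA


# Constructed policy table: constraints tighten as code moves toward production.
POLICIES = {
    "dev":  {"min_rsa": 2048, "min_ec": 256, "hashes": {"sha256", "sha384"},
             "max_days": 90,  "domains": ["*.dev.example.internal"],
             "allow_self_signed": True},
    "prod": {"min_rsa": 2048, "min_ec": 256, "hashes": {"sha256", "sha384", "sha512"},
             "max_days": 365, "domains": ["*.example.com"],
             "allow_self_signed": False},
}


def check_request(req: CertRequest) -> list:
    """Return the list of policy violations; an empty list means the request may be issued."""
    policy = POLICIES.get(req.environment)
    if policy is None:
        return [f"unknown environment {req.environment!r}"]
    problems = []
    if req.key_type not in ("RSA", "EC"):
        problems.append(f"unsupported key type {req.key_type}")
    else:
        min_bits = policy["min_rsa"] if req.key_type == "RSA" else policy["min_ec"]
        if req.key_bits < min_bits:
            problems.append(f"{req.key_type} key of {req.key_bits} bits is below the minimum of {min_bits}")
    if req.sig_hash.lower() not in policy["hashes"]:
        problems.append(f"signature hash {req.sig_hash} is not allowed")
    if req.validity_days > policy["max_days"]:
        problems.append(f"validity of {req.validity_days} days exceeds the maximum of {policy['max_days']}")
    if req.self_signed and not policy["allow_self_signed"]:
        problems.append("self-signed certificates are not allowed in this environment")
    # Every SAN must match one of the environment's domain patterns (case-sensitive glob).
    for name in req.sans:
        if not any(fnmatchcase(name, pattern) for pattern in policy["domains"]):
            problems.append(f"SAN {name} is outside the allowed domains")
    return problems
```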
The main functions of Venafi Cloud are listed in the table.