
Managing SSL/TLS certificates in clouds and containers is not a job for humans.



From a Venafi presentation: installing certificates manually slows down the continuous integration and deployment of applications



Cloud services and containers have become the de facto standard for deploying web applications. However, integrating SSL/TLS certificates into the DevOps environment remains too complicated and slow. Many tasks are still performed manually, which places a heavy load on DevOps teams. In a virtualized environment with containers, the number of machines on the network grows dramatically, yet the machine-to-machine connections and communications between them still need to be protected. If certificate issuance and management practices are poorly established in such an environment, the lack of reliable authentication of each machine increases the attack surface.



When everything is done by hand, developers often prioritize speed and simplicity over security. For the sake of speed, simpler options are sometimes chosen: creating an in-house certificate authority (CA) with self-signed certificates, weak encryption algorithms, importing untrusted root certificates, inadequate protection of the private keys of root and intermediate CAs. And sometimes DevOps teams do not use SSL/TLS at all to encrypt communications between machines and containers.



To solve this problem, several new services have appeared on the market that integrate directly into the continuous integration / continuous delivery (CI/CD) cycle and automate the process.


These services offer improved security and higher development productivity, and help ensure compliance with security standards such as PCI DSS, NIST and HIPAA. To support them, you only need to add a few lines of code. One such service has been offered since April 2017 by Venafi, a company specializing in information security solutions.





Venafi Cloud's place in the CI/CD pipeline



The Venafi Cloud for DevOps service is an integrated cloud service that conveniently implements a cryptographic key and digital certificate infrastructure in popular enterprise DevOps platforms. The company recently announced the integration of Venafi Cloud with the GlobalSign public key infrastructure (PKI).



Venafi Cloud helps manage SSL/TLS certificates. You can try the platform as part of a free beta test.



Key features:





Venafi Cloud initially offers integration with DevOps tools including HashiCorp Terraform, HashiCorp Vault, SaltStack, Ansible, Docker and Jetstack cert-manager. The Venafi Cloud and GlobalSign PKI solution for DevOps provides well-documented standard interfaces, including a REST API, the open source VCert SDK (available in Go and Python) and ACME. Enterprises of all sizes can now use a single service to identify machines across their hybrid infrastructure and multiple clouds, which helps increase DevOps velocity.







The main functions of Venafi Cloud are listed in the table.



Function / Description

Containerization
  • Automating certificate lifecycle management with Kubernetes and Jetstack cert-manager.
  • Key generation and certificate requests from Docker and the Venafi Key Management container. Certificates are securely delivered to other containers on the same Docker host as the Venafi containers.
Orchestration
  • Using Terraform to generate keys that can be referenced in plans for seamless acquisition and deployment of certificates.
Configuration management
  • Using SaltStack to simplify obtaining and deploying certificates, with the Venafi integration delivering certificates through the Salt pillar system.
Secrets management
  • Applying policies with HashiCorp Vault to certificates issued through the HashiCorp Vault API.
Auxiliary services
  • REST API for requesting certificates, viewing issuance policies, viewing issued certificates, pushing certificates directly to Microsoft Azure web applications, etc.
  • Key generation to simplify obtaining certificates with VCert, without having to write code that talks to the Venafi REST API.
  • Application developers can integrate key generation and certificate management tasks into custom applications using the VCert SDK, a cross-platform software development kit written in Go.
  • Automating certificate management for external infrastructure, such as load balancers, using the Venafi ACME server with GlobalSign certificates.
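As an added illustration of the cert-manager integration named in the table (example manifests written for this page, not code from the article or from Venafi), the following Kubernetes resources declare a Venafi Cloud issuer and a certificate that cert-manager requests, stores and renews without manual steps; the namespace, secret name, zone and hostname are assumed placeholders.

```yaml
# Added example: cert-manager Issuer backed by Venafi Cloud.
# The API key lives in a Kubernetes Secret, never in the manifest itself.
apiVersion: v1
kind: Secret
metadata:
  name: venafi-cloud-secret          # assumed name
  namespace: web                     # assumed namespace
type: Opaque
stringData:
  apikey: "<VENAFI-CLOUD-API-KEY>"   # placeholder: inject from a secret store
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: venafi-cloud-issuer
  namespace: web
spec:
  venafi:
    zone: "Web Apps\\Default"        # assumed zone: Application\Issuing Template
    cloud:
      apiTokenSecretRef:
        name: venafi-cloud-secret
        key: apikey
---
# cert-manager generates the private key in-cluster, submits the CSR to the
# issuer, stores the result in a Secret and renews it before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shop-tls
  namespace: web
spec:
  secretName: shop-tls               # consumed by an Ingress or a pod volume
  dnsNames:
    - shop.example.com               # assumed hostname
  duration: 2160h                    # requested validity (90 days); issuer policy may override
  renewBefore: 360h                  # renew 15 days before expiry
  privateKey:
    algorithm: RSA
    size: 2048
    rotationPolicy: Always           # fresh private key on every renewal
  issuerRef:
    name: venafi-cloud-issuer
    kind: Issuer
```

The private key never leaves the cluster, and `rotationPolicy: Always` avoids reusing a key across renewals, which addresses the key-handling weaknesses the article lists for manual workflows.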







Source: https://habr.com/ru/post/455535/


