Managing SSL / TLS certificates in clouds and containers is not a job for humans


    From a Venafi presentation: how manual certificate installation slows down the process of continuous integration and application deployment

    Cloud services and containers have become the de facto standard for deploying web applications. However, integrating SSL / TLS certificates into the DevOps environment remains too complicated and slow. Many tasks are still performed manually, which places a heavy load on DevOps teams. In a virtualized environment with containers, the number of machines on the network grows dramatically, and machine-to-machine connections and the communications between them still need to be protected. If certificate issuance and management practices are poorly established in such an environment, the lack of reliable authentication for each machine increases the attack surface.

    If everything is done manually, developers often give priority to speed and simplicity rather than security. Sometimes, for the sake of speed, they choose the simpler options: creating their own certification authority (CA) with self-signed certificates, weak encryption algorithms, importing untrusted root certificates, or inadequately protecting the private keys of root and intermediate CAs. And sometimes developers do not use SSL / TLS at all to encrypt communications between machines and containers.
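    As an added example (not from the Venafi presentation or any Venafi code), a Go policy gate that a pipeline could run on every certificate before deployment, flagging the shortcuts listed above: self-signed issuance, legacy signature hashes, undersized RSA keys and overlong validity. The certificate names and the two demo certificates are constructed test data, and the thresholds (2048 bits, 398 days) are assumed policy values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckCert applies a pre-deployment policy to a parsed certificate and returns one finding per violated rule; empty means pass.
func CheckCert(c *x509.Certificate) (f []string) {
	if c.Issuer.String() == c.Subject.String() {
		f = append(f, "self-signed: issuer equals subject")
	}
	switch c.SignatureAlgorithm { // legacy hash functions
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		f = append(f, "weak signature algorithm: "+c.SignatureAlgorithm.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		f = append(f, "RSA key shorter than 2048 bits")
	}
	if c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour {
		f = append(f, "validity period longer than 398 days")
	}
	return f
}

// newCert signs an in-memory certificate (constructed demo data) with signer, the parent's private key; a nil parent means self-signed.
func newCert(cn string, days int, pub, signer any, parent *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}

// DemoCerts builds the two constructed inputs: the "quick" self-signed 1024-bit RSA certificate valid for two years, and a CA-issued 90-day leaf as a pipeline would request.
func DemoCerts() (shortcut, managed *x509.Certificate) {
	k, _ := rsa.GenerateKey(rand.Reader, 1024)
	shortcut = newCert("app.internal.example", 730, &k.PublicKey, k, nil)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "internal-ca.example"}}
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	managed = newCert("app.internal.example", 90, &leafKey.PublicKey, caKey, ca)
	return shortcut, managed
}
```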

    To solve this problem, several new services have appeared on the market that integrate directly into the continuous integration / delivery (CI / CD) cycle and automate the process.

    These services offer improved security and increased development productivity, as well as compliance with security regulatory standards such as PCI-DSS, NIST, and HIPAA. Supporting them requires only a few lines of code. One such service has been provided since April 2017 by Venafi, which specializes in information security solutions.


    Venafi Cloud's place in the CI / CD pipeline

    Venafi Cloud for DevOps is an integrated cloud service that conveniently embeds a cryptographic key infrastructure and digital certificates into popular enterprise DevOps platforms. The company recently announced the integration of Venafi Cloud with the GlobalSign public key infrastructure (PKI).

    Venafi Cloud helps manage SSL / TLS certificates. You can test the platform as part of a free beta.

    Key features:


    • Tracking all external certificates.
    • Continuous monitoring and viewing where each internal certificate is installed (a lightweight scanner is used).
    • Identification of potential vulnerabilities.
    • Automatic request and renewal of certificates, with integration with a certification authority. Certificates are delivered within seconds. Certificates are issued directly to the CI / CD pipelines, and appropriate policies are applied for each environment.
    • Automatic installation of certificates through the REST API, with integration with DevOps tools and an ACME (Automated Certificate Management Environment) server.
    • Report generation.

    Venafi Cloud initially offers integration with DevOps tools including HashiCorp Terraform, HashiCorp Vault, SaltStack, Ansible, Docker, and Jetstack Cert-Manager. Venafi Cloud and GlobalSign PKI for DevOps provide well-documented standard interfaces, including the REST API, the open source VCert SDK (available in Go and Python), and ACME. Businesses of all sizes can now have a single machine identity service across their hybrid infrastructure and multiple clouds, which helps increase DevOps speed.



    The main functions of Venafi Cloud are listed in the table.

    Function: Containerization
    • Automated certificate lifecycle management with Kubernetes and Jetstack Cert-Manager.
    • Key generation and certificate requests from Docker and the Venafi Key Management container. Certificates are securely provided to other containers on the same Docker host as the Venafi containers.

    Function: Orchestration
    • Using Terraform with key generation, which can be referenced in plans for seamless acquisition and deployment of certificates.

    Function: Configuration management
    • Using SaltStack to simplify obtaining and deploying certificates, with the Venafi integration delivering certificates through the Salt pillar system.

    Function: Secrets management
    • Enforcing policies with HashiCorp Vault for certificates issued through the HashiCorp Vault API.

    Function: Support services
    • REST API for requesting certificates, viewing certificate issuance policies, viewing issued certificates, pushing certificates directly to Microsoft Azure web applications, etc.
    • Key generation to simplify obtaining certificates using VCert, without having to write code that interacts with the Venafi REST API.
    • Application developers can integrate key generation and certificate management tasks into custom applications using the VCert SDK, a cross-platform software development kit written in Go.
    • Automated certificate management for external infrastructure, such as load balancers, using the Venafi ACME server with GlobalSign certificates.





    SPECIAL CONDITIONS for enterprise PKI solutions are valid until 11.30.2019 under the promo code AL002HRFR for new customers. For details, contact the sales managers at +7 (499) 678 2210 or sales-ru@globalsign.com.
