Ask HN: How are you doing PKI in a cloud environment?

1 points by viralpoetry ↗ HN
Our organization is using infrastructure as a code approach where we are doing provisioning and deployment of dev/stage/prod environment using Gitlab runners. Currently, we are using easy-rsa as a root offline CA signing intermediate CA keys manually. Those keys are then used for the Client/server certificate issuing in an semi-automated fashion (CSRs are generated on a VMs, stored into the Vault, and signed by the script). I am aware of the HashiCorp Vault PKI backend, but we are not using it as it does not solve the actual authorization part of the automated issuing. I was thinking about using ACME based CA like Boulder internally.

My question is, what is the best approach to do PKI, when there are lots of new short-lived VMs/containers wanting their own SSL keys.

3 comments

[ 4.6 ms ] story [ 20.8 ms ] thread
I'm a bit ignorant. What is PKI?
You may consider provisioning the key to the VMs; very often there's insufficient entropy to generate them on their own, for one.

You then provision the secrets to the containers via some form of service discovery mechanism; vault/console work, as do providing it as user-data in some configurations. It's going to come down to your use case and constraints; things that I do for Twitter For Pets may not work well for your bank, as an example.