Key Venafi Integrations
Devs have so much work, and they still require expert knowledge of cryptography and public key infrastructure (PKI). It is not right.
Indeed, each machine must have a valid TLS certificate. They are needed for servers, containers, virtual machines, in service mesh networks. But the number of keys and certificates is growing like a snowball, and management is quickly becoming chaotic, expensive and risky, if you do everything yourself. In the absence of good policy enforcement and monitoring practices, a business may suffer due to weak certificates or unexpected expiration.
GlobalSign and Venafi hosted two webcasts to help devops. The first is an introductory one , and the second with more specific technical tips for connecting a PKI system from GlobalSign via the Venafi cloud using open source tools through the HashiCorp Vault from the Jenkins CI / CD pipeline.
The main problems of existing certificate management processes are caused by a large number of procedures:
- Generation of self-signed certificates in OpenSSL.
- Work with multiple HashiCorp Vault instances to manage a private certification authority or self-signed certificate.
- Registration of applications for trusted certificates.
- Using certificates from public cloud providers.
- Let's Encrypt Certificate Renewal Automation
- Writing your own scripts
- Self-tuning tools for DevOps like Red Hat Ansible, Kubernetes, Pivotal Cloud Foundry
All procedures increase the risk of error and take a lot of time. Venafi is trying to solve these problems and make life easier for devops.
The GlobalSign and Venafi demos are divided into two sections. First, how to configure Venafi Cloud and GlobalSign PKI. Then, how to use it to request certificates according to established policies, using familiar tools.
Key topics:
- Automation of the issuance of certificates within the framework of existing DevOps CI / CD techniques (for example, Jenkins).
- Instant access to PKI and certification services across the entire application stack (issuing certificates in two seconds)
- Standardization of the public key infrastructure with ready-made solutions for integration with container orchestration, secret management and automation platforms (for example, Kubernetes, OpenShift, Terraform, HashiCorp Vault, Ansible, SaltStack and others). The general scheme for issuing certificates is shown in the illustration below.
Certificate issuance scheme through HashiCorp Vault, Venafi Cloud and GlobalSign. In the diagram, CSR means “Certificate Signing Request”
- High throughput and robust PKI infrastructure for dynamic, highly scalable environments
- Use of security groups through policies and visibility of issued certificates
This approach allows you to organize a reliable system without being an expert in cryptography and PKI.
Venafi secrets engine
Venafi even assures that in the end it is a more economical solution because it does not require the involvement of highly paid PKI specialists and support costs.
The solution is fully integrated into the existing CI / CD pipeline and covers all the company's needs for certificates. Thus, developers and devs can work faster and not deal with difficult cryptographic issues.