Cert Management

We’re looking for suggestions on cert management through Chef.

Currently, we’re using encrypted data bags and chef-vault to push certs to our servers, but I was curious to see what others are doing/using.

Thanks,

Curtis

We’re using the chef-ssl (https://github.com/VendaTech/chef-cookbook-ssl) cookbook for certificate management. It provides for nodes generating CSR’s as required (when specified in recipes), and a command line utility to be run on the signing host to sign the CSR’s, after which the node will pick up the signed cert on the next chef run and install it. This works very well for single certs like those for VPN servers.

What it doesn’t provide for is shared key/certs such as those used across web server clusters. For that I don’t have a great solution.

cheers
mike

Michael Hart
Arctic Wolf Networks
M: 226-388-4773

On Feb 20, 2014, at 10:59 AM, Stewart, Curtis <cstewart@momentumsi.com> wrote:

We’re looking for suggestions on cert management through Chef.

Currently, we’re using encrypted data bags and chef-vault to push certs to our servers, but I was curious to see what others are doing/using.

Thanks,
Curtis

I also am using the chef-ssl tool and with some slight modifications like adding in the ability to have a cert be for a virtual host name (for the clusters) everything has been working great.

Justin

-----Original Message-----
From: “Michael Hart” michael.hart@arcticwolf.com
Sent: Thursday, February 20, 2014 11:29am
To: chef@lists.opscode.com
Subject: [chef] Re: Cert Management

We’re using the chef-ssl (https://github.com/VendaTech/chef-cookbook-ssl) cookbook for certificate management. It provides for nodes generating CSR’s as required (when specified in recipes), and a command line utility to be run on the signing host to sign the CSR’s, after which the node will pick up the signed cert on the next chef run and install it. This works very well for single certs like those for VPN servers.
What it doesn’t provide for is shared key/certs such as those used across web server clusters. For that I don’t have a great solution.
cheers
mike

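The CSR-based workflow Mike describes (node generates a key and CSR, the signing host signs it, the node picks up and installs the cert) and the shared virtual host name case Justin mentions for clusters, as an added Ruby/OpenSSL example that is not part of this thread or of the chef-ssl cookbook. It models both sides without Chef: a constructed throwaway CA standing in for the signing host, a node that keeps its private key local and requests a subjectAltName for the cluster's shared name, and a signing step that verifies the CSR's self-signature, checks the requested names against an allowlist (a hypothetical policy for this example, not something chef-ssl does), and never copies basicConstraints or key usage from the request. The host names, the allowlist and the 90-day lifetime are constructed for the example.

```ruby
require 'openssl'

ONE_DAY = 24 * 3600

# Signing-host side: a throwaway self-signed CA, constructed for this example.
def make_ca(cn = 'Example Signing CA')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Node side: generate the key pair locally and a CSR carrying the requested
# SANs (the cluster's shared virtual host name plus the node's own name).
# Only the CSR leaves the node; the private key never does.
def make_csr(common_name, san_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = key.public_key
  unless san_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    san = ef.create_extension('subjectAltName', san_names.map { |n| "DNS:#{n}" }.join(','))
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  [key, csr]
end

# Pull the subjectAltName entries ("DNS:host") out of the CSR's extReq attribute.
def requested_sans(csr)
  csr.attributes.each do |attr|
    next unless attr.oid == 'extReq'
    attr.value.value.first.value.each do |ext_asn1|
      ext = OpenSSL::X509::Extension.new(ext_asn1.to_der)
      return ext.value.split(',').map(&:strip) if ext.oid == 'subjectAltName'
    end
  end
  []
end

# Signing-host side. The allowlist check is a hypothetical policy for this
# example: a node may only be issued names an operator has approved for it.
def sign_csr(csr, ca_key, ca_cert, serial, allowed_names:)
  raise ArgumentError, 'CSR signature invalid' unless csr.verify(csr.public_key)
  sans = requested_sans(csr)
  cn = csr.subject.to_a.find { |n| n[0] == 'CN' }[1]
  names = sans.map { |s| s.sub(/\ADNS:/, '') } + [cn]
  bad = names - allowed_names
  raise ArgumentError, "names not approved for this node: #{bad.join(', ')}" unless bad.empty?
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 90 * ONE_DAY
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  # Extensions are set by the signer, not taken from the request: an end-entity
  # cert, TLS server usage only, regardless of what the CSR asked for.
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
  cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  cert.add_extension(ef.create_extension('subjectAltName', sans.join(','))) unless sans.empty?
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Node side, before installing: does the returned cert chain to our CA?
def verify_chain(cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Full round trip for one cluster member.
def demo
  ca_key, ca_cert = make_ca
  node_key, csr = make_csr('web.example.com', ['web.example.com', 'web1.example.com'])
  allowed = ['web.example.com', 'web1.example.com', 'web2.example.com']
  cert = sign_csr(csr, ca_key, ca_cert, 2, allowed_names: allowed)
  {
    sans: requested_sans(csr),
    key_matches: cert.check_private_key(node_key), # the cert is for our local key
    chain_ok: verify_chain(cert, ca_cert),
    ca_flag: cert.extensions.find { |e| e.oid == 'basicConstraints' }.value
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a cookbook the `make_csr` half would run in the node's chef run and write the CSR to the node object, and the `sign_csr` half is what the operator's signing utility would do; the allowlist is the piece worth adding for the cluster case, since a shared name is exactly the one any single compromised node should not be able to request on its own.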

Awesome, I’ll definitely be reviewing chef-ssl.

Justin, are your modifications available on a fork? If not, is that anything you would consider publishing, if possible? That sounds like some great modifications that would be well used throughout the community.

Thanks,

Curtis


From: Justin Witrick justin.witrick@rackspace.com
Sent: Thursday, February 20, 2014 11:03 AM
To: chef@lists.opscode.com
Subject: [chef] RE: Re: Cert Management

I also am using the chef-ssl tool and with some slight modifications like adding in the ability to have a cert be for a virtual host name (for the clusters) everything has been working great.

Justin
