Encrypted databag sadness

Hi all -

We’re contemplating storing the values of some ssl keys and certificates in
an encrypted databag, but I have a couple of questions:

1 - Is there a way to have “local” encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn’t that
work?
2 - What is the standard way to get the key for decrypting databag values
on a machine? We’re trying to do this in an automated fashion and haven’t
found a place that best suits automated bootstrapping - what are people
doing?
3 - Some of the crt and key values are escape characters - is it possible
to escape them without screwing up the actual values?

Thanks a million :-/

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to create an encrypted databag on our chef server, list the encrypted values and copy/pasted them into a local json file. Using the key that will successfully decrypt the values from the databag stored on the server, I cannot decrypt the same values out of the local .json file. Shouldn't that work?
2 - What is the standard way to get the key for decrypting databag values on a machine? We're trying to do this in an automated fashion and haven't found a place that best suits automated bootstrapping - what are people doing?
3 - Some of the crt and key values are escape characters - is it possible to escape them without screwing up the actual values?

Thanks a million :-/
We write the databag secret to disk as part of our custom bootstrap template. It's built into the default bootstraps though (https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42) as long as you have the encrypted secret configured in client.rb on the machine initiating the bootstrap. As far as the certificates themselves go, what format are your certificates in? I would look into storing them in PEM format since they'd be base64 encoded and you wouldn't have to worry about escaping anything.

Dan

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti daniel@condomitti.comwrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and certificates
in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag values
on a machine? We're trying to do this in an automated fashion and haven't
found a place that best suits automated bootstrapping - what are people
doing?
3 - Some of the crt and key values are escape characters - is it possible
to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though (
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.

Dan

Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to
/etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti

On Mon, Jul 16, 2012 at 3:05 PM, Maven User maven.2.user@gmail.com wrote:

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife
from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti daniel@condomitti.com
wrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and certificates
in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag
values on a machine? We're trying to do this in an automated fashion and
haven't found a place that best suits automated bootstrapping - what are
people doing?
3 - Some of the crt and key values are escape characters - is it
possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though (
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.

Dan

I see this:

As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret'
setting in knife.rb. You will want to add this line to your knife.rb:
encrypted_data_bag_secret '/path/to/your/data_bag_key'

And change '/path/to/your/data_bag_key' to the location of where the data
bag key is located. When you run knife bootstrap afterwards it
automatically adds this line to the client.rb for the node you are
bootstrapping and copies the key over.

But, the issue is it transfers the key as "encrypted_data_bag_secret". Is
there anyway to control the NAME of the key on the target system?

On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti werebus@gmail.com wrote:

Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to
/etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti

On Mon, Jul 16, 2012 at 3:05 PM, Maven User maven.2.user@gmail.com
wrote:

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife
from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti <
daniel@condomitti.com> wrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and
certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag
values on a machine? We're trying to do this in an automated fashion and
haven't found a place that best suits automated bootstrapping - what are
people doing?
3 - Some of the crt and key values are escape characters - is it
possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though (
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.

Dan

If you use your own custom bootstrap, yes. Look at the source for the bootstraps: https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/chef-full.erb#L37-45 You'll most likely need to customize the client.rb that gets dropped on the node as well to reflect the new name. Why do you want to use something other than /etc/chef/encrypted_data_bag_secret?

On Monday, July 16, 2012 at 1:47 PM, Maven User wrote:

I see this:

As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret' setting in knife.rb. You will want to add this line to your knife.rb:

encrypted_data_bag_secret '/path/to/your/data_bag_key'

And change '/path/to/your/data_bag_key' to the location of where the data bag key is located. When you run knife bootstrap afterwards it automatically adds this line to the client.rb for the node you are bootstrapping and copies the key over.

But, the issue is it transfers the key as "encrypted_data_bag_secret". Is there anyway to control the NAME of the key on the target system?

On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti <werebus@gmail.com (mailto:werebus@gmail.com)> wrote:

Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to /etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti

On Mon, Jul 16, 2012 at 3:05 PM, Maven User <maven.2.user@gmail.com (mailto:maven.2.user@gmail.com)> wrote:

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti <daniel@condomitti.com (mailto:daniel@condomitti.com)> wrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to create an encrypted databag on our chef server, list the encrypted values and copy/pasted them into a local json file. Using the key that will successfully decrypt the values from the databag stored on the server, I cannot decrypt the same values out of the local .json file. Shouldn't that work?
2 - What is the standard way to get the key for decrypting databag values on a machine? We're trying to do this in an automated fashion and haven't found a place that best suits automated bootstrapping - what are people doing?
3 - Some of the crt and key values are escape characters - is it possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap template. It's built into the default bootstraps though (https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42) as long as you have the encrypted secret configured in client.rb on the machine initiating the bootstrap. As far as the certificates themselves go, what format are your certificates in? I would look into storing them in PEM format since they'd be base64 encoded and you wouldn't have to worry about escaping anything.

Dan

We may have several keys from different organizations.

On Mon, Jul 16, 2012 at 4:50 PM, Daniel Condomitti daniel@condomitti.comwrote:

If you use your own custom bootstrap, yes. Look at the source for the
bootstraps:
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/chef-full.erb#L37-45 You'll
most likely need to customize the client.rb that gets dropped on the node
as well to reflect the new name. Why do you want to use something other
than /etc/chef/encrypted_data_bag_secret?

On Monday, July 16, 2012 at 1:47 PM, Maven User wrote:

I see this:

As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret'
setting in knife.rb. You will want to add this line to your knife.rb:
encrypted_data_bag_secret '/path/to/your/data_bag_key'

And change '/path/to/your/data_bag_key' to the location of where the data
bag key is located. When you run knife bootstrap afterwards it
automatically adds this line to the client.rb for the node you are
bootstrapping and copies the key over.

But, the issue is it transfers the key as "encrypted_data_bag_secret". Is
there anyway to control the NAME of the key on the target system?

On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti werebus@gmail.comwrote:

Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to
/etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti

On Mon, Jul 16, 2012 at 3:05 PM, Maven User maven.2.user@gmail.com
wrote:

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife
from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti <
daniel@condomitti.com> wrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and
certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag
values on a machine? We're trying to do this in an automated fashion and
haven't found a place that best suits automated bootstrapping - what are
people doing?
3 - Some of the crt and key values are escape characters - is it
possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though (
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.

Dan

Hmm - so if we had several of these secret keys, we'd have to have several
of these bootstrap files?

Not sure how much I like that either - especially since they're locked at
the distribution level (they have to match the -d option).

I tried creating a ~/.chef/bootstrap/.erb file - but
it's not being used - in our case we have a :

-d ubuntu12.04-gems

so I created a ubuntu12.04-gems.erb file in ~/.chef/bootstrap.

thoughts?

On Mon, Jul 16, 2012 at 4:50 PM, Daniel Condomitti daniel@condomitti.comwrote:

If you use your own custom bootstrap, yes. Look at the source for the
bootstraps:
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/chef-full.erb#L37-45 You'll
most likely need to customize the client.rb that gets dropped on the node
as well to reflect the new name. Why do you want to use something other
than /etc/chef/encrypted_data_bag_secret?

On Monday, July 16, 2012 at 1:47 PM, Maven User wrote:

I see this:

As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret'
setting in knife.rb. You will want to add this line to your knife.rb:
encrypted_data_bag_secret '/path/to/your/data_bag_key'

And change '/path/to/your/data_bag_key' to the location of where the data
bag key is located. When you run knife bootstrap afterwards it
automatically adds this line to the client.rb for the node you are
bootstrapping and copies the key over.

But, the issue is it transfers the key as "encrypted_data_bag_secret". Is
there anyway to control the NAME of the key on the target system?

On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti werebus@gmail.comwrote:

Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to
/etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti

On Mon, Jul 16, 2012 at 3:05 PM, Maven User maven.2.user@gmail.com
wrote:

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife
from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti <
daniel@condomitti.com> wrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and
certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag
values on a machine? We're trying to do this in an automated fashion and
haven't found a place that best suits automated bootstrapping - what are
people doing?
3 - Some of the crt and key values are escape characters - is it
possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though (
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.

Dan

Hmm - not jazzed about this - I think what I'm going to do is create a
_base cookbook that is just the keys and the recipe to set
them in the proper location. This will be the parent cookbook for all of
our custom ones.

Otherwise, people will be stomping all over eachothers keys...

On Mon, Jul 16, 2012 at 4:50 PM, Daniel Condomitti daniel@condomitti.comwrote:

If you use your own custom bootstrap, yes. Look at the source for the
bootstraps:
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/chef-full.erb#L37-45 You'll
most likely need to customize the client.rb that gets dropped on the node
as well to reflect the new name. Why do you want to use something other
than /etc/chef/encrypted_data_bag_secret?

On Monday, July 16, 2012 at 1:47 PM, Maven User wrote:

I see this:

As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret'
setting in knife.rb. You will want to add this line to your knife.rb:
encrypted_data_bag_secret '/path/to/your/data_bag_key'

And change '/path/to/your/data_bag_key' to the location of where the data
bag key is located. When you run knife bootstrap afterwards it
automatically adds this line to the client.rb for the node you are
bootstrapping and copies the key over.

But, the issue is it transfers the key as "encrypted_data_bag_secret". Is
there anyway to control the NAME of the key on the target system?

On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti werebus@gmail.comwrote:

Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to
/etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti

On Mon, Jul 16, 2012 at 3:05 PM, Maven User maven.2.user@gmail.com
wrote:

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife
from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti <
daniel@condomitti.com> wrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and
certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag
values on a machine? We're trying to do this in an automated fashion and
haven't found a place that best suits automated bootstrapping - what are
people doing?
3 - Some of the crt and key values are escape characters - is it
possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though (
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.

Dan

A bit tangential, but I was recently talking to some folks from Gazzang
about their new zTrustee product. It could easily be used to manage
multiple keys for different encrypted data bags and they've had a couple of
Chef-related posts on their blog lately. I'll ping them about writing up
something for this problem sometime soon.
http://www.gazzang.com/products/ztrustee
http://www.gazzang.com/blog

Thanks,
Matt Ray
Senior Technical Evangelist | Opscode Inc.
matt@opscode.com | (512) 731-2218
Twitter, IRC, GitHub: mattray

On Mon, Jul 16, 2012 at 4:41 PM, Maven User maven.2.user@gmail.com wrote:

Hmm - not jazzed about this - I think what I'm going to do is create a
_base cookbook that is just the keys and the recipe to set
them in the proper location. This will be the parent cookbook for all of
our custom ones.

Otherwise, people will be stomping all over eachothers keys...

On Mon, Jul 16, 2012 at 4:50 PM, Daniel Condomitti daniel@condomitti.comwrote:

If you use your own custom bootstrap, yes. Look at the source for the
bootstraps:
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/chef-full.erb#L37-45 You'll
most likely need to customize the client.rb that gets dropped on the node
as well to reflect the new name. Why do you want to use something other
than /etc/chef/encrypted_data_bag_secret?

On Monday, July 16, 2012 at 1:47 PM, Maven User wrote:

I see this:

As of 0.10.6, knife bootstrap supports the 'encrypted_data_bag_secret'
setting in knife.rb. You will want to add this line to your knife.rb:
encrypted_data_bag_secret '/path/to/your/data_bag_key'

And change '/path/to/your/data_bag_key' to the location of where the data
bag key is located. When you run knife bootstrap afterwards it
automatically adds this line to the client.rb for the node you are
bootstrapping and copies the key over.

But, the issue is it transfers the key as "encrypted_data_bag_secret".
Is there anyway to control the NAME of the key on the target system?

On Mon, Jul 16, 2012 at 3:32 PM, Matthew Moretti werebus@gmail.comwrote:

Yeah, if you have a line in your workstation's knife.rb to the effect of

encrypted_data_bag_secret '/path/to/your/data_bag_key'

then the bootstrap process will upload the secret to
/etc/chef/encrypted_data_bag_secret which is the default location.

http://wiki.opscode.com/display/chef/Knife+Bootstrap#KnifeBootstrap-Usingencrypteddatabags

-Matt Moretti

On Mon, Jul 16, 2012 at 3:05 PM, Maven User maven.2.user@gmail.com
wrote:

Are there any other details about this technique somewhere?

And is this file only living on the place where you're launching knife
from?

On Fri, Jul 13, 2012 at 2:00 PM, Daniel Condomitti <
daniel@condomitti.com> wrote:

On Friday, July 13, 2012 at 10:48 AM, Maven User wrote:

Hi all -

We're contemplating storing the values of some ssl keys and
certificates in an encrypted databag, but I have a couple of questions:

1 - Is there a way to have "local" encrypted databags? I was able to
create an encrypted databag on our chef server, list the encrypted values
and copy/pasted them into a local json file. Using the key that will
successfully decrypt the values from the databag stored on the server, I
cannot decrypt the same values out of the local .json file. Shouldn't that
work?
2 - What is the standard way to get the key for decrypting databag
values on a machine? We're trying to do this in an automated fashion and
haven't found a place that best suits automated bootstrapping - what are
people doing?
3 - Some of the crt and key values are escape characters - is it
possible to escape them without screwing up the actual values?

Thanks a million :-/

We write the databag secret to disk as part of our custom bootstrap
template. It's built into the default bootstraps though (
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap/centos5-gems.erb#L34-42)
as long as you have the encrypted secret configured in client.rb on the
machine initiating the bootstrap. As far as the certificates themselves go,
what format are your certificates in? I would look into storing them in PEM
format since they'd be base64 encoded and you wouldn't have to worry about
escaping anything.

Dan