Using Chef more and more, I now need to set up SSL keys for a
number of services like HTTPS or OpenVPN tunnels. So naturally I looked
at what Chef recipes have to offer. Unfortunately, all the recipes I
looked at that would allow me to manage certs and keys all store the key
Regardless of whether it's in an encrypted data bag or not, given the past
failures of RSA (the company) and others, I am strongly against storing
the private key on any other system than the one it's intended to secure.
So here is an idea for a cookbook/LWRP I would like to hear your
A resource “sslcert” that would:
- Create a private key (if it doesn’t exist yet).
- Create a self-signed cert for that key (if it doesn’t exist).
- Create a signing request if the existing key is nearing its end of
lifetime or if there is only the self-signed cert.
- Attach that CSR to the node’s attributes.
- Once that CSR attribute is matched by a signed cert (and possibly
the CA chain), that cert is then placed into the system.
I think that approach would be better than fiddling with secure
data bags, as there wouldn’t be anything inside Chef that needs secure
storage. The SSL key in question wouldn’t leave its system at all.
What do you think? Would you use an LWRP that did the above?
Or do you know of a better alternative? How do you handle SSL keys
(apart from “with utmost care” :)?
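As an added example (not the poster's code and not an existing cookbook), here is the core of the five steps above in plain Ruby with the openssl stdlib, the language an LWRP would be written in. It shows the one check a practitioner would want in step 5 that the proposal only implies: a cert that comes back through node attributes is installed only if it belongs to the local private key and chains to a CA you trust, because anyone who can write node attributes could otherwise push an arbitrary cert onto the node. The `ToyCA` module exists only so the whole exchange can be run offline; it is not part of the proposal. File paths, the 30-day renewal window, 2048-bit RSA and the CN-only subject are assumptions made for this example.

```ruby
require 'openssl'
require 'tmpdir'

# Hypothetical "sslcert" resource logic (example, not the poster's code): the
# private key and cert never leave the node; only the CSR (public data) would
# be exported into node attributes. Paths, window and key size are assumed.
module SslCert
  RENEW_WINDOW = 30 * 24 * 3600
  DIGEST = 'SHA256'

  def self.name(cn)
    OpenSSL::X509::Name.new([['CN', cn]])
  end

  # Step 1: create the private key only if missing (never overwrite), mode 0600.
  def self.ensure_key(path, bits: 2048)
    return OpenSSL::PKey::RSA.new(File.read(path)) if File.exist?(path)
    key = OpenSSL::PKey::RSA.new(bits)
    File.open(path, 'w', 0o600) { |f| f.write(key.to_pem) }
    key
  end

  # Step 2: bootstrap a self-signed cert so the service can start before any
  # CA has signed anything; an already installed cert is left alone.
  def self.ensure_cert(path, key, cn, days: 365)
    return OpenSSL::X509::Certificate.new(File.read(path)) if File.exist?(path)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = name(cn)
    cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + days * 86_400
    cert.sign(key, OpenSSL::Digest.new(DIGEST))
    File.write(path, cert.to_pem)
    cert
  end

  def self.self_signed?(cert)
    cert.issuer.to_der == cert.subject.to_der
  end

  # Step 3: a CSR is due while still on the bootstrap cert or near expiry.
  def self.needs_csr?(cert, now: Time.now)
    self_signed?(cert) || (cert.not_after - now) < RENEW_WINDOW
  end

  # Step 4: the PEM of this request is all that would go into node attributes.
  def self.csr(key, cn)
    req = OpenSSL::X509::Request.new
    req.version = 0
    req.subject = name(cn)
    req.public_key = key.public_key
    req.sign(key, OpenSSL::Digest.new(DIGEST))
    req
  end

  # Step 5: install a returned cert only if it belongs to the local key and
  # chains to a trusted CA; otherwise keep what is installed.
  def self.install_signed(path, key, signed_pem, chain_pems)
    cert = OpenSSL::X509::Certificate.new(signed_pem)
    return false unless cert.check_private_key(key)
    store = OpenSSL::X509::Store.new
    chain_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
    return false unless store.verify(cert)
    File.write(path, cert.to_pem)
    true
  end
end

# Toy CA, only here so the flow can be exercised offline; not part of the
# proposal and not usable as a real CA.
module ToyCA
  def self.make
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2; cert.serial = 1
    cert.subject = SslCert.name('Toy CA'); cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60; cert.not_after = Time.now + 3650 * 86_400
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    [key, cert]
  end

  def self.sign(csr_pem, ca_key, ca_cert, days: 90)
    req = OpenSSL::X509::Request.new(csr_pem)
    raise 'CSR signature does not verify' unless req.verify(req.public_key)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2; cert.serial = 2
    cert.subject = req.subject; cert.issuer = ca_cert.subject
    cert.public_key = req.public_key
    cert.not_before = Time.now - 60; cert.not_after = Time.now + days * 86_400
    cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
    cert.to_pem
  end
end
```

In a real LWRP the `ensure_*` calls would run on every Chef run and stay idempotent, `SslCert.csr(...).to_pem` would be written to a node attribute, and `install_signed` would read the signed cert and chain back from whatever attribute or data bag the signing side fills in. Because `install_signed` refuses a cert for a different key or from an unknown CA, a compromised Chef server can at worst withhold a renewal; it cannot hand the node a key it does not already hold, which is the property the proposal is after.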