RFC: ssl-key-management via chef-lwrp


#1

Hi all,

Using Chef more and more, I now need to set up SSL keys for a
number of services like HTTPS or OpenVPN tunnels. So naturally I looked
at what Chef recipes have to offer. Unfortunately, all the recipes I
looked at that would allow me to manage certs and keys store the key
inside Chef.
Regardless of whether it's in an encrypted data bag or not, given the past
failures of RSA (the company) and others, I am strongly against storing
the private key on any other system than the one it's intended to secure.

So here is an idea for a cookbook/LWRP I would like to hear your
comments on:

A resource "sslcert" that would:

  • Create a private key (if it doesn't exist yet).
  • Create a self-signed cert for that key (if it doesn't exist).
  • Create a signing request if the existing cert is nearing the end of
    its lifetime or if there is only the self-signed cert.
  • Attach that CSR to the node's attributes.
  • Once that CSR attribute is matched by a signed cert (and possibly
    the CA chain), that cert is then placed into the system.

I think that approach would be better than fiddling with secure
data bags, as there wouldn't be anything inside Chef that needs secure
storage. The SSL key in question wouldn't leave its system at all.

What do you think? Would you use an LWRP that did the above?
Or do you know of a better alternative? How do you handle SSL keys
(apart from "with utmost care" :)?

Have fun,

Arnold
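The five steps Arnold lists, worked through in plain Ruby as an added example (this is not code from the thread, from Chef, or from any cookbook). It uses only Ruby's OpenSSL standard library: the key is generated on the host and never serialised anywhere but its own file, a self-signed placeholder lets the service start, a CSR is produced only while the installed cert is self-signed or close to expiry, and a returned cert is installed only after checking that it matches the local key and subject. The file layout, the 30-day renewal window, the CA name and the in-process "CA" are assumptions; the node-attribute hand-off is modelled as PEM strings passed in and out.

```ruby
# Added example, not from the thread or any cookbook: a plain-Ruby model of the
# proposed "sslcert" resource using only Ruby's OpenSSL stdlib. Paths, the 30-day
# renewal window and the CA name are assumptions; the node-attribute hand-off is
# modelled as PEM strings passed in and out.
require 'openssl'
require 'tmpdir'

class SslCert
  RENEW_WINDOW = 30 * 86_400 # assumed: request a new cert when < 30 days remain

  def initialize(dir, cn)
    @key_path  = File.join(dir, "#{cn}.key")
    @cert_path = File.join(dir, "#{cn}.crt")
    @name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  end

  # Build and sign an X.509 v3 cert (self-signed when issuer == subject).
  def self.build_cert(subject, issuer, pubkey, days, signer_key)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = OpenSSL::BN.rand(64)
    cert.subject = subject
    cert.issuer = issuer
    cert.public_key = pubkey
    cert.not_before = Time.now
    cert.not_after = Time.now + days * 86_400
    cert.sign(signer_key, OpenSSL::Digest.new('SHA256'))
    cert
  end

  # Step 1: create the private key only if absent; it never leaves this host.
  def ensure_key
    return OpenSSL::PKey::RSA.new(File.read(@key_path)) if File.exist?(@key_path)
    key = OpenSSL::PKey::RSA.new(2048)
    File.open(@key_path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(key.to_pem) }
    key
  end

  # Step 2: a self-signed placeholder so the service can start before the CA answers.
  def ensure_cert(key)
    return OpenSSL::X509::Certificate.new(File.read(@cert_path)) if File.exist?(@cert_path)
    cert = SslCert.build_cert(@name, @name, key.public_key, 90, key)
    File.write(@cert_path, cert.to_pem)
    cert
  end

  def build_csr(key)
    req = OpenSSL::X509::Request.new
    req.subject = @name
    req.public_key = key.public_key
    req.sign(key, OpenSSL::Digest.new('SHA256'))
    req.to_pem
  end

  # Step 3: a CSR (to attach to the node attributes) only while the installed
  # cert is still the self-signed placeholder or is close to expiry.
  def csr_if_needed(key, cert, now = Time.now)
    return nil unless cert.issuer == cert.subject || cert.not_after - now < RENEW_WINDOW
    build_csr(key)
  end

  # Step 5: a signed cert came back; install it only if it matches our key,
  # carries our subject and has not already expired.
  def install_signed(signed_pem, key)
    cert = OpenSSL::X509::Certificate.new(signed_pem)
    return false unless cert.check_private_key(key) && cert.subject == @name
    return false if cert.not_after <= Time.now
    File.write(@cert_path, cert.to_pem)
    true
  end
end

# Stand-in for the out-of-band CA: verify the CSR's own signature, then issue.
def sign_csr(csr_pem, ca_key, ca_name, days)
  req = OpenSSL::X509::Request.new(csr_pem)
  raise 'CSR signature invalid' unless req.verify(req.public_key)
  SslCert.build_cert(req.subject, ca_name, req.public_key, days, ca_key).to_pem
end

# Two converge runs: the first yields a CSR and installs the CA's answer; the
# second finds a fresh CA-signed cert, reuses the key and emits no CSR.
def demo
  Dir.mktmpdir do |dir|
    res = SslCert.new(dir, 'www.example.test')
    key = res.ensure_key
    first_csr = res.csr_if_needed(key, res.ensure_cert(key))
    ca_key = OpenSSL::PKey::RSA.new(2048)
    ca_name = OpenSSL::X509::Name.parse('/CN=Example Internal CA')
    installed = res.install_signed(sign_csr(first_csr, ca_key, ca_name, 365), key)
    # A cert the CA issued for some other key must be refused, not installed.
    rogue = sign_csr(res.build_csr(OpenSSL::PKey::RSA.new(2048)), ca_key, ca_name, 365)
    refused = !res.install_signed(rogue, key)
    key2 = res.ensure_key
    cert2 = res.ensure_cert(key2)
    { first_csr: !first_csr.nil?, installed: installed, refused: refused,
      key_unchanged: key2.to_pem == key.to_pem, ca_signed: cert2.issuer == ca_name,
      second_csr: res.csr_if_needed(key2, cert2) }
  end
end
```

The `install_signed` check is the part a real LWRP must not skip: whatever is written into a node attribute is writable by anyone with the matching Chef permissions, so the host has to verify that the cert it is handed actually belongs to its own key and subject before swapping it in. Running `demo` returns a hash in which `first_csr`, `installed`, `refused`, `key_unchanged` and `ca_signed` are all true and `second_csr` is nil.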


#2

Hi Arnold,

I think it’s a great idea! In fact, we implemented a similar system when I
was working at Venda.
The result is the x509 cookbook, available on the community site:
http://community.opscode.com/cookbooks/x509

I wrote a blog post to show its use, which you can find here:

http://cryptocracy.com/blog/2013/04/20/very-simple-x509-pki-with-chef/

It supports GPG encrypting the keys (and storing them in node attributes)
if you want to do that for archival purposes, but it’s not required.

Zac

On Wed, Jul 31, 2013 at 10:04 AM, Arnold Krille <arnold@arnoldarts.de> wrote:

> Hi all,
>
> Using Chef more and more, I now need to set up SSL keys for a number
> of services like HTTPS or OpenVPN tunnels. So naturally I looked at what
> Chef recipes have to offer. Unfortunately, all the recipes I looked at that
> would allow me to manage certs and keys store the key inside Chef.
> Regardless of whether it's in an encrypted data bag or not, given the past
> failures of RSA (the company) and others, I am strongly against storing the
> private key on any other system than the one it's intended to secure.
>
> So here is an idea for a cookbook/LWRP I would like to hear your comments
> on:
>
> A resource "sslcert" that would:
>
>   • Create a private key (if it doesn't exist yet).
>   • Create a self-signed cert for that key (if it doesn't exist).
>   • Create a signing request if the existing cert is nearing the end of
>     its lifetime or if there is only the self-signed cert.
>   • Attach that CSR to the node's attributes.
>   • Once that CSR attribute is matched by a signed cert (and possibly the
>     CA chain), that cert is then placed into the system.
>
> I think that approach would be better than fiddling with secure data bags,
> as there wouldn't be anything inside Chef that needs secure storage. The
> SSL key in question wouldn't leave its system at all.
>
> What do you think? Would you use an LWRP that did the above?
> Or do you know of a better alternative? How do you handle SSL keys (apart
> from "with utmost care" :)?
>
> Have fun,
>
> Arnold


#3

Hi Zac,

On 2013-07-31 11:51, Zac Stevens wrote:

> I think it's a great idea! In fact, we implemented a similar system
> when I was working at Venda.
> The result is the x509 cookbook, available on the community site:
> http://community.opscode.com/cookbooks/x509

Wow, great!

From first tests this seems to do almost everything I want.

Adding mechanisms to detect certificates nearing the end of validation
would be nice…
Maybe it's a first start to add the validation end to the data bag item.

> I wrote a blog post to show its use, which you can find here:
> http://cryptocracy.com/blog/2013/04/20/very-simple-x509-pki-with-chef/

The URL only worked after I added www. in front.
But thanks for the post and the cookbook!

Have fun,

Arnold