
Setup a new PKI software as an alternative to the puppet CA for managing services certificates
Open, Medium, Public


We've been relying on the puppet CA more and more for service-level certificates, and it has been showing its limitations.

For example:

  • no ECDSA keys
  • no wildcard SANs allowed
  • no control over certificate validity (pegged at 5 years)
  • no IP-based SANs (needed for mcrouter, which is why I open this as a subtask of setting up mcrouter in production)
  • No way to receive the signed certificate from the API

We had to create our own scripts (that fiddle with puppet internals) for overcoming some of those limitations, and we even created a tool (called cergen) in order to have an easy way to manage certificate generation in a declarative way.

I think this approach, that allowed us to scale up our use of internal certificates fast and is also well integrated with puppet, is showing its limits. We should install a PKI management software for having our internal root CA, and probably have the puppet CA be an intermediate authority for that root CA. This CA should probably sign and manage all application-level certs, or delegate to intermediate CAs the management of specific domains (like kubernetes).

Ideally, this PKI management software should be:

  • widely used and well supported
  • flexible enough to be able to accommodate most of our needs
  • allow to define both short-term and long-term certificates
  • have support for CRLs
  • ideally be able to manage our externally-requested certificates as well with a single tool
  • be easy to integrate into puppet configuration management

This list of requirements came up in a quick chat with @Vgutierrez this morning, and it seems to me that cfssl ticks all the boxes we might need. I'm not 100% sure it makes sense to consider this a blocker for deploying mcrouter (we can probably get away with generating certificates with a dedicated CA for now), but I wouldn't exclude that it could also make sense to build this once and for all.
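As an added illustration (not code from the task, from cergen or from the cfssl project), the following shows how the limitations listed above map onto cfssl's two JSON inputs: the CSR request (`key.algo` for ECDSA, `hosts` for DNS, wildcard and IP SANs) and the signing config (`profiles` with per-profile `expiry`). The host names, profile names and the five-year ceiling are constructed for the example; the `usages` strings and the Go-style duration format are cfssl's.

```python
import ipaddress
import re

# cfssl expiries are Go durations ("8760h", "1h30m"); seconds per unit.
_UNIT = {"h": 3600, "m": 60, "s": 1}
_PART = re.compile(r"(\d+)([hms])")
# Constructed policy ceiling: the puppet CA pegs validity at 5 years,
# so nothing we sign ourselves should exceed that.
FIVE_YEARS = 5 * 365 * 24 * 3600


def parse_expiry(expiry):
    """Convert a cfssl/Go duration string into seconds, rejecting junk."""
    pos, total = 0, 0
    for m in _PART.finditer(expiry):
        if m.start() != pos:
            raise ValueError(f"bad duration {expiry!r}")
        total += int(m.group(1)) * _UNIT[m.group(2)]
        pos = m.end()
    if pos != len(expiry) or total == 0:
        raise ValueError(f"bad duration {expiry!r}")
    return total


def san_kind(host):
    """Classify a cfssl 'hosts' entry as 'ip', 'wildcard' or 'dns'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    if host.startswith("*.") and re.fullmatch(r"[A-Za-z0-9.-]+", host[2:]):
        return "wildcard"
    if re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", host):
        return "dns"
    raise ValueError(f"invalid SAN {host!r}")


def signing_config(profiles):
    """ca-config.json: one profile per name (hours of validity). Every expiry
    must parse and stay under the ceiling, so validity is a policy knob."""
    out = {}
    for name, hours in profiles.items():
        expiry = f"{hours}h"
        if parse_expiry(expiry) > FIVE_YEARS:
            raise ValueError(f"profile {name} exceeds 5 years")
        out[name] = {"expiry": expiry,
                     "usages": ["signing", "key encipherment", "server auth", "client auth"]}
    return {"signing": {"default": {"expiry": "8760h"}, "profiles": out}}


def csr_request(cn, hosts):
    """CSR JSON for `cfssl gencert`: ECDSA P-256 key plus validated SANs."""
    kinds = {h: san_kind(h) for h in hosts}  # raises on a malformed entry
    return {"CN": cn, "hosts": list(kinds), "key": {"algo": "ecdsa", "size": 256}}
```

A request such as `csr_request("mcrouter.example.internal", ["*.example.internal", "10.0.0.10"])` yields SANs of all three kinds with an ECDSA key, which is exactly the combination the puppet CA cannot issue.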

Event Timeline

Joe triaged this task as Medium priority. May 7 2018, 11:47 AM
Joe created this task.
BBlack added a subscriber: BBlack. May 19 2018, 3:23 PM

@Joe - So we're looking at doing something just for the LetsEncrypt (ACME) use-case over in T194962. The idea is this will manage puppetized issue/renewal/distribution of public/private keypairs from LetsEncrypt's ACME CA and support all the LE use-cases we have (e.g. same cert on N endpoint hosts, etc). I think it will work well and basically solve all our issues for public-facing certs well enough. We can/should add revocation support as well (using the saved privkeys to revoke->reissue chosen certs via ACME, under admin command, if we think a privkey was compromised), but that might come later.

This opens up a couple of possible options for what you're looking at here:

  1. You can ignore the public-facing case and focus solely on managing certs issued by an internal CA, since the rest is handled.
  2. You could also choose to instead just implement an ACME-conformant issuing CA for internal use, and then have the above service we've built for LE-use to also use this internal ACME CA for issuing internal certs, thus re-using T194962 for the issue/renewal/distribution side of things.

Vgutierrez moved this task from Triage to TLS on the Traffic board. May 21 2018, 3:22 PM
Vvjjkkii renamed this task from Setup a new PKI software as an alternative to the puppet CA for managing services certificates to khdaaaaaaa. Jul 1 2018, 1:11 AM
Vvjjkkii removed Joe as the assignee of this task.
Vvjjkkii raised the priority of this task from Medium to High.
Vvjjkkii updated the task description.
Vvjjkkii removed a subscriber: Aklapper.
elukey renamed this task from khdaaaaaaa to Setup a new PKI software as an alternative to the puppet CA for managing services certificates. Jul 2 2018, 6:24 AM
elukey assigned this task to Joe.
elukey lowered the priority of this task from High to Medium.
elukey updated the task description.

I wouldn't call cergen a proper PKI management software, and it is probably too painful to use for managing external certs, but it does satisfy most of the requirements laid out here (except for the widely used part :p )

CDanis added a subscriber: CDanis. Jul 16 2019, 2:18 PM
Joe reassigned this task from Joe to Volans. Dec 12 2019, 9:30 AM
Volans added a subscriber: jbond. Dec 12 2019, 10:44 AM
jbond claimed this task. Dec 18 2019, 1:11 PM
jbond added a project: User-jbond.