[chef] RFC: ssl-key-management via chef-lwrp

  • From: Arnold Krille < >
  • To: < >
  • Subject: [chef] RFC: ssl-key-management via chef-lwrp
  • Date: Wed, 31 Jul 2013 11:04:10 +0200

Hi all,

Using chef more and more, I now need to set up ssl-keys for a number of services like https or openvpn-tunnels. So naturally I looked at what chef-recipes have to offer. Unfortunately all the recipes I looked at that would allow me to manage certs and keys all store the key inside chef.
Regardless of whether it's in an encrypted databag or not, given the past failures of RSA (the company) and others, I am strongly against storing the private key on any other system than the one it's intended to secure.

So here is an idea for a cookbook/lwrp I would like to hear your comments on:

A resource "sslcert" that would:
 - Create a private key (if it doesn't exist yet).
 - Create a self-signed cert for that key (if it doesn't exist).
 - Create a signing-request if the existing key is nearing its end of lifetime or if there is only the self-signed cert.
 - Attach that csr to the node's attributes.
 - Once that csr-attribute is matched by a signed cert (and possibly the cachain), that cert is then placed into the system.

I think that approach would be better than fiddling with secure databags, as there wouldn't be anything inside chef that needs secure storage. The ssl-key in question wouldn't leave its system at all.

What do you think? Would you use a lwrp that did the above?
Or do you know of a better alternative? How do you handle ssl-keys (apart from "with utmost care":)?

Have fun,

Arnold
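
The five steps proposed above, worked through in plain Ruby with the OpenSSL standard library. This is an added illustration, not a Chef LWRP and not code from the post or from any cookbook: the chef node is modelled as a Hash, and the file names, attribute keys (node['sslcert'][cn]['csr'], ['cert'], ['cachain']), key size and 30-day renewal window are assumptions. The one thing it adds to the list is the check a practitioner would want before step 5: because anyone who can write node attributes can attach a cert, the delivered cert is installed only if it carries this host's public key, is valid now, and chains to the CA bundle delivered with it.

```ruby
require 'openssl'

# Added illustration of the proposed "sslcert" flow; not a Chef resource and not
# code from the post. The node is a Hash, and all names, keys and windows are
# assumptions chosen for the example.
ONE_DAY = 24 * 3600

# Build and sign an X.509 certificate; issuer_cert nil means self-signed.
def build_cert(subject, pubkey, signer_key, issuer_cert: nil, days: 365, now: Time.now, ca: false)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial = 2, (now.to_i & 0x7fffffff)
  c.subject = subject.is_a?(String) ? OpenSSL::X509::Name.parse(subject) : subject
  c.issuer = issuer_cert ? issuer_cert.subject : c.subject
  c.public_key = pubkey
  c.not_before, c.not_after = now, now + days * ONE_DAY
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new(c, c)
    c.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  c.sign(signer_key, OpenSSL::Digest.new('SHA256'))
  c
end

class SslCert
  RENEW_WINDOW = 30 * ONE_DAY  # request a fresh cert when under 30 days remain (assumption)
  attr_reader :key_path, :cert_path, :csr_path

  def initialize(dir, common_name, key_bits: 2048, now: Time.now)
    @cn, @now, @key_bits = common_name, now, key_bits
    @key_path, @cert_path, @csr_path = %w[key crt csr].map { |e| File.join(dir, "#{common_name}.#{e}") }
  end

  # 1. Private key: generated in place (mode 0600) only if missing. Nothing here
  #    ever reads it back out for transport, so it never appears in chef.
  def key
    @key ||= if File.exist?(@key_path)
               OpenSSL::PKey::RSA.new(File.read(@key_path))
             else
               k = OpenSSL::PKey::RSA.new(@key_bits)
               File.open(@key_path, 'w', 0o600) { |f| f.write(k.to_pem) }
               k
             end
  end

  def cert
    File.exist?(@cert_path) ? OpenSSL::X509::Certificate.new(File.read(@cert_path)) : nil
  end

  # 2. Self-signed placeholder, created only when no cert exists yet.
  def ensure_self_signed!
    cert || build_cert("/CN=#{@cn}", key.public_key, key, now: @now).tap { |c| File.write(@cert_path, c.to_pem) }
  end

  def self_signed?(c)
    c.issuer.to_s == c.subject.to_s
  end

  # 3. A CSR is due while we still run on the placeholder or once expiry is near.
  def csr_needed?(c = cert)
    self_signed?(c) || (c.not_after - @now) < RENEW_WINDOW
  end

  def request
    req = OpenSSL::X509::Request.new
    req.version = 0
    req.subject = OpenSSL::X509::Name.parse("/CN=#{@cn}")
    req.public_key = key.public_key
    req.sign(key, OpenSSL::Digest.new('SHA256'))
    File.write(@csr_path, req.to_pem)
    req
  end

  # 4./5. One chef-client run: publish the CSR as a node attribute when due, then
  # install a signed cert if one has been attached for it.
  # Returns :installed, :waiting (nothing attached yet) or :rejected.
  def converge(node)
    c = ensure_self_signed!
    entry = (node['sslcert'] ||= {})[@cn] ||= {}
    entry['csr'] = request.to_pem if csr_needed?(c)
    install_signed(entry)
  end

  # Anyone who can write node attributes can attach a cert, so before it is
  # trusted it must (a) carry this host's public key, (b) be valid now and
  # (c) chain to the CA bundle delivered alongside it.
  def install_signed(entry)
    return :waiting unless entry['cert']
    signed = OpenSSL::X509::Certificate.new(entry['cert'])
    return :rejected unless signed.public_key.to_der == key.public_key.to_der
    return :rejected unless signed.not_before <= @now && @now < signed.not_after
    if entry['cachain']
      store = OpenSSL::X509::Store.new
      store.time = @now
      entry['cachain'].scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
                      .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
      return :rejected unless store.verify(signed)
    end
    File.write(@cert_path, signed.to_pem)
    :installed
  end
end

# Stand-in for the out-of-band CA step (assumption: an operator or a signing
# service reads node['sslcert'][cn]['csr'] and attaches the result).
def sign_csr_with_ca(csr_pem, ca_key, ca_cert, days: 90, now: Time.now)
  req = OpenSSL::X509::Request.new(csr_pem)
  raise 'CSR signature invalid' unless req.verify(req.public_key)
  build_cert(req.subject, req.public_key, ca_key, issuer_cert: ca_cert, days: days, now: now)
end
```

A first converge returns :waiting after writing the key, the placeholder cert and the CSR attribute; once the signed cert and chain are attached, the next converge returns :installed and the private key file is never rewritten. A cert the CA issued for a different key, or one issued by a CA that is not in the delivered chain, returns :rejected and leaves the installed cert alone.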

