[chef] RFC: ssl-key-management via chef-lwrp

[Arnold Krille < >]

Hi all,

using chef more and more, I am now in need to set up ssl-keys for a 
number of services like https or openvpn-tunnels. So naturally I looked 
at what chef-recipes have to offer. Unfortunately all the recipes I 
looked at that would allow me to manage certs and key all store the key 
inside chef.
Regardless whether its in an encrypted databag or not, given the past 
failures of RSA (the company) and others, I am strongly against storing 
the private key on any other system then the one its intended to secure.

So here is an idea for a cookbook/lwrp I would like to hear your 
comments on:

A resource "sslcert" that would:
 - Create a private key (if it doesn't exists yet).
 - Create a self-signed cert for that key (if it doesn't exist).
 - Create a signing-request if the existing key is nearing its end of 
livetime or if there is only the self-signed cert.
 - Attach that csr into the nodes attributes.
 - Once that csr-attribute is matched by a signed cert (and possibly 
the cachain), that cert is then placed into the system.

I think that approach would be better then fiddling with secure 
databags as there wouldn't be anything inside chef that needs secure 
storage. The ssl-key in question wouldn't leave its system at all.

What do you think? Would you use a lwrp that did the above?
Or do you know of a better alternative? How do you handle ssl-keys 
(apart from "with utmost care":)?

Have fun,

Arnold