[chef] Re: RFC: ssl-key-management via chef-lwrp


  • From: Zac Stevens < >
  • To:
  • Subject: [chef] Re: RFC: ssl-key-management via chef-lwrp
  • Date: Wed, 31 Jul 2013 10:51:21 +0100

Hi Arnold,

I think it's a great idea!  In fact, we implemented a similar system when I was working at Venda.
The result is the x509 cookbook, available on the community site: http://community.opscode.com/cookbooks/x509

I wrote a blog post to show its use, which you can find here:


It supports GPG encrypting the keys (and storing them in node attributes) if you want to do that for archival purposes, but it's not required.


Zac



On Wed, Jul 31, 2013 at 10:04 AM, Arnold Krille < > wrote:
Hi all,

Using chef more and more, I now need to set up ssl-keys for a number of services like https or openvpn-tunnels. So naturally I looked at what chef-recipes have to offer. Unfortunately all the recipes I looked at that would allow me to manage certs and keys all store the key inside chef.
Regardless of whether it's in an encrypted databag or not, given the past failures of RSA (the company) and others, I am strongly against storing the private key on any other system than the one it's intended to secure.

So here is an idea for a cookbook/lwrp I would like to hear your comments on:

A resource "sslcert" that would:
 - Create a private key (if it doesn't exist yet).
 - Create a self-signed cert for that key (if it doesn't exist).
 - Create a signing-request if the existing key is nearing its end of lifetime or if there is only the self-signed cert.
 - Attach that csr into the node's attributes.
 - Once that csr-attribute is matched by a signed cert (and possibly the CA chain), that cert is then placed into the system.

I think that approach would be better than fiddling with secure databags as there wouldn't be anything inside chef that needs secure storage. The ssl-key in question wouldn't leave its system at all.

What do you think? Would you use an lwrp that did the above?
Or do you know of a better alternative? How do you handle ssl-keys (apart from "with utmost care":)?

Have fun,

Arnold
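One way the five steps of the proposed "sslcert" resource could be expressed, as an added example in plain Ruby on the OpenSSL stdlib rather than the Chef LWRP DSL (not code from either poster or from the x509 cookbook); the class name, the 30-day renewal window and the 2048-bit key size are assumptions:

```ruby
require 'openssl'

# Constructed sketch of the proposed "sslcert" resource: the private key is
# generated on the node and never exported; only the CSR leaves the box.
class SslCert
  RENEW_WINDOW = 30 * 24 * 3600 # assumed: request a new cert 30 days before expiry

  def initialize(common_name, key: nil, cert: nil, now: Time.now)
    @cn, @now = common_name, now
    @key  = key  || OpenSSL::PKey::RSA.new(2048) # 1: key only if none exists
    @cert = cert || self_signed_cert             # 2: self-signed only if none exists
  end

  def subject
    OpenSSL::X509::Name.parse("/CN=#{@cn}")
  end

  def self_signed?
    @cert.issuer == @cert.subject
  end

  # 3: a CSR is due when we only hold the self-signed cert or it nears end of life.
  def csr_needed?
    self_signed? || @cert.not_after - @now < RENEW_WINDOW
  end

  # 4: the CSR is the only artefact written to node attributes (PEM string).
  def csr_pem
    req = OpenSSL::X509::Request.new
    req.subject, req.public_key = subject, @key.public_key
    req.sign(@key, OpenSSL::Digest.new('SHA256'))
    req.to_pem
  end

  # 5: accept a signed cert only if it belongs to our key and subject.
  def install(signed_pem)
    signed = OpenSSL::X509::Certificate.new(signed_pem)
    return false unless signed.check_private_key(@key) && signed.subject == subject
    @cert = signed
    true
  end

  private

  def self_signed_cert
    c = OpenSSL::X509::Certificate.new
    c.version, c.serial = 2, 1
    c.subject = c.issuer = subject
    c.public_key = @key.public_key
    c.not_before, c.not_after = @now, @now + 365 * 24 * 3600
    c.sign(@key, OpenSSL::Digest.new('SHA256'))
    c
  end
end
```

A real LWRP would persist the key and cert to disk with restrictive modes and read the signed cert back from the node attribute; the check in `install` is what keeps a mismatched or foreign cert from being dropped into place.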



