Our organization is using an infrastructure-as-code approach where we are doing provisioning and deployment of dev/stage/prod environments using GitLab runners.
Currently, we are using easy-rsa as an offline root CA, signing intermediate CA keys manually. Those keys are then used for client/server certificate issuing in a semi-automated fashion (CSRs are generated on VMs, stored in Vault, and signed by a script).
I am aware of the HashiCorp Vault PKI backend, but we are not using it as it does not solve the actual authorization part of the automated issuing. I was thinking about using an ACME-based CA like Boulder internally.

My question is, what is the best approach to do PKI when there are lots of new short-lived VMs/containers wanting their own SSL keys?
You may consider provisioning the key to the VMs; very often there's insufficient entropy to generate them on their own, for one.

You then provision the secrets to the containers via some form of service discovery mechanism; Vault/Consul work, as does providing it as user-data in some configurations. It's going to come down to your use case and constraints; things that I do for Twitter For Pets may not work well for your bank, as an example.
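The answer's suggestion of generating the VM key on the CA side rather than on the VM, as an added example that is not part of the original post or the asker's signing script: the intermediate CA here is a constructed self-signed stand-in for the easy-rsa-signed one, and the hostname, 1-day validity and temp-dir layout are assumptions. The key and the short-lived certificate are produced together on the CA host and can then be handed to the VM via user-data or Vault.

```shell
#!/bin/sh
# Added example: issue a VM key plus a short-lived certificate centrally,
# signed by an intermediate CA, so the VM never has to generate its own key.
set -eu

WORK=$(mktemp -d)   # assumption: scratch dir stands in for the CA host's store

# Constructed stand-in for the offline-signed intermediate CA (in production
# this key/cert pair comes from the easy-rsa root and is never created here).
make_demo_intermediate() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=demo-intermediate-ca" \
    -keyout "$WORK/int.key" -out "$WORK/int.crt" >/dev/null 2>&1
}

# Generate the VM's key and CSR on the CA host (good entropy, no key ever
# generated on the short-lived instance), then sign a 1-day leaf with
# explicit SAN and EKU so the certificate is usable only as an end entity.
issue_vm_cert() {
  name=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
    "$name" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 1 \
    -in "$WORK/$name.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Chain check a consumer (or the CI job) can run before pushing the bundle.
verify_vm_cert() {
  openssl verify -CAfile "$WORK/int.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Returns 0 if the cert still has at least $2 seconds of validity left,
# 1 otherwise; useful for deciding when a VM's cert must be rotated.
cert_valid_for() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}
```

The files left in `$WORK` (`<name>.key`, `<name>.crt`, `int.crt`) are exactly the bundle to deliver to the instance through the chosen provisioning channel.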