TechEcho
Ask HN: How are you doing PKI in a cloud environment?

1 point by viralpoetry, about 8 years ago

Our organization is using an infrastructure-as-code approach where we are doing provisioning and deployment of dev/stage/prod environments using GitLab runners. Currently, we are using easy-rsa as an offline root CA, signing intermediate CA keys manually. Those keys are then used for client/server certificate issuing in a semi-automated fashion (CSRs are generated on the VMs, stored in Vault, and signed by a script). I am aware of the HashiCorp Vault PKI backend, but we are not using it as it does not solve the actual authorization part of the automated issuing. I was thinking about using an ACME-based CA like Boulder internally.

My question is, what is the best approach to do PKI when there are lots of new short-lived VMs/containers wanting their own SSL keys?
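As an added illustration of the flow described in the post (this is not code from the poster, from easy-rsa or from Vault), the Go block below mimics the "CSR generated on the VM, signed by a script" step and adds the authorization check the post says automated issuing lacks: the signer verifies the CSR signature, accepts only DNS names under an allowed zone, copies nothing else from the request, and issues leaf certificates with a short lifetime. The self-signed demo CA, the zone and host names, and the `must` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T { // demo helper: panic on setup errors a real signer would return
	if err != nil {
		panic(err)
	}
	return v
}
// newCA builds a self-signed demo CA standing in for the post's easy-rsa intermediate (assumption).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "demo intermediate CA"}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)))), key
}

// newCSR is the VM side of the post's flow: the key is generated locally and only the request leaves the host.
func newCSR(host string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{host}}, key))
}

// signCSR is the post's missing authorization step: valid CSR signature, DNS SANs only under zone, short ttl.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, zone string, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil || len(csr.DNSNames) == 0 { // CheckSignature proves key possession
		return nil, fmt.Errorf("reject csr: malformed, signature does not verify, or no DNS SAN")
	}
	for _, n := range csr.DNSNames { // names are vetted, never copied blindly from the request
		if !strings.HasSuffix(n, "."+zone) {
			return nil, fmt.Errorf("reject csr: SAN %q outside zone %q", n, zone)
		}
	}
	tpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject: pkix.Name{CommonName: csr.DNSNames[0]}, DNSNames: csr.DNSNames, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now(), NotAfter: time.Now().Add(ttl), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return x509.CreateCertificate(rand.Reader, tpl, ca, csr.PublicKey, caKey)
}
```

The zone check is deliberately a plain suffix match so the policy is visible; a production signer would also tie the requesting VM's identity (its pipeline job, instance metadata or Vault token) to the names it may request.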

2 comments

QuinnyPig, almost 8 years ago

You may consider provisioning the key to the VMs; very often there's insufficient entropy to generate them on their own, for one.

You then provision the secrets to the containers via some form of service discovery mechanism; vault/console work, as do providing it as user-data in some configurations. It's going to come down to your use case and constraints; things that I do for Twitter For Pets may not work well for your bank, as an example.

brudgers, about 8 years ago

I'm a bit ignorant. What is PKI?

Comment #14443461 not loaded.