How would you securely commit your TLS/SSL keys for your HTTP into source control so they could be consumed by Puppet? What tools and practices do you use to encrypt/decrypt these files? Particularly, which tools make this easy to automate as much as possible.
You can store your certificates in any SCM, including Git, without concerns. Storing private keys in SCM is not best practice; you'll need to find a way to restrict access to only those who need access to private keys (and that should be a small number of folks). You have two basic options:
It is not considered best practice, but you can store private keys encrypted in a PKCS-12 archive (protected with a strong password known only to those who need access to private keys) before placing them in storage, like SCM or FS, etc. When a new service is built, the final step in the build process is for a system administrator to manually decrypt the key store.
It is better practice to regenerate keys for new service instances but that requires submitting your CSR for the new service to your CA after the build is complete.
Both scenarios require manual work to finish the setup process. In an attempt to automate this process, some encode the PKCS-12 password in the setup script - this is not considered best practice.
Here's a Puppet plugin that can help with the process:
https://github.com/puppetlabs/puppetlabs-java_ks
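The first option above (an encrypted PKCS-12 archive checked into the SCM, decrypted by an administrator at build time), as an added shell example; this is not code from the answer above or from the puppetlabs-java_ks module. It assumes the `openssl` command-line tool is installed and that the archive password is supplied through an environment variable named `PKCS12_PASSWORD` (set by the operator or injected from a secret store), so the password never appears in the script itself. The function names and the throwaway self-signed key pair are constructed for the demo.

```shell
#!/bin/sh
# Added example: pack a TLS private key and certificate into a password-protected
# PKCS#12 archive suitable for SCM storage, and unpack it again at build time.
# Assumes: openssl CLI; password provided via $PKCS12_PASSWORD, not hard-coded.
set -eu

# Build a PKCS#12 archive from a PEM private key and certificate.
# The password is read from the environment (env:NAME is openssl's password source syntax).
pack_pkcs12() {
  key="$1"; cert="$2"; out="$3"
  : "${PKCS12_PASSWORD:?set PKCS12_PASSWORD in the environment, not in this script}"
  openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" -passout env:PKCS12_PASSWORD
  chmod 600 "$out"
}

# The "manual decrypt" step from the answer: recover the private key from the archive.
# umask 077 keeps the recovered key readable only by the user running the build.
unpack_pkcs12() {
  archive="$1"; keyout="$2"
  : "${PKCS12_PASSWORD:?set PKCS12_PASSWORD in the environment, not in this script}"
  umask 077
  openssl pkcs12 -in "$archive" -nocerts -nodes -out "$keyout" -passin env:PKCS12_PASSWORD
}

# Check that two PEM private keys are the same key by comparing their derived public keys.
# Prints "match" or "mismatch" so the caller can verify a round trip without diffing secrets.
keys_match() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ "$a" = "$b" ] && echo match || echo mismatch
}

# Constructed sample material for the demo: a throwaway self-signed RSA key pair.
make_demo_material() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.crt" \
    -subj "/CN=demo.example" -days 1 >/dev/null 2>&1
}

# Usage (interactive demo):
#   export PKCS12_PASSWORD='...'          # or have your secret store export it
#   make_demo_material /tmp/demo
#   pack_pkcs12 /tmp/demo/server.key /tmp/demo/server.crt /tmp/demo/server.p12
#   unpack_pkcs12 /tmp/demo/server.p12 /tmp/demo/recovered.key
#   keys_match /tmp/demo/server.key /tmp/demo/recovered.key
```

Only the `.p12` file would be committed; the plain `.key` never enters the repository, and the recovered key is written with restrictive permissions at build time. A wrong password makes `unpack_pkcs12` fail rather than silently producing an empty key file, which is the behaviour a build step should rely on.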