Traditional processes like OpenSSL and frameworks like CFSSL can be cumbersome for developers. Given that DevOps is all about speed, developers don’t want to get bogged down with complex solutions. This explains why HashiCorp Vault has become so popular.
Vault is great for secrets management, encryption as a service, and privileged access management. It is a lightweight, portable solution that doesn’t need a lot of infrastructure.
The Problem That Vault Solves
A typical DevOps pipeline can have over a hundred different tools. In fact, many DevOps tools have their own secrets stores (e.g. Kubernetes secrets, Ansible Vault). But, they all approach SSL/TLS certificates differently. As a result, developers must take the time to learn each tool. Using different approaches also makes code more complex.
Check out this overview video from Armon Dadgar, HashiCorp’s co-founder and CTO, if you need a primer.
Why DevOps Teams Love Vault
DevOps teams love how Vault makes it easy to generate and store SSL/TLS certificates on demand. Vault’s native PKI engine generates self-signed certificates. It can also be configured to issue certificates from a private PKI subordinate certificate authority (e.g. Microsoft CA), but it is not natively integrated with certificate authorities (CAs) that issue certificates trusted by all browsers. Keep reading and we’ll tell you why this is a challenge and how to overcome it. Also, check out this cloud operating model white paper from HashiCorp that explains this in more detail.
Some Certificates Are Still Hard to Get
External-facing (or publicly-trusted) certificates are trusted by every browser. These are particularly important in production environments. A prime challenge for DevOps teams is the procurement of these types of certificates. But why? Let’s discuss each type and how DevOps acquires them.
What are Internal vs. External Certificates?
Certificate chains can be complicated to understand. Most organizations leverage many CAs. For internal-facing applications, InfoSec generally sets up internal issuing CAs. The internal root CA is then added to the trust store of every employee browser to prevent browser warnings.
But, for external applications, organizations use certificates from publicly-trusted CAs. These CAs (e.g. DigiCert, Entrust, GlobalSign) can issue certificates that all browsers trust.
Getting External Certificates is Challenging
The process for getting publicly-trusted certificates varies by team and environment. DevOps teams often don’t have an automated way of getting certificates from publicly-trusted CAs. So, what do they do?
You Can Do More With Vault
Vault’s ability to simplify, automate, and speed up internal certificate issuance is a huge accomplishment. But Vault’s plug-in architecture (when integrated with Venafi) can make Vault even more of a one-stop shop for certificates. Imagine a world where developers can use Vault to:
Fall In Love With Vault All Over Again
Fortunately, the Vault team had the foresight to create a pluggable architecture. As a leader in machine identity protection, Venafi extends the value of Vault by integrating in two ways:
And, InfoSec gets visibility into issued certificates and centralized policy controls. This enables security teams to:
Venafi and Vault together help DevOps teams go faster in multi-cloud environments and support InfoSec mandates. To try out this amazing integration, sign up for a free Venafi Cloud for DevOps account and check out this GitHub page. You may just uncover a tool you can’t live without.
Spoiler alert: it works with container orchestration, automation, configuration management, and many other tools, including Kubernetes, Ansible, OpenStack, Chef and more.