Certificates
We practise what we call Practical Zero Trust: all network traffic across our private network(s) is encrypted in transit. Rather than doing this at the VPN layer, which is hard to manage, every service implements TLS itself.
We use the step-ca suite to auto-magically create and renew X.509 certificates. These are then pulled into the certificate store of our load-balancer infrastructure, which automatically and dynamically provides TLS endpoints across our services.
All of our certificate/PKI management is organised around Chef resources/providers and DSL within recipes, for both servers and clients.
Creation
We use step-cli to generate certificates on servers as part of our Chef deployment. We support DH, RSA, DSA and ECDSA keys in a range of key sizes.
These certificates are then signed by the CA and configured for the service that implements them; each service gets its own certificate.
We have bundled step-cli with systemd timers so that certificates renew automatically, setting up the systemd services as described at https://smallstep.com/docs/step-ca/renewal/#automated-renewal.
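The issue-and-renew procedure above, as an added example that is not the page's own Chef code: one `step ca certificate` invocation per service, plus the systemd renewer template and timer in the smallstep pattern. The `/etc/step/certs` layout, the provisioner name `chef`, the use of the service name as certificate subject and the 15-minute schedule are assumptions.

```shell
# Added example, not the page's Chef code: issue one certificate per service
# with step-cli and install a systemd timer that renews it (smallstep renewal
# pattern). CERT_DIR, the "chef" provisioner and the schedule are assumptions.
set -eu
CERT_DIR=/etc/step/certs
UNIT_DIR=/etc/systemd/system

# Build the `step ca certificate` command for one service. The service name is
# the certificate subject; the key is either "EC <curve>" or "RSA <bits>".
issue_cert_cmd() {  # usage: issue_cert_cmd <service> <EC|RSA> <curve|bits>
  case "$2" in
    EC)  keyopt="--kty EC --curve $3" ;;
    RSA) keyopt="--kty RSA --size $3" ;;
    *)   echo "unsupported key type: $2" >&2; return 1 ;;
  esac
  printf 'step ca certificate %s %s/%s.crt %s/%s.key %s --provisioner chef\n' \
    "$1" "$CERT_DIR" "$1" "$CERT_DIR" "$1" "$keyopt"
}

# Template unit cert-renewer@<service>.service: `needs-renewal` exits 0 only
# after two thirds of the lifetime, so the timer can fire often cheaply.
render_renewer_service() {
  cat <<EOF
[Unit]
Description=Certificate renewer for %I

[Service]
Type=oneshot
Environment=CERT=$CERT_DIR/%i.crt KEY=$CERT_DIR/%i.key
ExecCondition=/usr/bin/step certificate needs-renewal \${CERT}
ExecStart=/usr/bin/step ca renew --force \${CERT} \${KEY}
ExecStartPost=/usr/bin/env sh -c "! systemctl --quiet is-active %i.service || systemctl try-reload-or-restart %i"
EOF
}

render_renewer_timer() {  # every 15 min, jittered so renewals do not coincide
  printf '[Unit]\nDescription=Timer for certificate renewal of %%I\n\n'
  printf '[Timer]\nPersistent=true\nOnCalendar=*:1/15\nRandomizedDelaySec=5m\n\n'
  printf '[Install]\nWantedBy=timers.target\n'
}

apply() {  # root-only deployment step: install templates, issue, enable timers
  render_renewer_service >"$UNIT_DIR/cert-renewer@.service"
  render_renewer_timer >"$UNIT_DIR/cert-renewer@.timer"
  systemctl daemon-reload
  for svc in "$@"; do
    sh -c "$(issue_cert_cmd "$svc" EC P-256)"
    systemctl enable --now "cert-renewer@$svc.timer"
  done
}
```

Run `apply web api` as root on a host with step-cli enrolled against the CA; the render functions can be exercised anywhere to inspect the units before they are installed.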
CA
We use step-ca for signing, management and revocation. Our step-ca is highly scalable, with a PostgreSQL backend.
step-ca supports the ACME protocol. If you prefer to manage renewals outside orchestration, a tool such as certbot could be used to perform this task.
Fabio
Our load-balancer infrastructure dynamically makes API calls to step-ca to place certificates into its certificate store, so it can serve TLS endpoints and pass traffic through to the underlying services.
See also
- Certification Authority RPM Package
- Step Client RPM Package