PKI and Signature Services for Microservices and DevOps
Microservices as an architectural approach to software development are based on building an application as a collection of small services, typically orchestrated by an automated system. Adoption of microservices is related to the use of DevOps, continuous integration and continuous delivery (CI/CD), and containers.
There are many aspects and meanings to Microservices, and the term can have different meanings for different people. One aspect that typically comes to mind is deploying and managing large numbers of services, usually in the form of lightweight servers. Which in turn creates the need to automate the configuration of servers and applications, including the security keys and credentials needed.
Related to PKI, PrimeKey recognizes the significance of our products being DevOps-friendly as an important aspect, including:
- Configuring and running the PKI products in a DevOps environment.
- Managing (non-PKI) applications in a DevOps environment securely, providing applications with certificates, digital signatures, and credentials as services are created and destroyed.
The following sections cover topics often related to the Microservices and DevOps universes.
Running PKI and Signature Services in DevOps Environments
When deploying a PKI, whether it is a single centralized PKI, multiple distributed PKIs, or perhaps short-lived PKIs for specific purposes, it is suitable to do so using the same tools and processes used for the rest of your environment. Two common tools used are Ansible and Kubernetes and EJBCA plays well with both. For more information on deploying your PKI as VMs or containers and using Ansible to automate PKI deployment and configuration, see Running PKI and Signature Services in DevOps Environments.
Managing PKI Credentials and Machine Identities for Applications in DevOps
When deploying many services, managing both the machine identities and secrets need to be taken into account. Managing PKI credentials and machine identities for applications should preferably be automated, but still as secure as possible. For more information on issuing and managing PKI credentials and machine identities for applications in DevOps and how to automatically provision certificates to containers in Kubernetes, see Managing PKI Credentials and Machine Identities for Applications.
Using EJBCA Enterprise to Issue and Manage Certificates through (Hashicorp) Vault
HashiCorp Vault is a popular product to manage secrets and when using microservices at scale, there are many services and secrets to manage. HashiCorp Vault includes a built-in Certification Authority (CA), however using that standalone CA will create a separate PKI not connected to the corporate PKI. A separate PKI is often not desired in organizations as it will not meet regulatory or other security requirements. For more information on ways to incorporate Vault PKI into a controlled corporately managed PKI, see Using EJBCA to Issue and Manage Certificates through (Hashicorp) Vault.
Code Signing
No DevOps environment is complete without secure code signing solutions, enabling DevOps teams to:
- Sign application code being developed
- Sign containers being deployed
- Enabling verification of digital signatures preventing unauthorized software from being installed.
Using SignServer Enterprise it is easy to integrate secure code signing into the CI/CD pipeline, for example integrated with Jenkins. For more information, refer to the SignServer How-to guide on How To Integrate Jenkins with SignServer for Automated Code Signing.