Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

How the Dynamic Duo of
Vault and Puppet Tame SSL Certificates

Nick Maludy
@NickMaludy
github.com/nmaludy
Engineer, Husband, Dad

Self Signed Verification Flow
Server
Client
App/Browser
CA
public
Web Server
priv
pub
2. Pub Key
1. Hello
3. Verify PUB KEY
DOESN’T
MATCH
CA
NO TRUST!

Proper SSL Verification Flow
Server
Client
App/Browser
CA
public
Web Server
priv
pub
2. Pub Key
1. Hello
3. Verify PUB KEY
MATCHES
ONE OF
THE CAs
TRUSTED!

PKI Old School
Root CA
Linux Windows
Root Root
Public Private Public Private
Apache / Nginx IIS
CSR CSR
Public Public
CSR CSR
Manually
Copy
Manually
Copy
Sign Sign
Manually
Copy
Manually
Copy
Manually
Copy
Client Client
Root Root
Root

Villains
•Painful signed certs
•Oprah – self signed certs for everyone
•No trust
•Disable validation
•MITM Attacks
•Renewal and Expiration
•Security tickets

Call For Help
•Security
• Centrally signed with CA
• Validation enabled
• Strong ciphers
•DevOps
• Auto renewal
• Cross-platform
• Integrated with services

•Configuration Management
•Distribution
•encore/vault module
•vault_cert {}
•github.com/EncoreTechnologies/puppet-vault
Justice
HashiCorp Vault Puppet
•PKI Secrets Engine
•REST API

PKI with Vault + Puppet (vault_cert)
Root CA
Vault CA
Puppet Server
Root Vault
Sign Intermediate CA
Copy
Copy
Copy
Linux Windows
Root Vault Root Vault
Public Private Public Private
Apache / Nginx IIS
Client
Root Vault
Client
Root Vault

Check
Expiration
Check
Revocation
Revoke old Create New
Write to
filesystem
Bounce
service
vault_cert run

vault_cert { ‘synapse’:
cert_dir => '/etc/pki/tls/certs’
priv_key_dir => '/etc/pki/tls/private’
notify => Service[‘nginx’],
}
nginx::resource::server { ‘synapse’:
ssl_port => 443,
ssl => true,
ssl_cert => '/etc/pki/tls/certs/synapse.crt',
ssl_key => '/etc/pki/tls/private/ synapse.key’,
}
Linux
Linux
Public Private
Nginx
Vault CA
CSR
Cert & Key
Write to
Filesystem
Reload
Service

Windows problem
• Certs in cert store have a path
• Cert:LocalMachineMy<UNIQUE-THUMBPRINT>
• Cert:LocalMachineMyABC1234
• Thumbprints are unique
• Thumbprints = hash of cert content
• Services bind to cert path
• relies on Thumbprint

vault_cert { ‘chocolatey’:
cert_dir => 'Cert:LocalMachineMy’
notify => Service[‘iis’],
}
iis_binding { ‘chocolatey’:
binding_info => {
certificatestore => ‘Cert:LocalMachineMy’
certificatehash => WHAT DO I PUT HERE????,
},
}
Windows Manifest
PROBLEM: Puppet can’t output data from a resource

Windows solution – Use a function!
• Functions run on the server
• Function calls Vault API
• Embed certificate in Catalog
• Path to certificate is known at compile time

$cert_output = vault::cert(...args...)
vault_cert { ‘chocolatey’:
cert => $cert_output['cert’],
priv_key => $cert_output['priv_key’],
}
binding_info => {
certificatehash => $cert_output['thumbprint'],
},
}
Windows solution Vault CA
Windows
Public Private
IIS
2. CSR
4. Embed in Catalog
7. Write to
Cert Store
Puppet Server
1. Facts
3. Cert & Key
5. Catalog
6. Agent
8. Bind and reload IIS

Windows “machine cert”
profile
class profile::machine_cert {
$data = vault::cert(args)
vault_cert { $trusted['certname’]:
cert => $data['cert’],
priv_key => $data['priv_key’],
}
}
#########################
class { ‘winrm’:
certificate_hash => $profile::machine_cert::data['thumbprint'],
}
binding_info => {
certificatehash => $profile::machine_cert::data['thumbprint’],
}
}

CA Cert Manifest Linux
class profile::ca (Hash $certs) {
class { 'trusted_ca': }
create_resources('trusted_ca::ca’, $certs)
}
profile::ca::certs:
vault.domain.tld:
content: |
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
Hiera (YAML Config Data)
Puppet Server
Root Vault
Linux
Root Vault
puppet/trusted_ca
1. Facts
2. Compile
3. Hiera
4. Catalog
5. Apply
6. Write to Filesystem

CA Certs on Windows
file { 'C:/ProgramData/Puppetlabs/ca_certs':
ensure => directory,
}
# root certs go into Cert:/LocalMachine/Root
$certs.each |$name, $data| {
file { "C:/ProgramData/Puppetlabs/ca_certs/${name}.crt":
ensure => file,
content => $data['content'],
}
$cert_details = vault::cert_details($data['content'])
sslcertificate { "${name}.crt":
location => 'C:ProgramDataPuppetlabsca_certs',
thumbprint => $cert_details['thumbprint'],
store_dir => 'Root',
interstore => true,
}
Puppet Master
Root Vault
Windows
Root Vault
puppet/sslcertificate
3. Catalog
1. Facts
2. Compile
5. Write to Cert Store
4. Agent

Vault + Puppet = Dynamic Duo
•Every server has a cert (500+)
•CA distributed Cross Platform
•Services bound to certs
•Certs auto-renew (30d)
•Services auto-refreshed
•Validation enabled

Future
•DevOps for HPC
•GPU Algorithms
•C++
•Heavily Optimized Software

Thanks!
@NickMaludy
github.com/nmaludy
github.com/EncoreTechnologies/puppet-vault

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

Similar a Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates (20)

Último

Último (20)

Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates

Notas del editor