GlobalSign Blog

How to Use and Automate PKI in DevOps?

How to Use and Automate PKI in DevOps?

Developers and IT leaders may be reluctant to implement a shift-left security approach to their development cycle as it often encumbers and stifles workflow. However, dealing with modern cyber security threats requires not just a modernization of technology, but an update in culture and philosophy. Software engineers must see security as an integral part of the development process. It needs to be inherent.

Public Key Infrastructure (PKI) is currently one of the most reliable security authentication tools. But how do we streamline and integrate it into the development without disrupting the production process? After all, the purpose of frameworks such as DevOps is to deliver robust software at high velocity. This guide will explore how IT leaders can use and automate PKI in DevOps.

Understanding PKI

PKI is a double-key asymmetric cryptosystem. It provides IT systems with elevated levels of data encryption, information confidentiality, and identity management through digital certificates and signatures.

Encrypted message exchanges are one of the most popular uses of PKI (and the easiest example to use when explaining it). During this process, messages are encrypted using a public key and decrypted using a private key.

While the public key may be available publicly, the private key tends to belong to a single entity. Nevertheless, before the recipient can open or decrypt a message, they need to validate the sender’s identity.

PKI performs this function by using digital certificate authentication to ascertain the public-key holder’s identity. This entire process can help prevent fraud and ensure that messages are private and secure. But how is this process relevant to software development, why and how should you implement it into your DevOps pipeline?

PKI for Software Development

While the concept of PKI may seem straightforward, it is flexible and powerful enough to be used in a litany of software-related use cases. For instance, web developers can use certificate (SSL/TLS) validation for web development. Additionally, they can use PKI to facilitate multi-factor authentication.

This feature can allow them to build sophisticated log-in processes where user credentials are not stored in traditional databases or files. Of course, you can use PKI to secure access to source code where access to repositories and files is limited to specific identities. Additionally, PKI can help developers manage source code encryption and decryption as well as of their software using code-signing.

The biggest challenge for developers is incorporating PKI into the development process as seamlessly as possible. There are two ways we can leverage DevOps for PKI. We can use the DevOps methodology to integrate PKI-based validations into enterprise software and services. Alternatively (or additionally), we can automate PKI deployment and configuration using DevOps. Of course, you will need the right tools to facilitate either.

How to Deploy and Automate PKI with DevOps: Steps and Tools

PKI’s emergence may seem recent because of its current popularity. However, it has been around since the 1990s. On the other hand, DevOps was conceptualized in 2008 to replace old development pipeline methodologies such as agile. Both techniques have been thoroughly tried, tested, and refined over the years.

Today, developers have access to a wide array of tools and instruments to effectively implement PKI with DevOps. This section of the guide will effectively show you how to do this and which tools to use.

Selecting your Certificate Authority

When mapping out your PKI DevOps deployment strategy, you first need to ensure you are using a secure, trustworthy, and reliable certificate authority. GlobalSign is one such CA. It is a single-source cloud-based private and public certificate provider.

Additionally, it supplies offline key storage, time-stamping authority, revocation services, and infrastructure to manage certificates. GlobalSign also features an automated certificate rollout solution. Along with access to GlobalSign’s REST and EST API, this feature makes it highly suitable for DevOps integration.

Developers looking for an open-source alternative should consider using EJBCA (Enterprise Java Beans Certificate Authority). It is a highly scalable PKI management solution. Software developers can leverage it along with automated deployment and container orchestration services such as Kubernetes to deliver seamless certificate issuance for software packages, microservices, and containers.

EJBCA’s source code is available under the terms of the GNU Lesser General Public License (GNU). It was initially released in 2001 and since then, it has garnered a large online community and following. Thus, developers should not have trouble finding any support for it. Nevertheless, your CA is the foundation for your PKI system. Thus, it is important to select the right one. It should align with your development and security needs.

Selecting your Automation Tool

Once you have decided how you are going to generate and manage your PKI system, you need to decide how you will deploy and integrate it. Once again, solutions such as GlobalSign offer auto-enrollment solutions and API integration to make deployment easier.

However, if you are not willing to commit to a service like this, there are alternative solutions available to you. Developers can use open-source tools such as Certbot for automated SSL/TLS generation and management. However, developers should consider using an IT automation solution such as Ansible for more robust automated PKI certificate configuration and distribution.

Ansible is well-suited to large complex environments with numerous servers and/or containers. However, users may consider using a service like Jenkins for smaller projects. Jenkins is popularly used in continuous integration and continuous deployment (CI/CD) frameworks to automate project builds, tests, and deployments.

As such, it can be appropriated and used for DevOps deployments. In this case, you can use it to automatically configure and deliver certificates as well as perform validations. Much like EJBCA, Jenkins is an open-source Java-based project. This facet provides an opportunity for flexible interfacing and customization.

Nevertheless, you do not have to choose between Ansible and Jenkins. You can run them alongside each other. You can use Ansible for orchestration and Jenkins for configuration and optimization. So, you will use Ansible as your PKI for DevOps deployment solution and Jenkins as your DevOps for PKI tool. 

Securing PKI and DevOps deployments

Once IT teams have decided how they are going to implement and automate their PKI system, they need to ensure that the process is secure. As secure as PKI is, it still has a few vulnerabilities. For instance, messages encrypted via PKI can be decrypted and stored as cleartext on a vendor's, sender’s, or recipient's server.

If bad actors find a way to enter a machine where the cleartext is stored, they can circumvent PKI’s security by copying and deciphering it. Thus, it is important to add an extra layer of security for your DevOps and PKI. IT leaders should ensure that all servers are secure. One way this can be done is by implementing an extended detection and response (XDR) solution to help them hunt for threats and breaches.   

Organizations must ensure that they are using a secure vendor or CA. This requires you to ask tough questions. If your vendor decrypts messages and data, does it archive or store the information in a file or database? Does it perform any clean-up after decryption? Is the archive of decrypted data secure? Thus, you should not just assess your potential CA by how compatible they are with your DevOps solution. Security matters too.

Another way to implement an additional layer of security is using a secrets management tool such as HashiCorp Vault (offered through the GlobalSign Atlas platform) and AWS Secrets Manager. Both are cloud-based platforms that help you store and secure encryption keys, certificates, and credentials. This can help developers ensure that keys and certificates are not exposed and saved by APIs during decryption. They can also ensure that certificates are issued and deployed to the right containers, machines, and entities.

PKI for DevOps and Security Automation

Long gone are the days of storing secrets on log files, databases, environmental variables or tucked away inside hardcoded attributes. Approaches such as DevOps increase the amount of application development and rollout. As such, older identity validation and secret management techniques have become obsolete, not just for their ineffectiveness but their inflexibility too. They are simply not suitable for large-scale DevOps deployments.

To ensure the security of both the process and the applications being developed, teams must create a series of automated tests early in the development process. These tests can be set to occur as the application is being developed via automated processes.

Some of these tests can include functional tests that ensure that logins and credential validations work properly. Furthermore, you can also test against vulnerabilities such as misconfigurations, platform exposures, and shaky SSL ciphers that may impact the security of applications. Developers can also run automated penetration tests that constantly assess if the operating system and application are secure against any type of attack.

PKI is a powerful tool. However, it does not supply a solution for all security tests and use cases. Developers must take a comprehensive approach to security. Because these processes can be automated, securing app development and deployment does not need to stifle creation.

Share this Post