
Netflix introduces Lemur: x.509 certificate orchestration (2015) - Padrio
https://medium.com/netflix-techblog/introducing-lemur-ceae8830f621
======
madjam002
I had a look at Lemur a couple of months ago for certificate orchestration,
but settled on HashiCorp Vault as it has a more solid API and seems more
active community-wise. It's fantastic for managing a PKI with an external
(offline) Root Certificate Authority.

~~~
packetized
To be fair, Vault and Lemur cover slightly different use cases. Lemur is nice
for controlling the distribution of certs from a variety of issuers, including
Vault.

~~~
gcb0
> let's create something that can control the settings for our component that
> controls the settings for other components.

~~~
packetized
User-operated self-service for certificate issuance isn't exactly a cut and
dried proposition for most orgs. Lemur helps in a lot of ways.

~~~
gcb0
I know, but now, what controls credentials and instance bootstrapping for that?

It will always be the "not invented here" type of deal. You can always add
something else to bootstrap it further. I can't think of a use case where
lemur/athenz/other x509 brokers add real value (or convenience) versus a well
defined process and bare bones things like etcd and such.

Thinking you can bypass the well defined process step is just an illusion.
What most CTOs do is offload that to the few devops handling their
abstraction. When that team grows too much, add another layer on top with a
smaller team.

------
packetized
Could we add a (2015) tag here? Lemur’s been around for quite a while.

~~~
PantaloonFlames
It’s in the title, fwiw.

~~~
lccarrasco
It probably wasn't when the OP posted it.

------
crusso
Typo in the title. Should be "Netflix"

