
Introducing Lemur - vquemener
http://techblog.netflix.com/2015/09/introducing-lemur.html
======
whisk3rs
I'm excited to see more work being done to empower small engineering teams to
take advantage of certificates. Lemur looks great, though many smaller
organizations may find tools like "xca" to be adequate. xca is a simple GUI
for certificate management:
[http://xca.sourceforge.net/](http://xca.sourceforge.net/)

~~~
wdewind
> empower small engineering teams to take advantage of certificates

Dumb question: I'm an engineer who doesn't understand certificates outside of
the basics of SSL. What are some cool things a small engineering team could do
with Lemur (or certs in general)?

~~~
Sanddancer
For one example, deploy servers and have them already verified, so a new box
that you know you personally set up will not give a warning [1]. One of the
most underutilized parts of SSL certificates is that you can verify who /you/
are, so any kind of server, including webservers, doesn't need passwords,
because they already have the invite list [2]. This part is admittedly a lot
crunchier than the first example because people haven't spent nearly enough
time getting it working nicely. Basically, good use of certs can replace a lot
of systems where you know what it is and they know what you are.

[1] [https://www.digitalocean.com/community/tutorials/how-to-crea...](https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu)

[2] [http://nategood.com/client-side-certificate-authentication-i...](http://nategood.com/client-side-certificate-authentication-in-ngi)

------
patrickaljord
Shameless plug: if you have composehub installed, you can just do "ch run
lemur" and it will download and run lemur for you on your machine. You just
need docker installed on your machine.
[https://composehub.com/package/lemur](https://composehub.com/package/lemur)

~~~
flaie
Thanks for your shameless plug! I didn't know about this, and that is awesome.

------
pliu
Somewhat strangely, the description reminds me a lot of Active Directory
Certificate Services.

[https://technet.microsoft.com/en-us/library/cc731564.aspx](https://technet.microsoft.com/en-us/library/cc731564.aspx)

~~~
zobzu
I don't think it's strange. The Windows world has solved a lot of these issues -
it's other issues it hasn't solved that generally make people go to other
platforms.

AD setups are actually pretty complete if you ask me. Heck, OpenLDAP is a lot
to set up vs AD. Same for cert management. User management. Machine management.
Kerberos that works (since most don't even understand it: it's a ticketing
authentication system - the thing we keep recreating and calling something
else).

It goes a long way - and I'm glad more tools are coming to narrow these gaps!

------
falcolas
While I have no doubt that the channels Lemur is using are fairly secure, why
is the key ever leaving the box on which it is going to be used?

If you have the OpenSSL utility, you can generate the certificates right on
the box where you're going to use the cert, and only have to move around the
public portions of the key. It seems like it would be fairly trivial for Lemur
to do with just an SSH shell, or an agent.

Someone care to edumacate me?

~~~
kevgliss
With a lot of IaaS environments you don't have direct access to the box doing
TLS termination. In our case since we heavily use AWS ELBs, generating
certificates directly on the box isn't an option. Moreover when you need to
deploy onto many servers you generally run into the same issues with moving
keys around that Lemur attempts to make easier/safer.

------
rudids
There is a surge of tooling aimed at production secret management, this has
pros but there is a real danger that the standards around cert management are
thrown deeper into flux as a result? Just me?

~~~
grhmc
Just you. There may be standards around cert management, but for small teams
it is so impossible to do PKI remotely correctly, it is nearly a joke. *

*: There are small teams with experts in x509. Most don't have such a luxury. For them to get certs right is near impossible.

------
fidget
Would be great to be able to just send a CSR (my workflows would be less
manual). Also, the plugin model doesn't seem to provide any way to implement a
certificate issuing policy (this person can issue certs under this
intermediate with this CN etc etc). Would that be something that might be
possible in the future (PRs accepted is a valid answer here :))
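The two threads above (falcolas/kevgliss on whether a private key ever needs to leave the box, and this request for CSR submission plus an issuing policy) describe the same flow: generate the key where it will be used, send only a CSR, and have the CA check proof of possession and policy before signing. The example below is added here to show that flow end to end in Go's standard library; it is not Lemur's code and not from the blog post. The `Policy` type, the `.internal.example` suffix and the hostnames are constructed for the example, and the CA is an in-memory self-signed root rather than a real intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Policy is a hypothetical issuing policy: only names under AllowedSuffix get signed.
type Policy struct {
	AllowedSuffix string // constructed example value: ".internal.example"
}

// NewKeyAndCSR runs on the box that will use the certificate: the private key is
// generated and kept here; only the CSR (public key plus names, signed with that
// key as proof of possession) is sent to the CA.
func NewKeyAndCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CA is a minimal in-memory issuing CA, constructed for this example.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA makes a self-signed CA certificate carrying the cert-signing key usage.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// Sign accepts a PEM CSR, checks proof of possession and the issuing policy, and
// returns a DER leaf certificate. No private key ever reaches this side.
func (ca *CA) Sign(csrPEM []byte, pol Policy, validity time.Duration) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester must hold the private key
		return nil, fmt.Errorf("csr proof of possession failed: %w", err)
	}
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if !strings.HasSuffix(n, pol.AllowedSuffix) { // policy: CN and every SAN under the suffix
			return nil, fmt.Errorf("policy: %q is not under %q", n, pol.AllowedSuffix)
		}
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// VerifyLeaf checks that a DER certificate chains to ca and is valid for host.
func VerifyLeaf(der []byte, ca *CA, host string) error {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Usage: call `NewKeyAndCSR` on the server, ship the returned PEM to the CA, call `Sign` there with the team's `Policy`, and send the DER back; the `*ecdsa.PrivateKey` never leaves the first process. The `CheckSignature` call is what makes the CSR more than a public key: it rejects a request that someone assembled around a key they do not hold, and the suffix loop is the place a per-requester "may issue under this name" rule would plug in.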

------
rubiquity
In a similar vein there is also CloudFlare's cfssl[0]. I'm curious to hear
what people think about the differences.

0 - [https://github.com/cloudflare/cfssl](https://github.com/cloudflare/cfssl)

------
fl0wenol
I admire that at announcement time they already have a neat name and mascot
that distinguishes this project and makes it more memorable. But I fear it
might be a little close to an existing open source project also using a little
lemur dude graphic...
[http://www.lemurproject.org/](http://www.lemurproject.org/)

------
falsedan
Wow, they really buried the lede! 'Netflix is pleased to announce […] Lemur!',
then 893 words with a workflow diagram for things that aren't Lemur, then
finally 'Lemur is a …'.

------
kolev
How about TinyCert [0]?

[0] [https://www.tinycert.org/](https://www.tinycert.org/)

