
Ask HN: How are you doing PKI in a cloud environment? - viralpoetry
Our organization is using an infrastructure-as-code approach where we are doing provisioning and deployment of dev/stage/prod environments using Gitlab runners.
Currently, we are using easy-rsa as an offline root CA, signing intermediate CA keys manually. Those keys are then used for the client/server certificate issuing in a semi-automated fashion (CSRs are generated on VMs, stored into the Vault, and signed by the script).
I am aware of the HashiCorp Vault PKI backend, but we are not using it as it does not solve the actual authorization part of the automated issuing. I was thinking about using an ACME-based CA like Boulder internally.

My question is, what is the best approach to do PKI, when there are lots of new short-lived VMs/containers wanting their own SSL keys?
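The flow the question describes (a VM generates its own key and CSR, a script signs it with the intermediate) is easy to sketch with Go's standard crypto/x509 package, and it shows where the "authorization part" can live: the signing step checks the CSR's proof of possession, refuses any name outside the zone the issuer is allowed to vouch for, refuses wildcards, and issues only short-lived certificates so that churned VMs do not leave long-lived credentials behind. This is an added example written for this thread, not code from the poster's setup or from Vault, easy-rsa or Boulder; the CA name, the `.internal.example` zone, the hostnames and the 24-hour TTL are assumed values, and the self-signed CA here stands in for the intermediate that an offline root would normally sign.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCA builds a self-signed CA certificate. In the poster's layout this would be the
// intermediate signed by the offline root; self-signed here so the example runs alone.
func newCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may sign end-entity certs only, not further CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCSR is the VM/container side: generate a fresh key and a CSR naming the hosts it
// serves. The private key never leaves the machine; only the DER CSR is sent off.
func newCSR(hosts []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hosts[0]}, DNSNames: hosts}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// signCSR is the signing script with the authorization policy built in. allowedZone
// (assumed, e.g. ".internal.example") bounds the names this issuer will vouch for.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, allowedZone string, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the key
		return nil, fmt.Errorf("csr signature invalid: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return nil, errors.New("csr requests no DNS names")
	}
	for _, name := range csr.DNSNames {
		if !strings.HasSuffix(name, allowedZone) || strings.Contains(name, "*") {
			return nil, fmt.Errorf("name %q not authorized for this issuer", name)
		}
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: csr.DNSNames[0]}, // taken from the vetted SANs, not copied blindly from the CSR subject
		DNSNames:              csr.DNSNames,
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(ttl), // short-lived: expiry does the job revocation would
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain checks an issued certificate against the CA for the given host name.
func verifyChain(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, _ := newCA("Example Intermediate CA")
	csr, _, _ := newCSR([]string{"api.internal.example"}) // constructed request
	leaf, err := signCSR(ca, caKey, csr, ".internal.example", 24*time.Hour)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("issued %v for %v, valid until %v, chain ok: %v\n",
		leaf.SerialNumber, leaf.DNSNames, leaf.NotAfter.UTC().Format(time.RFC3339),
		verifyChain(leaf, ca, "api.internal.example") == nil)
}
```

The zone check is the piece Vault's PKI backend leaves to you (through its role configuration) and that ACME answers with domain challenges; in a CI-driven environment the same decision can instead be keyed to who submitted the CSR, for example the pipeline identity that provisioned the VM.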
======
QuinnyPig
You may consider provisioning the key to the VMs; very often there's
insufficient entropy to generate them on their own, for one.

You then provision the secrets to the containers via some form of service
discovery mechanism; vault/console work, as do providing it as user-data in
some configurations. It's going to come down to your use case and constraints;
things that I do for Twitter For Pets may not work well for your bank, as an
example.

------
brudgers
I'm a bit ignorant. What is PKI?

~~~
viralpoetry
Sorry, it's Public Key Infrastructure

