Netflix introduces Lemur: x.509 certificate orchestration (2015) (medium.com)
75 points by Padrio 7 months ago | 9 comments

I had a look at Lemur a couple of months ago for certificate orchestration, but settled on Hashicorp Vault as it has a more solid API and seems more active community-wise. It's fantastic for managing a PKI with an external (offline) Root Certificate Authority.

To be fair, Vault and Lemur cover slightly different use cases. Lemur is nice for controlling the distribution of certs from a variety of issuers, including Vault.

> let's create something that can control the settings for our component that control the setting for other components.

User-operated self-service for certificate issuance isn't exactly a cut and dried proposition for most orgs. Lemur helps in a lot of ways.

I know, but now, what controls credentials and instance bootstrapping for that?

It will always be the "not invented here" type of deal. You can always add something else to bootstrap it further. I can't think of a use case where Lemur/Athenz/other x509 brokers add real value (or convenience) versus a well defined process and bare bones things like etcd and such.

Thinking you can bypass the well defined process step is just an illusion. What most CTOs do is offload that to the few devops handling their abstraction. When that team grows too much, add another layer on top with a smaller team.

Could we add a (2015) tag here? Lemur’s been around for quite a while.

It’s in the title, fwiw.

It probably wasn't when the OP posted it.

Typo in the title. Should be "Netflix"

