

How DevOps Teams Can Automate PKI Deployment On Demand With Keyfactor Ansible and EJBCA


Few things change faster than technology, and DevOps, in particular, lives on the bleeding edge of innovation and automation.

DevOps refers to tools and best practices that allow for more efficient software delivery. Growing out of the popular Agile methodology, DevOps focuses on using automation, standardization, and rapid iteration to streamline the software lifecycle. 

A crucial part of DevOps is public key infrastructure (PKI). To stay in compliance, keep sensitive information locked down, and maintain security, the environments in which software is built and run need to rest on a robust PKI.

PKI tools, however, haven’t kept up with the pace of evolution in the DevOps space, and this presents both a challenge and an opportunity.  

Today’s application and operations teams must move fast, run on any platform, and automate everything. But developers can’t move fast or be agile when they’re constantly being held up by the archaic, manual security processes involved in using traditional PKI tools.

This problem can’t be overstated. If developers are routinely working with PKI tools that make it impossible to meet tight deadlines, they will find faster, non-compliant ways of obtaining certificates. Put another way: automation isn’t optional when deploying and using PKI in DevOps. 

The Keyfactor team addressed this topic in a recent webinar and discussed the tools and best practices DevOps teams can use to simplify and scale PKI. 

How PKI is used in CI/CD environments

When using PKI in continuous integration/continuous deployment (CI/CD) contexts, everything comes down to trust. If you are building and deploying applications, you need to know that the infrastructure you run and the software you deliver are trusted, and the way to establish that is with certificates issued by a CA you control.

This is much easier to achieve with PKI on demand. Like any other on-demand service, PKI on demand means that you can dynamically scale the issuance, revocation, and management of certificates. In the rapidly changing environments that characterize modern DevOps, this flexibility couldn't be more critical.

To see how important PKI on demand is, it helps to spell out specific use cases where it is required. Here are a few:

  • Issuing device certificates for 802.1X authentication on a network
  • Wi-Fi certificates for devices, such as in a factory or Internet of Things (IoT) deployment
  • Code signing and time stamping of build artifacts

Digital certificates are the backbone of PKI, so this kind of certificate management is vital. Having a way to issue device certificates quickly and efficiently is a core part of operating securely, but you must also be able to show how a device's identity was validated before its certificate was issued, to prove that your security meets the requisite standards. This is especially true if you want to work on government contracts or with classified data.

The importance of automation in DevOps

We stated at the outset that automation isn’t optional when managing PKI for DevOps. DevOps and automation go hand in hand because, when paired together, they create two things teams need: speed and consistency. 

Fundamentally, DevOps is a move away from static configuration. Whereas in the past, processes like code integration might be handled manually and only revisited if there were a significant problem, in modern DevOps, they are defined in scripts. When a process is defined in a script, it becomes automated and repeatable, and this, in turn, makes it reliable (because the script will always execute in the same way) and scalable (because it’s always possible to scale up compute resources, whereas scaling up human time is much more difficult). When done correctly, scripts are modular and reusable, making your codebase easier to test, modify, and maintain. 

But to secure the environment in which these scripts are written and run, DevOps must rely on PKI. This becomes a substantial bottleneck in the DevOps workflow because the existing suite of PKI tools is manual, slow, and configuration-heavy.

Microsoft Certificate Authority (CA), the certificate authority role in Active Directory Certificate Services, is a good example. A CA is responsible for issuing digital certificates to devices, websites, people, and other entities.

Microsoft CA has substantial drawbacks that make it a poor fit for modern DevOps environments: it is tied to Windows Server and Active Directory, teams have to provision a new server every time they need a new CA, and table-stakes tasks like CA provisioning are not easily automated. Like most other PKI solutions on offer, it can't enable the things DevOps needs to stay innovative.

Companies today need a PKI that integrates smoothly with their current tooling and includes basic functionality like automation. They often find that they have outgrown their PKI when they need a rich REST API, when they want to enroll X.509 certificates over Enrollment over Secure Transport (EST) or the Certificate Management Protocol (CMP), or when they want to use the Automated Certificate Management Environment (ACME) protocol.

And this isn't even touching on the difficulty of rapidly spinning up a team-specific PKI for testing, or rebuilding an old PKI from a specification, both of which are basic and routine from a DevOps perspective.

With all this said, we can now ask: What should these teams look for in a PKI solution?

Automating PKI

PKI for DevOps needs to be able to provision PKI on demand in a way that’s repeatable and scalable while not compromising the critical underlying processes that make PKI the bedrock for trust in software. 

To support DevOps in its current form, a PKI platform should be designed to deploy anywhere, in any form you require, whether that's as a cloud-based service, as a Docker or Kubernetes container, or as a turnkey hardware appliance. In other words, it should fit the mold of whatever you're trying to accomplish.

What's more, it should scale dynamically. In concrete terms, this means being able to run multiple CAs on a single node, segment them across different nodes, and cluster nodes for high availability. None of this is possible with Microsoft CA, which runs one CA per Windows Server instance.

And a PKI platform should plug into existing infrastructure and tools. It needs to support the EST, CMP, and ACME protocols already mentioned. As anyone who has worked in PKI can attest, there is a wide variety of formats and use cases to address. It also needs to support a range of algorithms and of interfaces (PKCS#11, for example) to the Hardware Security Modules (HSMs) that hold the CA keys behind the PKI.

If it has these properties, your PKI can be deployed as and how you want, in a way that's automated, flexible, scalable, repeatable, and fits the DevOps stack you already use. This lets you move quickly without compromising on trust.

For many teams, the combination of EJBCA and Ansible is the solution that best meets their needs. By treating PKI as a set of microservices in CI/CD and DevOps, PKI deployment is fast, the configuration is consistent, and the infrastructure is scalable. 
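The playbook below is an added illustration of the "plug into existing tooling" and "EJBCA plus Ansible" points above; it is not code from the webinar, from the Keyfactor ansible-ejbca project, or from EJBCA itself. It shows what on-demand issuance looks like inside a pipeline: a job generates its own key, builds a CSR, and submits it to EJBCA's REST API over mutual TLS, so every deployment gets a fresh, CA-governed certificate instead of a long-lived one copied from a secrets store. The host name, file paths, profile and CA names, and the enrollment password variable are placeholders; the endpoint path and the request/response field names follow EJBCA's REST API documentation for the PKCS#10 enrollment call and should be checked against the version you run.

```yaml
# Added example (not from the Keyfactor webinar, ansible-ejbca, or EJBCA):
# enroll a TLS server certificate from EJBCA on demand during a CI/CD job.
#
# Assumptions (all placeholders, adjust to your environment):
#   - EJBCA with the REST API enabled at ejbca.example.internal
#   - an RA client certificate/key pair authorised to enroll via REST
#   - an end entity profile "tls-server" and a certificate profile
#     "tls-server-90d" that already exist, issued by "Example Issuing CA"
#   - request/response fields as in EJBCA's REST API docs for pkcs10enroll;
#     the issued certificate is assumed to come back as base64-encoded DER
- name: Enroll a TLS server certificate from EJBCA on demand
  hosts: localhost
  gather_facts: false
  vars:
    ejbca_url: "https://ejbca.example.internal/ejbca/ejbca-rest-api/v1"
    ejbca_ca_bundle: "/etc/pki/ca-trust/ejbca-management-ca.pem"
    ra_cert: "/run/secrets/ra-client.pem"
    ra_key: "/run/secrets/ra-client-key.pem"
    service_fqdn: "api.build-42.example.internal"
    enroll_password: "{{ lookup('env', 'EJBCA_ENROLL_PASSWORD') }}"
    out_dir: "/etc/ssl/service"

  tasks:
    - name: Generate a fresh EC private key for this deployment (never reused)
      community.crypto.openssl_privatekey:
        path: "{{ out_dir }}/service.key"
        type: ECC
        curve: secp256r1
        mode: "0600"

    - name: Build a CSR; the CA profile, not the requester, decides validity and key usage
      community.crypto.openssl_csr:
        path: "{{ out_dir }}/service.csr"
        privatekey_path: "{{ out_dir }}/service.key"
        common_name: "{{ service_fqdn }}"
        subject_alt_name:
          - "DNS:{{ service_fqdn }}"

    - name: Read the PEM CSR so it can be embedded in the request body
      ansible.builtin.slurp:
        src: "{{ out_dir }}/service.csr"
      register: csr_file

    - name: Submit the PKCS#10 enrollment to EJBCA over mutual TLS
      ansible.builtin.uri:
        url: "{{ ejbca_url }}/certificate/pkcs10enroll"
        method: POST
        client_cert: "{{ ra_cert }}"
        client_key: "{{ ra_key }}"
        ca_path: "{{ ejbca_ca_bundle }}"
        validate_certs: true        # never switch this off in CI "to make it work"
        body_format: json
        body:
          certificate_request: "{{ csr_file.content | b64decode }}"
          certificate_profile_name: "tls-server-90d"
          end_entity_profile_name: "tls-server"
          certificate_authority_name: "Example Issuing CA"
          username: "{{ service_fqdn }}"
          password: "{{ enroll_password }}"
          include_chain: true
        status_code: [200, 201]
        return_content: true
      register: enroll
      no_log: true                  # the body carries the enrollment password

    - name: Write the issued certificate as PEM (wrap the base64 DER at 64 columns)
      ansible.builtin.copy:
        content: |
          -----BEGIN CERTIFICATE-----
          {{ enroll.json.certificate | regex_replace('(.{64})(?!$)', '\\1\n') }}
          -----END CERTIFICATE-----
        dest: "{{ out_dir }}/service.crt"
        mode: "0644"
```

Two points a practitioner should keep in mind when adapting this. The RA client certificate is the credential that lets the pipeline mint certificates, so it belongs in the CI system's secret store, it should be bound to an EJBCA role that can only use the intended end entity profile, and it should be rotated like any other privileged secret. And the certificate profile on the CA side is where policy lives (short validity, server-auth-only key usage, allowed SAN patterns); the job above only asks, it does not decide, which is exactly the separation that makes on-demand issuance safe to automate.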

To learn more about using DevOps tools and best practices to simplify and scale PKI and watch a demo of EJBCA and Ansible in action, check out our webinar “PKI On-Demand for DevOps with Ansible and EJBCA.”