3. Self Signed Verification Flow
[Diagram] Client (App/Browser, holding the CA public cert) and Web Server (priv/pub key pair). 1. Hello; 2. Server sends its Pub Key; 3. Client verifies the PUB KEY: it DOESN'T MATCH the CA, so NO TRUST!
4. Proper SSL Verification Flow
[Diagram] Same parties: Client (App/Browser, holding the CA public cert) and Web Server (priv/pub key pair). 1. Hello; 2. Server sends its Pub Key; 3. Client verifies the PUB KEY: it MATCHES ONE OF THE CAs, so TRUSTED!
5. PKI Old School
[Diagram] Root CA (Public/Private key pair). A Linux server (Apache / Nginx) and a Windows server (IIS) each generate a Public/Private key pair and a CSR; each CSR is manually copied to the Root CA, signed, and the signed public cert is manually copied back. The Root public cert is also manually copied to every server and every client.
6. Villains
• Painful signed certs
• Oprah – self signed certs for everyone
• No trust
• Disable validation
• MITM Attacks
• Renewal and Expiration
• Security tickets
7. Call For Help
• Security
  • Centrally signed with CA
  • Validation enabled
  • Strong ciphers
• DevOps
  • Auto renewal
  • Cross-platform
  • Integrated with services
9. PKI with Vault + Puppet (vault_cert)
[Diagram] Root CA signs the Vault CA as an Intermediate CA; copy steps are shown between Root CA, Vault CA and the Puppet Server. Linux (Apache / Nginx) and Windows (IIS) servers each end up with a Public/Private key pair plus the Root and Vault CA certs; clients get the Root and Vault CA certs.
13. Windows problem
• Certs in cert store have a path
  • Cert:\LocalMachine\My\<UNIQUE-THUMBPRINT>
  • Cert:\LocalMachine\My\ABC1234
• Thumbprints are unique
  • Thumbprints = hash of cert content
• Services bind to cert path
  • relies on Thumbprint
14. Windows Manifest
vault_cert { 'chocolatey':
  cert_dir => 'Cert:\LocalMachine\My',
  notify   => Service['iis'],
}
iis_binding { 'chocolatey':
  binding_info => {
    certificatestore => 'Cert:\LocalMachine\My',
    certificatehash  => WHAT DO I PUT HERE????,
  },
}
PROBLEM: Puppet can't output data from a resource, so the thumbprint that vault_cert will write into the store is unknown when iis_binding is compiled.
15. Windows solution – Use a function!
• Functions run on the server
• Function calls Vault API
• Embed certificate in Catalog
• Path to certificate is known at compile time
16. $cert_output = vault::cert(...args...)
vault_cert { 'chocolatey':
  cert     => $cert_output['cert'],
  priv_key => $cert_output['priv_key'],
}
iis_binding { 'chocolatey':
  binding_info => {
    certificatehash => $cert_output['thumbprint'],
  },
}
Windows solution (flow)
[Diagram] Puppet Server, Vault CA, and a Windows host running IIS (Public/Private key pair):
1. Facts (Windows agent -> Puppet Server)
2. CSR (Puppet Server -> Vault CA)
3. Cert & Key (Vault CA -> Puppet Server)
4. Embed in Catalog
5. Catalog (Puppet Server -> agent)
6. Agent
7. Write to Cert Store
8. Bind and reload IIS
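Added example (not code from the talk or from the vault_cert module): a Ruby sketch of what a server-side Puppet function like vault::cert has to do so that the certificatehash on slides 13 to 16 is known at catalog compile time. It stands in for the Vault API call with a locally generated self-signed certificate (constructed test data; the issue_test_certificate helper is mine, and its certificate / private_key / issuing_ca keys mirror the field names of a Vault PKI issue response), computes the Windows thumbprint the way PowerShell's Cert: provider reports it (uppercase SHA-1 hex digest of the DER encoding), and returns a hash shaped like $cert_output on slide 16. The extra cert_path key is an assumption of this example, not something the slides define.

```ruby
require 'openssl'

# Machine-account personal store, as the PowerShell Cert: provider names it.
WINDOWS_CERT_STORE = 'Cert:\LocalMachine\My'.freeze

# Stand-in for the Vault PKI "issue" call the real server-side function would make.
# Constructed test data: a throwaway self-signed cert. The returned keys mirror the
# certificate / private_key / issuing_ca fields of a Vault PKI issue response.
def issue_test_certificate(common_name, serial: 1)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject             # self-signed stand-in for the Vault intermediate
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 7 * 24 * 3600 # short-lived, like a Vault-issued leaf
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { 'certificate' => cert.to_pem, 'private_key' => key.to_pem, 'issuing_ca' => cert.to_pem }
end

# Thumbprint as PowerShell shows it: SHA-1 over the DER encoding, uppercase hex.
# It covers the whole signed certificate, so every re-issue (new serial, new
# validity window, new key) yields a new thumbprint and therefore a new Cert: path.
def windows_thumbprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest.new('SHA1').hexdigest(der).upcase
end

# Shape of $cert_output from slide 16, computed on the Puppet server so the
# certificatehash for iis_binding is known when the catalog is compiled.
def vault_cert_output(issued)
  thumb = windows_thumbprint(issued['certificate'])
  {
    'cert'       => issued['certificate'],
    'priv_key'   => issued['private_key'],
    'thumbprint' => thumb,
    'cert_path'  => "#{WINDOWS_CERT_STORE}\\#{thumb}", # assumed extra key, not in the slides
  }
end

if __FILE__ == $PROGRAM_NAME
  out = vault_cert_output(issue_test_certificate('chocolatey.example.test'))
  puts "thumbprint: #{out['thumbprint']}"
  puts "store path: #{out['cert_path']}"
end
```

Because the thumbprint hashes the entire certificate, it changes on every renewal; deriving both the vault_cert resource and the iis_binding resource from the same $cert_output in one catalog is what keeps the binding pointing at the certificate that will actually be written to the store, and the notify on the service picks up the new path.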
- Landscape?
- Ohio in middle of the Brown Field
- Windows: 2008, 2012, 2016
- Linux
  - RHEL 6 & 7
  - Ubuntu 14.04, 16.04, 18.04
- Parts
- CA Cert
- Server public / private keys
- Signing infrastructure
- Security
  - More often (weekly)
  - Faster (1 day or less)
  - Reports of available patches
- DevOps
  - HA groups
  - Customizable workflows
  - Cross-platform
  - Windows Update + Chocolatey
  - Built on Bolt
- Open source for community
- Eat our own dogfood
- Forge
- Parts
- CA Cert
- Server public / private keys
- Signing infrastructure
- Available updates
- Create snapshot
- Pre
- app shutdowns
- Update
- Post
- Reboot
- Delete snapshot
- Inventory YAML on the left
- Result on the right
- Puts data into an array
- Sorted by patching order
- If multiple inventory groups have the same patching_order, they result in one group
- Allows inventory to be defined by a different dimension, say application
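The grouping these notes describe, as an added Ruby example that is not the talk's module code: it reads a Bolt-style inventory (the groups / name / targets / vars layout is assumed, and the sample inventory is constructed), collects every group that sets patching_order in its vars, merges groups that share an order into one entry, and returns the entries as an array sorted by order. Groups without a patching_order are left out; that is this example's choice rather than something the slides state.

```ruby
require 'yaml'

# Constructed sample inventory. The Bolt-style groups/name/targets/vars shape is an
# assumption of this example; "web" and "app" share patching_order 2 on purpose.
SAMPLE_INVENTORY = <<~YAML
  groups:
    - name: web
      targets: [web01.example.test, web02.example.test]
      vars:
        patching_order: 2
    - name: db
      targets: [db01.example.test]
      vars:
        patching_order: 1
    - name: app
      targets: [app01.example.test, app02.example.test]
      vars:
        patching_order: 2
    - name: unordered
      targets: [misc01.example.test]
YAML

# Returns an array of { 'patching_order', 'groups', 'targets' } hashes, one per
# distinct patching_order, sorted ascending. Groups with the same order are merged,
# so the inventory can be organised by application while patching still runs in order.
def patching_groups(inventory_yaml)
  inventory = YAML.safe_load(inventory_yaml)
  by_order = Hash.new do |h, order|
    h[order] = { 'patching_order' => order, 'groups' => [], 'targets' => [] }
  end

  inventory.fetch('groups', []).each do |group|
    vars = group['vars'] || {}
    next unless vars.key?('patching_order')     # assumption: untagged groups are skipped
    entry = by_order[Integer(vars['patching_order'])]
    entry['groups'] << group['name']
    entry['targets'] |= Array(group['targets'])  # union, so a target listed twice runs once
  end

  by_order.keys.sort.map { |order| by_order[order] }
end

if __FILE__ == $PROGRAM_NAME
  patching_groups(SAMPLE_INVENTORY).each do |entry|
    puts "order #{entry['patching_order']}: #{entry['groups'].join(', ')} -> #{entry['targets'].join(' ')}"
  end
end
```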
- Show screenshot of cert paths in powershell
- Windows
  - choco upgrade all: EASY
  - Special snowflake Windows Update
  - Scheduled task
- RHEL
  - yum update
- Ubuntu
  - apt-get dist-upgrade
- Opinionated workflow
- Uses all of the components we just talked about
- Customizable / pluggable
  - vars
  - dynamic dispatch
- Super easy way to get started
- Fully expect people to make their own workflows
- 500+ VMs
- 6x internal and customer environments
- 1 engineer
- < 1 day
- Every week
  - dev = latest
  - prod = dev from week before