Centralized TLS Certificate Management with HashiCorp Vault PKI and Cert Manager

Embracing Zero Trust Security with HTTPS

In the era of zero-trust security, HTTPS has become a non-negotiable requirement for securing web traffic. It ensures that data transferred between users and websites is encrypted and authenticated, protecting against eavesdropping and man-in-the-middle attacks.

2024 03 01

Understanding Public Key Infrastructure (PKI)

PKI is a framework that manages digital certificates and public-key encryption, enabling secure communication over the internet. It involves the creation, distribution, and management of digital certificates, which are used to verify the identity of entities and encrypt data.

Challenges with Traditional PKI Management

Managing PKI manually can be cumbersome and error-prone. The process typically involves:

  1. Generating a key pair and Certificate Signing Request (CSR).

  2. Submitting a support request for certificate issuance, which can take 1-10 days.

  3. Receiving and configuring the service with the returned certificate.

  4. Regularly rotating certificates to maintain security.

This manual approach is not only time-consuming but also increases the risk of misconfigurations and security breaches.

Simplifying PKI with HashiCorp Vault

HashiCorp Vault offers a solution to these challenges by automating the certificate management process. With Vault's PKI Secret Engine, certificates can be automatically requested and updated, streamlining the management of TLS certificates.

Vault PKI Secret Engine Configuration

To set up centralized TLS certificate management using HashiCorp Vault PKI and Cert Manager, follow these steps:

  1. Mount the PKI Secret Engine: Enable the PKI secret engine in Vault to start issuing certificates.

     vault secrets enable pki
    
  2. Configure the Root CA: Set up a root Certificate Authority (CA) or an intermediate CA to sign certificates.

     vault write pki/root/generate/internal \
       common_name="example.com" \
       ttl=87600h
    
  3. Enable Kubernetes Authentication: Configure Vault to authenticate Kubernetes service accounts, allowing Cert Manager to interact with Vault.

     vault auth enable kubernetes
    
  4. Configure Cert Manager: Set up Cert Manager in your Kubernetes cluster to automatically request and renew certificates from Vault.

     apiVersion: cert-manager.io/v1
     kind: Issuer
     metadata:
       name: vault-issuer
     spec:
       vault:
         path: pki/sign/example-dot-com
         server: https://vault.example.com
         auth:
           kubernetes:
             role: cert-manager
             secretRef:
               name: vault-auth
               key: token
    

By integrating HashiCorp Vault PKI with Cert Manager, you can achieve automated and centralized management of TLS certificates, reducing manual effort and enhancing security. This setup ensures that your services are always secured with up-to-date certificates, aligning with zero-trust security principles.