
Support additional Certificate Authorities #44

Open
zosocanuck opened this issue Nov 21, 2019 · 2 comments
Labels
enhancement New feature or request

Comments

@zosocanuck

zosocanuck commented Nov 21, 2019

BUSINESS PROBLEM
Customer is currently using Digicert for all external certificates, with plans to support public ACM. Amazon Private CA is not being used. Customer needs the ability to have visibility and control across all certificates in AWS.

PROPOSED SOLUTION
Extend the lambda function to support Digicert and ACM, with the flexibility to support additional Certificate Authorities. Support should include enrollment and renewal functionality.

CURRENT ALTERNATIVES
Customer has written their own limited Lambda function to support certificate enrollment from ACM.

VENAFI EXPERIENCE
Customer has been using Venafi for 3 years and is a very active user.

@Saadi6

Saadi6 commented Nov 21, 2019

Support for ACM and IAM is already present in the form of CA template objects. This lambda function is specifically for AWS Private CA.

The figure below may help illustrate ACM and IAM provisioning. Policies defined in Venafi will be enforced for these requests. By the same token, existing certificates in AWS key stores can be 'discovered' as well.

[Figure: Picture 2 (ACM/IAM provisioning flow)]

  1. (1) Request for new certificate or a renewal
  2. (5) TPP generates a Private Key, creates a CSR and sends the CSR to a Certificate Authority such as DigiCert or another public/private CA. Private Key stored in encrypted database (99)
  3. (6) Signed certificate sent to TPP server and stored in encrypted database (99)
  4. (7) Signed certificate and Private Key provisioned into key store in AWS IAM or ACM by TPP
  5. (8) Certificate unique identifier in AWS (ARN) is sent to TPP
  6. (1) Applicant can optionally read the ‘stage’ provisioning is currently at and/or retrieve values generated by AWS or Azure for this certificate
  7. (4) Certificate details (including ARN) are returned to requesting application when they are available

Venafi's access to key stores in AWS can leverage cross-account AssumeRole features in AWS. For example, the account doing the provisioning into AWS-based key stores temporarily assumes a pre-defined role with the minimal required access to perform the provisioning task in the target AWS account.

[Figure: Picture 1 (cross-account AssumeRole for provisioning)]
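Added example (not part of this issue or of the project's code) of the cross-account AssumeRole setup described above: the trust policy limits who may assume the provisioning role and requires an ExternalId, the permission policy grants only the calls needed to place a certificate into ACM or IAM in the target account, and a small pre-deployment check flags definitions that are broader than that. The account ids, ExternalId value and action set are assumptions.

```python
"""Least-privilege cross-account role for provisioning certificates into ACM/IAM.

Constructed example: account ids, ExternalId and the action set are placeholders.
"""
import json

PROVISIONER_ACCOUNT = "111111111111"          # placeholder: account that runs the provisioner
TARGET_ACCOUNT = "222222222222"               # placeholder: account that owns the key stores
EXTERNAL_ID = "replace-with-a-random-secret"  # placeholder: confused-deputy guard

# The only calls needed to push a signed certificate and key into ACM or IAM and read it back.
ALLOWED_ACTIONS = {
    "acm:ImportCertificate", "acm:AddTagsToCertificate", "acm:DescribeCertificate",
    "iam:UploadServerCertificate", "iam:GetServerCertificate",
}

def trust_policy(provisioner_account: str, external_id: str) -> dict:
    """Who may assume the role: only the provisioner account, and only with the shared ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{provisioner_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}

def permission_policy(target_account: str) -> dict:
    """What the role may do once assumed: import/upload certificates in the target account only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": sorted(ALLOWED_ACTIONS),
        "Resource": [f"arn:aws:acm:*:{target_account}:certificate/*",
                     f"arn:aws:iam::{target_account}:server-certificate/*"],
    }]}

def policy_findings(trust: dict, perms: dict) -> list:
    """Pre-deployment check; returns the problems found (empty list means the role is tightly scoped)."""
    findings = []
    for st in trust.get("Statement", []):
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust: any AWS principal may assume the role")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: no ExternalId condition (confused-deputy risk)")
    for st in perms.get("Statement", []):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        findings += [f"perms: action {a} exceeds provisioning needs"
                     for a in actions if "*" in a or a not in ALLOWED_ACTIONS]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" in resources:
            findings.append("perms: resource * is not scoped to the target account")
    return findings

if __name__ == "__main__":
    print(json.dumps(trust_policy(PROVISIONER_ACCOUNT, EXTERNAL_ID), indent=2))
    print(policy_findings(trust_policy(PROVISIONER_ACCOUNT, EXTERNAL_ID), permission_policy(TARGET_ACCOUNT)))
```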

@tr1ck3r tr1ck3r added the enhancement New feature or request label Jan 29, 2020
@tr1ck3r
Member

tr1ck3r commented Jan 29, 2020

The possibility of enhancing the Lambda function to alternatively request certificates through Venafi Cloud or TPP would be in alignment with most of our other DevOps solutions but it is not in our near term plans.
