
I'd like to know what is the best way to secure SSL keys and certificates for web applications. I am using the roles/profiles pattern. Here is the scenario:

  • I have a web application. There is a Puppet module that sets up the application. This module also sets up the SSL keys and certs required for it to run. These files are committed in the same repo (which is insecure) under the app/files directory and are then placed at the right locations using the file type.
  • There is a profile manifest that puts the stack together for this application - install and setup apache, install and setup memcached, install php and setup the application using the above module.

Now the SSL keys and certs are checked in the same repo and that's probably not the best way to do it. I am considering using hiera-eyaml module and then put the encrypted version of these certs and keys in a hiera file.

I was just wondering if that's the way most people do this. Or are there better ways of handling this?

vaidik
    I believe that the alternative you sketched is indeed common practice. Your encrypted data has to remain *somewhere*, and Puppet will need a means to decrypt it. Hence this is likely the most direct approach. – Felix Frank Apr 07 '15 at 13:18

1 Answer


I currently use hiera-eyaml on projects. We use the PKCS encryption, give everyone the public key so that they can make modifications, and the private key only exists on the puppet master and a secure backup. It has just worked after we got it set up; everyone quickly got used to using the tooling to encrypt values.

Chris Pitman
  • Yeah that sounds reasonable. My only concern was that when you encrypt SSL certs and keys, what you get is a very large encrypted string. And when you have multiple certs/keys put in one `eyaml` file, the file becomes too large to read. Nothing majorly wrong with that but it just didn't feel like the best way of doing it. Any thoughts on that? – vaidik Apr 09 '15 at 07:38
  • We only have a handful of keys, so it hasn't been much of an issue for us. I'm not sure how well this would work, but it is possible to split values into multiple files based on a hiera hierarchy. – Chris Pitman Apr 09 '15 at 13:05
  • Yes, well that's true. Hiera will just keep going down the hierarchy when the lookup fails. – vaidik Apr 09 '15 at 17:29
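The following is an added example, not code from the question, the answer or the hiera-eyaml project. It ties the two halves of the thread together: the profile from the question, rewritten so the private key comes out of hiera-eyaml instead of app/files, and the hiera-eyaml setup from the answer (PKCS7 private key only on the master, everyone else holds the public key) with the per-file split that the comments discuss. Everything named here is assumed for illustration: the class `profile::webapp`, the lookup keys, the key paths under /etc/puppetlabs, the hostname shop.example.com, and `Service['httpd']` as the Apache service resource title (which is what puppetlabs-apache declares). It assumes Hiera 5 and a Puppet version with the `Sensitive` type (4.6 or later); the original thread predates both, but the approach is the same.

```puppet
# Assumed hiera.yaml on the Puppet master (Hiera 5 syntax, shown here as a
# comment because it is not Puppet code):
#
#   version: 5
#   defaults:
#     datadir: data
#     lookup_key: eyaml_lookup_key          # backend shipped by hiera-eyaml
#     options:
#       # Private key lives ONLY on the master (plus an offline backup);
#       # the public key is what you hand to everyone who edits secrets.
#       pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
#       pkcs7_public_key:  /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
#   hierarchy:
#     - name: "Per-node secrets"            # one small eyaml file per node,
#       path: "nodes/%{trusted.certname}.eyaml"   # so common.eyaml stays readable
#     - name: "Common data"
#       path: "common.eyaml"
#
# Assumed data/nodes/shop.example.com.eyaml, created with
#   eyaml encrypt -l 'profile::webapp::ssl_key' -f shop.example.com.key
# (the ENC[...] payload below is a placeholder, not a real ciphertext):
#
#   profile::webapp::server_name: shop.example.com
#   profile::webapp::ssl_cert: |
#     -----BEGIN CERTIFICATE-----
#     ...
#     -----END CERTIFICATE-----
#   profile::webapp::ssl_key: ENC[PKCS7,MIIB...]
#
# The profile below receives the already-decrypted values through automatic
# parameter lookup; decryption happens on the master at catalog compile time.
class profile::webapp (
  String $server_name,
  String $ssl_cert,   # public certificate: fine in plain YAML
  String $ssl_key,    # private key: eyaml-encrypted at rest in the repo
) {
  # Apache, memcached and PHP setup from the question's stack go here;
  # they are omitted because they are not the point of the example.

  $ssl_dir = '/etc/ssl/webapp'

  file { $ssl_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }

  file { "${ssl_dir}/${server_name}.crt":
    ensure       => file,
    content      => $ssl_cert,
    owner        => 'root',
    group        => 'root',
    mode         => '0644',
    # Refuse to install a file that openssl cannot parse as a certificate.
    validate_cmd => '/usr/bin/openssl x509 -noout -in %',
    notify       => Service['httpd'],
  }

  file { "${ssl_dir}/${server_name}.key":
    ensure       => file,
    # Sensitive() keeps the key out of agent logs, reports and diffs; the
    # master has already decrypted it, so this protects the trail, not the value.
    content      => Sensitive($ssl_key),
    owner        => 'root',
    group        => 'root',
    mode         => '0600',   # Apache reads the key as root before dropping privileges
    show_diff    => false,    # never print old/new key material in a diff
    validate_cmd => '/usr/bin/openssl rsa -check -noout -in %',
    notify       => Service['httpd'],
  }
}
```

Two caveats worth keeping in mind with this layout. The master decrypts the key during compilation, so it travels in the compiled catalog and is only as private as the agent's TLS channel and the node's catalog cache; eyaml protects the repository, and `Sensitive` plus `show_diff => false` protect logs and reports, but neither protects a compromised master or node. And because keys are wrapped in the hiera key name rather than in a single blob, a per-node (or per-application, with a different interpolation variable) hierarchy level keeps each eyaml file to a handful of values, which is the practical answer to the "file becomes too large to read" concern in the comments.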