Last year, Venda released a project to create and manage a simple x509
PKI using Chef and Chris Andrews introduced it with his blog post,
“Deploying a PKI With Chef”.
A few people tried it out after the initial release
(and submitted patches or bug reports – thank you!), and it has since
been renamed to become the x509 cookbook, which you can find
on the community site
or on github.
I’ve found it useful of late, so let’s take another look.
What’s The Problem?
You’ve decided to SSL-enable one of your internal services, and that
means you need an x509 certificate. The cheapest and easiest option
is to generate a self-signed certificate, but this option is not
without drawbacks.
When you connect to a service using a self-signed certificate, you can
be confident that your communication is encrypted, but you can’t be
sure who you’re communicating with. You are protected from attackers
“sniffing” data from an insecure network, but not from attackers
creating a fake service in front of the one you expect to connect to (a
man-in-the-middle attack).
It’s also annoying to users, as most software will (rightly!) warn you
that self-signed certificates are not to be trusted.
A better option is to run an internal Certificate Authority, and use
that to sign the certificates for your SSL-enabled services. You can
import your CA’s certificate into your browser (or OS), which will
then trust services using certificates that it has signed.
It’s not hard to make your own CA, but getting a signed certificate
for your service necessarily involves a number of steps:
- On the host, generate a secret key and a certificate signing request (CSR)
- Get the CSR to the internal CA
- Create a signed certificate using the CSR and the internal CA
- Get the signed certificate to the host
- Install the signed certificate
Venda wanted to automate this process, and the result is the x509
cookbook and the chef-ssl-client gem.
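Here are the steps above carried out in Ruby’s standard OpenSSL bindings, as an added example for this post (it is not code from the x509 cookbook or the chef-ssl-client gem): the CA is created once, the host makes a key and CSR, the CA signs the CSR, and a client that trusts only the CA verifies the result. The CA name, hostname and validity periods are made-up sample values.

```ruby
require 'openssl'
# Step 0 (done once): create the internal CA, a self-signed CA certificate.
def make_ca(name = '/CN=Example Internal CA')
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3, so extensions are allowed
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(name)
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 10 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Step 1: on the host, generate the secret key and a CSR. Only the CSR is sent to the CA.
def make_csr(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  [key, csr]
end

# Step 3: the CA checks the CSR's self-signature, then issues a leaf certificate.
def sign_csr(csr, ca_key, ca_cert, serial, days: 365)
  raise 'CSR signature does not match its public key' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial                   # must be unique per CA
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# The client's side of step 5: trust only the CA certificate and check that the
# service certificate chains to it. A self-signed service certificate fails here.
def trusted_by?(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end
```

Getting the CSR to the CA (step 2) and the certificate back to the host (step 4) are the transport steps the cookbook and gem take care of; here they are just Ruby objects passed between calls.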