mesh
Secret management for mTLS
Proposal
To properly implement mTLS, we need to have a secret store/certificate system to:
- Store root mTLS signing certificates
- Provide API access to distribute certificates to new nodes
- Handle re-issuing/rotating certificates as they expire
Background
Implementing mTLS requires that every node present a certificate signed by a trusted authority as part of node-to-node communication, so we need to be able to generate signed certificates and have nodes trust them.
We also require these certificates to be generated dynamically, so that they can be re-issued, issued to new nodes as they join, and rotated before expiry.
It would also be ideal to expose a signed intermediate, so that users have the option of adding the root to their own app, joining the existing mTLS trust chain and extending it all the way to the end application.
Options
- HashiCorp Vault
Although Vault seems to provide much of this functionality, it has fairly steep system requirements, which may be more than we want to take on.
- Custom/Roll our own
This might be a good starting point, since we have a fairly small set of requirements.
We could also look at Boulder or Pebble if we only want to manage TLS certificates.
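To make the "roll our own" option concrete, here is an added Go sketch (not code from this proposal, nor from Vault, Boulder or Pebble) of the three requirements above: a signing root the secret store would hold, issuance of a short-lived node leaf with the client and server EKUs that mTLS needs, an early-rotation trigger, and the peer-side chain check. The root name `mesh-root` and the node naming are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert generates a P-256 key for tmpl, gives it a random 128-bit serial (unique per issuer, no issuance volume leaked) and signs it with parent/parentKey, or self-signs when parent is nil.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewRoot is the long-lived signing root the secret store holds; it may only sign, never serve traffic (no EKUs).
func NewRoot(now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return makeCert(&x509.Certificate{Subject: pkix.Name{CommonName: "mesh-root"}, NotBefore: now, NotAfter: now.Add(ttl),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
}
// IssueNode mints a short-lived leaf for one node with both client and server EKUs, as peers in mTLS act as both.
func IssueNode(root *x509.Certificate, rootKey *ecdsa.PrivateKey, node string, now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return makeCert(&x509.Certificate{Subject: pkix.Name{CommonName: node}, DNSNames: []string{node}, NotBefore: now, NotAfter: now.Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}, root, rootKey)
}
// NeedsRotation is the re-issue trigger: true once less than window of validity remains, or the cert has already expired.
func NeedsRotation(c *x509.Certificate, now time.Time, window time.Duration) bool { return !now.Add(window).Before(c.NotAfter) }
// VerifyPeer is what a receiving node does: the presented leaf must chain to our root and be valid for client auth at now.
func VerifyPeer(leaf, root *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A real deployment would keep the root key inside the secret store and only ever export the root certificate to nodes; the rotation window should be a sizeable fraction of the leaf TTL so that a few failed renewal attempts do not leave a node with an expired certificate.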