Linux Automated x509 Certificate Signing
Posted by superwinni2@reddit | sysadmin | 7 comments
Hello
How do you all manage internal certificates on Linux systems?
For Windows I have my Windows PKI.
I thought about creating a Sub-CA from my Windows PKI and using it with a tool (like step-ca) to automate the process of getting certificates for my Linux web servers.
How do you handle it?
RepulsiveDuck331@reddit
Your sub-CA from ADCS + step-ca idea is solid, that's basically what we run for a few clients. ADCS root, offline-ish, with a step-ca subordinate handling ACME for all the Linux boxes. Just make sure the chain (root + intermediate) is pushed to the Linux trust stores via config mgmt, otherwise renewals look fine but clients break.
Watch out for key handling on step-ca itself, HSM or at least sealed in Vault if you can. Short lifetimes (90 days or less) with ACME auto-renew via certbot or step's own client beat trying to do revocation properly.
CRLs on internal PKI are usually where people get burned. Monitor expiry independently of the CA.
xXxLinuxUserxXx@reddit
You didn't specify the use case(s), so I just throw https://openbao.org/docs/secrets/pki/setup/ into the ring.
We still use HashiCorp Vault but plan to switch to OpenBao because of some nice new features which Vault does not offer.
Besides hosting the PKI (and other secret stores), it also comes with an agent to update local files/certificates etc.
maetthew@reddit
Mind elaborating on the extra features?
ccheath@reddit
Set up step-ca two weeks ago... works great.
Now I have one cert to renew yearly and the rest renew via certbot every 20 days (30-day cert).
Kimera84@reddit
For this kind of setup, SwissSign can fit if you want a trust service provider for certificates and signing, but for internal Linux web servers I'd still keep the workflow pretty simple: root or issuing CA, automated renewal, and clean trust distribution on the hosts. The main question is less about the certificate itself and more about how you want to run issuance and renewal day to day.
If you need legally valid signatures or identity verification around the same environment, SwissSign covers that side too. For pure internal X.509 automation, though, a sub-CA plus ACME-style automation is usually the part people build around.
AndyceeIT@reddit
As a Red Hat-heavy shop, IPA is well suited for internal TLS certificates.
srekkas@reddit
I use the FreeIPA CA; joined Linux hosts can use the getcert CLI. Others use acme.sh, certbot or any other ACME-compatible tool.