For more information and reference to all parts of the series, visit Modern and future-proof solution for PKI and trust management.
Database, persistent storage, tools for management of your infrastructure and deployment automation are important parts of modern PKI. It helps to achieve operational continuity and to have proper control of all changes.
There are plenty of tools available and usually you need to build an inventory that will help you to achieve easy, secure management and maintenance of your PKI. We will call this inventory a “tooling” and we’ll introduce a few of the tools used in this guide.
Persistence of data
We need to store the data and protect it from unauthorized changes. The persistence of the data is one separate layer of the solution since data is typically persistent in the database. When deciding on database technology, it is important to take into consideration:
- transparent encryption options – which can protect the data stored in the database without having the encryption implementation in the application
- high availability and failover – to achieve higher reliability of the data access and eventually availability of your PKI
- backup and recovery procedures – how you recover from a disaster, how to back up the data and restore it, usually in a shortest time
For this guide, we will use PostgreSQL database to demonstrate the persistence of the data related to our infrastructure. Therefore, we recommend installing PostgreSQL locally or on a remote server for testing purposes. We will use the following simple setup:
- database cluster with 3 nodes, one primary to read/write, and 2 slave with the streaming replication enabled
- Pgpool-II as a middleware for load balancing and failover for the database cluster
Tooling to prepare
We want to utilize containerized environment for our PKI and use Kubernetes-like deployment to have infrastructure as a code and automate change management, vulnerability management, compliance, and other aspects.
The tooling may, and probably will, change over time as technology evolves. For the purpose of this guide, we will use the following basic tooling to prepare infrastructure:
- Docker – for building containers and distribution to repositories where they can be available for deployment
- RKE2 – Kubernetes distribution that focuses on security and compliance
- Helm – the package manager for the Kubernetes, templating manifests that simplifies deployment of applications
- GitHub – version control and change management for the deployment with Actions as CI/CD pipelines
Automation and control
The basic tooling is a good starting point to deploy and manage infrastructure, however, for the production-based PKI, to control security, compliance and automate procedures, you will need more of them.
The following is a sample list of tools that are worth considering as part of your tooling:
- Terraform and Ansible – automated provisioning and maintenance of the on-premises or cloud-based environment
- Harbor and Docker Hub – repository and management for containers and charts that are available and trusted to deploy
- Snyk and Trivy – vulnerability management
- Cosign – signing and verification of trusted containers
- ArgoCD – continuous delivery, automation of environment changes through GitOps
- Rancher – centralized and simplified management of Kubernetes clusters
- CIS Benchmarks – guidelines and pre-configured rules that can check compliance of the environment against current security threats
Ready to start
Once you are at this point, you should understand the basics of how to prepare the design and architecture of modern and future-proof PKI. It is important to have a systematic approach and think about various options before you get your hands-on experience.
The PKI is not a one-time deployment that can run for many years without any change. It needs to be properly managed to maintain the required trust provided by the identities it issues.
With all the preparation and right tooling, the lifecycle of trust services can be simplified, although its complexity.
Get more information about the CZERTAINLY
CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in more and more connected world.
Do not hesitate to get in touch with us!