Guide to modern PKI: Deploy CZERTAINLY in few minutes

Modern and future-proof solution for PKI and trust management This is a part of a series of articles about building a modern and future-proof solution for PKI and trust management using CZERTAINLY platform and various technologies.
For more information and reference to all parts of the series, visit Modern and future-proof solution for PKI and trust management.

CZERTAINLY is a platform for effective and efficient trust lifecycle management for companies of any size and individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in more and more connected world.

It is designed and developed by a team of PKI and information security enthusiasts with practical point of view on the trust management in hybrid environments. PKI is the backbone of security in our daily communication and its security and easy management should be available to everyone.

Trust lifecycle management includes and is not limited to:

digital certificates
cryptographic keys
digital signatures

The platform seamlessly integrates with various certification authority technologies. Let’s take a look how to quickly deploy CZERTAINLY. This is the first step to prepare solution for automation of certificate management with complete visibility and monitoring.

Prerequisites

The following is assumed to be already available before installing CZERTAINLY:

Kubernetes 1.19+
Helm 3.8.0+
PostgreSQL 11+

In case you want to enable Ingress you need to have installed Ingress Controller.

If you are using internal CA for Ingress and Administrator certificate, you also need to have installed cert-manager.

Create database

Depending on your setup, you should initialize the database. In this guide, we are going to create database with name czertainly and the user with name czertainlyuser that has access to the database with read/write privilege:

postgres=# CREATE USER czertainlyuser WITH PASSWORD 'your-strong-password';
postgres=# CREATE DATABASE czertainly ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE=template0;
postgres=# GRANT ALL PRIVILEGES ON DATABASE czertainly to czertainlyuser;

Create namespace

We’ll need to define a Kubernetes namespace czertainly where the resources created by the Helm chart will be deployed:

kubectl create namespace czertainly

Deploy CZERTAINLY

There are couple of options how to configure deployment of CZERTAINLY based on you TLS setup and administrator certificate handling. We will use basic configuration for the purpose of this guide.

The platform will be deployed using default values, with the connection to our database, and Ingress resource with self-signed certificate that will authenticate our pre-generated administrator.

Helm chart configurable values You can get all values that are configurable using the helm show command. See the CZERTAINLY Helm Chart Configurable values. The CZERTAINLY Dummy Root CA is pre-generated certification authority for testing purposes.

We can start installation with the Helm command, where:

ingress.enabled – enables Ingress resource with mTLS
hostName – hostname configured for the Ingress resource
global.database.name – database name, propagated to all sub-charts that require the database
global.database.port – database port, propagated to all sub-charts that require the database
czertainly-tlm – name of the application
oci://harbor.3key.company/czertainly-helm/czertainly – repository from which to pull

helm install --namespace czertainly \
  --set ingress.enabled=true \
  --set hostName=czertainly.local \
  --set global.database.port=30107 \
  --set global.database.name=czertainly \
  czertainly-tlm \
  oci://harbor.3key.company/czertainly-helm/czertainly

Now, wait few minutes for the Kubernetes to download all required containers (if not present in the local repository) and create all resources that are required for the CZERTAINLY deployment. When the CZERTAINLY is deployed, you should see that all pods are ready and running using kubectl get all -n czertainly command.

Access CZERTAINLY

During the initial deployment, the database is bootstrapped, first administrator is registered as superadmin, and all enabled connectors are pre-registered to be available in the platform. Access to administrator web is provided through Ingress resource that has enabled trust for the administrator issued by the CZERTAINLY Dummy Root CA.

Self-signed certificates Self-signed certificates were issued from the helm deployment. You might see browser alerts accessing the administrator web. Accept the security risk for now. You can change the certificates and upgrade CZERTAINLY via helm anytime.

Import the first administrator certificate into your browser. Now you can access the administrator web. You will be asked to be authenticated with the certificate:

https://czertainly.local/administrator/

And that’s it! CZERTAINLY platform is successfully deployed, and you can start building your certificate inventory, visibility, and automation.

Custom and advanced setup

CZERTAINLY Helm chart is available as an open source GitHub repository. All configurable values are described, and you can learn how to deploy platform with your own trusted certificate chain, how to deploy only connectors you require, how to scale the platform for high availability and failover, and many more.

Helm charts are also available for other components and services that are part of the deployment. You have therefore flexibility in building your custom deployments that fits your infrastructure.

Get more information about the CZERTAINLY

Need Help

Do not hesitate to get in touch with us!