For more information and references to all parts of the series, visit Modern and future-proof solution for PKI and trust management.
CZERTAINLY is a platform for effective and efficient trust lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.
It is designed and developed by a team of PKI and information security enthusiasts with a practical view of trust management in hybrid environments. PKI is the backbone of security in our daily communication, and its security and easy management should be available to everyone.
Trust lifecycle management includes, but is not limited to:
- digital certificates
- cryptographic keys
- digital signatures
The platform integrates seamlessly with various certification authority technologies. Let's take a look at how to quickly deploy CZERTAINLY. This is the first step in preparing the solution for automated certificate management with complete visibility and monitoring.
The following is assumed to be already available before installing CZERTAINLY:
- Kubernetes 1.19+
- Helm 3.8.0+
- PostgreSQL 11+
If you want to enable Ingress, you need to have an Ingress Controller installed.
If you are using the internal CA for the Ingress and administrator certificates, you also need to have cert-manager installed.
Depending on your setup, you should initialize the database. In this guide, we are going to create a database named czertainly and a user named czertainlyuser that has read/write access to it:
postgres=# CREATE USER czertainlyuser WITH PASSWORD 'your-strong-password';
postgres=# CREATE DATABASE czertainly ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE=template0;
postgres=# GRANT ALL PRIVILEGES ON DATABASE czertainly to czertainlyuser;
Note that GRANT ... ON DATABASE only covers connecting to the database and creating schemas in it, not creating tables. On PostgreSQL 15 and later, where CREATE on the public schema is no longer granted to every user, either make czertainlyuser the owner of the database (CREATE DATABASE czertainly OWNER czertainlyuser ...) or grant it CREATE on the public schema; otherwise the application cannot create its tables there.
We’ll need to define a Kubernetes namespace czertainly where the resources created by the Helm chart will be deployed:
kubectl create namespace czertainly
There are a couple of options for configuring the CZERTAINLY deployment, depending on your TLS setup and administrator certificate handling. We will use the basic configuration for the purpose of this guide.
The platform will be deployed using default values, with the connection to our database, and with an Ingress resource using a self-signed certificate that will authenticate our pre-generated administrator.
We can start the installation with the Helm command, where:
- ingress.enabled – enables the Ingress resource with mTLS
- hostName – hostname configured for the Ingress resource (a bare DNS name, since it is used in both the host rule and the certificate)
- global.database.name – database name, propagated to all sub-charts that require the database
- global.database.port – database port, propagated to all sub-charts that require the database
- czertainly-tlm – the Helm release name
- oci://harbor.3key.company/czertainly-helm/czertainly – the OCI chart reference from which to pull
helm install --namespace czertainly \
  --set ingress.enabled=true \
  --set hostName=czertainly.local \
  --set global.database.port=30107 \
  --set global.database.name=czertainly \
  czertainly-tlm \
  oci://harbor.3key.company/czertainly-helm/czertainly
Only the database name and port are overridden here; the remaining connection parameters (host, user, password) are left at the chart's defaults and should be set for your environment from the chart's documented values.
Now, wait a few minutes for Kubernetes to pull all required container images (if they are not already present locally) and create all the resources required for the CZERTAINLY deployment. When CZERTAINLY is deployed, you should see that all pods are ready and running using the kubectl get all -n czertainly command.
During the initial deployment, the database is bootstrapped, the first administrator is registered as superadmin, and all enabled connectors are pre-registered so that they are available in the platform. Access to the administrator web interface is provided through the Ingress resource, which is configured to trust the administrator certificate issued by the CZERTAINLY Dummy Root CA.
Import the first administrator certificate into your browser. Now you can access the administrator web interface; you will be prompted to authenticate with the certificate:
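The whole procedure above as one script is an added example; it is not part of the original post or of the CZERTAINLY project. It assumes psql, kubectl, helm and openssl on the PATH, a PostgreSQL superuser connection taken from the usual PG* environment variables, the chart value names used in this guide, and, for the final step, the pre-generated administrator certificate and key exported as PEM files named admin.crt and admin.key (an assumption about where you put them, not something the chart prescribes). Beyond the commands in the text it validates the hostName value before it reaches the Ingress and the certificate, creates the database with the application user as owner (which also works on PostgreSQL 15+), waits for the release instead of eyeballing pod status, and checks that the Ingress really asks for a client certificate.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or the CZERTAINLY project): the
# deployment steps of this guide as one script, with input checks and a
# post-install mTLS check. Assumptions: psql/kubectl/helm/openssl on PATH,
# PG* environment variables pointing at a PostgreSQL superuser, and the chart
# value names used in the guide.

NAMESPACE="${NAMESPACE:-czertainly}"
RELEASE="${RELEASE:-czertainly-tlm}"
CHART="${CHART:-oci://harbor.3key.company/czertainly-helm/czertainly}"
CZ_HOST="${CZ_HOST:-czertainly.local}"
DB_NAME="${DB_NAME:-czertainly}"
DB_USER="${DB_USER:-czertainlyuser}"
DB_PORT="${DB_PORT:-30107}"

# hostName becomes the Ingress host rule and the certificate name, so it must be
# a bare DNS name: no scheme, no port, no path.
valid_hostname() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Unquoted SQL identifiers: restrict to plain lower-case names.
valid_identifier() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_]{0,62}$'
}

# Escape a value for use inside a single-quoted SQL string literal.
sql_quote() {
  printf '%s' "$1" | sed "s/'/''/g"
}

# The --set flags from the guide as one string; callers expand it unquoted,
# which is safe only because every value has been validated to contain no spaces.
helm_set_args() {
  printf '%s' "--set ingress.enabled=true --set hostName=$1 --set global.database.port=$2 --set global.database.name=$3"
}

# Create role and database. The database is created with the role as OWNER
# instead of GRANT ALL PRIVILEGES ON DATABASE: on PostgreSQL 15+ the public
# schema is owned by pg_database_owner, so ownership is what lets the
# application create its tables. The password travels on stdin, not in argv.
init_database() {
  pw=$(sql_quote "$DB_PASSWORD")
  psql -v ON_ERROR_STOP=1 <<EOF
CREATE USER "$DB_USER" WITH PASSWORD '$pw';
CREATE DATABASE "$DB_NAME" OWNER "$DB_USER" ENCODING 'UTF8'
  LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE=template0;
EOF
}

# With mTLS on the Ingress the server requests a client certificate; openssl
# prints the advertised client CA names (or reports that none were sent).
# The list should include the CZERTAINLY Dummy Root CA from the guide.
check_mtls() {
  openssl s_client -connect "$CZ_HOST:443" -servername "$CZ_HOST" </dev/null 2>/dev/null \
    | grep -A 3 'client certificate CA names'
}

# Browsers import the administrator identity as PKCS#12 (certificate + key).
# admin.crt / admin.key are assumed PEM exports of the pre-generated administrator.
admin_p12() {
  openssl pkcs12 -export -in "${1:-admin.crt}" -inkey "${2:-admin.key}" \
    -out admin.p12 -name "CZERTAINLY administrator"
}

deploy() {
  for tool in psql kubectl helm openssl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
  done
  [ -n "${DB_PASSWORD:-}" ] || { echo "DB_PASSWORD is not set" >&2; return 1; }
  valid_hostname "$CZ_HOST" || { echo "hostName must be a bare DNS name: $CZ_HOST" >&2; return 1; }
  valid_port "$DB_PORT" || { echo "bad database port: $DB_PORT" >&2; return 1; }
  valid_identifier "$DB_NAME" && valid_identifier "$DB_USER" \
    || { echo "database name/user must be plain lower-case identifiers" >&2; return 1; }

  init_database
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
  # --wait blocks until the release's Deployments/StatefulSets report ready
  # (bounded by --timeout), replacing "wait a few minutes and look at kubectl get all".
  # shellcheck disable=SC2046
  helm install --namespace "$NAMESPACE" --wait --timeout 10m \
    $(helm_set_args "$CZ_HOST" "$DB_PORT" "$DB_NAME") "$RELEASE" "$CHART"
  kubectl get all -n "$NAMESPACE"
  check_mtls
}

# Only act when explicitly asked, so the file can also be sourced for its helpers.
case "${1:-}" in --run) deploy ;; esac
```

Run it as `DB_PASSWORD='your-strong-password' sh deploy.sh --run`; without `--run` it only defines the functions, so `admin_p12` can be called on its own once you have the administrator PEM files, and the resulting admin.p12 is what the browser import step above expects.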
And that’s it! CZERTAINLY platform is successfully deployed, and you can start building your certificate inventory, visibility, and automation.
Custom and advanced setup
The CZERTAINLY Helm chart is available as an open-source GitHub repository. All configurable values are described there, and you can learn how to deploy the platform with your own trusted certificate chain, how to deploy only the connectors you require, how to scale the platform for high availability and failover, and much more.
Helm charts are also available for the other components and services that are part of the deployment. You therefore have the flexibility to build a custom deployment that fits your infrastructure.
Get more information about CZERTAINLY
CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.
Do not hesitate to get in touch with us!