How to Secure Cloud-Native Applications With HashiCorp Vault and Cert Manager

When companies talk about security, they are referring to preventing data loss and securely automating and integrating applications.

That cannot be done without knowing who is doing what to which assets, and that is where identity management, like HashiCorp Vault, comes in. The “who” in the equation becomes very important.

Properly issued certificates enable end-to-end security through a trusted chain of identities.

As with most security objectives, there is usually tension between the requirement to make things secure and the need to get the actual work done. The art is to balance the two conflicting requirements; one way to reduce the burden on the developer is to automate as much as possible.

In this blog, we will illustrate how OpenShift together with Cert Manager and HashiCorp Vault can be used to achieve an automated and reproducible process to increase the security of applications.

From the developer’s point of view, this automated approach is easy to use and is also instrumented so that we know what is going on and can take appropriate action if it fails.

Certificate Authority

The purpose of a Certificate Authority (CA) is to validate and issue certificates. A CA may be a third-party entity, or an organization may run its own CA to issue digital certificates.

An intermediate certificate authority is a CA signed by a superior CA (for example, a root CA or another Intermediate CA) and signs CAs (for example, another intermediate or subordinate CA).

An intermediate CA sits in the middle of the trust chain, between the trust anchor (the root CA) and the subscriber certificates and subordinate CAs it issues. So why not use a root CA directly?

Typically, the root CA does not sign server or client certificates directly. The root CA is used only to create one or more intermediate CAs. Using an intermediate CA is primarily a security measure: the root CA is hosted elsewhere in a secure place, kept offline, and used as infrequently as possible.

So, it is better not to expose the root within target environments and instead to issue a shorter-lived intermediate CA. If an intermediate key is ever compromised, the root can revoke it and issue a replacement without the trust anchor itself having to change. Using an intermediate CA also aligns with industry best practice.

CA Hierarchy

In large organizations, it may be ideal to delegate responsibility for issuing certificates to different certificate authorities for granular security controls appropriate to each CA.

For example, the number of certificates may be too large for a single CA to effectively track the certificates it has issued; or each departmental unit may have different policies and rules, such as validity periods; or it may be important to differentiate certificates for internal or external communication.
