Question: how do you guys manage SSL certs? Looking for a simple but secure way to manage SSL certs. I'm running mostly everything on AWS (EC2, S3, etc.)

Asked At: 2018-05-07 23:17:37

Found 15 possible answers.

User Answered At Possible Answer
coderanger 2018-05-07 23:18:33 ACM
nick.lemouton 2018-05-07 23:18:36 if it's on AWS, then try ACM
diazswag209 2018-05-07 23:19:09 I can't register certs through ACM, but would ACM allow me to upload certs to it?
nick.lemouton 2018-05-07 23:19:13 if it's a mix then you can use config management (Puppet, Chef etc)
diazswag209 2018-05-07 23:19:36 How to do it through Chef securely? Right now I have Chef downloading from an S3 bucket.
nick.lemouton 2018-05-07 23:19:46 no idea, in Puppet we use eyaml for certs
coderanger 2018-05-07 23:19:51 You don't upload to ACM, it creates them for you
nick.lemouton 2018-05-07 23:19:53 so the keys are encrypted
diazswag209 2018-05-07 23:20:04 @coderanger we have a third-party cert creator, so it's not through ACM
coderanger 2018-05-07 23:20:06 @nick.lemouton That is really not a good idea >_< Or at least you better _seriously_ trust your puppetmaster
diazswag209 2018-05-07 23:20:37 @nick.lemouton I think a next level up would be to secure your EC2 instances using an IAM role, and giving that IAM role just enough access to download S3 certs
nick.lemouton 2018-05-07 23:20:44 we do, it would be a bit hard if you didn't trust your puppetmaster
coderanger 2018-05-07 23:21:06 @diazswag209 Better is to use SSM ParamStore rather than S3. It was built for this
diazswag209 2018-05-07 23:21:28 @coderanger interesting, I'll have to read up on it... because with S3, IAM roles are fine, but once someone gets into the server, they can download the SSL cert from S3
coderanger 2018-05-07 23:21:51 @nick.lemouton eyaml is a cute hack but not a very good isolation mechanism :slightly_smiling_face: