How to Love HashiCorp Vault Even More

You can now request both public and private certificates.

Sandra Chrust
DevSecOps - Security as Code

--

Traditional tooling like OpenSSL and frameworks like CFSSL can be cumbersome for developers. Given that DevOps is all about speed, developers don’t want to get bogged down with complex solutions. This explains why HashiCorp Vault has become so popular.

Vault is great for secrets management, encryption as a service, and privileged access management. It is a lightweight, portable solution that doesn’t need a lot of infrastructure.

The Problem That Vault Solves

A typical DevOps pipeline can have over a hundred different tools. In fact, many DevOps tools have their own secrets stores (e.g. Kubernetes secrets, Ansible Vault). But, they all approach SSL/TLS certificates differently. As a result, developers must take the time to learn each tool. Using different approaches also makes code more complex.

Vault simplifies SSL/TLS certificate issuance. It abstracts the secret store from applications to reduce and manage “secret sprawl.”

Check out this overview video from Armon Dadgar, HashiCorp’s co-founder and CTO, if you need a primer.

Why Developers Love Vault

Developers love how Vault makes it easy to generate and store SSL/TLS certificates on demand. Vault’s native PKI engine generates self-signed certificates. It can also be configured to issue certificates from a private PKI subordinate certificate authority (e.g. Microsoft CA), but it is not natively integrated with certificate authorities (CAs) that issue certificates trusted by all browsers. Keep reading and we’ll tell you why this is a challenge and how to overcome it. Also, check out this cloud operating model white paper from HashiCorp that explains this in more detail.

Some Certificates Are Still Hard to Get

External-facing (or publicly-trusted) certificates are trusted by every browser. These are particularly important in production environments. A prime challenge for application development teams is the procurement of these types of certificates. But why? Let’s discuss each type and how DevOps teams acquire them.

What are Internal vs. External Certificates?

Certificate chains can be complicated to understand. Most organizations leverage many CAs. For internal-facing applications, InfoSec generally sets up internal issuing CAs. The internal root CA is then added to all employee browsers to prevent browser warnings.

But, for external applications, organizations use certificates from publicly-trusted CAs. These CAs (e.g. DigiCert, Entrust, GlobalSign) can issue certificates that all browsers trust.

Getting External Certificates is Challenging

The process for getting publicly-trusted certificates varies by team and environment. DevOps teams often don’t have an automated way of getting certificates from publicly-trusted CAs. So, what do they do?

  • Submit a ticket and wait for the PKI team (snooze alert!)
  • Use a certificate from their cloud provider (e.g. AWS)
  • Get a certificate from Let’s Encrypt (is this policy compliant?)
  • Code against the CA’s API or use the web console
  • Bang head against wall (or avoid certificates altogether)

You Can Do More With Vault

Vault’s ability to simplify, automate, and speed up internal certificate issuance is a huge accomplishment. But Vault’s plug-in architecture (when integrated with Venafi) can make Vault even more of a one-stop shop for certificates. Imagine a world where developers can use Vault to:

  • Request publicly-trusted certificates using native Vault commands
  • Enroll certificates that follow enterprise security policy
  • Provide the security team visibility to all the certificates issued by Vault

Fall In Love With Vault All Over Again

Fortunately, the Vault team had the foresight to create a pluggable architecture. As a leader in machine identity protection, Venafi extends the value of Vault by integrating in two ways:

  1. Venafi’s Secrets Engine for Vault facilitates certificate enrollment from over 40 internal and publicly-trusted CAs and enforces InfoSec policies automatically. With this powerful integration, developers can:
  • Use native Vault commands to get any type of certificate within policy
  • Avoid custom coding for individual CAs
  • Have a consistent approach for certificates
  • Simplify their code and accelerate development
  • Operate multi- and hybrid cloud environments

And, InfoSec gets visibility into issued certificates and centralized policy controls. This enables security teams to:

  • Empower developers to consume certificates using the tools they love
  • Enforce enterprise certificate policy, seamlessly from a single place
  • Get visibility and reporting to certificates in use
  • Respond to audits quickly and easily
  • Remediate issues quickly without impacting DevOps (e.g. CA compromise, breach, cloud provider change, etc.)

  2. Venafi also interacts with Vault in a disconnected manner. The Venafi Monitor Engine oversees certificate issuance activity within Vault. It enforces policy and pushes certificates to Venafi so that InfoSec can view them for audit and compliance purposes. This helps keep DevOps moving fast while keeping the business secure and compliant. For technical details, check out this blog post from HashiCorp Solutions Engineering.

Venafi and Vault together help developers go faster and support InfoSec requirements. To try out this amazing integration, sign up for a free Venafi Cloud DevOpsACCELERATE account and check out this GitHub page. You may just uncover a tool you can’t live without. For an overview of the problems that Venafi Cloud solves, check out the webinar Accelerate DevOps by Simplifying your PKI with Venafi and GlobalSign or the webinar Scale PKI for DevOps where this is put into action via a live demo.

Spoiler alert: it works with container orchestration, automation, configuration management, and many other tools, including Kubernetes, Ansible, OpenStack, Chef and more.

If you do try it out, let people know about it in the comments below or reach out anytime on LinkedIn or head on over to my profile.
