PKI and Signature Services for Microservices and DevOps Environments

Microservices as an architectural approach to software development are based on building an application as a collection of small services, typically orchestrated by an automated system. Adoption of microservices is related to the use of DevOps, continuous integration and continuous delivery (CI/CD), and containers.

The term microservices covers many aspects and means different things to different people. One aspect that typically comes to mind is deploying and managing large numbers of services, usually in the form of lightweight servers, which in turn creates the need to automate the configuration of servers and applications, including the security keys and credentials they need.

Related to PKI, PrimeKey recognizes the importance of our products being DevOps-friendly, which covers two cases:

  • Configuring and running the PKI products in a DevOps environment; see Deploying PKI and Signature Services in DevOps Environments.

  • Managing (non-PKI) applications in a DevOps environment securely, providing applications with certificates, digital signatures, and credentials as services are created and destroyed.

The following sections cover topics related to the second case, managing (non-PKI) applications in a DevOps environment securely.

Managing PKI Credentials and Machine Identities for Applications in DevOps

When deploying many services, the management of both machine identities and secrets needs to be taken into account. Managing PKI credentials and machine identities for applications should preferably be automated, but still be as secure as possible. For more information on issuing and managing PKI credentials and machine identities for applications in DevOps, and on how to automatically provision certificates to containers in Kubernetes, see Managing PKI Credentials and Machine Identities for Applications.

Using EJBCA Enterprise to Issue and Manage Certificates through (Hashicorp) Vault

HashiCorp Vault is a popular product for managing secrets, and when using microservices at scale there are many services and secrets to manage. HashiCorp Vault includes a built-in Certification Authority (CA); however, using that standalone CA creates a separate PKI that is not connected to the corporate PKI. A separate PKI is often not desired in organizations, as it will not meet regulatory or other security requirements. For more information on ways to incorporate Vault PKI into a controlled, corporately managed PKI, see Using EJBCA Enterprise to Issue and Manage Certificates through (Hashicorp) Vault.

Code Signing

No DevOps environment is complete without secure code signing solutions, enabling DevOps teams to:

  • Sign application code being developed

  • Sign containers being deployed

  • Enable verification of digital signatures, preventing unauthorized software from being installed

With SignServer Enterprise, it is easy to integrate secure code signing into the CI/CD pipeline, for example with Jenkins. For more information, refer to the SignServer how-to guide How To Integrate Jenkins with SignServer for Automated Code Signing.