Looking for advice on deploying internal CA infrastructure.
For the past several years I have been looking for the "right" fit for an internal certificate authority. I am a member of the Linux Engineering team and have found myself repeatedly stumped when it comes to the "right" solution. Something better than our internal Microsoft CAs. I might be looking for three systems stacked (thoughts?). One for automation (serve out API and provision to potential CA system), an actual CA system that generates and tracks certificates, and possibly a secret store like HashiCorp Vault to store the keys.
Features wish list:
Automate-able (ideally some web API like REST, command line, and Python libraries would be a plus).
Monitoring of expiration time for all deployed certs.
Looking at a couple of projects to see how close I can get on my own. Perhaps an internal LetsEncrypt setup (https://letsencrypt.org) or something with CloudFlare SSL (https://github.com/cloudflare/cfssl or https://cfssl.org).
Reading this is giving me ideas:
I found an enterprise product that can "front" for several different "enterprise" CAs (namely Microsoft CA which we have in house already trusted because of Active Directory) called AppViewX Cert+ (https://www.appviewx.com/products/cert/) that has a lot of the features I would like to see in a more open project.
Part of the driver for this is the introduction of a new microservice architecture that can dynamically spin up services on demand (DC/OS or Kubernetes/OpenShift style) and I want to be able to build the requesting, provisioning, and monitoring of certificates into the stack (instead of handing out a wildcard everywhere).
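As an added example (not code from the original post, nor from cfssl, Vault or any product named above), here is a minimal Go sketch of the pieces the post asks for: an internal root CA, short-lived per-service certificates issued in place of a wildcard, and the expiry/trust check a monitor would run over each deployed cert. The CA name and the service hostname are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign: fresh Ed25519 key and random 127-bit serial for tmpl, signed by parentKey (nil = self-signed root).
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewInternalCA builds the self-signed root of the internal PKI ("Example Internal Root CA" is a constructed name).
func NewInternalCA(now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	return sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Example Internal Root CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
	}, nil, nil)
}
// IssueServiceCert issues a short-lived cert bound to one service name, so no service needs a shared wildcard.
func IssueServiceCert(ca *x509.Certificate, caKey ed25519.PrivateKey, name string, now time.Time, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	return sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, NotBefore: now, NotAfter: now.Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}
// DaysRemaining is the monitoring check: leaf must chain to roots for its name; returns whole days to expiry, or an error (do not trust).
func DaysRemaining(leaf *x509.Certificate, roots *x509.CertPool, name string, now time.Time) (int, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, CurrentTime: now}); err != nil {
		return 0, err
	}
	return int(leaf.NotAfter.Sub(now).Hours() / 24), nil
}
```

A real deployment would keep the CA key in the secret store (Vault, for instance) and call an issuance API rather than signing in-process; the verify-then-count check is what the monitor runs against every cert it collects.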