Securely identify digital entities with X.509 certificates
X.509 is a public key infrastructure (PKI) standard for securely identifying digital entities. At its core, X.509 lets you create and manage digital identities with cryptographic keys, certificates, and signature schemes.
The most common use case for X.509 is Transport Layer Security (TLS); the HTTPS protocol uses TLS to establish secure connections between web servers and browsers. You can also use X.509 for a range of security-oriented use cases, from encrypting email to identifying devices and workloads.
This guide provides details and resources you can use to secure digital entities in your use cases with X.509 certificates, along with an explanation of the benefits you gain from doing so. Learn about enabling certificate authorities, securing communications end to end, and handling certificate-based authentication for your use cases.
Build a certificate authority (CA)
Certificate authorities (CAs) play a crucial role in X.509 by issuing trusted certificates and maintaining a repository of certificates. CAs help you verify and authenticate identities across networks.
One of a security operator's responsibilities is managing those digital certificates. HashiCorp Vault provides features to ease the burden of certificate lifecycle management through automation. Vault offers a central place to secure and control access to tokens, passwords, certificates, and encryption keys. Dynamic secrets provide credentials to third-party services that match your password policies for complexity and lifecycle. Vault can also manage the revocation and rotation of secrets for you.
Vault dynamic secrets extend to X.509 public key infrastructure (PKI) certificates, where Vault acts as a root or intermediate CA to manage the lifecycle of short-lived certificates. The Vault PKI secrets engine enables your applications to generate managed certificates on demand. Vault also supports a rich set of functionality around TLS certificates, including Online Certificate Status Protocol (OCSP), Automatic Certificate Management Environment (ACME), and Certificate Issuance External Policy Services (CIEPS).
HashiCorp resources:
PKI secrets engine (API) and PKI secrets engine documentation
Revolutionizing certificate management with ACME and Vault (video)
PKI certificate issuance flexibility with Vault CIEPS blog post and documentation
Configure Vault as a certificate manager in Kubernetes with Helm
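The following Terraform configuration is an added example (not from the original page or from HashiCorp's documentation) of the PKI secrets engine setup described above, expressed through the Terraform Vault provider: mount the engine, generate an internal root CA whose private key never leaves Vault, publish CA and CRL URLs, define a tightly bounded role, and issue a short-lived leaf certificate through it. The mount path, hostnames, domain names and TTL values are assumptions for illustration, and the provider is assumed to pick up VAULT_ADDR and VAULT_TOKEN from the environment.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 4.0"
    }
  }
}

# Assumes VAULT_ADDR and VAULT_TOKEN are set in the environment.
provider "vault" {}

# Mount the PKI secrets engine with a short default lease and a hard cap.
resource "vault_mount" "pki" {
  path                      = "pki"
  type                      = "pki"
  description               = "Internal issuing CA (example)"
  default_lease_ttl_seconds = 3600    # 1 hour
  max_lease_ttl_seconds     = 2592000 # 30 days
}

# "internal" keeps the root private key inside Vault; it is never returned.
resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki.path
  type        = "internal"
  common_name = "Example Internal Root CA" # assumed name
  ttl         = "87600h"
  key_type    = "ec"
  key_bits    = 256
}

# Publish where clients fetch the issuing CA and the CRL (assumed hostname).
resource "vault_pki_secret_backend_config_urls" "urls" {
  backend                 = vault_mount.pki.path
  issuing_certificates    = ["https://vault.example.internal:8200/v1/pki/ca"]
  crl_distribution_points = ["https://vault.example.internal:8200/v1/pki/crl"]
}

# Role that bounds issuance: only subdomains of example.internal, server
# certificates only, short TTLs. Anything outside this is refused by Vault.
resource "vault_pki_secret_backend_role" "web" {
  backend            = vault_mount.pki.path
  name               = "web"
  allowed_domains    = ["example.internal"]
  allow_subdomains   = true
  allow_bare_domains = false
  allow_any_name     = false
  enforce_hostnames  = true
  server_flag        = true
  client_flag        = false
  key_type           = "ec"
  key_bits           = 256
  ttl                = "24h"
  max_ttl            = "72h"
}

# Issue a 24-hour leaf certificate through the role. With auto_renew set,
# Terraform re-issues it once less than min_seconds_remaining is left.
resource "vault_pki_secret_backend_cert" "app" {
  backend               = vault_mount.pki.path
  name                  = vault_pki_secret_backend_role.web.name
  common_name           = "app.example.internal"
  ttl                   = "24h"
  auto_renew            = true
  min_seconds_remaining = 3600
}

output "app_certificate_pem" {
  value = vault_pki_secret_backend_cert.app.certificate
}

output "app_private_key_pem" {
  value     = vault_pki_secret_backend_cert.app.private_key
  sensitive = true
}
```

The role is the control point worth reviewing: allowed_domains with enforce_hostnames, server_flag without client_flag, and a max_ttl of days rather than years are what keep a compromised caller from minting arbitrary or long-lived identities. Note that the leaf private key in this pattern passes through Terraform state, so that state must be protected accordingly; a workload that can reach Vault directly is better served by requesting its certificate itself.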
Authenticate application workloads with TLS certificates
You should authenticate and identify your application workloads to ensure their integrity, security, and reliability. Without proper authentication or identification, your application workloads are less secure, more difficult to monitor and troubleshoot, and can also be at risk of noncompliance with regulations and standards, like GDPR, HIPAA, and PCI-DSS.
Authenticating and identifying your application workloads has the following key benefits:
- Optimize resources: manage resource allocation more efficiently by authenticating application workloads. For example, by authenticating workloads with TLS, network systems can shape traffic around authenticated and unauthenticated workloads for more efficient use of network resources. Load balancing and autoscaling solutions can also be configured to prioritize TLS-enabled applications.
- Improve observability: gain deeper insights into applications and their behavior, performance, and resource usage by accurately identifying application workloads with each application's TLS certificate information.
- Adhere to regulations or standards: authentication and identification provide a clear access audit trail to help ensure compliance.
- Securely operate: prevent unauthorized access to data or resources.
Authenticate application workloads with Vault
Your application workloads can authenticate with Vault, and use it as an identity provider with Vault Agent, the TLS certificate auth method, and response wrapping.
Vault's TLS certificate auth method allows authentication using SSL/TLS client certificates which are either signed by a CA or self-signed.
Vault Agent is a client-side daemon that makes requests to Vault on behalf of a client application. This includes authenticating to Vault with TLS certificates through the Vault Agent Auto-Auth cert method.
You can also use Vault Agent to template secrets with the Consul Template syntax, and render the secrets to files where the client application can use them. Vault Agent also has a process supervision feature to send commands or signals to services to reload or restart them after templated credential rotation.
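The Vault Agent configuration below is an added example (not from the original page) that ties together the three pieces named above: Auto-Auth with the cert method, a response-wrapped token sink, and a template that renders a secret to a file and reloads the service when it changes. The Vault address, certificate paths, cert-auth role name "web", the KV path secret/data/app/db and the systemd unit name are assumptions; the role is assumed to already exist on the auth/cert mount with a trusted CA and a policy attached.

```hcl
# vault-agent.hcl (added example configuration)
pid_file = "/run/vault-agent/pidfile"

vault {
  address = "https://vault.example.internal:8200"
  # CA that issued Vault's own server certificate, so the Agent verifies
  # it is talking to the real Vault and not an impostor.
  ca_cert = "/etc/vault-agent/vault-ca.pem"
}

auto_auth {
  # Authenticate with the workload's client certificate against the cert
  # auth method. Vault checks the certificate against the CA configured on
  # the "web" cert role and returns a token carrying that role's policies.
  method "cert" {
    mount_path = "auth/cert"
    config = {
      name        = "web"
      client_cert = "/etc/app/tls/client.crt"
      client_key  = "/etc/app/tls/client.key"
    }
  }

  # Response-wrapped sink: the file holds a single-use wrapping token that
  # the consumer must unwrap within wrap_ttl. A copy read by the wrong
  # party after the legitimate unwrap is useless, and the unwrap failure
  # is visible in Vault's audit log.
  sink "file" {
    wrap_ttl = "5m"
    config = {
      path = "/run/vault-agent/token"
      mode = 0640
    }
  }
}

# Render a database password from KV v2 into an env file the application
# reads, then reload the service so the rotated credential takes effect.
template {
  contents    = "DB_PASSWORD={{ with secret \"secret/data/app/db\" }}{{ .Data.data.password }}{{ end }}\n"
  destination = "/run/app/db.env"
  perms       = "0600"
  exec {
    command = ["systemctl", "reload", "app.service"]
    timeout = "30s"
  }
}
```

The client key at /etc/app/tls/client.key is the workload's identity; restrict its file permissions to the Agent's user, and keep the certificate's lifetime short so that rotation (re-issuing from the PKI engine) rather than revocation is the normal path when a host is retired.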
Authenticate application workloads with Consul
You can implement a zero trust security model by authenticating and authorizing all service-to-service communications with Consul to mitigate unauthorized access and lateral movement within your network environments. Consul also enables fine-grained access control through ACL policies, which you can use to limit access to specific API endpoints and service mesh features.
When you authenticate application workloads with Consul, you eliminate hard-coded credentials and addresses. You also improve compliance through audit trails, monitoring, and centralized policy management. You can also define your policies as code, version control them, and quickly update policies as requirements change.
You can authenticate your application workloads on Consul with the following methods:
- ACL tokens: Consul uses ACL tokens as its primary method of authentication. ACL tokens can take the form of static tokens or dynamic tokens backed by an auth method.
- TLS certificates: Consul supports TLS certificates to enhance security of application workloads with service-to-service authentication.
- JWT (with Vault): Consul can integrate with Vault to leverage JWT authentication for dynamic workload identities.
Keep in mind the following best practices when you authenticate your application workload with Consul:
- Principle of least privilege: assign the minimal required capabilities and permissions to ACL tokens and TLS certificates.
- Regular rotation: implement processes to regularly rotate ACL tokens.
- Secure storage: keep your certificates and tokens secure, ideally in a secrets management solution, like Vault.
- Monitoring: enable logging and metrics to track authentication and authorization activities.
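As an added example (not from the original page) of the TLS and ACL methods and the least-privilege practice above, here is a Consul agent configuration that requires mutually verified TLS on agent traffic and denies everything by default, followed by an ACL policy that grants a "web" workload only what it needs. The certificate file names are the defaults produced by `consul tls ca create` and `consul tls cert create -server`; the datacenter name, paths and service names are assumptions.

```hcl
# consul-agent.hcl (added example): mutual TLS between agents, default-deny ACLs
datacenter = "dc1"
data_dir   = "/opt/consul"

tls {
  defaults {
    ca_file   = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file = "/etc/consul.d/certs/dc1-server-consul-0.pem"
    key_file  = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"
    # Reject inbound connections that do not present a certificate signed by ca_file.
    verify_incoming = true
    # Refuse to talk to any peer whose certificate is not signed by ca_file.
    verify_outgoing = true
  }
  internal_rpc {
    # Server certificates must carry server.dc1.consul, so a leaked client
    # certificate cannot be used to impersonate a server.
    verify_server_hostname = true
  }
}

acl {
  enabled                  = true
  default_policy           = "deny" # no token, no access
  enable_token_persistence = true
}

# ---------------------------------------------------------------------------
# web-policy.hcl (added example): least-privilege policy attached to the token
# that the "web" workload and its sidecar proxy use. Registered with
#   consul acl policy create -name web -rules @web-policy.hcl
# and bound to a token with
#   consul acl token create -policy-name web
# ---------------------------------------------------------------------------
service "web" {
  policy = "write" # register and update only its own service instance
}
service "web-sidecar-proxy" {
  policy = "write" # the Connect sidecar registers under this name
}
service_prefix "" {
  policy = "read" # discover upstream services, but not modify them
}
node_prefix "" {
  policy = "read" # resolve node addresses for upstreams
}
```

With default_policy set to "deny", every API call that arrives without a token, or with a token lacking the relevant rule, is refused and logged, which is what gives you the audit trail the section describes. Keep the token that carries this policy in Vault and rotate it on a schedule rather than baking it into images.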
Manage TLS with infrastructure as code
If your use case requires TLS certificates, but does not require signing by established certificate authorities, you can provision self-signed certificates. A self-signed certificate is a certificate that is issued by the same entity that requests it, and does not have the same chain of trust as a certificate signed by an authority. These certificates are typically used in non-production cases, like development and testing.
One way to provision these kinds of certificates is through infrastructure as code. This allows consistent and repeatable certificate provisioning without the overhead of involving established CAs like Vault for signing and verifying.
Provision TLS certificates and keys
Terraform providers can be thought of as clients or plugins for an API, and they serve as the actor that transforms configuration resources into infrastructure. You can use infrastructure as code to create and manage the lifecycle of self-signed certificates with Terraform and the TLS provider.
The TLS provider has utilities for working with Transport Layer Security keys and certificates. It also provides resources for creating private keys, certificates, and certificate requests as part of a Terraform deployment.
Some benefits from using the Terraform TLS provider to manage your self-signed certificates include:
- The TLS provider enables you to manage your certificates and keys with infrastructure as code.
- You can use the TLS provider to automate your certificate and key issuance and lifecycle management.
- Your TLS configuration is reproducible across different environments, and you can avoid configuration drift and related issues.
- By managing your TLS configuration with Terraform, you gain an audit trail of all changes to your configuration.
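The Terraform configuration below is an added example (not from the original page) of provisioning certificates with the TLS provider for a development environment. It goes one step beyond a single self-signed certificate: it creates a self-signed development CA with tls_self_signed_cert, then a server key, a certificate request, and a leaf certificate signed by that CA with tls_locally_signed_cert, so test clients can trust one CA instead of pinning every self-signed leaf. The names, host names and validity periods are assumptions.

```hcl
terraform {
  required_providers {
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4.0"
    }
  }
}

# Development CA key. Kept in Terraform state, which is why this pattern is
# for non-production use only.
resource "tls_private_key" "ca" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

# Self-signed CA certificate: issuer and subject are the same entity.
resource "tls_self_signed_cert" "ca" {
  private_key_pem   = tls_private_key.ca.private_key_pem
  is_ca_certificate = true

  subject {
    common_name  = "Example Dev CA"   # assumed name
    organization = "Example Dev"
  }

  validity_period_hours = 24 * 30 # 30 days
  early_renewal_hours   = 24 * 3  # plan re-creates it 3 days before expiry
  allowed_uses          = ["cert_signing", "crl_signing", "digital_signature"]
}

# Separate key for the server, so the CA key is never deployed to the host.
resource "tls_private_key" "server" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "server" {
  private_key_pem = tls_private_key.server.private_key_pem

  subject {
    common_name = "app.dev.example.internal" # assumed host name
  }

  dns_names    = ["app.dev.example.internal", "localhost"]
  ip_addresses = ["127.0.0.1"]
}

# Leaf certificate signed by the dev CA rather than by itself. Short lifetime
# plus early_renewal_hours means `terraform apply` rotates it before expiry.
resource "tls_locally_signed_cert" "server" {
  cert_request_pem   = tls_cert_request.server.cert_request_pem
  ca_private_key_pem = tls_private_key.ca.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.ca.cert_pem

  validity_period_hours = 24 * 7
  early_renewal_hours   = 24
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}

# The CA certificate is what test clients install as a trust anchor.
output "dev_ca_cert_pem" {
  value = tls_self_signed_cert.ca.cert_pem
}

output "server_cert_pem" {
  value = tls_locally_signed_cert.server.cert_pem
}

output "server_key_pem" {
  value     = tls_private_key.server.private_key_pem
  sensitive = true
}
```

Because every private key here lives in Terraform state, treat the state file as a secret (encrypted remote backend, restricted access) even for development; this is also the reason the section reserves the pattern for non-production cases.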
Use Automated Certificate Management Environment (ACME)
ACME simplifies certificate lifecycle management by providing a standardized protocol for the automation of common operations, such as certificate requests and renewals. If you use an external CA like Let's Encrypt, you can use the ACME provider. ACME is an evolving standard for automating a domain-validated certificate authority.
Clients register with an authority using a private key and contact information, and answer challenges for claimed domains by supplying data issued by the authority over HTTP or DNS.
Through this process, clients prove that they own the domains in question and can request certificates via the CA. No part of this process requires user interaction, which is a conventional blocker in obtaining a domain-validated certificate.
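The configuration below is an added example (not from the original page) of the registration-then-challenge flow just described, written for the community ACME Terraform provider (vancluever/acme), which is assumed to be the provider the section refers to: an account key and registration, then a certificate whose domain control is proven with a DNS-01 challenge. It points at the Let's Encrypt staging directory so runs do not consume production rate limits; the domain names, contact address and the Route 53 DNS provider (whose AWS credentials are assumed to be in the environment) are assumptions.

```hcl
terraform {
  required_providers {
    acme = {
      source  = "vancluever/acme"
      version = "~> 2.0"
    }
    tls = {
      source = "hashicorp/tls"
    }
  }
}

provider "acme" {
  # Staging issues untrusted test certificates with generous rate limits.
  # Switch to https://acme-v02.api.letsencrypt.org/directory for production.
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# Account key: identifies this client to the CA. Loss of this key means
# loss of the account, so it belongs in protected state or a secrets store.
resource "tls_private_key" "account" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

# Registration: the client proves possession of the account key and
# supplies contact information (assumed address).
resource "acme_registration" "account" {
  account_key_pem = tls_private_key.account.private_key_pem
  email_address   = "ops@example.com"
}

# Certificate order. The provider answers the CA's DNS-01 challenge by
# publishing the issued token in _acme-challenge TXT records via Route 53,
# which proves control of the zone without any human interaction.
resource "acme_certificate" "web" {
  account_key_pem           = acme_registration.account.account_key_pem
  common_name               = "www.example.com"
  subject_alternative_names = ["example.com"]
  key_type                  = "P256"

  # Renew on apply once fewer than 30 days remain (provider default shown
  # explicitly so the renewal window is visible in review).
  min_days_remaining = 30

  dns_challenge {
    provider = "route53"
  }
}

output "web_certificate_pem" {
  value = acme_certificate.web.certificate_pem
}

output "web_issuer_pem" {
  value = acme_certificate.web.issuer_pem
}

output "web_private_key_pem" {
  value     = acme_certificate.web.private_key_pem
  sensitive = true
}
```

DNS-01 is preferred over HTTP-01 when the host is not publicly reachable or when you need wildcard names, but it gives Terraform write access to your DNS zone, so scope the DNS credentials to the _acme-challenge records only.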
Next steps
In this guide you learned how to use HashiCorp tools to secure digital entities with X.509 certificates, along with the benefits you gain when you do so. Specifically, you learned how to use Vault as a certificate authority and to secure application workloads with TLS authentication. You also learned how to use Consul to secure application workloads, and how Terraform can assist you with provisioning self-signed certificates and using ACME.
You can continue to learn more about best practices to protect sensitive data in our Well-Architected Framework content.