
Securing SSL Keys (for production web application) with Puppet and Hiera

I'd like to know what is the best way to secure SSL keys and certificates for web applications. I am using the roles/profiles pattern. Here is the scenario:

Now the SSL keys and certs are checked in the same repo and that's probably not the best way to do it. I am considering using hiera-eyaml module and then put the encrypted version of these certs and keys in a hiera file.

I was just wondering if that's the way most of the people do this? Or are there better ways of handling this?


  • I currently use hiera-eyaml on projects. We use the PKCS encryption, give everyone the public key so that they can make modifications, and the private key only exists on the puppet master and a secure backup. It has just worked after we got it set up; everyone quickly got used to using the tooling to encrypt values.
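As an added example, not taken from the question or the comment above: the layout the comment describes (eyaml backend in hiera.yaml, private key only on the master, everyone else encrypting with the public key) together with a profile that writes the decrypted key to disk with restrictive permissions. The class name profile::ssl_cert, its Hiera keys, the file paths, the puppetlabs-stdlib Stdlib::Absolutepath type and the ENC[...] placeholder are assumptions, not values from the page.

```puppet
# hiera.yaml (Hiera 5) level that enables the eyaml backend. Only the Puppet
# master holds private_key.pkcs7.pem; contributors get public_key.pkcs7.pem.
#
#   hierarchy:
#     - name: "Encrypted secrets"
#       lookup_key: eyaml_lookup_key
#       paths:
#         - "nodes/%{trusted.certname}.eyaml"
#         - "common.eyaml"
#       options:
#         pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
#         pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
#
# common.eyaml, where the key value was produced with `eyaml encrypt -f server.key`
# (the ENC[...] payload below is a placeholder, not real ciphertext; the public
# certificate is not secret and can stay in clear text):
#
#   profile::ssl_cert::certificate: |
#     -----BEGIN CERTIFICATE-----
#     ...
#     -----END CERTIFICATE-----
#   profile::ssl_cert::private_key: >
#     ENC[PKCS7,<placeholder-ciphertext>]

class profile::ssl_cert (
  String $certificate,   # filled from Hiera by automatic parameter lookup
  String $private_key,   # decrypted by the eyaml backend on the master only
  Stdlib::Absolutepath $cert_path = '/etc/ssl/certs/webapp.crt',    # assumed path
  Stdlib::Absolutepath $key_path  = '/etc/ssl/private/webapp.key',  # assumed path
) {
  file { $cert_path:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $certificate,
  }

  file { $key_path:
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',                   # key readable by root only
    content   => Sensitive($private_key),  # redacted from reports and logs
    show_diff => false,                    # never print key material in agent diffs
  }
}
```

The agent still receives the decrypted key inside its catalog, so the decryption boundary is the master plus the node that needs the key, which is what keeps the private PKCS7 key off every contributor's workstation.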