This document discusses how HashiCorp Vault and Puppet can be used together to dynamically manage SSL/TLS certificates across platforms. Vault's PKI secrets engine is used to sign certificates while Puppet distributes the certificates and keys to servers and configures services to use the certificates. On Linux, Puppet writes certificates to the filesystem and reloads services. On Windows, a Puppet function is used to embed certificates in the catalog so their thumbprints can be retrieved and used to configure services in the certificate store. This dynamic duo of Vault and Puppet enables centralized signing of certificates, auto-renewal, cross-platform distribution, and integration with services.

1. How the Dynamic Duo of
Vault and Puppet Tame SSL Certificates

2. Nick Maludy
@NickMaludy
github.com/nmaludy
Engineer, Husband, Dad

3. Self Signed Verification Flow
Server
Client
App/Browser
CA
public
Web Server
priv
pub
2. Pub Key
1. Hello
3. Verify PUB KEY
DOESN’T
MATCH
CA
NO TRUST!

4. Proper SSL Verification Flow
Server
Client
App/Browser
CA
public
Web Server
priv
pub
2. Pub Key
1. Hello
3. Verify PUB KEY
MATCHES
ONE OF
THE CAs
TRUSTED!

5. PKI Old School
Root CA
Linux Windows
Root Root
Public Private Public Private
Apache / Nginx IIS
CSR CSR
Public Public
CSR CSR
Manually
Copy
Manually
Copy
Sign Sign
Manually
Copy
Manually
Copy
Manually
Copy
Client Client
Root Root
Root

6. Villains
•Painful signed certs
•Oprah – self signed certs for everyone
•No trust
•Disable validation
•MITM Attacks
•Renewal and Expiration
•Security tickets

7. Call For Help
•Security
• Centrally signed with CA
• Validation enabled
• Strong ciphers
•DevOps
• Auto renewal
• Cross-platform
• Integrated with services

8. •Configuration Management
•Distribution
•encore/vault module
•vault_cert {}
•github.com/EncoreTechnologies/puppet-vault
Justice
HashiCorp Vault Puppet
•PKI Secrets Engine
•REST API

9. PKI with Vault + Puppet (vault_cert)
Root CA
Vault CA
Puppet Server
Root Vault
Sign Intermediate CA
Copy
Copy
Copy
Linux Windows
Root Vault Root Vault
Public Private Public Private
Apache / Nginx IIS
Client
Root Vault
Client
Root Vault

10. Check
Expiration
Check
Revocation
Revoke old Create New
Write to
filesystem
Bounce
service
vault_cert run

11. vault_cert { ‘synapse’:
cert_dir => '/etc/pki/tls/certs’
priv_key_dir => '/etc/pki/tls/private’
notify => Service[‘nginx’],
}
nginx::resource::server { ‘synapse’:
ssl_port => 443,
ssl => true,
ssl_cert => '/etc/pki/tls/certs/synapse.crt',
ssl_key => '/etc/pki/tls/private/ synapse.key’,
}
Linux
Linux
Public Private
Nginx
Vault CA
CSR
Cert & Key
Write to
Filesystem
Reload
Service

12. Puppet 101

13. Windows problem
• Certs in cert store have a path
• Cert:LocalMachineMy<UNIQUE-THUMBPRINT>
• Cert:LocalMachineMyABC1234
• Thumbprints are unique
• Thumbprints = hash of cert content
• Services bind to cert path
• relies on Thumbprint

14. vault_cert { ‘chocolatey’:
cert_dir => 'Cert:LocalMachineMy’
notify => Service[‘iis’],
}
iis_binding { ‘chocolatey’:
binding_info => {
certificatestore => ‘Cert:LocalMachineMy’
certificatehash => WHAT DO I PUT HERE????,
},
}
Windows Manifest
PROBLEM: Puppet can’t output data from a resource

15. Windows solution – Use a function!
• Functions run on the server
• Function calls Vault API
• Embed certificate in Catalog
• Path to certificate is known at compile time

16. $cert_output = vault::cert(...args...)
vault_cert { ‘chocolatey’:
cert => $cert_output['cert’],
priv_key => $cert_output['priv_key’],
}
iis_binding { ‘chocolatey’:
binding_info => {
certificatehash => $cert_output['thumbprint'],
},
}
Windows solution Vault CA
Windows
Public Private
IIS
2. CSR
4. Embed in Catalog
7. Write to
Cert Store
Puppet Server
1. Facts
3. Cert & Key
5. Catalog
6. Agent
8. Bind and reload IIS

17. Windows “machine cert”
profile
class profile::machine_cert {
$data = vault::cert(args)
vault_cert { $trusted['certname’]:
cert => $data['cert’],
priv_key => $data['priv_key’],
}
}
#########################
class { ‘winrm’:
certificate_hash => $profile::machine_cert::data['thumbprint'],
}
iis_binding { ‘chocolatey’:
binding_info => {
certificatehash => $profile::machine_cert::data['thumbprint’],
}
}

18. CA Cert Manifest Linux
class profile::ca (Hash $certs) {
class { 'trusted_ca': }
create_resources('trusted_ca::ca’, $certs)
}
profile::ca::certs:
vault.domain.tld:
content: |
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
Hiera (YAML Config Data)
Puppet Server
Root Vault
Linux
Root Vault
puppet/trusted_ca
1. Facts
2. Compile
3. Hiera
4. Catalog
5. Apply
6. Write to Filesystem

19. CA Certs on Windows
file { 'C:/ProgramData/Puppetlabs/ca_certs':
ensure => directory,
}
# root certs go into Cert:/LocalMachine/Root
$certs.each |$name, $data| {
file { "C:/ProgramData/Puppetlabs/ca_certs/${name}.crt":
ensure => file,
content => $data['content'],
}
$cert_details = vault::cert_details($data['content'])
sslcertificate { "${name}.crt":
location => 'C:ProgramDataPuppetlabsca_certs',
thumbprint => $cert_details['thumbprint'],
store_dir => 'Root',
interstore => true,
}
Puppet Master
Root Vault
Windows
Root Vault
puppet/sslcertificate
3. Catalog
1. Facts
2. Compile
5. Write to Cert Store
4. Agent

20. Vault + Puppet = Dynamic Duo
•Every server has a cert (500+)
•CA distributed Cross Platform
•Services bound to certs
•Certs auto-renew (30d)
•Services auto-refreshed
•Validation enabled

21. Future
•DevOps for HPC
•GPU Algorithms
•C++
•Heavily Optimized Software

22. Thanks!
@NickMaludy
github.com/nmaludy
github.com/EncoreTechnologies/puppet-vault