The DevOps methodology implies a faster development and deployment cycle, increased reliability, and sometimes better security. Many tools are appearing to occupy the security niche in DevOps.

Certificate management is a recurring problem in infrastructure administration that calls for automation.

There are many tools available to solve the problems in this field, making the clumsy CA convenient and easy to use.

While researching, I came across smallstep, a tool that is growing in popularity.

I found it interesting that it offers a certificate renewal solution that allows you to use a key and a certificate that is about to expire to issue a new one.

Such a renewal mechanism is also a gift to an attacker.

Let’s assume the following situation.

The certificate and key have been compromised, and the attacker has managed to reissue a certificate using the old one, which is easy: step ca renew compromised.crt compromised.key --out=new.crt.

The security team discovers the key compromise and revokes the certificate: step ca revoke --cert compromised.crt --key compromised.key.

Meanwhile, the renewed certificate remains valid, and nobody knows about it because there is no interface that shows it. To counter this, you have to take the CA offline and dig through its database.

Until then, an attacker can issue as many further certificates as they need.

That is how well this automation serves an attacker.

I don’t think it should be like this. Short-lived certificates are good, but the keys must also be rotated when certificates are reissued.
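The scenario above leaves a defender with a concrete question: which still-valid certificates descend from the revoked one? Because renewal re-certifies the same key pair, they all carry the revoked certificate's SubjectPublicKeyInfo. The following is an added example (not from the post and not smallstep's own code) that runs that check over a constructed certificate inventory; it assumes an export from the CA with the fields serial, subject, spki, not_before and status, and the spki values are placeholders rather than real fingerprints.

```python
# Added example, not part of the original post and not smallstep's own code.
# Renewal re-certifies the SAME key pair, so certificates renewed from a
# compromised one share its SPKI fingerprint. Revoking one serial does not
# touch its renewals; this check finds them and also flags key reuse.
from collections import defaultdict
from datetime import datetime

# Constructed inventory in the shape you might export from the CA's database.
# The spki values stand in for SHA-256 fingerprints and are NOT real hashes.
INVENTORY = [
    {"serial": "1001", "subject": "svc.example.internal", "spki": "aaaa",
     "not_before": "2024-01-01T00:00:00", "status": "revoked"},   # compromised cert
    {"serial": "1002", "subject": "svc.example.internal", "spki": "aaaa",
     "not_before": "2024-01-01T06:00:00", "status": "valid"},     # renewed by attacker
    {"serial": "1003", "subject": "svc.example.internal", "spki": "aaaa",
     "not_before": "2024-01-01T07:00:00", "status": "valid"},     # renewed once more
    {"serial": "0999", "subject": "svc.example.internal", "spki": "aaaa",
     "not_before": "2023-12-31T00:00:00", "status": "expired"},   # old predecessor
    {"serial": "1004", "subject": "db.example.internal", "spki": "bbbb",
     "not_before": "2024-01-01T00:00:00", "status": "valid"},
    {"serial": "1005", "subject": "svc.example.internal", "spki": "cccc",
     "not_before": "2024-01-02T00:00:00", "status": "valid"},     # reissue, fresh key
]


def renewals_of(inventory, revoked_serial):
    """Serials of still-valid certificates that carry the revoked certificate's
    key and were issued at or after it. Each is a candidate for step ca revoke;
    the list is ordered by not_before so the renewal chain reads in order."""
    revoked = next(c for c in inventory if c["serial"] == revoked_serial)
    cutoff = datetime.fromisoformat(revoked["not_before"])
    chain = [c for c in inventory
             if c["spki"] == revoked["spki"] and c["status"] == "valid"
             and c["serial"] != revoked_serial
             and datetime.fromisoformat(c["not_before"]) >= cutoff]
    return [c["serial"] for c in sorted(chain, key=lambda c: c["not_before"])]


def reused_keys(inventory):
    """Map of SPKI fingerprint -> serials for every key certified more than once.
    A CA that forces a new key on each reissue yields an empty result here."""
    by_key = defaultdict(list)
    for c in inventory:
        by_key[c["spki"]].append(c["serial"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    print("also revoke:", renewals_of(INVENTORY, "1001"))   # ['1002', '1003']
    print("keys certified more than once:", reused_keys(INVENTORY))
```

Running the same check on a key that was never renewed returns an empty list, and an inventory with no shared keys makes reused_keys return an empty dict, which is the state the rotate-on-reissue policy aims for.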