You Like It Or Not; You Need It! - PKI And Certificate Management

2022-10-28

Authors: Shweta Vohra


Summary

PKI and Certificate management are critical security measures for communicating over networks within or outside an infrastructure. The presentation covers the basics of certificate infrastructure, a case study, and 5 must-knows about certificate management.
  • PKI and certificate management are essential for secure communication over networks
  • Certificates for Kubernetes clusters are a simple problem, but microservices and service mesh require more complex design and implementation
  • Certificate infrastructure involves trust establishment, a certificate authority, a registration authority, and a verification authority
  • Design considerations include the network proxy layer, TLS version mismatches, certificate revocation methods, and certificate automation and monitoring
  • Tools like Spiffe/Spire and Grafana can be used for automation, monitoring, and analysis
The speaker initially disliked the topic of PKI and certificate management, but after messing it up, she learned it the hard way. She emphasizes that it can be understood with patience.
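The roles listed in the summary above (trust establishment, a certificate authority that issues, a verification authority that checks the chain, and monitoring that drives rotation) can be shown end to end with Go's standard crypto/x509 package. The following is an added example written for this page; it is not code from the talk or from the SPIFFE/SPIRE project. The CA name, the workload's SPIFFE ID and the one-hour lifetime are constructed values chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// randomSerial returns a 128-bit random serial, as CA/Browser Forum rules require
// unpredictable serials rather than a counter.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// newCA creates a self-signed root: this is the "trust establishment" step.
// Anything that should trust workloads later needs only this certificate, never the key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf is the certificate-authority role: sign a short-lived workload certificate
// whose identity is a SPIFFE ID carried as a URI SAN (the layout SPIRE uses for SVIDs).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyLeaf is the verification-authority role: the chain must end at a root we hold
// in our own pool, and the certificate must be valid at the time of the check.
func verifyLeaf(leaf *x509.Certificate, at time.Time, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// needsRotation is the monitoring/automation hook: renew before the remaining
// lifetime drops under the threshold instead of alerting once it has expired.
func needsRotation(c *x509.Certificate, now time.Time, minRemaining time.Duration) bool {
	return c.NotAfter.Sub(now) < minRemaining
}

func main() {
	ca, caKey, err := newCA("Example Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(ca, caKey, "spiffe://example.org/ns/default/sa/web", time.Hour) // constructed ID
	if err != nil {
		panic(err)
	}
	fmt.Println("verified against our root:", verifyLeaf(leaf, time.Now(), ca) == nil)
	fmt.Println("rotate now (30m threshold):", needsRotation(leaf, time.Now(), 30*time.Minute))
}
```

The point of the one-hour lifetime is that a leaked workload certificate stops being useful on its own shortly afterwards, which is why short-lived certificates plus automated rotation are often preferred over relying solely on revocation checks; the verification-authority check still fails the leaf against any root that is not in the pool.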

Abstract

PKI (Primary Key Infrastructure) and Certificate management are must-have features in production, as they provide critical security measures while communicating over networks within or outside your infrastructure (VMs or clusters). Production environments are increasingly dynamic and heterogeneous with micro-services, service mesh, container orchestrators, and cloud computing. When you use certificates for Kubernetes clusters, it's still a simple problem. However, when you design and implement it for microservices and service mesh, that's where the real fun begins. I disliked this topic so much that I avoided it for a long time, and then, after messing it up, learnt it the hard way. All this to discover it can be understood with a little patience. In this session I will present the basics of certificate infrastructure and a demo, followed by 5 must-knows about certificate management for every software application creator/owner/maintainer, and how to handle it wisely with open-source tools like Spiffe/Spire without getting intimidated by the complexity it brings.