
Rotate Roots Right Round: Using Cert-Manager for Safer Private PKI

2023-04-20

Authors:   Ashley Davis


Summary

The presentation discusses what it takes to run a private PKI safely and how to mitigate the risks that come with it.
  • Trust is one of the risks the talk covers: a certificate is useless unless the clients that receive it trust the CA that issued it, so trust distribution has to be planned alongside issuance.
  • trust-manager can help distribute CA bundles inside a cluster, but you still need a plan for which roots are trusted where, and for how long, especially across a root rotation.
  • Issuance policy matters: restricting who can request which certificates prevents unauthorized requests and keeps the PKI safe.
  • Private PKI offers advantages such as lower cost and total control over certificate issuance.
  • Certificates are what make encryption in transit authenticated, protecting data from attackers on the network.
Certificates are like passports for websites: just as you need a passport to cross a border, a website needs a certificate to prove its identity before a client will talk to it securely. Without a trusted certificate, an attacker can impersonate the site and intercept or modify data in transit. A private PKI has to be run safely for the certificates it issues to be worth anything.

Abstract

There are plenty of benefits when you control your own certificate authority (CA), whether for just one Kubernetes cluster or for your whole organization. Putting a service mesh into production might require rolling your own CA, for example, but there are other use cases where a private PKI makes sense to avoid the headaches of rate limits, issuance costs or relying on third party services. Luckily for us, the concepts behind Public Key Infrastructure (PKI) have been around since at least the 70s and there's a tonne to learn from existing PKI deployments which we can apply to today's cloud native landscape. Plus, cert-manager is here to help! In this talk we'll discuss how to use cert-manager to safely deploy a private PKI at organizational scale and some of the things we need to think about to ensure that we can run it safely - without causing a major outage down the road by failing to plan for rotation! Ash is a public key cryptography nerd with prior experience in administering PKI at large scale. As a cert-manager maintainer he's committed to improving the experience of anyone that runs private PKI in cloud native projects and beyond!
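The outage the abstract warns about is a sequencing problem: a leaf issued by a new root is rejected by every client that has not yet received that root, and a leaf issued by the old root is rejected the moment the old root is dropped from the trust bundle. The Go program below is an added example written for this page; it is not code from the talk or from the cert-manager or trust-manager projects. It uses only the standard library's crypto/x509, and the root names, the service name `svc.example.internal` and the helper names `mint`, `template`, `trusted` and `RotationDemo` are all constructed for the illustration. It mints two roots and one leaf from each, then checks every leaf/bundle combination a client could see during a rotation: the pre-rotation steady state, the two ways to cause an outage, and the overlap bundle that carries both roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint generates a P-256 key for tmpl and signs it with parent/parentKey (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// template builds either a root CA (ca=true) or a server leaf for name.
// Names and lifetimes are constructed for this example, not taken from a real deployment.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// trusted is the client's view: does leaf chain to some root in bundle for dnsName?
func trusted(leaf *x509.Certificate, bundle []*x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	for _, root := range bundle {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// RotationResult records which leaf/bundle pairs verify at each stage of the rotation.
type RotationResult struct {
	OldLeafOldBundle     bool // steady state before the rotation
	NewLeafOldBundle     bool // new root issuing before clients trust it: outage
	OldLeafOverlapBundle bool // both roots distributed: old leaves keep working
	NewLeafOverlapBundle bool // both roots distributed: new leaves work too
	OldLeafNewBundle     bool // old root dropped while old leaves are still live: outage
}

// RotationDemo mints two roots and one leaf from each, then checks every stage.
func RotationDemo() (RotationResult, error) {
	const host = "svc.example.internal" // hypothetical service name
	var r RotationResult
	oldCA, oldKey, err := mint(template("Example Private Root 2019", 1, true), nil, nil)
	if err != nil {
		return r, err
	}
	newCA, newKey, err := mint(template("Example Private Root 2023", 2, true), nil, nil)
	if err != nil {
		return r, err
	}
	oldLeaf, _, err := mint(template(host, 10, false), oldCA, oldKey)
	if err != nil {
		return r, err
	}
	newLeaf, _, err := mint(template(host, 11, false), newCA, newKey)
	if err != nil {
		return r, err
	}
	oldBundle := []*x509.Certificate{oldCA}
	overlap := []*x509.Certificate{oldCA, newCA} // what the trust bundle should carry during cut-over
	newBundle := []*x509.Certificate{newCA}
	r.OldLeafOldBundle = trusted(oldLeaf, oldBundle, host)
	r.NewLeafOldBundle = trusted(newLeaf, oldBundle, host)
	r.OldLeafOverlapBundle = trusted(oldLeaf, overlap, host)
	r.NewLeafOverlapBundle = trusted(newLeaf, overlap, host)
	r.OldLeafNewBundle = trusted(oldLeaf, newBundle, host)
	return r, nil
}
```

Read the result as a rotation plan: only the overlap bundle verifies both leaves, so the new root must reach every client before any issuer starts signing with it, and the old root must stay in the bundle until the last certificate it issued has expired or been reissued. In cert-manager terms that means distributing a bundle containing both roots first, then switching the CA issuer's secret to the new root, and only removing the old root from the bundle once nothing it signed is still in use.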
