March 16, 2021

Tags: Blog post, Code signing, DevOps, EJBCA Enterprise, SignServer Enterprise

PKI as DevOps or PKI for DevOps

PKI in DevOps

DevOps has quickly emerged as the preferred set of practices for deploying and running applications. Although the word itself means different things to different people, in this blog post we describe two things it means for our customers, and show a small subset of tools and useful integrations. Because the field is both very large and developing rapidly, a full set of tools and integrations cannot be described in limited space. When it comes to deploying and using PKI, we divide it into at least two distinct topics:

  • PKI as DevOps, or running your PKI with the DevOps practices in your organization instead of as a separate isolated environment
  • PKI for DevOps, or using the DevOps practices in your organization to efficiently deploy PKI based credentials to your business applications and services

For these two different use cases, you more or less use the same tools and techniques, but in different ways with different goals.

PKI as DevOps

With PKI as DevOps, the goal is to install and configure the PKI solution using DevOps practices. What is gained with this approach is that you can get a complete PKI up and running with:

  • automated deployment
  • reproducible configuration

A wow-factor we get when showing demos of this is how to automatically deploy a full, multi-node PKI solution with distributed components (CA, VA, RA, TSA, etc.), completely configured with hardware security modules, certification authorities, certificate profile configurations for all desired certificate types, and secure peer connections between components. A key feature of our products used for this is called ConfigDump, which enables you to export and import the complete configuration using human-readable YAML files. For example, you can export profiles from a well-tested acceptance test system and use them to deploy your production systems with a reproducible outcome. The other external tool we use is Ansible, a software provisioning, configuration management, and application-deployment tool enabling infrastructure as code. Using our Ansible playbooks (which are available on the PrimeKeyDevs GitHub page), you can deploy hundreds of PKI systems, identical and reproducible, if needed.

PKI for DevOps

With PKI for DevOps, the goal is to install business applications using DevOps practices and, in the process, provision them with PKI credentials in a secure way, without hard-coded secrets and credentials. In effect, this enables zero trust deployments that secure the software supply chain from cradle to grave. What is gained here is that you can deploy your business applications with:

  • automated deployment
  • reproducible configuration
  • secure deployment of individual machine identities
  • using centrally managed compliant PKI (which is managed itself using DevOps practices)

The wow-factor response we get when demonstrating this is how easily you can use a compliant, secure PKI with your varied deployment and management tools, such as:

  • Vault
  • Kubernetes
  • Service Mesh
  • Ansible playbooks

For example, using an Ansible module enables you to issue PKI credentials securely inside your playbooks, enabling infrastructure as code on any orchestration framework, without putting any secrets in your code. Hard-coded secrets are otherwise a source of many CVEs and high-profile breaches, and one of the top common weakness types. If you are interested in more details and demonstrations of how:

  • PrimeKey enables you to deploy your PKI or signing solution, leveraging popular DevOps tools, with full automation, or
  • you can integrate the process of issuing and managing certificates for your business applications into your standard automated DevOps environment while remaining compliant and secure,

sign up for our "PKI and Signing in DevOps" webinar, including live demos, to learn more.

Find all documentation and tools on PrimeKey Documentation or GitHub.


Author

Tomas Gustavsson

Tomas is the co-founder and CTO of PrimeKey. He has been implementing PKI systems since 1994. As founder and developer of the open source enterprise PKI project, EJBCA, contributor to numerous open source projects, and member of the board of Open Source Sweden, Tomas is passionate about helping users worldwide to find the best possible PKI and digital signing solutions.