Best way to distribute a certificate into a VM (to another computer)?

I wonder what’s the best way to distribute a certificate to other VMs / computers. Are there some howtos for good solutions?

Currently I generate them on the host and move them into the filesystem of the containers. Now I use more full VMs and need a way to transfer them securely.

I could create accounts that can be used to copy (scp, sftp, rsync) the files there, but the same account could be used to extract the certificate (and key!) again, and the private SSH key needs to lie on the server requesting the certificate.
Another option would be not to rotate the key and just distribute the updated certificate, which is not confidential, i.e. by downloading it on the receiving VM via HTTP. But key rotation is a good thing.

Are there any howtos or best practices for distributing updated certificates to remote machines?

That is not a question about certificates as such. It’s also not quite clear what exactly you mean by “but the same account could be used to extract the certificate (and key!) again”, at least assuming that permissions are set up correctly and you are not just handing access out to everyone. In any case, if you are looking for something more advanced than scp/rsync (and don’t want to try something like git-crypt, shared mount points, etc.), you might consider configuration management systems (Puppet/Ansible/Salt/whatever). Though to just use them for certificate file distribution feels like overkill.

I am currently setting up Ansible, but I want to run something from a post-hook of letsencrypt which distributes the needed files. Ansible does not seem that suitable for this.

The other part is that automatic key distribution needs some kind of automatic access, so a password/SSH key/whatever needs to be stored on the machine running certbot. This means that this machine has a lot more access than I would like it to have.

The best method would be some one-way push, which allows certbot to push the certificate and key, but nothing else. And explicitly no read access to anything on the remote machine.

I do not think I am the first to deploy with such a distributed setup, so probably there are already some best practices and I do not need to reinvent everything ;-).
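One way to build the one-way push described above, as an added example that is not code from this thread or from certbot: a single script used on both sides. On the certbot host it runs as a `--deploy-hook` (certbot runs deploy hooks only after a successful renewal and exports `RENEWED_LINEAGE`, unlike `--post-hook`, which runs after every renewal attempt) and sends only `fullchain.pem` and `privkey.pem` as a tar stream over a dedicated SSH key. On the target VM that key's `authorized_keys` entry forces the same script as the receiver, so whatever the client asks for, sshd runs only the receiver, which reads stdin, validates the pair, installs it atomically and reloads the service; nothing is ever sent back. The user name `certpush`, the paths, the hostnames and the reload command are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot. Hostnames, users and
# paths are assumptions. Usage:
#   certbot host:  certbot renew --deploy-hook "/usr/local/bin/cert-push.sh push certpush@vm1 /etc/letsencrypt/push_key"
#   target VM, in ~certpush/.ssh/authorized_keys (one line):
#   restrict,command="/usr/local/bin/cert-push.sh receive /etc/ssl/app 'systemctl reload nginx'" ssh-ed25519 AAAA... certbot@ca-host
# "restrict" disables pty, agent, X11 and port forwarding; command= makes sshd
# run the receiver regardless of what the client requested ("push-cert" below
# is ignored), so the certbot host can deliver this one bundle and nothing else.
set -eu

# ---- sender: runs from certbot's --deploy-hook -----------------------------
push_cert() {
    lineage=$1 target=$2 keyfile=$3
    tar -C "$lineage" -cf - fullchain.pem privkey.pem |
        ssh -i "$keyfile" -o IdentitiesOnly=yes -o BatchMode=yes "$target" push-cert
}

# ---- receiver: forced command on the target --------------------------------
pem_has() { grep -q -- "$2" "$1"; }

# Validate the tar file $1 and install its pair into directory $2; $3 is a
# scratch directory on the same filesystem as $2 (so mv is a rename).
install_bundle() {
    bundle=$1 dest=$2 work=$3
    # 1. Exactly these two members, bare names: no paths, no extras.
    names=$(tar -tf "$bundle") || return 1
    [ "$(printf '%s\n' "$names" | sort | tr '\n' ' ')" = "fullchain.pem privkey.pem " ] ||
        { echo "rejected: unexpected bundle contents" >&2; return 1; }
    mkdir "$work/in" && tar -xf "$bundle" -C "$work/in" || return 1
    for f in fullchain.pem privkey.pem; do   # no symlinks smuggled in via tar
        [ -f "$work/in/$f" ] && [ ! -L "$work/in/$f" ] ||
            { echo "rejected: $f is not a regular file" >&2; return 1; }
    done
    # 2. Cheap structural checks before anything parses the files.
    pem_has "$work/in/fullchain.pem" '-----BEGIN CERTIFICATE-----' ||
        { echo "rejected: fullchain.pem is not a PEM certificate" >&2; return 1; }
    pem_has "$work/in/privkey.pem" 'PRIVATE KEY-----' ||
        { echo "rejected: privkey.pem is not a PEM private key" >&2; return 1; }
    # 3. Leaf certificate (first PEM block) must parse, be unexpired, and its
    #    public key must equal the one derived from the private key.
    openssl x509 -noout -checkend 0 -in "$work/in/fullchain.pem" >/dev/null 2>&1 ||
        { echo "rejected: certificate unparsable or expired" >&2; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$work/in/fullchain.pem" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$work/in/privkey.pem" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "rejected: private key does not match certificate" >&2; return 1; }
    # 4. Install. Each mv is a same-filesystem rename (atomic per file); the
    #    service re-reads both files only on the reload that follows, so it
    #    never loads a half-replaced pair. Nothing is written before step 4.
    mkdir -p "$dest" || return 1
    chmod 0644 "$work/in/fullchain.pem" && chmod 0600 "$work/in/privkey.pem" || return 1
    mv "$work/in/fullchain.pem" "$dest/fullchain.pem" && mv "$work/in/privkey.pem" "$dest/privkey.pem"
}

# Read a bundle from stdin into $1, then run the reload command $2 (if any).
# $2 comes from the target's own authorized_keys line, never from the client.
receive_cert() {
    dest=$1 reload=${2-}
    work=$(mktemp -d "$(dirname "$dest")/.certpush.XXXXXX") || return 1
    if cat > "$work/bundle.tar" && install_bundle "$work/bundle.tar" "$dest" "$work"; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$work"                # key material never outlives the run
    [ "$rc" -eq 0 ] || return "$rc"
    [ -z "$reload" ] || sh -c "$reload"
}

case "${1-}" in
    push)    push_cert "${RENEWED_LINEAGE:?certbot sets this for deploy hooks}" "$2" "$3" ;;
    receive) receive_cert "$2" "${3-}" ;;
esac
```

The asymmetry is the point: the sender holds a private key that sshd on the target will only ever map to `receive`, so a compromise of the certbot host yields write access to one directory on each VM and no read access at all. Rejecting a bundle before step 4 leaves the previously installed pair untouched, so a bad push cannot take the service down.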

Search this forum for ansible, puppet, etc.

There are no best practices around this as the environments are quite different and it’s not really a Let’s Encrypt problem space.

Distributing things (keys, configuration files) in a virtual environment is a general Linux problem.

A) Certbot does have --post-hook for running scripts, etc.
B) https://serverfault.com/questions/117072/a-system-for-distributing-ssh-public-keys
C) Use a password management solution - https://thycotic.com/
D) Put certificates into a database and then have servers connect to the database to pick them up

As I said, this is more of a Google-and-find-something problem.

The way most clients work is that they obtain the certificates and dump them to the local filesystem.

I am not aware of any clients that have agent/ssh/ansible plugins

Andrei
