DevOps methodology implies faster development, increased reliability, and sometimes security. Many new tools have emerged to fulfill the DevOps needs. Many of them rely on the PKI or even manage the PKI somehow.
While researching, I came across the smallstep - the popular tool that makes PKI management convenient and easy.
I found it interesting to have a certificate renewal solution that allows you to use the certificate that is going to expire to issue a new one.
Such a thing is very handy for an attacker.
Let’s assume the following situation.
The certificate and key have been compromised, and the attacker has managed to reissue a certificate using the old one, which is easy:
step ca renew compromised.crt compromised.key --out=new.crt
.
The security folks identify the compromised key and revoke the certificate: step ca revoke --cert compromised.crt --key compromised.key
.
Nonetheless, the new certificate is valid, but they don’t know about it because there is no interface and no audit logs. So, to counteract that, they have to put the CA offline and dig into the database.
The attacker can issue as many more certificates as they need.
That’s how well automation have invented for an attacker.
Short-lived certificates is a good idea, but the keys also must be rotated along with certificates the there must be an audit trail to make a Certiface Authority authoritative.