VMblog Expert Interview: Smallstep Labs Talks DevSecOps and Automating Certificate Management


The size and complexity of software systems has grown exponentially in recent years, which has led to a commensurate increase in the number of certificates required to secure network communication between system components. Addressing this challenge for distributed systems is central to Smallstep Labs' mission. VMblog caught up with founder and CEO Mike Malone to learn more about Smallstep Certificate Manager and the company's approach to DevSecOps, open source and core infrastructure.

VMblog:  How did you start Smallstep?

Mike Malone:  Smallstep started by building a policy engine for microservice authorization. We started to demo that and the response was: "cool authorization product, but we don't have authentication yet." You can't enforce rules controlling which services are allowed to talk to one another if you have no idea which service is on the remote end of a TCP socket.

That got us onto TLS. TLS is awesome. It's everywhere. People are familiar with TLS from the web. It's in every standard language library. It's supported by databases and other infrastructure. It's the most widely deployed cryptographic protocol in the world.

But, TLS requires certificates, and certificates are hard. Building and operationalizing a public key infrastructure (PKI) for certificate management felt like a dark art. But, once I started learning the theory I realized certificates are the right answer for most distributed systems authentication problems. Certificates let you define a system cryptographically, without reference to IPs and MAC addresses. This makes software more portable. It works everywhere so bits of your system can run anywhere and communicate securely. It's conceptually simple and super flexible. And it's already there, standardized, ready for you to use, with no vendor lock-in. It's pretty great.

VMblog:  What were you looking to solve?

Malone:  So, certificates are really powerful. As an industry, we've been using X.509 certificates - the kind used by TLS - since the 1980s. We're familiar with them from the Web PKI, where we can see they work well at scale. There's scattered use of certificates in IT and a few other niche areas but, at Smallstep, we thought certificates were more useful than that.

Basically, we think good PKI - with automated certificate management - is something that every non-trivial distributed system deserves. Certificate infrastructure is as fundamental as database infrastructure. Heck, certificates are how you secure connections to most databases! But, when we started, only a few really sophisticated operations had figured out how to use certificates at scale.

The problem was that existing tools weren't designed for modern software systems and operations. They were built for small-scale manual workflows that were run by specialists. We saw a need for a certificate management tool that's accessible, scalable, and easy to integrate and operate. Something compatible with DevOps, Agile, engineer on-call, etc. Something that easily integrates with CI/CD, containers, config management, and immutable infrastructure. That's what we've built.

Smallstep Certificate Manager is a tool for automated certificate management. It's easy and accessible, with sane defaults and guardrails that make it hard to misuse in a way that would compromise security. An engineer can sign up for Certificate Manager on our website and be up and running, issuing certificates, within a few minutes. Once they're familiar with the tool, getting to fully automated certificate management in production is just a small project. It's easy, secure and, if you're like me, even kind of fun... that's our goal here.

VMblog:  What does Smallstep Certificate Manager do?

Malone:  Smallstep Certificate Manager automates certificate management for DevSecOps. It makes it super easy to manage TLS/SSL certificates for internal websites, workloads, containers, ingresses, developers, and whoever/whatever else needs a cryptographic identity.

A big focus has been on reach - the ability to easily and securely issue certificates to everything and everyone that might need one. To that end, we support the ACME protocol, single sign-on, one-time tokens, cloud VM APIs, Kubernetes service accounts, and a bunch of other mechanisms for certificate provisioning.

Once certificates are issued, the next big operational challenge is renewing them before they expire. Our API and CLI make it simple to automate renewals in any environment. For most use cases a few lines in a systemd unit file get the job done. We also have deep integrations with popular projects like Kubernetes, Caddy, and Istio that make issuance and renewal completely turnkey.

Next, we need to know that everything's working, and we need an alert if it's not. Certificate Manager builds a catalogue of everything that's been issued a certificate, and will fire an alert if a certificate is approaching expiry and hasn't been renewed. You can configure email alerts, or send events to your SIEM to integrate with existing processes and workflows.

For larger enterprises, there's a long list of compliance, governance, and access control features. Other advanced features include active revocation (CRL and OCSP) for long-lived certificates, renew-after-expiry workflows for devices with intermittent connectivity, certificate approval queues, and external account binding for enterprise ACME. This is a broadly horizontal technology and, if you have a certificate use case, we've probably got it covered.

Overall, Smallstep Certificate Manager democratizes certificate-based security architectures, allowing more organizations to build bigger, safer software for all of us.
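The expiry monitoring Malone describes above (a catalogue of everything that has been issued a certificate, and an alert when one approaches expiry without having been renewed), together with the renewal-threshold decision that a systemd timer or cron job would act on, as an added Python example that is not Smallstep's code and is not part of the interview. The renew-at-two-thirds-of-lifetime rule, the one-hour grace period before an alert fires, the JSON-lines catalogue format and every hostname in the sample are constructed assumptions for this example.

```python
"""Certificate catalogue monitoring: decide which issued certificates are
due for renewal and which should raise an alert. Constructed example;
not Smallstep's code."""

from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: renew once two thirds of the lifetime has elapsed. This is a
# common heuristic for short-lived certificates, not a documented product default.
RENEW_AFTER_FRACTION = 2 / 3
# Assumed grace period: an unrenewed certificate past its renewal point is
# "renew_due" for this long, then escalates to "alert".
ALERT_GRACE = timedelta(hours=1)


@dataclass
class CatalogueEntry:
    subject: str
    not_before: datetime
    not_after: datetime
    renewed: bool  # has a successor certificate already been issued?

    def renew_at(self) -> datetime:
        """Point in time after which this certificate should be renewed."""
        lifetime = self.not_after - self.not_before
        return self.not_before + lifetime * RENEW_AFTER_FRACTION


def classify(entry: CatalogueEntry, now: datetime) -> str:
    """Return one of 'ok', 'renew_due', 'alert' or 'expired' for an entry."""
    if entry.renewed:
        return "ok"  # a successor exists; this entry needs no action
    if now >= entry.not_after:
        return "expired"  # missed the window entirely
    if now < entry.renew_at():
        return "ok"  # still inside the first two thirds of its lifetime
    if now - entry.renew_at() < ALERT_GRACE:
        return "renew_due"  # the renewal job should be running about now
    return "alert"  # renewal is overdue and nothing has been issued


def parse_time(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2022-06-23T12:00:00Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_catalogue(lines) -> list[CatalogueEntry]:
    """Read one JSON object per line; blank lines are skipped."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        entries.append(CatalogueEntry(
            subject=rec["subject"],
            not_before=parse_time(rec["not_before"]),
            not_after=parse_time(rec["not_after"]),
            renewed=bool(rec.get("renewed", False)),
        ))
    return entries


def report(entries: list[CatalogueEntry], now: datetime) -> dict[str, list[str]]:
    """Group subjects by state; the 'alert' and 'expired' lists are what
    you would forward by email or to a SIEM."""
    out: dict[str, list[str]] = {"ok": [], "renew_due": [], "alert": [], "expired": []}
    for entry in entries:
        out[classify(entry, now)].append(entry.subject)
    return out


# Constructed sample catalogue: 24-hour certificates plus one year-long one.
# Hostnames are invented for this example.
SAMPLE_CATALOGUE = """
{"subject": "db.internal", "not_before": "2022-06-23T00:00:00Z", "not_after": "2022-06-24T00:00:00Z"}
{"subject": "api.internal", "not_before": "2022-06-22T18:00:00Z", "not_after": "2022-06-23T18:00:00Z"}
{"subject": "cache.internal", "not_before": "2022-06-22T19:30:00Z", "not_after": "2022-06-23T19:30:00Z"}
{"subject": "legacy.internal", "not_before": "2021-06-23T00:00:00Z", "not_after": "2022-06-23T00:00:00Z"}
{"subject": "web.internal", "not_before": "2022-06-22T12:00:00Z", "not_after": "2022-06-23T12:00:00Z", "renewed": true}
"""

# Fixed "now" so the sample is reproducible (constructed).
NOW = datetime(2022, 6, 23, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for state, subjects in report(load_catalogue(SAMPLE_CATALOGUE.splitlines()), NOW).items():
        print(f"{state:10s} {', '.join(subjects) or '-'}")
```

The distinction between `renew_due` and `alert` is what keeps the alert channel quiet during normal operation: a renewal job that runs every few minutes will normally pick a certificate up inside the grace window, so only a renewal that actually failed, or a host whose renewal job is dead, reaches the SIEM.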

VMblog:  What's next for Smallstep?

Malone:  We're on a mission to solve identity for distributed systems. For now, that means continuing to make the best PKI tools so that Production Identity is a reality for all organizations and individuals.


Published Thursday, June 23, 2022 7:31 AM by David Marshall