The size and complexity of software systems has
grown exponentially in recent years, which has led to a commensurate increase
in the number of certificates required to secure network communication between
system components. Focused on this challenge and addressing the needs of
distributed systems, is key to
Smallstep Labs' mission. VMblog caught up with
founder and CEO Mike Malone to learn more about
Smallstep Certificate Manager
and the company's approach to DevSecOps, open source and core infrastructure.
VMblog: How
did you start Smallstep?
Mike Malone: Smallstep started by building a policy engine for microservice authorization.
We started to demo that and the response was: "cool authorization product, but
we don't have authentication yet." You can't enforce rules controlling which
services are allowed to talk to one another if you have no idea which service
is on the remote end of a TCP socket.
That got us onto TLS. TLS is awesome. It's
everywhere. People are familiar with TLS from the web. It's in every standard
language library. It's supported by databases and other infrastructure. It's
the most widely deployed cryptographic protocol in the world.
But, TLS requires certificates, and
certificates are hard. Building and operationalizing a public key infrastructure
(PKI) for certificate management felt like dark art. But, once I started
learning the theory I realized certificates are the right answer for most
distributed systems authentication problems. Certificates lets you define a
system cryptographically, without reference to IPs and MAC addresses. This
makes software more portable. It works everywhere so bits of your system can
run anywhere and communicate securely. It's conceptually simple and super
flexible. And it's already there, standardized, ready for you to use, with no
vendor lock-in. It's pretty great.
VMblog: What
were you looking to solve?
Malone: So,
certificates are really powerful. As an industry, we've been using x509
certificates - the kind used by TLS - since the 1980s. We're familiar with them
from the Web PKI, where we can see they work well at scale. There's scattered
use of certificates in IT and a few other niche areas but, at smallstep, we
thought certificates were more useful than that.
Basically, we think good PKI - with automated
certificate management - is something that every non-trivial distributed system
deserves. Certificate infrastructure is as fundamental as database
infrastructure. Heck, certificates are how you secure connections to most
databases! But, when we started, only a few really sophisticated operations had
figured out how to use certificates at scale.
The problem was that existing tools weren't
designed for modern software systems and operations. They were built for
small-scale manual workflows that were run by specialists. We saw a need for a
certificate management tool that's accessible, scalable, and easy to integrate
and operate. Something compatible with DevOps, Agile, engineer on-call, etc.
Something that easily integrates with CI/CD, containers, config management, and
immutable infrastructure. That's what we've built.
Smallstep Certificate Manager is a tool for
automated certificate management. It's easy and accessible, with sane defaults
and guardrails that make it hard to misuse in a way that would compromise
security. An engineer can sign up for Certificate Manager on our website and be
up and running, issuing certificates, within a few minutes. Once they're
familiar with the tool, getting to fully automated certificate management in
production is just a small project. It's easy, secure and, if you're like me,
even kind of fun... that's our goal here.
VMblog: What does Smallstep Certificate Manager do?
Malone: Smallstep
Certificate Manager automates certificate management for DevSecOps. It makes it
super easy to manage TLS/SSL certificates for internal websites, workloads,
containers, ingresses, developers, and whoever/whatever else needs a
cryptographic identity.
A big focus has been on reach - the ability to
easily and securely issue certificates to everything and everyone that might
need one. To that end, we support the ACME protocol, single sign-on, one-time
tokens, cloud VM APIs, Kubernetes services accounts, and a bunch of other
mechanisms for certificate provisioning.
Once certificate are issued, the next big
operational challenge is renewing them before they expire. Our API and CLI make
it simple to automate renewals in any environment. For most use cases a few
lines in a systemd unit file get the job done. We also have deep integrations
with popular projects like Kubernetes, Caddy, and Istio that make issuance and
renewal completely turnkey.
Next, we need to know that everything's working,
and we need an alert if it's not. Certificate Manager builds a catalogue of
everything that's been issued a certificate, and will fire an alert if a
certificate is approaching expiry and hasn't been renewed. You can configure
email alerts, or send events to your SIEM to integrate with existing processes
and workflows.
For larger enterprises, there's a long list of
compliance, governance, and access control features. Other advanced features
include active revocation (CRL and OCSP) for long-lived certificates,
renew-after-expiry workflows for devices with intermittent connectivity,
certificate approval queues, and external account binding for enterprise ACME.
This is a broadly horizontal technology and, if you have a certificate use
case, we've probably got it covered.
Overall, Smallstep Certificate Manager
democratizes certificate-based security architectures, allowing more
organizations to build bigger, safer software for all of us.
VMblog: What's next for Smallstep?
Malone: We're on a mission to solve identity for distributed systems.
For now, that means continuing to make the best PKI tools so that Production
Identity is a reality for all organizations and individuals.
##