Meet Ottr: A Serverless Public Key Infrastructure Framework

Ottr is a serverless Public Key Infrastructure framework that handles end-to-end certificate rotations without the use of an agent. The purpose of this post is to provide an overview of Ottr, including a sample reference architecture and its logical and network flows, and to highlight the benefits of the solution. For installation instructions, skip to the Open Source section of the article.

Kenneth Yang

Introduction

Managing certificates for Public Key Infrastructure (PKI) is a difficult problem to solve at scale for any organization. While there are a number of agent-based solutions to automate certificate rotations for Linux and Windows distributions, the process of brokering certificates for network infrastructure commonly involves either manual intervention from engineering teams or the use of enrollment protocols such as Certificate Management Protocol (CMP), Simple Certificate Enrollment Protocol (SCEP), or Enrollment over Secure Transport (EST), each of which has its own security issues.

We built Ottr at Airbnb to be a scalable and configurable serverless framework on AWS with little operational overhead or reliance on enrollment protocols. Ottr can be extended to handle end-to-end certificate rotations for any hosts (e.g., network infrastructure, Linux, Windows) capable of managing their own X.509 certificates from a remote session (e.g., API, SSH, SSM Agent).

Background

PKI governs the issuance of digital certificates to protect sensitive data, provide unique digital identities, and ensure secure end-to-end communication. Certificate Authorities (CA) are responsible for brokering these X.509 certificates and ow...
