2025-01-15
In this episode, Sven Rajala, International PKI Man of Mystery, and Tomas Gustavsson, Chief PKI Officer at Keyfactor, discuss poor PKI practices they have observed in service mesh implementations over the last year. Users sometimes take a shortcut by relying on (faulty) default settings for the PKI setup and certificate usage, which leads to insecure configurations.
Key Usage Violations: Organizations are migrating from RSA to ECC keys, which is positive. However, Tomas highlights a recurring violation: the keyEncipherment key usage appears in ECC certificates, which is against the standards (X.509, RFC 5280, and ISO/IEC 9594-8).
Hard-Coded Distinguished Name (DN): Certificates often include hard-coded country or organization fields, such as “C=US” or “O=Acme Inc”, even when operating in other regions, creating audit and compliance issues.
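An added audit check (example code, not from the episode or from Keyfactor) that flags both of the findings above on a parsed certificate: keyEncipherment on an EC key, and C=/O= values that do not match where the workload actually runs. The expected country and organization, and the self-signed sample certificates, are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Assumed audit policy: the DN values this deployment is expected to carry.
EXPECTED_C = "SE"          # assumption: the cluster actually runs in Sweden
EXPECTED_O = "Example AB"  # assumption


def audit_certificate(cert: x509.Certificate) -> list:
    """Return findings for the key-usage and hard-coded-DN issues described above."""
    findings = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        ku = None
    # RFC 5280 4.2.1.3: keyEncipherment covers enciphering keys (RSA key
    # transport); an EC key does key agreement, so the bit is meaningless there.
    if ku is not None and ku.key_encipherment and isinstance(cert.public_key(), ec.EllipticCurvePublicKey):
        findings.append("keyEncipherment set on an EC certificate (violates RFC 5280)")
    # Hard-coded C= / O= fields that do not match where the workload really lives.
    for oid, expected, label in ((NameOID.COUNTRY_NAME, EXPECTED_C, "C"),
                                 (NameOID.ORGANIZATION_NAME, EXPECTED_O, "O")):
        attrs = cert.subject.get_attributes_for_oid(oid)
        if attrs and attrs[0].value != expected:
            findings.append(f"subject {label}={attrs[0].value}, expected {expected}")
    return findings


def make_cert(key_encipherment: bool, country: str, org: str) -> x509.Certificate:
    """Constructed self-signed EC certificate used as sample input (not a real mesh cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, country),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, "svc.mesh.local")])
    now = datetime.now(timezone.utc)
    ku = x509.KeyUsage(digital_signature=True, key_encipherment=key_encipherment,
                       content_commitment=False, data_encipherment=False, key_agreement=False,
                       key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(ku, critical=True).sign(key, hashes.SHA256()))

# The faulty default from the episode: an EC leaf with keyEncipherment and a hard-coded US DN.
BAD_CERT = make_cert(True, "US", "Acme Inc")
GOOD_CERT = make_cert(False, EXPECTED_C, EXPECTED_O)
```

Run the audit over a real certificate with `audit_certificate(x509.load_pem_x509_certificate(pem_bytes))`; an empty list means neither issue is present.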
Sub-CA Mismanagement: Poor practices include issuing sub-CAs at the cluster level without proper separation of security domains. Sub-CAs with name constraints could add security, but we have not seen that being used in practice. Tomas also emphasizes the importance of protecting CA keys using Hardware Security Modules (HSMs) to ensure compliance and prevent key misuse.
Short-Lived Sub-CAs: Some organizations adopt a three-day rotation for sub-CAs, aiming to enhance security. However, Tomas questions the value of such a strategy if the keys remain in software, and recommends better alternatives, such as skipping in-cluster sub-CAs altogether and integrating directly with external issuers via cert-manager.
This session highlights the need for organizations to go beyond quick fixes and adopt proper PKI practices when implementing certificates for their service mesh. Critical steps include moving away from faulty default settings, ensuring compliance with the RFCs, and using HSMs to protect CA and sub-CA keys. Integrating an enterprise PKI via tools like cert-manager can streamline policy enforcement and ensure trust and compliance. Following best practices enhances security and simplifies audits, making it harder for attackers to exploit misconfigurations.