Episode 055: 10‐10‐2024 X.509 Certificate Rotation: Why TLS is still a pain point - GluuFederation/identerati-office-hours GitHub Wiki

Title: X.509 Certificate Rotation: Why TLS is still a pain point

• Host: Mike Schwartz, Founder/CEO Gluu
• Guest: Ben Burkert, Co-Founder / CTO of Anchor

YouTube Video

Description

Anchor is a developer-friendly platform that provides private CAs for internal TLS encryption. Anchor strives to make HTTPS certificates easy to get on your servers and offers a seamless ACME flow, which allows developers to focus on building rather than managing security. In this livestream we'll discuss:

• How Anchor is changing the game for developers with its innovative approach to internal CA provisioning.
• The evolution of certificate management and why internal TLS is still a pain point.
• Insights from his days at GitHub, Cloudflare, and Heroku — from certificate rotations to back-end encryption.
• How to integrate strong encryption and certificate management into your development workflow.

Homework

• Jamstack Ep. #147, Secure Local Dev Environments with Chris Stolt and Ben Burkert of Anchor, 20 min podcast

• The Evolution of Certificate Management with Anchor Security's Ben Burkert, 40 min video

Takeaways

⬢ The Automatic Certificate Management or "ACME" protocol helps organizations automate the issuance and management of certificates. It was developed initially with LetsEncrypt in mind, i.e. to automate issuing free certificate automatically at scale.

⬢ For enterprises who operate a private internal CA, distributing the latest trust store to developers is a big challenge--developers need to have the required root and intermediate certificates, in the right keystore format, in the right path. The tools for the Anchor CA enable developers to import the latest certificates through the developer package chain, currently: Go, Python, Ruby and JavaScript.

⬢ External Account Binding (EAB) is an optional feature in the ACME protocol that allows a client to include a signed token with their ACME account request. At a high level it means you can bridge OAuth and X.509 trust models, e.g. authorize an OAuth client to issue certificates.

⬢ Potentially you could achieve some authorization using X.509 configuration. For example, you could implement a rule that says dev certificates can't be used in production. But should you?

⬢ Check out LCL a free developer CA to help you use valid TLS certificates for testing your app on localhost: https://anchor.dev/docs/lcl-host/why-lcl

Livestream Audio Archive

here