Web Operations/Reference Specification/Discussion Pages/ssl certs

From MozillaWiki
Jump to: navigation, search

Overview

Issuing and renewing SSL certs is currently a very manual process. It involves watching email for expiration notices and working through a third party web portal to issue / reissue. Additionally there is a script that is used to generate certificate signing requests.

We have a need to automate this process for both a reduction in time spent and to increase accuracy and uptime (ie, missing a renewal notice). This discussion is around how we can automate this process.

Automation Framework

This is already on the radar as an Open Stack project, however it looks to be quite a ways off.

It is possible to create custom resource types in HEAT. We can then simple call out to a shell script that would interact with the SSL vendors API. We can create another resource type and script to work with the load balancers API to install certs if they are needed there. Of course they could be directly installed on the server through HEAT if they were not needed in a load balancer. Additionally we could create another resource for generating self-signed certs for internal use.