by nimbius 3167 days ago
Does anyone know if ephemeral/automated cert issuing and renewal exists as an open source project yet? Most of this is Netflix internal, but I feel like letsencrypt has made short lived certs an inevitability.
4 comments

Somewhat related: Vault has a PKI backend that can help facilitate this. You'll need to create some tooling around it, but we've had great success rolling it out at my company.

https://vaultproject.io
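The "tooling around it" that the comment above mentions is mostly the renewal loop: a PKI backend such as Vault's pki mount will sign a short-lived cert, but deciding when to re-issue, backdating NotBefore for clock skew, and keeping the leaf key on the requesting side is your code. The example below is added here and is not Vault's code or anything from the thread; it uses only the Go standard library, with a hypothetical in-process `Issuer` type standing in for the backend, and the names `svc.internal`, `example-internal-ca`, `NeedsRenewal` and `Verify` are assumptions for the demo. A two-thirds-of-lifetime renewal threshold is used because it leaves a third of the lifetime for retries if the backend is down.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer stands in for a PKI backend such as a Vault pki mount (hypothetical type, written for this example).
type Issuer struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	serial int64
}

// NewIssuer creates a self-signed CA valid for caTTL starting at now.
func NewIssuer(now time.Time, caTTL time.Duration) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-internal-ca"},
		NotBefore:             now,
		NotAfter:              now.Add(caTTL),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{caCert: cert, caKey: key, serial: 1}, nil
}

// Issue signs a leaf for dnsName expiring ttl after now; the leaf key is generated caller-side and never leaves it.
func (i *Issuer) Issue(dnsName string, now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	i.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(i.serial),
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Minute), // small backdate absorbs clock skew between issuer and clients
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.caCert, &key.PublicKey, i.caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// NeedsRenewal is true once renewAt (0..1) of the cert's lifetime has elapsed, so a loop re-issues well before expiry.
func NeedsRenewal(c *x509.Certificate, now time.Time, renewAt float64) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	return float64(now.Sub(c.NotBefore)) >= renewAt*float64(lifetime)
}

// Verify checks a leaf against the CA at the given time, as a TLS client would.
func (i *Issuer) Verify(c *x509.Certificate, dnsName string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(i.caCert)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName, CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	iss, err := NewIssuer(now, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	leaf, _, err := iss.Issue("svc.internal", now, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	later := now.Add(17 * time.Hour) // 17/24 is past two thirds, so the policy says renew
	fmt.Println("renew:", NeedsRenewal(leaf, later, 2.0/3.0), "valid:", iss.Verify(leaf, "svc.internal", later) == nil)
}
```

With a real backend, `Issue` becomes an API call that ships only the CSR or public key; the rest of the loop (threshold check, backdated NotBefore, verification against the CA pool before swapping the cert into the listener) stays the same.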

LetsEncrypt provides two reference implementations of an ACME server: Pebble[0] (not production ready) and Boulder[1].

[0]: https://github.com/letsencrypt/pebble

[1]: https://github.com/letsencrypt/boulder

It's part of the Credhub vision to do so[0] (supporting "The 3 Rs", being rotate, repair, repave[1]). Pivotal has been sponsoring development.

I was on the Credhub team for a while. When you begin to assume that you have (1) an always-on credentials service and (2) that it can serve multiple sides of credentialling (e.g., service broker adds a credential, application fetches it), you get to do more aggressive cred management.

I was on the Credhub team for about 6 months, while it was being worked on both US coasts. It's now based in NYC.

[0] https://github.com/cloudfoundry-incubator/credhub/tree/maste...

[1] https://builttoadapt.io/the-three-r-s-of-enterprise-security...