I would like to know what is the best way to protect SSL keys and certificates for web applications. I am using a roles / profiles template. Here is the scenario:
- I have a web application. There is a Puppet module that installs the application. This module also installs the SSL keys and certificates required to run it. These files are transferred in the same repository (which is unsafe) in the application / file directory, and then placed in the right places using the type file.
- There is a profile manifest that integrates the stack for this application - installing and configuring apache, installing and configuring memcached, installing php and configuring the application using the above module.
Now SSL keys and certificates are verified in the same repo and this is probably not the best way to do this. I am considering using the hiera-eyaml module and then an encrypted version of these certificates and keys in the hiera file.
I'm just wondering if most people do this. Or are there better ways to handle this?