There’s the “Keep certificate lifetimes short to align with Vault’s philosophy of short-lived secrets.”
To this end, can I get some clarification on the best approach for distributing certificates, as the article falls a bit short on approaches for this?
I.e., in the given example we generate a 24h certificate.
Let’s take nginx as a sample; the server will source its certificates from /etc/ssl.
What is the mechanism that should be distributing these certificates? I.e.:
- Is there some part within the base OS or the nginx daemon that would be requesting these certificates?
- Should another process on the target machine be requesting the certificates, i.e. by using a token that has enough privileges to request from the vault?
- Is this something that’s usually handled with Terraform?
- Should an orchestrator such as Chef automation, or a build runner on TeamCity, be doing the job of updating the certificates each day?
I assume in the last scenario we’d use AppRole to deploy?
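As an added illustration (not part of the original post or of the article it refers to) of the second option asked about above, a separate process on the target machine authenticating with AppRole and writing the 24h certificate into /etc/ssl, here is a Vault Agent configuration; the Vault address, the AppRole and PKI mount paths, the role name `nginx`, the hostname and the file paths are all assumptions.

```hcl
# Vault Agent configuration (constructed example; addresses, paths and names are assumptions)
vault {
  address = "https://vault.example.com:8200"
}

# The agent logs in with AppRole and keeps its own token renewed; nginx itself never
# talks to Vault and only needs read access to the rendered files under /etc/ssl.
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # keep the secret_id on disk so the agent can re-authenticate after a restart
      remove_secret_id_file_after_reading = false
    }
  }
}

# Certificate chain: the agent issues a 24h certificate from the PKI role and re-renders
# the file before it expires, so nothing outside the host has to push daily updates.
template {
  contents = <<EOT
{{- with secret "pki/issue/nginx" "common_name=web.example.com" "ttl=24h" -}}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{- end }}
EOT
  destination = "/etc/ssl/nginx/fullchain.pem"
  perms       = "0644"
}

# Private key: same request arguments as above, so the agent serves both templates from
# the one issued certificate and the key matches the chain; the reload runs after rendering.
template {
  contents = <<EOT
{{- with secret "pki/issue/nginx" "common_name=web.example.com" "ttl=24h" -}}
{{ .Data.private_key }}
{{- end }}
EOT
  destination = "/etc/ssl/nginx/privkey.pem"
  perms       = "0600"
  command     = "systemctl reload nginx"
}
```

The AppRole policy attached to this agent only needs `create`/`update` on `pki/issue/nginx`, so a compromised host can mint certificates for the names the PKI role allows and nothing else.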