This could be a basic question as I'm new to this area. I have an Apache web server which load balances to a set of servers to provide a web site. The Apache server has SSL enabled and we terminate TLS at the load balancer level. The TLS certificates live in the Apache servers' local storage. Now our target is to use some key management solution to store the TLS certificates and private keys. We chose HashiCorp Vault since it's open source. Following is our mechanism to achieve this. I wanted to know whether the methods mentioned below have any security concerns or issues that I need to be aware of and research more.
- Use the Vault PKI engine to store certificates and configure the CA so that Vault can get new certificates (automate getting TLS certificates from the CA)
- Define a TTL for certificates
- Use the Vault client to get a certificate onto the Apache web server machine's local storage
- Use the retrieved certificate on the Apache web server
I could not find any other solution besides this. Regarding the cost of new certificates, I do not expect the TTL for certificates to change from the current values (maybe 1 or 2 years; I do not know the exact time). With the Vault introduction we only get automation of the certificate request process and ease of revoking the validity of a certificate. This does not seem enough of a benefit to move to Vault given we need to run at least 5 Vault servers to achieve HA. Am I not using Vault correctly here?
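As an added example (not from the question, and not Vault's own tooling) of what the "get a certificate onto the Apache host" and TTL steps look like in code: it takes a constructed `pki/issue/<role>` response body, installs the leaf+chain and the private key with restrictive file modes, and decides when to renew ahead of the TTL. The PEM bodies, serial number and destination directory are placeholders/assumptions.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed sample of a Vault `pki/issue/<role>` response body (field names as
# Vault returns them; the PEM bodies and serial are placeholders, not real material).
SAMPLE_ISSUE_RESPONSE = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----"],
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----",
    "serial_number": "39:dd:2e:90:b7:23:cc:8d:a3:1e:2f:03:3d:c1:69:a6:2f:0d:4c:6a",  # constructed
    "expiration": 1700000000,  # unix time at which the issued cert expires (its TTL)
}})

def install_issued_cert(response_json: str, dest_dir: str) -> dict:
    """Write leaf+chain and private key from a pki/issue response into dest_dir
    so Apache can point SSLCertificateFile / SSLCertificateKeyFile at them."""
    data = json.loads(response_json)["data"]
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    fullchain = dest / "fullchain.pem"
    key = dest / "privkey.pem"
    # Leaf certificate first, then the CA chain, in the order Apache expects.
    fullchain.write_text(data["certificate"] + "\n" + "\n".join(data["ca_chain"]) + "\n")
    os.chmod(fullchain, 0o644)
    # Create the key file as 0600 before any bytes land in it: only the account
    # that starts Apache should ever be able to read it. (Using `pki/sign` with a
    # CSR generated on this host keeps the private key off the wire entirely.)
    fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data["private_key"] + "\n")
    os.chmod(key, 0o600)  # in case the file pre-existed with looser permissions
    return {"fullchain": str(fullchain), "key": str(key),
            "key_mode": os.stat(key).st_mode & 0o777,
            "chain_len": 1 + len(data["ca_chain"]),
            "serial": data["serial_number"], "expiration": data["expiration"]}

def renewal_due(issued_at: int, expiration: int, now: int, fraction: float = 2 / 3) -> bool:
    """True once `fraction` of the certificate lifetime has elapsed, leaving a
    window to retry the Vault request before the TTL actually runs out."""
    return now >= issued_at + int((expiration - issued_at) * fraction)

def demo() -> dict:
    # Assumed destination; a real deployment would use Apache's certificate directory.
    return install_issued_cert(SAMPLE_ISSUE_RESPONSE, tempfile.mkdtemp(prefix="vault-pki-"))
```

A cron or systemd timer calling `renewal_due` with the stored `expiration` and then re-running the fetch is what turns the TTL into actual rotation rather than an outage.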