The Remote Key Server is a solution to manage TLS private keys and certificates in a distributed system.
Distribution of sensitive material, especially private keys, requires to take care of the access, the storage, and the duration of the storage of this secrets on server nodes.
In the context of a Content Delivery Network, HTTPS traffic requires to handle multiple content providers certificates and private_keys and distribute them across all the CDN nodes. This leads to difficult challenges over the secret managements and particularly security concerns with nodes storing every secret locally for an indefinite amount of time.
The RKS proposes a simple model to:
- secure secret distribution by limiting secret access to registered nodes only,
- limit secret storage duration on a node to a configurable time to live,
- ease secret management by providing a single configuration endpoint via API,
- add crisis management solution to cut access to the RKS to specific nodes or an entire CDN in case of emergency.
The RKS is based on the Hashicorp Vault Open Source Software and provides an API on top of Vault’s.
For more information go to Remote Kay Server on GitHub (published under Mozilla Public License 2.0).