Inhaltsverzeichnis

Automation

Priority 1 - Reduces manual work and errors
Target audience: DevOps, Platform Teams

Guides for automating certificate operations in a PQ-enabled PKI.

Overview

flowchart TB subgraph TRIGGER["TRIGGER"] T1[Scheduled] T2[Event-based] T3[API Request] end subgraph PROCESS["AUTOMATION"] P1[ACME Client] P2[CI/CD Pipeline] P3[Cert-Manager] P4[Scheduled Job] end subgraph OUTPUT["RESULT"] O1[Certificate deployed] O2[Secrets rotated] O3[CRL updated] end T1 --> P4 --> O2 T2 --> P3 --> O1 T3 --> P1 --> O1 T3 --> P2 --> O1 style P1 fill:#fff3e0 style P2 fill:#e8f5e9 style P3 fill:#e3f2fd

Scenarios

Scenario Description Complexity Use Case
ACME Integration Let's Encrypt / ACME protocol with PQ Medium Web servers, APIs
CI/CD Code Signing Automatic signing in pipelines High Software releases
Kubernetes Cert-Manager Automate certificates in Kubernetes High Cloud-native apps
Scheduled Renewal Automatic certificate renewal Low All servers

Decision Tree

flowchart TD A[New certificate needed] --> B{Environment?} B -->|Kubernetes| C[Cert-Manager] B -->|Classic servers| D{Internet-facing?} B -->|CI/CD Pipeline| E[Pipeline Signing] D -->|Yes| F[ACME/Let's Encrypt] D -->|No| G[Scheduled Renewal] C --> H[cert-manager.io + Issuer] F --> I[Certbot + Hook] G --> J[Cron + Script] E --> K[Sigstore/HSM] style C fill:#e3f2fd style F fill:#e8f5e9 style G fill:#fff3e0 style E fill:#fce4ec

Prerequisites

Component Version Purpose
———–——————
OpenSSL 3.6+ PQ algorithms
Certbot 2.0+ ACME client
cert-manager 1.12+ Kubernetes
HashiCorp Vault 1.15+ Secrets management

Quick Start

1. Simplest Automation (Cron + Script): 

# /etc/cron.weekly/cert-renew
#!/bin/bash
/usr/local/bin/renew-certificates.sh >> /var/log/cert-renew.log 2>&1

→ Details: Scheduled Renewal

2. ACME for public web servers: 

# Certbot with DNS challenge
certbot certonly --dns-cloudflare -d example.com --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

→ Details: ACME Integration

3. Kubernetes Cert-Manager: 

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-tls
spec:
  secretName: my-app-tls
  issuerRef:
    name: pq-issuer
    kind: ClusterIssuer
  dnsNames:
    - app.example.com

→ Details: Cert-Manager

« <- Operator Scenarios | -> ACME Integration »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

, , , ,