Automation
Priority 1 - Reduces manual work and errors
Target audience: DevOps, Platform Teams
Guides for automating certificate operations in a PQ-enabled PKI.
Overview
```mermaid
flowchart TB
subgraph TRIGGER["TRIGGER"]
T1[Scheduled]
T2[Event-based]
T3[API Request]
end
subgraph PROCESS["AUTOMATION"]
P1[ACME Client]
P2[CI/CD Pipeline]
P3[Cert-Manager]
P4[Scheduled Job]
end
subgraph OUTPUT["RESULT"]
O1[Certificate deployed]
O2[Secrets rotated]
O3[CRL updated]
end
T1 --> P4 --> O2
T2 --> P3 --> O1
T3 --> P1 --> O1
T3 --> P2 --> O1
style P1 fill:#fff3e0
style P2 fill:#e8f5e9
style P3 fill:#e3f2fd
```
Scenarios
| Scenario | Description | Complexity | Use Case |
|---|---|---|---|
| ACME Integration | Let's Encrypt / ACME protocol with PQ | Medium | Web servers, APIs |
| CI/CD Code Signing | Automatic signing in pipelines | High | Software releases |
| Kubernetes Cert-Manager | Automate certificates in Kubernetes | High | Cloud-native apps |
| Scheduled Renewal | Automatic certificate renewal | Low | All servers |
Decision Tree
```mermaid
flowchart TD
A[New certificate needed] --> B{Environment?}
B -->|Kubernetes| C[Cert-Manager]
B -->|Classic servers| D{Internet-facing?}
B -->|CI/CD Pipeline| E[Pipeline Signing]
D -->|Yes| F[ACME/Let's Encrypt]
D -->|No| G[Scheduled Renewal]
C --> H[cert-manager.io + Issuer]
F --> I[Certbot + Hook]
G --> J[Cron + Script]
E --> K[Sigstore/HSM]
style C fill:#e3f2fd
style F fill:#e8f5e9
style G fill:#fff3e0
style E fill:#fce4ec
```
Prerequisites
| Component | Version | Purpose |
|---|---|---|
| OpenSSL | 3.6+ | PQ algorithms |
| Certbot | 2.0+ | ACME client |
| cert-manager | 1.12+ | Kubernetes |
| HashiCorp Vault | 1.15+ | Secrets management |
Quick Start
1. Simplest Automation (Cron + Script):
```bash
#!/bin/bash
# /etc/cron.weekly/cert-renew  (must be executable: chmod 755)
# The shebang has to be the first line, otherwise cron runs the file with /bin/sh.
/usr/local/bin/renew-certificates.sh >> /var/log/cert-renew.log 2>&1
```
→ Details: Scheduled Renewal
2. ACME for public web servers:
```bash
# Certbot with DNS challenge
certbot certonly --dns-cloudflare -d example.com \
  --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
```
→ Details: ACME Integration
3. Kubernetes Cert-Manager:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-app-tls
spec:
  secretName: my-app-tls
  issuerRef:
    name: pq-issuer
    kind: ClusterIssuer
  dnsNames:
    - app.example.com
```
→ Details: Cert-Manager
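The cron entry in step 1 only schedules a script; what that script has to do is decide which certificates are close enough to expiry to renew and log the outcome so the monitoring page has something to watch. The following is an added example of such a renewal job, not code from this wiki or from any of the tools it lists. It parses the `notAfter=` line that `openssl x509 -noout -enddate` prints, compares it against a renewal threshold, and hands the due certificates to a renewal command. The 30-day threshold, the `/usr/local/bin/pq-renew-cert` command, and the sample inventory are assumptions; a real job would build the inventory by running `read_not_after` over the certificate files on the host.

```python
"""Scheduled certificate renewal job (added example, not part of the wiki).

The inventory below is constructed and the renewal command is a placeholder;
replace both with the certificate paths and CA/ACME client used in your PKI.
"""
import subprocess
import sys
from datetime import datetime, timezone

# Renew when fewer than this many days remain (assumed policy value).
RENEW_THRESHOLD_DAYS = 30

# Placeholder renewal command (assumption); the real one depends on the CA client.
RENEW_COMMAND = ["/usr/local/bin/pq-renew-cert", "--name"]


def parse_not_after(line):
    """Parse a 'notAfter=Jan 30 01:19:00 2026 GMT' line as printed by
    `openssl x509 -noout -enddate` into a timezone-aware UTC datetime."""
    if not line.startswith("notAfter="):
        raise ValueError("unexpected enddate line: %r" % line)
    # openssl pads single-digit days with a space ("Jan  5 ..."); normalise it.
    stamp = " ".join(line[len("notAfter="):].split())
    naive = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def read_not_after(cert_path):
    """Production path: ask openssl for the certificate's notAfter date."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True).stdout
    return parse_not_after(out.strip())


def plan_renewals(inventory, now, threshold_days=RENEW_THRESHOLD_DAYS):
    """inventory: {name: 'notAfter=...'} -> list of (name, days_left) for every
    certificate under the threshold, soonest expiry first (expired ones lead)."""
    due = []
    for name, line in inventory.items():
        left = days_remaining(parse_not_after(line), now)
        if left < threshold_days:
            due.append((name, left))
    due.sort(key=lambda item: item[1])
    return due


def run_job(inventory, now, dry_run=True, log=sys.stdout):
    """Log every due certificate, renew it unless dry_run, return the count."""
    due = plan_renewals(inventory, now)
    for name, left in due:
        status = "EXPIRED" if left < 0 else "%d days left" % left
        print("%s renew %s (%s)" % (now.isoformat(), name, status), file=log)
        if not dry_run:
            subprocess.run(RENEW_COMMAND + [name], check=True)
    print("%s checked %d certificates, %d due for renewal"
          % (now.isoformat(), len(inventory), len(due)), file=log)
    return len(due)


# Constructed sample: what `openssl x509 -noout -enddate` would print for three certs.
SAMPLE_INVENTORY = {
    "web01.example.com": "notAfter=Jan 30 01:19:00 2026 GMT",   # 14 days left
    "api.example.com": "notAfter=Dec 31 23:59:59 2026 GMT",     # fine
    "legacy.example.com": "notAfter=Jan  5 12:00:00 2026 GMT",  # already expired
}
SAMPLE_NOW = datetime(2026, 1, 15, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Dry run by default; pass --apply to actually invoke the renewal command.
    run_job(SAMPLE_INVENTORY, SAMPLE_NOW, dry_run="--apply" not in sys.argv)
```

Expired certificates sort first so that an outage is handled before a near-expiry, and the job defaults to a dry run so the cron entry can be tested from the log file before `--apply` is wired in.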
Related Documentation
- Daily Operations - Manual operations
- Monitoring - Automation monitoring
- Integration - API integration
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 2026/01/30 at 01:19 AM