Managing internal PKI system at scale with Anchor

Presented by Stan Pitucha
Friday 11:35 a.m.–12:20 p.m.
Target audience: Business


Managing Public Key Infrastructure for internal systems is hard. Manual approvals, revocation lists, and renewals are all more complicated than they should be.

I'd like to show the Anchor project created by HPE security to simplify the process for issuing certificates to services and systems. It's very different from the usual enterprise solutions and close to what Let's Encrypt has started recently. The main reasons behind creating Anchor were:

  • revocation as it exists on the internet today doesn't really work
  • certificate expiry / renewal is hard to manage and often forgotten
  • existing PKI systems are huge and complicated
  • OpenStack deployments needed TLS on every service without depending on a big PKI system
  • it provides configurable validation/authentication of requests without involving users

I'll explain how Anchor solves those and other issues.

Anchor is currently used in HP's Helion OpenStack project and is one of the official OpenStack security projects. It supports standard X.509 and simple CMC requests. It also integrates easily with common authentication backends (local, Keystone, LDAP) and can sign certificates either locally or via a PKCS#11 interface (this includes keyrings, hardware security modules, etc.).

Stan is a security engineer at HPE working on OpenStack-related projects. He has past experience in many positions and projects, from microcontrollers to internet telephony to web development and service administration.

At HPE, he's working on security tools needed to deploy and manage hypervisor environments.

©2016 Linux Australia and 2017. Linux is a registered trademark of Linus Torvalds.