I'm looking for advice on automating TLS certificate renewals for PeopleSoft Campus Solutions and related applications. We handle the operating systems and manage the TLS setup, while our customers run the applications themselves using Java/Oracle keystores/wallets. With TLS certificate lifetimes getting shorter, we're aiming to find efficient ways to manage renewals.
We've already automated some of our own systems using certbot and can leverage ACME or vendor APIs for that part. However, we're unsure about tools available for the keystore/wallet automation from our customers' side. The TLS part can be a bit complex since some components like our load balancer and certain web servers currently handle it directly, but there's a need for good security practices across the board. Furthermore, we also have network equipment that lacks automation, leading to a pickup/dropoff service for certificates. I'm reaching out for ideas that could help our customers automate their side without diving too deeply into their application layers. Thanks!
4 Answers
Just in case you have any additional obstacles with the TLS setup, consider using a service that automates the keystore updates specifically. Some solutions exist that allow for automated cert renewals and import directly to Java keystores, minimizing manual work and helping keep everything secure.
If your customers are open to it, employing a central proxy like NGINX not only helps manage TLS more easily but can also consolidate SSL cert management. It can make the whole process simpler, ensuring that all your services get updated SSL certificates from one location.
If you're working with Windows at the OS level, you might want to check out Certify The Web for command line tools that can help automate the import and replacement of certificates. Just keep in mind this only applies if you're dealing with Windows environments.
That approach won't be effective for Java keystores, though.
I should clarify that we’re currently on AIX and plan to migrate to RHEL, both of which utilize Java keystores.
Based on your mention of Java keystores, I have experience with a similar setup. To simplify things, we disabled HTTPS for our Java apps and switched to HTTP, then implemented an NGINX proxy to manage SSL. This setup routes HTTP traffic through the proxy which can handle cert updates using tools like certbot or win-acme. We also set up a DNS CNAME that points to the proxy, allowing us to update certificates easily without changing IPs. It's a centralized approach to managing all SSL certs and makes updates much smoother!
Totally! This can also enhance the flexibility of updating proxy users just by tweaking the DNS record, which is smart.