How to Automate Certificates Across your Avi Vantage (VMware) Deployment

If you’re a network engineer, downtime is enemy number one. Keeping up with change requests, troubleshooting issues, and implementing new hardware is hard work, but all of that gets derailed when a service outage strikes.

There are many possible culprits behind network and application outages, but one of the most painful (and avoidable) is expired or misconfigured TLS certificates used across your web servers and load balancers, such as Avi Vantage.

In a recent webinar, we covered how Keyfactor integrates with Avi Vantage (now VMware NSX ALB) to prevent outages and simplify day-to-day operations for network engineers. Here we’ll discuss highlights from the webinar and why this integration is important to our customers.

But before we dive into the integration, it’s important to first understand the problems network and application teams face when it comes to SSL/TLS certificates in their Avi deployment, and how they can benefit from the integration with Keyfactor.

If you’ve deployed Avi Controllers or any other network device, you know the importance of enforcing HTTPS encryption to secure applications and backend connections. It goes without saying that availability and security are top priorities for application delivery. However, manual and error-prone SSL/TLS certificate processes can quickly slow down teams and introduce several risks.

While Avi Vantage provides some level of visibility into certificates, the process to install, configure, and renew them is still very manual and often misunderstood. The reality is that many application and operations teams still struggle with the question, “where do I even get a certificate?” Not to mention how to properly deploy and renew them before they expire.

When you consider all the time it takes to submit a CSR, wait for approval, retrieve that certificate, and then another 10 to 15 minutes just to install and configure each certificate on Avi Controllers, it adds up quickly. Teams can spend hours doing something that should really take just a few minutes to do.

So, what happens? They hit the easy button…

Traditionally, organizations use certificates signed by either a publicly-trusted or internal private Certificate Authority (CA). On the other hand, self-signed certificates won’t work for every use case, but they are trivially easy to generate, which makes them a fan-favorite for network and application teams. However, they also introduce several risks and challenges.

Compared to certificates signed by CAs, the chain of trust for a self-signed certificate starts and ends with the user that generated it. It’s all too easy for users to generate a certificate key pair with poor entropy, to fail to protect the private key appropriately, or to issue certificates with a lifespan well beyond acceptable validity periods (we’ve seen anywhere from 10-99 year certificates).

The biggest problem is the task of tracking self-signed certificates becomes a royal pain for the PKI or security team. When you have dozens of users generating their own certificates using different servers and network devices (including Avi Controllers), each with a different interface, it becomes a lot harder to maintain visibility and governance.

Another shortcut that users often take to avoid more manual work is to use wildcard certificates. They avoid the hassle of managing multiple certificates across multiple servers in their environment by leveraging just a single wildcard certificate across multiple subdomains. Easy, right?

Without proper visibility into all the locations where the certificate is installed, and without strict protection of the associated private key, wildcard certificates create a single point of failure that can be extremely difficult to fix if something goes wrong.

For example, Epic Games recently experienced a widespread outage due to an expired wildcard certificate that took more than five hours to remediate. In a post-mortem review of the incident, they said that “the service-to-service wildcard certificate was installed across hundreds of different production services, and because of this, the impact was very broad.”

Bottom line: the use of self-signed and wildcard certificates should be limited. In most cases, they’re a shortcut, not a solution to the problem. So, what’s the answer? One word – automation.

Automating the provisioning and renewal of certificates across your network is needed to prevent application owners from hitting that easy button, to mitigate the risk of error or misconfiguration, and reduce time spent on redundant tasks.

As a result, network engineers can trade shortcuts for automated workflows that allow them to easily obtain and deploy trusted certificates, rather than opting for risky alternatives.

Keyfactor Command enables the discovery and automation of certificates on your Avi Controllers in addition to web servers and network devices such as F5, NGINX, IIS, Tomcat, and the list goes on. The platform acts as a trusted proxy between your network and cloud infrastructure and your public and private certificate authorities (CAs) to deliver:

• Certificate visibility: Maintain a centralized and real-time inventory of all application and controller certificates. Identify and remediate weak, rogue or near-expired certificates.
• Self-service: Enable application owners to easily request certificates from any connected public or private CA via a simple self-service interface or REST APIs.
• Automation: In addition to providing alerts on expiration, the solution provides the ability to automatically renew, push and install certificates on Avi Controllers.

• Scalability: Scale the use of HTTPS across your Avi Controllers and other network and server infrastructure without increasing the workload on your teams.
• Crypto-Agility: Support seamless re-issuance of certificates from a new CA, migration to shorter-lived certificates, or migration from one ADC provider to another.

Let’s break down how the joint solution works. In this quick demo snippet, we’ll show just how easy it is to generate problematic self-signed certificates in Avi, and how the Keyfactor provides a much safer and easier alternative (scroll down to find the full demo).

Want to learn more about this integration? Watch the full 30-minute overview and live demo here. You can also check out other popular integrations such as F5, IIS, HashiCorp Vault, and others in the Keyfactor integration hub.