Automating Crypto Deployment with DPBuddy

May 24, 2020 | Posted in certificates,DataPower,dpbuddy

DPBuddy 3.5 supports fully automated deployment of X.509 certificates and keys with the following capabilities:

  • Deployment from standalone files in various formats (PEM, DER, PKCS8, etc.), encrypted and unencrypted.
  • Deployment from Java keystores/truststores in various formats (JKS, PKCS12, etc.). You can specify a list of aliases to deploy only a subset of the certs/keys in a keystore.
  • Deployment directly from TLS endpoints to DataPower.
  • Automatic deployment of issuer/CA certs. DPBuddy can also download the issuer from the certificate's AIA (Authority Information Access) extension if it is present; certs issued by publicly trusted CAs normally carry that extension.
  • Auditing of all changes to crypto objects directly on DataPower. You can see who changed what, and when, using DPBuddy's crypto reporting task.
  • Keystores and key passwords can be stored encrypted in DPBuddy's conf file or provided directly on the command line.
  • Deployment is automatically validated to make sure all crypto objects and password aliases are up.

We've also developed a framework for integrating with your Key Management System of choice, such as HashiCorp Vault or AWS Key Management Service.

DPBuddy copies key/cert files to DataPower (as PEM files) and creates the DataPower crypto objects. The object names are derived either from the filenames or from the names (aliases) in the keystore.

DPBuddy automatically determines if the source is a key or a cert and creates the crypto objects of the appropriate type.

All certs are de-duplicated to make sure that each unique cert is deployed only once. This comes in handy when, for example, the same CA cert appears in multiple keystores or files.

If a cert/key is password-protected, the password alias object is automatically created on DataPower with the same password.
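To make the classification and de-duplication steps concrete, here is an added Python example (not DPBuddy's own code) that walks a set of PEM sources, tells certificates apart from private keys by their PEM label, derives object names from the filenames, and skips any certificate whose SHA-256 fingerprint of the DER encoding has already been seen, so the same CA cert with different line wrapping or surrounding openssl "Bag Attributes" text still counts as one. The PEM bodies are constructed placeholder bytes, not real certificates or keys; the file names, the naming scheme for a second block in the same file, and the decision not to de-duplicate keys are assumptions for the illustration.

```python
"""Added example (not DPBuddy code): classify PEM blocks as cert or key and
de-duplicate certificates by the SHA-256 fingerprint of their DER bytes.
PEM bodies below are constructed placeholders, not real X.509 data."""
import base64
import hashlib
import re

# One regex for any PEM block: captures the label and the base64 body.
# re.S lets the body span lines; \1 forces the END label to match BEGIN.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Yield (kind, label, der_bytes) for every PEM block in text.
    kind is 'cert', 'key' or 'other'. Line wrapping and surrounding text
    (e.g. 'Bag Attributes' emitted by openssl pkcs12) are ignored."""
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if label == "CERTIFICATE":
            kind = "cert"
        elif label in KEY_LABELS:
            kind = "key"
        else:
            kind = "other"
        yield kind, label, der


def fingerprint(der):
    """Dedup key: fingerprint of the DER bytes, independent of PEM formatting."""
    return hashlib.sha256(der).hexdigest()


def plan_deployment(sources):
    """sources: dict of file name -> PEM text, in deployment order.
    Returns a list of (object_name, kind, fingerprint). A cert whose
    fingerprint was already seen is skipped. Keys are passed through
    unchanged (assumption: each key pair gets its own object)."""
    seen = set()
    plan = []
    for name, text in sources.items():
        stem = name.rsplit(".", 1)[0]  # object name from filename
        for i, (kind, label, der) in enumerate(parse_pem(text)):
            fp = fingerprint(der)
            if kind == "cert":
                if fp in seen:
                    continue
                seen.add(fp)
            obj = stem if i == 0 else f"{stem}-{i}"  # assumed naming for extra blocks
            plan.append((obj, kind, fp))
    return plan


def _pem(label, raw, width=64):
    """Wrap raw bytes as a PEM block with the given line width."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed placeholders: distinct byte strings standing in for DER.
CA_DER = b"\x30\x82placeholder-ca-cert" * 4
LEAF_DER = b"\x30\x82placeholder-leaf-cert" * 4
KEY_DER = b"\x30\x82placeholder-key" * 4

SAMPLE_FILES = {
    "myarch.pem": _pem("CERTIFICATE", LEAF_DER) + _pem("CERTIFICATE", CA_DER),
    # Same CA cert again, but wrapped at 76 columns and preceded by openssl text.
    "ca-root.cer": "Bag Attributes\n    friendlyName: root\n" + _pem("CERTIFICATE", CA_DER, width=76),
    "myarch.key": _pem("RSA PRIVATE KEY", KEY_DER),
}

if __name__ == "__main__":
    for obj, kind, fp in plan_deployment(SAMPLE_FILES):
        print(f"{kind:4} {obj:10} {fp[:16]}...")
```

Run as a script it prints three objects: the leaf cert and CA cert from myarch.pem and the key from myarch.key; the copy of the CA cert in ca-root.cer is dropped because its fingerprint matches.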

Here are some examples.

Deploy certs and keys from various stand-alone files:

dpbuddy deployCrypto -dir crypto_files -includes "*.pem *.cer *.key *.pkcs8" -excludes "myarch.pem" -passwords "self_signed:changeit"

Deploy certs and keys from the keystore:

dpbuddy deployCrypto -file crypto_files/test_keystore.jks -ksNames "local-app, keypair-1" -passwords "test_keystore:changeit,keypair-1:changeit"

Deploy directly from an endpoint (including the issuer/CA certs)

dpbuddy deployCrypto -endpoint myarch.com

Deploy only the certs (and their issuers) that match a certain domain name (e.g., "myarch.com") in the CN or in the subject alternative names extension:

dpbuddy deployCrypto -subjects myarch.com -dir crypto_files -includes "*.pem test_keystore.*" -passwords "${crypto.passwd}" -keys false

The "${crypto.passwd}" variable refers to the following line in dpbuddy.conf, where the passwords are stored encrypted:
crypto.passwd: "test_keystore:ENC{+MmRqtwXqYFpbpk9r3NTfrxMXR9m21xT}, keypair-1:ENC{+MmRqtwXqYFpbpk9r3NTfrxMXR9m21xT}"

More details are available in the documentation.

If you're interested in fully automating your certificate and key management, please let us know.