PKI management

Netflix open-sources Lemur, their certificate management framework

Natali Vlatko

Punters are gradually getting comfortable with the idea that Netflix is behind some exciting open source projects, including their latest for SSL/TLS enabled applications, Lemur. The certificate management framework aims to tackle PKI infrastructure better.

Known for its diverse library of in-house created tools, Netflix have recently open-sourced their certificate management framework known as Lemur. Kevin Glisson, Jason Chan and Ben Hagen made the announcement this week on the Netflix Tech Blog in an attempt to address the challenges of Public Key Infrastructure (PKI).

It’s no secret that PKI management can be tricky and confusing, and the Netflix team aim to address the three most crucial components of the infrastructure:

  1. Public Certificate – A cryptographic document that proves the ownership of a public key, which can be used for signing, proving identity or encrypting data.
  2. Private Key – A cryptographic document that is used to decrypt data encrypted by a public key.
  3. Certificate Authorities (CAs) – Third-party or internal services that validate those they do business with. They provide confirmation that a client is talking to the server it thinks it is. Their public certificates are loaded into major operating systems and provide a basis of trust for others to build on.

Creating the necessary certificates without experience may impact a system’s availability in a number of ways. Being unaware of certificate expiry, losing private keys and so breaching confidentiality, and undermining the security of PKI through poor tool usability are just some of the ways that PKI can be a “confusing and painful experience”.

With Lemur, Netflix aims to make sure that their developers continue to take full responsibility for their entire application environment. Thanks to their ongoing move to HTTPS-land, Netflix uses Lemur as a broker between certificate authorities and internal deployment and management tools.

The introduction of Lemur for Netflix decreases the possibility of developers being privy to sensitive key material, amps up notifications regarding certificates and provides a one-stop shop for managing all aspects of the certificate lifecycle.

Security engineers can leverage Lemur to act as a broker between deployment systems and certificate authorities. It provides a unified view of, and tracks, all certificates in an environment, regardless of where they were issued.

Other benefits of the new software and workflow include a common API for internal users and keys being generated with the required strength properties. An added bonus is that developers no longer need to know OpenSSL commands, which could be seen as good and bad.

Architecture and limitations

Whilst Lemur is able to issue a healthy number of certificates, some are issued elsewhere, such as when a third party hosts a marketing site or a payment provider generates certificates for secure communication with its service. These cases can be handled via Lemur’s source plugins and the ability to import certificates.

As for architecture, Lemur uses Python 2.7 and 3.4 with a Flask API (including a number of helper packages), an AngularJS UI and Postgres, and also allows optional use of AWS Simple Email Service (SES). It’s interesting to note, however, that the software itself isn’t bound to AWS.

More information about its architecture and configuration can be found in the documentation made available with the release.
