Meet Bullion, An ACMEv2 Certificate Authority

I’m a huge fan of Let’s Encrypt and what they’ve done to secure the Internet. They’ve made safe communication free and open. Through their ACME protocol (and subsequent ACMEv2 protocol), they have change PKI and the way we look at automating certificate provisioning for good. All that said, Let’s Encrypt only really helps for public-facing services; for internal domains and services, I want a solution that doesn’t require creating public records. I also don’t want to reinvent all the tooling; I want to be able to use ACMEv2 (through things like cert-manager on Kubernetes or certbot for EC2). Enter Bullion, an unassuming Ruby ACMEv2 Certificate Authority built specifically for internal domains.

I’m still working on it but I’m excited to share a little bit about it. I was inspired to write Bullion by how much I’ve enjoyed using cert-manager at work on our Kubernetes clusters. After I dove into the ACMEv2 protocol there, I decided to write my own, open-source ACMEv2 certificate authority and focus on making it easy to use and painless to maintain. I still need to figure out some of the rspec testing, since, while I’m using the venerable acme-client library, I have to use it out-of-band rather than directly via rack-test like I’d prefer.

I still need to write the formal install/usage examples in the GitHub README. The gist of it is: attach a cert (and key) to the container running jgnagy/bullion:latest and point Bullion at a DB via the DATABASE_URL environment variable. I cover the rest of the configuration options here. Bullion works best with MariaDB/MySQL, or with SQLite3 for testing. Running it in Docker/Kubernetes with security best-practices is also a breeze.

If you have a private network and want automated SSL, check it out and let me know what you think!

Leave a Reply