Airbnb has announced that it is open sourcing Ottr, a serverless public key infrastructure (PKI) framework developed in-house. Ottr handles end-to-end certificate rotations without the use of an agent. Its primary design goal is a scalable and configurable serverless framework on AWS with little operational overhead and little reliance on enrollment protocols.
Ottr can be extended to handle end-to-end certificate rotations for any hosts (e.g., network infrastructure, Linux, Windows) capable of managing their own X.509 certificates from a remote session (e.g., API, SSH, SSM Agent).
“We’ve seen returns on investment due to time saved and reduced operational overhead for engineering teams. Since the introduction of Ottr at the beginning of the year, thousands of certificate rotations have been performed without any human intervention. This has alleviated a pain point for multiple teams including Operations, which was responsible for monitoring and triaging tickets for expired certificates, Engineering, which was responsible for the manual certificate rotation process, and Security, which was involved in request approvals,” writes Kenneth Yang, security engineer at Airbnb, in a blog post.
PKI governs the issuance of digital certificates to protect sensitive data, provide unique digital identities, and ensure secure end-to-end communication. Certificate Authorities (CAs) are responsible for brokering these X.509 certificates and own the policies, practices, and procedures for vetting recipients and for the issuing process.
The following image depicts the standard process for issuing a certificate.
While there are a number of agent-based solutions to automate certificate rotations for Linux and Windows distributions, the process of brokering certificates for network infrastructure commonly involves either manual intervention from engineering teams or the use of enrollment protocols such as Certificate Management Protocol (CMP), Simple Certificate Enrollment Protocol (SCEP), or Enrollment over Secure Transport (EST), each of which carries its own security issues.
“Ottr was built to abstract a number of challenges associated with certificate provisioning while also providing additional benefits around operations and security. By open-sourcing Ottr, we hope to create a community to share, collaborate, and expand the framework to help fit the needs of other organisations,” says Yang.
Ottr is available on GitHub under the Apache 2.0 license.