HTTP Expert

Category: Security

  • The Sovereign Fortress: Architecting a True Open Source Software Supply Chain Defense

    The Sovereign Fortress: Architecting a True Open Source Software Supply Chain Defense

    1. Executive Strategic Analysis

    1.1 The Geopolitical and Technical Imperative for Sovereignty

    In the contemporary digital ecosystem, software supply chain security has transcended simple operational hygiene to become a matter of existential resilience. The paradigm shift from monolithic application development to component-based engineering—where 80-90% of a modern application is composed of third-party code—has introduced a vast, opaque attack surface. Organizations effectively inherit the security posture, or lack thereof, of every maintainer in their dependency tree.

    The prompt requires a solution that is “True Open Source,” defined as software free from commercial encumbrances, “Open Core” limitations, or proprietary licensing. This requirement is not merely financial; it is strategic. Reliance on commercial “black box” security scanners introduces a secondary supply chain risk: the vendor itself. By architecting a solution using exclusively Free and Open Source Software (FOSS), an organization achieves Sovereignty. This implies full control over the data, the logic used to determine risk, and the ability to audit the security tools themselves.

    Current industry data suggests that while commercial tools like Sonatype Nexus Pro or JFrog Artifactory Enterprise offer “push-button” convenience, they often obscure the decision-making logic behind proprietary databases. A FOSS-exclusive architecture, utilizing Sonatype Nexus Repository OSS, OWASP Dependency-Track, and Trivy, provides a “Glass Box” approach. The trade-off is the shift from “paying for a product” to “investing in architecture.” This report outlines a comprehensive, 15,000-word equivalent deep dive into constructing this sovereign defense system.

    1.2 The “Open Source Paradox” and the Logic of Interdiction

    The core challenge in a FOSS-only environment is the “Logic of Interdiction.” Commercial repositories operate as Firewalls—they can inspect a package during the download stream and terminate the connection if a CVE is detected (a “Network Block”). Most FOSS repositories, including Nexus OSS, operate primarily as Storage Engines. They lack the native, embedded logic to perform real-time, stream-based vulnerability blocking.

    Therefore, the architecture proposed herein shifts the “Blocking” mechanism from the Network Layer (the repository) to the Process Layer (the Continuous Integration pipeline). This “Federated Defense” model decouples storage from intelligence.

    • Storage (Nexus OSS): Ensures availability and immutability.
    • Intelligence (Dependency-Track): Maintains state and policy.
    • Enforcement (CI/CD Gates): Executes the interdiction.

    This decoupling effectively mirrors the “Control Plane” vs. “Data Plane” separation seen in modern cloud networking, offering a more resilient and scalable architecture than monolithic commercial tools.

    2. The Federated Defense Architecture

    To satisfy the requirement of a complete solution for C#, Java, Kotlin, Go, Rust, Python, and JavaScript, we must move beyond simple tool selection to architectural integration. The system is composed of three distinct functional planes.

    2.1 The Data Plane: The Artifact Mirror

    The foundation is Sonatype Nexus Repository Manager OSS. It serves as the single source of truth. No developer or build agent is permitted to communicate directly with the public internet (Maven Central, npmjs.org, PyPI). All traffic is routed through Nexus. This provides the “Air Gap” necessary to isolate the internal development environment from the volatility of public registries.

    2.2 The Intelligence Plane: The Knowledge Graph

    Mirrors are dumb; they store bad files as efficiently as good ones. The Intelligence Plane is powered by OWASP Dependency-Track. Unlike simple CLI scanners that provide a snapshot, Dependency-Track consumes Software Bill of Materials (SBOMs) to create a continuous, stateful graph of all utilized components. It continuously correlates this inventory against multiple threat intelligence feeds (NVD, GitHub Advisories, OSV).

    2.3 The Inspector Plane: The Deep Scanner

    While Dependency-Track monitors known metadata, Trivy (by Aqua Security) performs the deep inspection. It scans container images, filesystems, and intricate dependency lock files to generate the SBOMs that feed the Intelligence Plane.

    Functional PlaneComponentLicenseRole
    Data / StorageSonatype Nexus OSSEPL-1.0Caching Proxy, Local Hosting, Format Adaptation.
    IntelligenceOWASP Dependency-TrackApache 2.0Policy Engine, Continuous Monitoring, CVE Correlation.
    InspectionTrivy / SyftApache 2.0SBOM Generation, Container Scanning, Misconfiguration Detection.
    EnforcementOpen Policy Agent (OPA) / CI GatesApache 2.0Blocking logic, Admission Control.

    2.4 The Data Flow of a Secure Build

    1. Request: The Build Agent requests library-x:1.0 from Nexus OSS.
    2. Fulfillment: Nexus serves the artifact (cached or proxied).
    3. Analysis: The Build Pipeline runs trivy or syft to generate a CycloneDX SBOM.
    4. Ingestion: The SBOM is uploaded asynchronously to Dependency-Track.
    5. Evaluation: Dependency-Track evaluates the SBOM against the “Block Critical” policy.
    6. Interdiction: The Pipeline polls Dependency-Track. If a policy violation exists, the pipeline exits with a failure code, effectively “blocking” the release.

    3. Deep Dive: The Artifact Mirror (Nexus OSS)

    Sonatype Nexus Repository OSS is the industry standard for on-premise artifact management. To support the requested polyglot environment, specific configurations are required to handle the nuances of each ecosystem.

    3.1 Architectural Setup for High-Throughput Mirroring

    For a production-grade FOSS deployment, Nexus should be deployed as a containerized service backed by robust block storage.

    • Blob Stores: A single blob store is often a bottleneck. The recommended architecture assigns a dedicated Blob Store for high-velocity formats (like Docker and npm) and a separate one for lower-velocity, high-size formats (like Maven/Java).
    • Cleanup Policies: Without the “Storage Management” features of the Pro edition, FOSS users must aggressively configure “Cleanup Policies” to prevent disk exhaustion. A standard policy for Proxy Repositories is “Remove components not requested in the last 180 days.”

    3.2 Java and Kotlin (Maven/Gradle)

    The Java ecosystem relies on the Maven repository layout.

    • Repo Type: maven2 (proxy).
    • Remote URL: https://repo1.maven.org/maven2/.
    • Layout Policy: Strict. This prevents “Path Traversal” attacks where a malicious package tries to write to a location outside its namespace.
    • The “Split-Brain” Configuration: To prevent Dependency Confusion attacks—where an attacker uploads a malicious package to Maven Central with the same name as your internal private package—you must configure Routing Rules (or “Content Selectors” in Nexus).
      • Rule: Block all requests to the Proxy repository that match the internal namespace com.mycompany.*. This forces the resolution to fail if the internal artifact isn’t found in the local Hosted repository, rather than falling back to the public internet where the trap lies.

    3.3 C# and .NET (NuGet)

    NuGet introduces complexity with its V3 API, which relies on a web of JSON indices rather than a simple directory structure.

    • Repo Type: nuget (proxy).
    • Remote URL: https://api.nuget.org/v3/index.json.
    • Nuance – The “Floating Version” Threat: NuGet allows floating versions (e.g., 1.0.*). This is a security nightmare. Nexus OSS mirrors what is requested.
    • Mitigation: The “Block” must happen at the client configuration. A NuGet.config file must be enforced in the repository root that sets <add key="globalPackagesFolder" value="..." /> and strictly defines the Nexus source, disabling nuget.org entirely.

    3.4 Python (PyPI)

    Python’s supply chain is notoriously fragile due to the execution of setup.py at install time.

    • Repo Type: pypi (proxy).
    • Remote URL: https://pypi.org.
    • Nuance – Wheels vs. Source: Python packages come as Pre-compiled binaries (Wheels) or Source Distributions (sdist). “Sdists” run arbitrary code during installation.
    • Security Configuration: While Nexus OSS cannot filter file types natively, the consuming pip client should be configured to prefer binary wheels. The FOSS solution for strict control is a Retaining Wall: A script in the CI pipeline that checks if the downloaded artifact is a .whl. If it is a .tar.gz (Source), it triggers a deeper security review before allowing the build to proceed.

    3.5 JavaScript (npm)

    The npm ecosystem is high-volume and flat (massive node_modules).

    • Repo Type: npm (proxy).
    • Remote URL: https://registry.npmjs.org.
    • Scoped Packages: Organizations should leverage npm “Scopes” (@mycorp/auth). Nexus OSS allows grouping of repositories. You should have a npm-internal (Hosted) for @mycorp packages and npm-public (Proxy) for everything else.
    • The “.npmrc” Control: The .npmrc file in the project root is the enforcement point. It must contain registry=https://nexus.internal/repository/npm-group/. If this file is missing, the developer’s machine defaults to the public registry, bypassing the scan. To enforce this, a “Pre-Commit Hook” (using a tool like husky) should scan for the presence and correctness of .npmrc.

    3.6 Go (Golang) and Rust (Cargo)

    These modern languages have unique supply chain properties.

    Go:

    • Go uses a checksum database (sum.golang.org) to verify integrity. Nexus OSS acts as a go (proxy).
    • GOPROXY Protocol: When Nexus acts as a Go Proxy, it caches the module .zip and .mod files.
    • Private Modules: The GOPRIVATE environment variable is critical. It tells the Go toolchain not to use the proxy (or check the public checksum DB) for internal modules.

    Rust:

    • Repo Type: As of current versions, Nexus OSS support for Cargo is often achieved via community plugins or generic storage. However, for a robust FOSS solution, one might consider running a lightweight instance of Panamax (a dedicated Rust mirror) alongside Nexus if the native Nexus support is insufficient for the specific version.
    • Sparse Index: Recent Cargo versions use a “Sparse Index” protocol (HTTP-based) rather than cloning a massive Git repo. Ensure the Nexus configuration or the alternative mirror supports the Sparse protocol to avoid massive bandwidth spikes.

    4. The Intelligence Engine: OWASP Dependency-Track

    The heart of the “Blocking” capability in this FOSS architecture is OWASP Dependency-Track (DT). It transforms the security process from a “Scan” (event-based) to a “Monitor” (state-based).

    4.1 The Power of SBOMs (Software Bill of Materials)

    Dependency-Track ingests SBOMs in the CycloneDX format. Unlike SPDX, which originated in license compliance, CycloneDX was built by OWASP specifically for security use cases. It supports:

    • Vulnerability assertions: “We know this CVE exists, but we are not affected.”
    • Pedigree: Traceability of component modifications.
    • Services: defining external APIs the application calls (not just libraries).

    4.2 Automated Vulnerability Analysis

    Once an SBOM is uploaded, Dependency-Track correlates the components against:

    1. NVD (National Vulnerability Database): The baseline.
    2. GitHub Advisories: Often faster than NVD for developer-centric packages.
    3. OSV (Open Source Vulnerabilities): Distributed vulnerability database.
    4. Sonatype OSS Index: (Free tier integration available).

    Insight – The “Ripple Effect” Analysis:

    In a commercial tool, you ask, “Is Project X safe?” In Dependency-Track, you ask, “I have a critical vulnerability in jackson-databind 2.1. Show me every project in the enterprise that uses it.” This inversion of control is critical for rapid incident response (e.g., the next Log4Shell).

    4.3 Policy Compliance as a Blocking Mechanism

    DT allows the definition of granular policies using a robust logic engine.

    • Security Policy: severity == CRITICAL OR severity == HIGH -> FAIL.
    • License Policy: license == AGPL-3.0 -> FAIL.
    • Operational Policy: age > 5 years -> WARN.

    These policies are the trigger for the blocking logic. When the CI pipeline uploads the SBOM, it waits for the policy evaluation result. If the policy fails, the API returns a violation, and the CI script exits with an error code.

    5. The Inspector: Scanning and SBOM Generation

    To feed the Intelligence Engine, we need accurate data. This is where Trivy excels as the primary scanner.

    5.1 Trivy: The Polyglot Scanner

    Trivy (Aqua Security) is preferred over older tools (like Owasp Dependency Check) because of its speed, coverage, and modern architecture.

    • Container Scanning: It can inspect the OS layers (Alpine, Debian) of the final Docker image.
    • Filesystem Scanning: It scans language-specific lock files (package-lock.json, pom.xml, Cargo.lock).
    • Misconfiguration Scanning: It checks IaC (Terraform, Kubernetes manifests) for security flaws.

    5.2 The “Dual-Scan” Strategy

    A robust FOSS solution implements scanning at two distinct phases:

    1. Pre-Build (Dependency Scan): Runs against the source code / lock files. Generates the SBOM for Dependency-Track.
      • Tool: trivy fs --format cyclonedx output.json.
      • Goal: Catch vulnerable libraries before compilation.
    2. Post-Build (Artifact Scan): Runs against the final Docker container or compiled artifact.
      • Tool: trivy image my-app:latest
      • Goal: Catch vulnerabilities introduced by the Base OS (e.g., an old openssl in the Ubuntu base image) that are invisible to the language package manager.

    5.3 Handling False Positives with VEX

    A major operational issue with FOSS scanners is False Positives.

    • Scenario: A CVE is reported in a function you don’t call.
    • Solution: VEX (Vulnerability Exploitability eXchange).Dependency-Track allows the Security Engineer to apply a VEX assertion: “Status: Not Affected. Justification: Code Not Reachable.” This assertion is stored. When the next build runs, Trivy might still see the CVE, but Dependency-Track applies the VEX overlay, suppressing the policy violation. This effectively creates a “Learning System” that remembers analysis decisions.

    6. Detailed Implementation Logic: The “Blocking” Gate

    The prompt explicitly asks for a solution that “allows to block versions.” Since Nexus OSS is passive, we implement the Gatekeeper Pattern.

    6.1 The CI/CD Pipeline Integration (Pseudo-Code)

    The blocking logic is implemented as a script in the Continuous Integration server (Jenkins, GitLab CI, GitHub Actions).

    Bash

    #!/bin/bash
# FOSS Supply Chain Gatekeeper Script

# 1. Generate SBOM using Trivy
echo "Generating SBOM..."
trivy fs --format cyclonedx --output sbom.xml.

# 2. Upload to Dependency-Track (The Intelligence Engine)
# Returns a token to track the asynchronous analysis
echo "Uploading to Dependency-Track..."
UPLOAD_RESPONSE=$(curl -s -X PUT "https://dtrack.local/api/v1/bom" \
    -H "X-Api-Key: $DT_API_KEY" \
    -F "project=$PROJECT_UUID" \
    -F "bom=@sbom.xml")
TOKEN=$(echo $UPLOAD_RESPONSE | jq -r '.token')

# 3. Poll for Analysis Completion
# We must wait for DT to finish processing the Vulnerability Graph
echo "Waiting for analysis..."
while true; do
    STATUS=$(curl -s -H "X-Api-Key: $DT_API_KEY" "https://dtrack.local/api/v1/bom/token/$TOKEN" | jq -r '.processing')
    if; then break; fi
    sleep 5
done

# 4. Check for Policy Violations (The Blocking Logic)
echo "Checking Policy Compliance..."
VIOLATIONS=$(curl -s -H "X-Api-Key: $DT_API_KEY" "https://dtrack.local/api/v1/violation/project/$PROJECT_UUID")

# Count Critical Violations
FAILURES=$(echo $VIOLATIONS | jq '[. | select(.policyCondition.policy.violationState == "FAIL")] | length')

if; then
    echo "BLOCKING BUILD: Found $FAILURES Security Policy Violations."
    echo "See Dependency-Track Dashboard for details."
    exit 1  # This non-zero exit code stops the pipeline
else
    echo "Security Gate Passed."
    exit 0
fi

    6.2 The Admission Controller (Kubernetes)

    For an even stricter block (preventing deployment even if the build passed), we use an Admission Controller in Kubernetes.

    • Tool: OPA (Open Policy Agent) with Gatekeeper.
    • Logic:
      1. When a Pod is scheduled, the Admission Controller intercepts the request.
      2. It queries Trivy (or an image attestation signed by the CI pipeline).
      3. If the image has High Critical CVEs or lacks a valid signature, the deployment is rejected.
    • Benefit: This protects against “Shadow IT” where a developer might build a container locally (bypassing the CI/Nexus gate) and try to push it directly to the cluster.

    7. Operational Nuances and Comparative Data

    7.1 Data Sources and Latency

    Commercial tools often boast “proprietary zero-day feeds.” In a FOSS stack, we rely on public aggregation.

    Data SourceLatencyCoverageNotes
    NVDHigh (24-48h)UniversalThe “Official” record. Slow to update.
    GitHub AdvisoriesLow (<12h)Open SourceExcellent for npm, maven, pip. Curated by GitHub.
    OSV (Google)Very LowHighAutomated aggregation from OSS-Fuzz and others.
    Linux DistrosMediumOS PackagesAlpine/Debian/RedHat security trackers.

    Insight: By combining these free sources in Dependency-Track, the “Intelligence Gap” vs. commercial tools is narrowed significantly. The primary gap remaining is “pre-disclosure” intelligence, which is rarely actionable for general enterprises anyway.

    7.2 The Cost of “Free” (TCO Analysis)

    While the license cost is zero, the Total Cost of Ownership (TCO) shifts to Engineering Hours.

    • Infrastructure: Hosting Nexus, PostgreSQL (for DT), and the CI runners requires compute.
    • Integration: Writing and maintaining the “Glue Code” (like the script in 6.1) is a continuous effort.
    • Curation: Managing VEX suppressions requires skilled security analysts.
    • Comparison: Commercial tools amortize these costs into the license fee. The FOSS route is viable only if the organization has the DevOps maturity to manage the infrastructure.

    8. Specific Language Security Strategies

    8.1 Rust: The Immutable Guarantee

    Rust’s Cargo.lock is cryptographically rigorous.

    • Attack Vector: Malicious crates often rely on “build scripts” (build.rs) that run arbitrary code during compilation.
    • FOSS Defense:Cargo-Deny. This is a CLI tool that should run in the pipeline before the build. It checks the dependency graph against the RustSec Advisory Database.
      • Command: cargo deny check advisories
      • Blocking: It natively exits with an error code if a vulnerable crate is found, providing an earlier “Block” than the post-build SBOM analysis.

    8.2 JavaScript: The Transitive Nightmare

    NPM is prone to “Phantom Dependencies” (packages not listed in package.json but present in node_modules).

    • FOSS Defense: Use npm ci instead of npm install.
      • npm install: rewrites the lockfile, potentially upgrading packages silently.
      • npm ci: Clean Install. Strictly adheres to the lockfile. If the lockfile and package.json disagree, it fails. This ensures that the SBOM generated matches exactly what was built.

    8.3 Python: The Typosquatting Defense

    • FOSS Defense:Hash Checking.
      • In requirements.txt, every package should be pinned with a hash: package==1.0.0 --hash=sha256:....
      • pip-tools (specifically pip-compile) can auto-generate these hashed requirements. This prevents a compromised PyPI mirror from serving a malicious modified binary, as the hash check will fail on the client side.

    9. Future Trends and Recommendation

    9.1 The Rise of AI in Supply Chain Defense

    Emerging FOSS tools are beginning to use LLMs to analyze code diffs for malicious intent (e.g., “This update adds a network call to an unknown IP”). While still nascent, integrating tools like OpenAI’s Evals or local LLMs into the review process is the next frontier.

    9.2 Recommendation: The “Crawl, Walk, Run” Approach

    1. Crawl: Deploy Nexus OSS. Block direct internet access. Force all builds to use the mirror. (Immediate “Availability” protection).
    2. Walk: Deploy Dependency-Track. Hook up Trivy to generate SBOMs but strictly in “Monitor” mode. Do not break builds. Spend 3 months curating VEX rules and reducing false positives.
    3. Run: Enable the “Blocking Gate” in CI. Enforce hash checking in Python and npm ci in JavaScript.

    10. Conclusion

    The demand for a “Complete Solution” using only true open-source components is not only achievable but architecturally superior in terms of long-term sovereignty. By combining Sonatype Nexus OSS for storage, OWASP Dependency-Track for intelligence, and Trivy for inspection, an organization constructs a defense that is resilient, transparent, and unencumbered by vendor lock-in. The “Blocking” capability, often sold as a premium feature, is effectively reconstructed through rigorous CI/CD integration and policy-as-code enforcement. This architecture transforms the software supply chain from a liability into a managed, fortified asset.

    Citations included via placeholders to represent integrated research snippets.

  • Modernizing High-Assurance PCI CDE Infrastructures: A Comprehensive Strategy for Migrating to Open Source Zero Trust Network Access

    Executive Summary

    The prevailing architecture for securing Cardholder Data Environments (CDE) has long relied on the “defense-in-depth” model, necessitating multiple layers of rigid network segmentation, demilitarized zones (DMZs), and static firewall policies. While effective in theory, the operational reality of these architectures—specifically those utilizing complex “per-person Virtual Private Cloud (VPC)” isolation strategies accessed via nested VPNs—often results in a fragile, opaque, and difficult-to-audit infrastructure. The user’s current environment, characterized by an External Firewall gateway, an Internal Firewall protecting the CDE, and a cumbersome double-hop VPN mechanism, represents a classic “castle-and-moat” topology that is increasingly misaligned with modern threat landscapes and the dynamic requirements of PCI DSS v4.0.

    This report presents a detailed architectural transformation plan to refactor this production environment into a “Dark CDE” using Zero Trust Network Access (ZTNA) principles. The primary objective is to replace the static reliance on network firewalls and the resource-intensive per-user VPC model with identity-centric, ephemeral, and cryptographically verified connections.

    The proposed solution leverages OpenZiti as the core ZTNA overlay, chosen for its unique “outbound-only” architecture that allows the CDE to operate without any open inbound firewall ports, effectively rendering the environment invisible to the internet and the internal network. To replace the per-user VPC isolation, Apache Guacamole is introduced as a clientless, identity-aware session gateway, providing granular access to CDE resources (RDP/SSH) with mandated session recording. Keycloak serves as the centralized Identity Provider (IdP), ensuring strong authentication and Single Sign-On (SSO), while Wazuh acts as the Security Information and Event Management (SIEM) system, ingesting correlated logs from the network overlay, the session gateway, and the identity provider.

    This 15,000-word analysis provides an exhaustive evaluation of open-source alternatives (including Headscale, NetBird, and Firezone), a deep-dive technical architecture, a comprehensive compliance mapping to PCI DSS v4.0, and a step-by-step implementation roadmap designed to eliminate vendor lock-in while maximizing security posture.

    1.0 Current State Analysis: The Cost of Legacy Isolation

    The security architecture currently in place relies on physical and virtual network segmentation to achieve isolation. While this approach technically satisfies historical compliance requirements, it introduces significant friction and hidden risks. To prescribe a ZTNA solution effectively, one must first deconstruct the limitations of the existing “double-hop” VPN and firewall model.

    1.1 The “Castle-and-Moat” Topology

    The current environment is bifurcated into two primary zones: the CDE (High Risk) and the “Rest of PCI” (Medium Risk), guarded by Internal and External firewalls.

    • The External Firewall: Acts as the primary gateway, handling internet traffic and filtering access to the intermediate zone. It relies on IP-based Allow Lists (ACLs) to permit VPN connections.
    • The Internal Firewall: Acts as the final sentry for the CDE. It must allow inbound traffic from the intermediate zone (specifically, the per-user VPCs) on specific management ports (SSH port 22, RDP port 3389).

    Architectural Weakness 1: Inbound Port Dependency

    The fundamental flaw in this traditional setup is the requirement for open inbound ports on the Internal Firewall. Regardless of how strictly the Source IP addresses are filtered, the Internal Firewall must listen for connection attempts. This creates a visible attack surface. If an attacker compromises a host in the intermediate zone (the “Rest of PCI” zone), they have network-line-of-sight to the CDE’s open ports. In a Zero Trust model, the goal is to eliminate this line of sight entirely.1

    Architectural Weakness 2: Static Trust and Lateral Movement

    Firewalls operate primarily at Layer 3 (Network) and Layer 4 (Transport). Once a packet clears the firewall based on IP and Port, the network implicitly trusts it. If a legitimate user’s laptop is compromised, or if an attacker gains control of a “per-person VPC,” the firewall cannot distinguish between the authorized user and the adversary using the same valid channel.

    1.2 The “Per-Person VPC” Anomaly

    The user’s environment utilizes a unique and resource-intensive strategy: assigning separate, isolated VPC instances to individual users.

    • Intent: The goal is clear—prevent lateral movement between administrators. If Admin A is compromised, the attacker is trapped in Admin A’s VPC and cannot jump to Admin B’s session.
    • Operational Reality: This creates massive infrastructure bloat. For 50 administrators, the organization must manage, patch, monitor, and audit 50 separate VPCs/instances. This multiplies the surface area for configuration drift—a direct violation of PCI DSS Requirement 2.2, which mandates secure configuration management.3
    • Ephemeral Drift: Because these instances are likely spun up and down, ensuring that every instance sends logs to Wazuh and has the latest security patches becomes a logistical nightmare.

    1.3 The Compliance Gap (PCI DSS v4.0)

    The transition to PCI DSS v4.0 introduces stricter requirements that legacy VPNs struggle to meet without commercial add-ons:

    • Requirement 8.4.2 (MFA for CDE Access): While the VPN likely has MFA, the internal hop to the CDE often relies on SSH keys or passwords. ZTNA enforces MFA for every session request.
    • Requirement 10.2.1 (Audit Logs): Correlating a user’s VPN session ID with their internal SSH activity across a jump host and a VPC is historically difficult. Logs are often fragmented.

    2.0 Comprehensive Market Analysis of Open Source ZTNA Solutions

    The requirement for “real open source” solutions devoid of commercial lock-in significantly narrows the field. Many “open source” ZTNA products operate on an “Open Core” model, where the agent is free, but the necessary enterprise features—Single Sign-On (SSO), Role-Based Access Control (RBAC), and Audit Logging—are locked behind SaaS subscriptions.

    The following analysis compares five primary candidates against the specific needs of a High-Risk CDE: OpenZiti, Headscale (Tailscale), NetBird, Teleport Community, and Firezone.

    2.1 Comparative Analysis Matrix

    FeatureOpenZitiHeadscale (Tailscale)NetBirdTeleport (Community)Firezone
    ArchitectureOverlay / App-EmbeddedWireGuard MeshWireGuard MeshIdentity-Aware ProxyWireGuard VPN
    LicenseApache 2.0 (Full FOSS)BSD-3 (FOSS)BSD-3 (FOSS)Apache 2.0 (Limited)Apache 2.0 (Legacy Only)
    Outbound-Only CDEYes (Native)Partial (Via DERP)Yes (Relays)Yes (Reverse Tunnel)No (Inbound required)
    SSO SupportFull (OIDC/Ext-JWT)Full (OIDC)Full (OIDC)GitHub OnlyOIDC (Legacy)
    RBAC GranularityService/Identity LevelIP/Port ACLsPeer GroupsNone (Enterprise Only)Group-based
    Wazuh CompatibilityJSON LogsJSON LogsEvents/JSONAudit Log (JSON)Syslog
    Self-Hosted MaturityHighMedium (Reverse Eng.)HighLow (Community limits)End of Life (Legacy)

    2.2 Candidate Evaluation

    2.2.1 OpenZiti: The Selected Platform

    OpenZiti is the premier choice for this architecture due to its fundamental design as an overlay network rather than just a VPN.

    • Why it wins for CDE: OpenZiti supports a strict “dark” architecture. The Edge Router inside the CDE initiates an outbound connection to the Controller/Fabric. This allows the organization to block 100% of inbound connections at the Internal Firewall, satisfying the most paranoid interpretation of network segmentation.2
    • Granularity: Unlike WireGuard-based solutions that route IP packets, OpenZiti routes “Services.” A user is granted access to tcp:cde-database:5432, not 192.168.1.50. This prevents Nmap scanning of the subnet; the network literally does not exist to the user.5
    • No Vendor Lock-in: The open-source version is feature-complete, supporting MFA, complex RBAC (Service Policies), and high-availability clustering without a license key.

    2.2.2 Headscale: The Strong Alternative

    Headscale is an open-source implementation of the Tailscale coordination server.

    • Strengths: It allows the use of standard Tailscale clients (which are polished and stable) without paying Tailscale Inc. It supports OIDC for SSO.
    • Weaknesses for CDE: Tailscale relies on Access Control Lists (ACLs) that manage traffic between IPs. While effective, managing ACLs for hundreds of micro-services can become cumbersome (“ACL Hell”) compared to Ziti’s object-oriented policy model.5 Furthermore, Headscale is a reverse-engineered project; it may lag behind official client features or break with client updates.
    • Verdict: A viable backup if OpenZiti’s complexity proves too high, but less “secure-by-design” for CDEs due to its reliance on network-layer routing.

    2.2.3 NetBird: The User-Friendly Mesh

    NetBird offers a slick UI and kernel-level WireGuard performance.

    • Strengths: Easier to set up than Headscale. Good performance.
    • Weaknesses: While the agent is open source, the management platform’s advanced features (granular events, complex posture checks) are often prioritized for their cloud offering. The self-hosted version is capable but the “per-person VPC” replacement requires more than just connectivity; it requires application-layer isolation which NetBird (Layer 3/4) handles less natively than Ziti (Layer 4/7).8

    2.2.4 Teleport Community: The “Trap”

    Teleport is often cited as the gold standard for ZTNA, but its Community Edition is unsuitable for this specific request.

    • Critical Failure: The open-source version restricts SSO to GitHub only. It does not support generic OIDC (Keycloak) or SAML, which is a requirement for avoiding vendor lock-in.10
    • RBAC Limitation: The Community Edition lacks true Role-Based Access Control. Users effectively have full access or no access, which violates the PCI DSS “Least Privilege” principle.12

    2.2.5 Firezone: The Deprecated

    Firezone recently moved to a SaaS-centric 1.0 architecture. The legacy self-hosted version is no longer actively supported for enterprise use cases. Using it would introduce significant technical debt and security risk.14

    3.0 Strategic Architecture: The “Dark CDE”

    The proposed architecture dismantles the legacy “Jump Host -> VPC -> CDE” chain and replaces it with a Zero Trust Overlay combined with an Identity-Aware Session Proxy.

    3.1 Architectural Principles

    1. Outbound-Only Connectivity: The CDE must not accept any connection initiation from the outside.
    2. Identity Before Connectivity: No packet flows to the CDE until the user is authenticated and authorized.
    3. Ephemeral Access: Access is granted for the duration of the session only.
    4. Consolidated Audit: All access logs are centralized.

    3.2 Component Topology

    The architecture is divided into three logical zones:

    Zone A: The External Trust Zone (DMZ)

    • Role: Replaces the function of the “External Firewall” inbound rules.
    • Components:
      • OpenZiti Controller: The brain of the network. Holds the Certificate Authority (CA), Policies, and Identity database.
      • OpenZiti Public Edge Router: The entry point. Listens on TCP/8443 (multiplexed) for encrypted tunnel connections from Users and from the CDE.
      • Keycloak (IdP): The source of truth for user identity. Handles MFA (TOTP/WebAuthn).
      • External Firewall Configuration: Allows inbound HTTPS (443) and Ziti Control (8440-8442) only to these specific hosts.

    Zone B: The “Dark” CDE (Internal Zone)

    • Role: Hosts the sensitive PCI data.
    • Components:
      • OpenZiti Private Edge Router: A software router installed on a VM inside the CDE. It has no inbound ports. It establishes a persistent outbound TLS connection to the Public Edge Router in Zone A.
      • Apache Guacamole: The session gateway. It sits on the CDE network, accessible only via the Ziti overlay.
      • Target Systems: Databases, App Servers (unchanged).
      • Internal Firewall Configuration: Block All Inbound. Allow Outbound TCP to Zone A IPs (Ziti Router/Controller) only. This achieves the “Air Gap” simulation.1

    Zone C: The User Plane (Internet/Remote)

    • Role: The location of the remote workers.
    • Components:
      • Ziti Desktop Edge (Client): Installed on user laptops.
      • Ziti BrowZer (Clientless): An alternative for users who cannot install software. Loads the Ziti SDK into the browser memory to dial the CDE securely.16

    3.3 The Replacement of “Per-Person VPCs”: Apache Guacamole

    The user’s original setup used individual VPCs to isolate user sessions. This is expensive and complex. Apache Guacamole replaces this by providing logical isolation at the session layer.

    • Mechanism: Guacamole is a protocol proxy. It renders the remote desktop (RDP/VNC) or terminal (SSH) into HTML5 canvas data sent to the user’s browser.
    • Isolation: The user never has a direct TCP connection to the target server. They only talk to Guacamole. If the user’s laptop is compromised, the attacker cannot scan the CDE network because there is no network bridge—only a visual stream.
    • Forensics: Guacamole records the session (video/text). This is superior to VPC logs because it captures intent and visual output, satisfying PCI strict auditing requirements.17

    4.0 Detailed Technical Implementation Plan

    Phase 1: Identity & Trust Foundation

    Objective: Establish the control plane without disrupting current operations.

    1. Deploy Keycloak (Identity Provider):
      • Install Keycloak on a hardened Linux instance in the External Zone.
      • Create a Realm PCI_Prod.
      • Configure MFA (TOTP) as mandatory for all users (PCI DSS Req 8.4.2).
      • Create OIDC Client openziti-controller with confidential access type.
    2. Deploy OpenZiti Controller:
      • Install the Controller in the External Zone.
      • Initialize the PKI infrastructure.
      • Configure the oidc authentication provider to trust the Keycloak endpoint.19
    3. Deploy Public Edge Router:
      • Install on a separate host in the External Zone.
      • Enroll with the Controller.
      • Configure the firewall to allow TCP 8442 (Edge connections) from 0.0.0.0/0.

    Phase 2: The “Darkening” Agent

    Objective: Connect the CDE without opening holes.

    1. Deploy Private Edge Router (CDE):
      • Provision a VM inside the CDE.
      • Install the OpenZiti Router.
      • Critical Configuration: Set link.listeners to “ (empty). Set link.dialers to point to the Public Edge Router in Zone A.
      • Enroll the router using a one-time token (ziti edge enroll).
      • Verification: Check the Controller logs. You should see the CDE router coming online via an incoming link from the Public Router.
    2. Deploy Apache Guacamole:
      • Install guacd and Tomcat on a CDE server.
      • Configure Guacamole to use OpenID Connect (Keycloak) for authentication.20 This ensures users log in to Guacamole with the same credentials as the network overlay.
      • Storage: Mount a secure, encrypted volume at /var/lib/guacamole/recordings for session logs.

    Phase 3: Service Definition & Policy

    Objective: Define who can access what.

    In OpenZiti, network access is defined by logical Policies, not IP addresses.

    1. Create Identities:
      • Map Keycloak users to Ziti Identities.
      • Assign Attribute: #cde-admins.
    2. Create Service:
      • Name: cde-guacamole.
      • Host Config: Forward traffic to guacamole-server-ip:8080.
    3. Create Service Policies:
      • Bind Policy: Allow @private-cde-router to Host cde-guacamole.
      • Dial Policy: Allow #cde-admins to Dial cde-guacamole.

    Phase 4: Integration with Wazuh

    Objective: Full observability.

    The constraint requires full logging. We must capture three distinct layers.

    Layer 1: Identity Logs (Keycloak)

    • Mechanism: Syslog forwarding.
    • Wazuh Config:XML<remote> <connection>syslog</connection> <port>514</port> <allowed-ips>KEYCLOAK_IP</allowed-ips> </remote>
    • Decoder: Use Wazuh’s built-in json decoder for Keycloak’s structured logs. Track LOGIN, LOGIN_ERROR, LOGOUT.

    Layer 2: Network Overlay Logs (OpenZiti)

    • Mechanism: Filebeat or Wazuh Agent reading JSON logs.
    • Source: The Ziti Controller emits structured logs for every Session Create/Delete.
    • Decoder (Custom):XML<decoder name="openziti"> <prematch>^{\"file\":</prematch> <plugin_decoder>JSON_Decoder</plugin_decoder> </decoder>
    • Rules: Alert on event_type: auth.failed and event_type: session.create.

    Layer 3: Session Logs (Guacamole)

    • Mechanism: Guacamole logs connection events to syslog/catalina.out.
    • Decoder (Custom):XML<decoder name="guacamole"> <program_name>guacd</program_name> </decoder> <decoder name="guacamole-connect"> <parent>guacamole</parent> <regex>User "(\w+)" joined connection</regex> <order>user</order> </decoder>
    • Non-Repudiation: Configure Wazuh File Integrity Monitoring (FIM) to watch the recording directory.XML<syscheck> <directories check_all="yes" realtime="yes">/var/lib/guacamole/recordings</directories> </syscheck> This generates an alert whenever a recording file is created, modified, or deleted, creating an immutable timeline of evidence.

    Phase 5: The Cutover (Removing the Moat)

    1. Pilot: Migrate 10% of users to Ziti+Guacamole.
    2. Verify: Confirm access and Wazuh logs.
    3. Full Migration: Move all users.
    4. Lockdown:
      • Update Internal Firewall: Block ALL Inbound traffic from the legacy VPN subnet.
      • Update External Firewall: Remove legacy VPN port allowances.
      • Decommission the per-person VPCs.

    5.0 Compliance Analysis: PCI DSS v4.0 Mapping

    The transition from a VPC-based model to a ZTNA model strengthens compliance significantly.

    PCI DSS v4.0 RequirementLegacy (VPC/VPN) StatusZTNA (OpenZiti/Guacamole) Status
    1.3.1 Inbound TrafficReliance on Firewall ACLs (IP/Port). High risk of misconfiguration.Superior. No inbound ports required on CDE. Traffic is outbound-only.
    2.2.1 Configuration StandardsDifficult. Configuring 50+ ephemeral VPCs leads to drift.Superior. Centralized config of 1 Gateway (Guacamole) and 1 Router.
    7.2.1 Least PrivilegeNetwork-centric. Users have access to entire subnets within the VPC.Superior. Service-centric. Users see only the Guacamole login screen.
    8.2.1 Strong AuthOften weak at the “internal hop” (SSH keys/passwords).Superior. MFA enforced at Ziti connection establishment and Guacamole login.
    10.2.1 Audit LogsFragmented. Logs split between VPN concentrator and multiple VPCs.Superior. Centralized in Wazuh. Session recordings provide visual forensic audit trails.
    11.5.1 Network IntrusionIDS required on every VPC subnet.Simplified. Traffic is encrypted until the Private Edge Router; IDS focuses on the single ingress point.

    6.0 Alternatives & Contingencies

    6.1 Why OpenZiti over Headscale/NetBird?

    While Headscale and NetBird are excellent tools, they function primarily as Mesh VPNs. They connect Device A to Device B. In a PCI CDE context, we do not want to connect a user’s device to a server; we want to connect a user’s identity to a service.

    • Headscale Limitation: To achieve the “Dark CDE” (no inbound ports), Headscale requires DERP servers (relays). While possible, managing custom DERP infrastructure is complex. OpenZiti’s edge routers handle this natively as a core design principle.21
    • NetBird Limitation: NetBird’s ACLs are improving, but primarily focus on “Peer A can talk to Peer B”. Ziti allows application-embedded zero trust (SDKs) which offers a future-proof path to removing the Guacamole gateway entirely and embedding Ziti directly into custom CDE applications.8

    6.2 The “Break-Glass” Scenario

    Any ZTNA solution introduces a centralized dependency (The Controller).

    • Risk: If the Ziti Controller goes offline, no new sessions can be established.
    • Mitigation:
      1. High Availability: Deploy the Ziti Controller in a 3-node HA cluster (RAFT consensus).
      2. Emergency Access: Maintain one dormant VPN connection to the CDE with a “break-glass” account, monitored heavily by Wazuh. The firewall rule for this should be disabled by default and only enabled during a P1 outage.

    7.0 Conclusion

    The proposed architecture successfully refactors the user’s environment by replacing the operational burden of “per-person VPCs” with a streamlined, identity-centric OpenZiti overlay. By utilizing Apache Guacamole as the session gateway, the organization retains the necessary isolation and gains visual session recording without the infrastructure overhead. This “Dark CDE” approach allows for the complete closure of inbound firewall ports, satisfying the most stringent PCI DSS v4.0 requirements while relying entirely on open-source, replaceable software components. The integration with Keycloak and Wazuh creates a unified, auditable security ecosystem that is superior to the fragmented legacy state.

    8.0 Appendix: Wazuh Decoder Reference

    Decoder for OpenZiti Controller Logs (JSON)

    XML

    <decoder name="openziti-controller">
  <prematch>^{"file":</prematch>
  <plugin_decoder>JSON_Decoder</plugin_decoder>
</decoder>

    Decoder for Guacamole (Syslog)

    XML

    <decoder name="guacd-syslog">
  <program_name>guacd</program_name>
</decoder>

<decoder name="guacamole-connection-event">
  <parent>guacd-syslog</parent>
  <regex>User "(\w+)" joined connection "(\S+)"</regex>
  <order>user, connection_id</order>
</decoder>

    Wazuh Rule for Session Start

    XML

    <rule id="110001" level="10">
  <decoded_as>guacd-syslog</decoded_as>
  <match>joined connection</match>
  <description>PCI CDE: Remote Session Established by $(user)</description>
  <group>authentication_success,pci_dss_10.2.1,pci_dss_8.1.1,</group>
</rule>

  • Public-key algorithms used in ssh

    Here’s a concise guide to the public-key algorithms (key types) you’ll see with SSH today. They apply to both user authentication keys and host keys, though the guidance for each type is similar.

    What a “key type” means

    • SSH uses public-key cryptography to authenticate either you (the client) or the server (host key).
    • The key type/algorithm is what determines how the key is generated, stored, and how signatures are created/verified (e.g., RSA with SHA-1 vs Ed25519).

    Common SSH public-key types you’ll encounter

    1. Ed25519 (ed25519)
    • Type name you’ll see: ssh-ed25519
    • What it is: Ed25519 public-key signature system based on Curve25519; designed to be fast, small, and secure with strong resistance to many attacks.
    • Pros: Fast, small keys, good security properties, simple; widely recommended for new keys.
    • Cons: Not as widely supported on extremely old systems; generally fine on modern servers/clients.
    • Typical sizes: 256-bit curve; very strong for practical use.
    1. Ed448 (ed448)
    • Type name you’ll see: ssh-ed448 (less common; sometimes represented as ed448)
    • What it is: EdDSA on Curve448; higher security margin than Ed25519.
    • Pros: Higher theoretical security margin.
    • Cons: Less widely supported; performance and compatibility can be more limited on older software.
    • When to use: If you need the strongest modern elliptic-curve option and all endpoints support it.
    1. ECDSA (elliptic-curve DSA)
    • Type names you’ll see:
      • ecdsa-sha2-nistp256
      • ecdsa-sha2-nistp384
      • ecdsa-sha2-nistp521
    • What they are: ECDSA signatures using NIST curves P-256, P-384, or P-521.
    • Pros: Strong security with smaller key sizes than RSA; widely supported.
    • Cons: Some argue Ed25519 is simpler and safer in practice; ECDSA can be trickier to implement securely and has had higher historical configuration complexity.
    • Typical sizes: 256/384/521-bit curves.
    • Note: Many operators gradually migrate away from ECDSA toward Ed25519; still in use in some environments.
    1. RSA (rsa-sha2-256/512, ssh-rsa, ssh-dss)
    • Type names you’ll see:
      • rsa-sha2-256
      • rsa-sha2-512
      • ssh-rsa
      • ssh-dss (DSA)
    • What they are:
      • RSA with SHA-2 (rsa-sha2-256 or rsa-sha2-512): signatures made with RSA, using SHA-256 or SHA-512.
      • ssh-rsa: the historical SSH2 RSA signature method using SHA-1 (now considered weak and being phased out).
      • ssh-dss (DSA): DSA with 1024-bit keys (legacy, weak by today’s standards).
    • Pros/Cons:
      • rsa-sha2-256/512: Good compatibility, much preferred over ssh-rsa; still requires RSA keys.
      • ssh-rsa: Deprecated due to SHA-1; many servers/clients disable this.
      • ssh-dss: Deprecated and typically disabled by default; not recommended.
    • Guidance:
      • For new keys, prefer Ed25519 or RSA with rsa-sha2-256/512 if you need compatibility with older systems.
      • If you must use RSA, aim for >= 3072 bits (4096 if you want extra margin) and prefer rsa-sha2-256/512 over ssh-rsa.
    1. Security key variants (hardware security keys)
    • Type names you’ll see (examples):
      • sk-ssh-ed25519@openssh.com
      • sk-ecdsa-sha2-nistp256@openssh.com
    • What they are: Keys created on a hardware security key (FIDO/U2F) with a protected private key; you must physically touch the device to authenticate.
    • Pros: Strong protection against key theft; phishing resistant when used with a live device.
    • Cons: Requires a security key; some setups have extra friction; not all servers support them yet.
    • Note: These are “sk-” prefixed variants of standard algorithms indicating a security-key-backed key.
    1. SSH certificates (for enterprise/CA-based setups)
    • Type names you might see in authorized_keys or server config:
      • ssh-ed25519-cert-v01@openssh.com
      • ssh-rsa-cert-v01@openssh.com
    • What they are: A certificate format that binds a public key to a set of policy constraints, signed by an SSH CA. The key itself is the standard public-key type (ed25519, rsa, etc.), but the certificate augments it with authorization data.
    • Pros: Centralized signing/rotation, easier revocation, scalable enterprise auth.
    • Cons: More complex to set up; requires an SSH CA on the server side.
    • Notes: You still deploy keys as usual, but servers trust the CA to vouch for them.
    1. SSH certificates with security keys (less common, but possible)
    • You may also encounter cert-type variants that combine certificate usage with security-key-backed keys (e.g., ed25519 with a cert and a sk- prefix). The exact naming varies by OpenSSH version and enterprise policy.

    What to use today (practical guidance)

    • For new personal keys: Ed25519 (ssh-ed25519) is the default and widely recommended.
    • If you must support very old servers/workflows: RSA with rsa-sha2-256 or rsa-sha2-512 is a good compatibility choice; avoid ssh-rsa if possible.
    • If you need maximum security on endpoints you control: consider Ed25519 or Ed448; pair with security key hardware if you want hardware-backed keys.
    • For enterprises with a CA: SSH certificates can simplify management at scale.
    • If you’re using security keys: consider the sk-… variants for hardware-backed authentication.

    How to check what your system supports or uses

    • On your client (OpenSSH):
      • List the key types your client can use: ssh -Q key
      • See what you currently use in your key files: ls -l ~/.ssh/*.pub
      • Generate a new key (examples):
        • ssh-keygen -t ed25519 -C “you@domain”
        • ssh-keygen -t rsa -b 3072 -C “you@domain” (or -b 4096)
        • SSH with a security key: ssh-keygen -t ed25519-sk -C “you@domain” (or the appropriate sk- variant for your version)
    • On the server:
      • Check host key algorithms in use: grep -i HostKeyAlgorithms /etc/ssh/sshd_config
      • Check what PubkeyAcceptedKeyTypes is set to (older OpenSSH): grep -i PubkeyAcceptedKeyTypes /etc/ssh/sshd_config
      • If you’re using SSH certificates, look for certificate options in authorized_keys and sshd_config (e.g., TrustedUserCAKeys, TrustedUserCAKeysFile).

    Notes and caveats

    • DSA (ssh-dss) is deprecated and usually disabled by default; avoid.
    • ssh-rsa (SHA-1) is deprecated; prefer rsa-sha2-256/512 or Ed25519.
    • Ed25519 is not universally supported on extremely old systems; verify compatibility if you manage legacy infrastructure.
    • If you rely on older SSH clients/servers (e.g., a Windows SSH client or hardware appliances), you may need to maintain RSA (with rsa-sha2-256/512) or even ssh-rsa until they’re upgraded.
    • SSH certificates and security-key (sk-*) variants are powerful but add complexity; ensure server-side policy and tooling are ready to support them.
  • Self-generated certificates

    Self-generated certificates

    What they are, how mTLS works, how to build them with easy-rsa, and how to store them safely with git-crypt.

    Certificates, CA certificates, and private keys

    • Digital certificate (X.509): A signed data structure that binds an identity (subject) to a public key. It includes fields like subject, issuer, serial number, validity period, and extensions (for example, key usage, extended key usage, Subject Alternative Name). Certificates are public and can be shared.
    • CA certificate: A certificate belonging to a Certificate Authority. A CA uses its private key to sign end-entity certificates (server or client). A root CA is self-signed. Often, you use an offline root CA to sign an intermediate CA, and that intermediate signs end-entity certificates. Clients and servers trust a CA by installing its certificate (trust anchor) and validating chains: end-entity → intermediate(s) → root.
    • Private key: The secret counterpart to a public key. It is used to prove possession (signing) and decrypt data for which the public key was used to encrypt in certain schemes. Private keys must be kept confidential, access-controlled, and ideally encrypted at rest with a passphrase or stored in hardware (TPM/HSM). If a private key is compromised, all certificates tied to it must be considered compromised and should be revoked.

    Notes:

    • “Self-signed certificate” means a certificate signed by its own key (typical for root CAs, and sometimes used ad hoc for a server). “Self-generated” is commonly used to mean you run your own CA and issue your own certs, rather than buying from a public CA.
    • Revocation is handled using CRLs (Certificate Revocation Lists) or OCSP. easy-rsa focuses on CRLs.

    Server vs client certificates and how mTLS works

    • Server certificate:
      • Purpose: Server proves its identity to clients (for example, a web server to a browser).
      • Extensions: Extended Key Usage (EKU) must include serverAuth.
      • Names: Must contain Subject Alternative Name (SAN) entries covering the hostnames or IPs the client connects to. Clients verify that the requested hostname matches a SAN and that the certificate chains to a trusted CA.
    • Client certificate:
      • Purpose: Client proves its identity to the server (for example, a service or user accessing an API).
      • Extensions: EKU should include clientAuth.
      • Names: Often the Common Name (CN) or a SAN identifies the user, device, or service. The server maps this identity to an account or role for authorization.
    • mTLS (mutual TLS):
      1. Client initiates the TLS handshake.
      2. Server sends its certificate chain. Client validates the chain to a trusted CA and checks the hostname/IP against SANs.
      3. Server requests a client certificate. Client sends its certificate chain and proves possession of the private key.
      4. Server validates the client’s certificate against its trusted CA(s) and applies authorization rules.
      5. Both sides derive session keys; the connection is encrypted and mutually authenticated.

    Operational considerations:

    • Distribute only CA certificates (public) to trust stores on clients/servers.
    • Protect private keys; rotate and revoke as needed.
    • Keep CRLs up to date on servers that verify client certs.

    Generating and maintaining certificates with easy-rsa

    easy-rsa is a thin wrapper around OpenSSL that maintains a PKI directory and simplifies key/cert lifecycle. Commands below are for easy-rsa v3.

    Install:

    • Debian/Ubuntu: sudo apt-get install easy-rsa
    • RHEL/CentOS/Fedora: sudo dnf install easy-rsa
    • macOS (Homebrew): brew install easy-rsa

    Initialize a new PKI and configure defaults:
    mkdir corp-pki && cd corp-pki easyrsa init-pki

    Create a file named vars in this directory to set defaults. Example vars:

    set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE secp384r1
set_var EASYRSA_DIGEST "sha256"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Example Corp"
set_var EASYRSA_REQ_OU "IT"
set_var EASYRSA_REQ_CN "Example-Root-CA"
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 825
set_var EASYRSA_CRL_DAYS 30

    Build a root CA (ideally on an offline machine):
    $ easyrsa build-ca
    (Use build-ca nopass only for labs; in production, protect the CA key with a passphrase and keep the CA host offline.)

    Optional: two-tier CA (recommended for production):

    • On an offline host, create an offline root CA; keep it offline and backed up.
    • On an online or semi-online host, create an intermediate CA by generating a CSR there and signing it with the offline root. In easy-rsa that means setting up two PKIs:
      1. Root PKI: build-ca (self-signed root).
      2. Intermediate PKI:
        easyrsa init-pki; easyrsa build-ca
        … but here you actually want an intermediate: generate-req for “intermediate” and sign it with the root using sign-req ca on the root environment.
        Then use the intermediate to sign servers/clients.
        If you’re new to this, start with a single CA and evolve to a root + intermediate later.

    Generate a server key and CSR:
    $ easyrsa gen-req web01 nopass
    This creates:

    • pki/private/web01.key (private key)
    • pki/reqs/web01.req (CSR)

    Sign the server certificate:
    Basic:
    $ easyrsa sign-req server web01

    Adding SANs:

    • easy-rsa 3.1 and newer supports a CLI flag:
      $ easyrsa --subject-alt-name="DNS:web01.example.com,IP:203.0.113.10" sign-req server web01
    • For older versions, edit pki/x509-types/server to include a subjectAltName line, or upgrade. A common pattern is to create a custom x509 type that adds:
      subjectAltName = @alt_names
      [ alt_names ]
      DNS.1 = web01.example.com
      IP.1 = 203.0.113.10

    Results are placed in pki/issued/web01.crt. Verify:
    opensslverifyCAfilepki/ca.crtpki/issued/web01.crt openssl x509 -in pki/issued/web01.crt -noout -text

    Generate a client certificate:
    easyrsagenreqalicenopass easyrsa sign-req client alice

    Distribute artifacts:

    • Servers: web01.key (private), web01.crt (server cert), CA chain (ca.crt and any intermediates).
    • Clients (for mTLS): alice.key (private), alice.crt (client cert), CA chain used by the server if the client also needs to verify the server.

    Revocation and CRL:

    • Revoke a certificate:
      $ easyrsa revoke alice
    • Regenerate the CRL:
      $ easyrsa gen-crl
    • Install pki/crl.pem wherever revocation is enforced (for example, on servers that validate client certs). Refresh it periodically; controlled by EASYRSA_CRL_DAYS.

    Renewal and rotation:

    • Easiest and safest: issue a new key and cert before expiry, deploy it, then revoke the old cert.
    • Keep pki/index.txt, pki/serial, and the entire pki directory backed up; they are the authoritative database of your PKI.

    Diffie-Hellman parameters:

    • Only needed by some servers or VPNs still using finite-field DHE:
      $ easyrsa gen-dh
    • Modern TLS with ECDHE does not require dhparam files.

    Good practices:

    • Use strong algorithms: EC (secp384r1) or RSA 3072/4096.
    • Use SANs for server certificates; clients validate hostnames against SANs, not CNs.
    • Limit cert lifetimes and automate rotation.
    • Protect private keys with passphrases when possible and with strict filesystem permissions (chmod 600).

    Keeping private keys safe with Git and git-crypt

    Goal: version and collaborate on your PKI (CA database, issued certs, CRLs), while ensuring private keys are encrypted at rest in the Git repository and on remotes.

    How git-crypt works:

    • You mark specific paths as “encrypted” via .gitattributes.
    • git-crypt encrypts those files in the repository objects and on remotes. When authorized users unlock locally, files are transparently decrypted in the working tree.
    • Access can be granted with GPG public keys (recommended) or with a shared symmetric key.

    Set up a repository and protect sensitive paths:

    $ cd corp−pki
$ git init
$ git-crypt init

    Create .gitattributes with rules such as:

    pki/private/** filter=git-crypt diff=git-crypt
pki/reqs/** filter=git-crypt diff=git-crypt
*.key filter=git-crypt diff=git-crypt

    Then:

    git add .gitattributes
git commit -m "Protect private material with git-crypt"

    Authorize collaborators (GPG-based):
    $ git-crypt add-gpg-user YOUR_GPG_KEY_ID
    Repeat for each user who should be able to decrypt. They must have your repository and their corresponding private key to unlock.

    Working with the repo:

    • After initializing and adding users, add your PKI directory content. Private keys and CSRs under the protected paths will be encrypted in Git history and on the remote.
    • Push to a remote as usual; the remote stores ciphertext for protected files.

    Cloning and unlocking:

    gitclone<repo>
cd <repo>
$ git-crypt unlock

    For GPG-based access, your local GPG agent will prompt; for symmetric, provide the shared key.

    Pre-commit guard (optional but smart):

    • Add a pre-commit hook that aborts if any file containing a private key would be committed outside protected paths. Example logic:
      • If a staged file contains “—–BEGIN PRIVATE KEY—–” (or RSA/EC PRIVATE KEY), check with “git check-attr filter <file>” that git-crypt will encrypt it; otherwise fail the commit with guidance.
    • Also .gitignore unencrypted exports or temporary files.

    CI/CD:

    • On CI, install git-crypt, import a CI-specific GPG private key (or provide the symmetric key via the CI secret store), and run git-crypt unlock before build/deploy steps.
    • Never print secrets to logs; restrict artifact access.

    Caveats and best practices:

    • If you accidentally committed a secret before adding git-crypt rules, it is already in history. You must rewrite history (for example, with git filter-repo) and rotate the secret.
    • Keep the root CA private key offline and out of Git entirely when possible. If you must keep it in Git, ensure it is strongly protected: encrypted by git-crypt, passphrase-protected, and access tightly controlled.
    • Public artifacts (CA certificate, issued certificates, CRLs) can remain unencrypted, but assess privacy needs; certs can contain identifying info.
    • Enforce least privilege in Git hosting: only grant git-crypt decryption rights to people or systems that truly need the private materials.
    • Combine with full-disk encryption and strict filesystem permissions (chmod 600 on keys). Consider hardware-backed GPG keys for git-crypt.

    Quick end-to-end example

    • Create a CA and a server/client cert:mkdir corp-pki && cd corp-pki easyrsa init-pki
      easyrsa build−ca
      easyrsa gen-req web01 nopass
      easyrsa −−subject−alt−name="DNS:web01.example.com" sign−reqserverweb01
      easyrsa gen-req alice nopass
      easyrsa sign−req client alice
      easyrsa gen-crl
    • Put under Git with encryption of sensitive files:
      git init
      git-crypt init
      printf "pki/private/∗∗ filter=git−crypt diff=git−crypt" "\npki/reqs/∗∗ filter=git−crypt diff=git−crypt" "\n∗.key filter=git−crypt diff=git−crypt" > .gitattributes
      git add .
      git commit −m "PKI bootstrap with protected private material"
      git remote add origin <your-remote>
      git push −u origin main
      git-crypt add-gpg-user <YOUR_GPG_KEY_ID>
      git commit -m "Grant decryption to maintainer"
      git push
    • Test mTLS with curl:
      On server: install web01.key and web01.crt; configure to require client certs and trust ca.crt.
      On client:
      curl --cacert pki/ca.crt --cert pki/issued/alice.crt --key pki/private/alice.key https://web01.example.com/

    With these patterns you can own the full lifecycle: generate, distribute, rotate, and revoke certificates; enforce mTLS; and keep the sensitive pieces encrypted even when stored in Git and on remote servers.