Managing TLS/SSL certificates at scale across multi-tenant cloud platforms is an absolute nightmare. In large deployments, you want every project and service to have its own isolated Certificate Authority (CA) namespace, but providing this capability without leaking private Root Keys or running into permission conflicts is incredibly difficult.

While the OpenStack ecosystem has dedicated services for Compute (Nova), Networking (Neutron), and Key Storage (Barbican), it has long lacked a native, production-ready PKI-as-a-Service (PKIaaS) component.

An early attempt called OpenStack Anchor was abandoned, leaving operators to glue together custom, fragile bash scripts to handle certificate issuance.

To bridge this crucial gap, I built Guacamole — a secure, multi-tenant PKI-as-a-Service engine built from the ground up to integrate natively with OpenStack Keystone, Barbican, and the Oslo Policy framework.

```mermaid
graph TD
    Client[Client REST Call] -->|Validate Token| Keystone[OpenStack Keystone]
    Client -->|POST /v1/certificates| API[Guacamole API Service]
    API -->|1. Enforce Policies| Oslo[Oslo Policy Framework]
    API -->|2. Dispatch Job| AMQP[RabbitMQ / AMQP Bus]

    subgraph Isolated Security Zone
        Worker[Guacamole Worker] -->|3. Fetch CA Key| Barbican[OpenStack Barbican]
        AMQP -->|4. Pull Job| Worker
        Worker -->|5. Run Crypto Actions| Driver[Guacamole Driver / CFSSL]
    end
```

Security-first asynchronous decoupling

In PKI systems, the single greatest security risk is exposing private CA keys. If your public-facing web API is breached, an attacker can siphon off your CA private keys and compromise every connection in your infrastructure.

Guacamole eliminates this attack vector entirely through physical, asynchronous decoupling.

The client-facing Guacamole API handles REST requests, interacts with OpenStack Keystone to validate tenant tokens, and checks permissions using the Oslo Policy framework. Crucially, the API service is completely blocked from talking to Barbican, and it does not have credentials to access private keys.

Instead, the API formats the request into a job schema and dispatches it onto an AMQP message bus (RabbitMQ).

The actual cryptography is performed in an isolated security zone by the Guacamole Worker. The worker pulls jobs from RabbitMQ, authenticates itself directly to Barbican to retrieve the required CA private keys, runs the certificate operations, and publishes the signed certificate back. Even if the public API is fully compromised, your CA private keys remain locked away.

Pluggable driver backends

Rather than rewriting low-level ASN.1 parsing and cryptographic signing algorithms in raw Python, Guacamole uses a modular driver interface.

The default driver wraps Cloudflare’s high-performance CFSSL utility, interacting with it over shell processes. Because the worker-to-driver interface is standardized, operators can swap out CFSSL for enterprise certificate engines like HashiCorp Vault, Microsoft ADCS, or physical Hardware Security Modules (HSM) without changing a single line of the core API code.

```text
+--------------------+      Loads      +--------------------+
|  Guacamole Worker  | --------------> |  Guacamole Driver  |
+--------------------+                 +--------------------+
          |                                      |
          v                                      v
  Pulls AMQP jobs &                      Standard python class
  authenticates to Barbican              wrapping cfssl binary
```
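The two previous sections describe a trust boundary (the API builds jobs but never touches key material; only the worker fetches the CA key and invokes a driver) and a driver interface wrapping the cfssl binary. The block below is an added illustration of both, not Guacamole's own code: `build_sign_job`, `SecretStore`, `Driver`, `CfsslDriver`, `process_job` and the job field names are assumptions made for this example, and `SAMPLE_CSR_PEM` is a constructed placeholder, not a real CSR. The cfssl invocation (`cfssl sign -ca ... -ca-key ... -config ... -profile ... csr.pem`, JSON output with a `cert` field) follows cfssl's documented CLI.

```python
"""Added example of the API/worker split and a cfssl-wrapping driver.
All class and function names here are illustrative assumptions."""
import json
import os
import re
import subprocess
import tempfile
import uuid
from abc import ABC, abstractmethod
from typing import Callable, Dict, List, Optional

# Constructed placeholder with PEM structure only; not a real certificate request.
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
                  "MIIB\nAAAA==\n"
                  "-----END CERTIFICATE REQUEST-----\n")
PEM_CSR = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----\n[A-Za-z0-9+/=\n]+"
                     r"-----END CERTIFICATE REQUEST-----\n?")


def build_sign_job(project_id: str, csr_pem: str, profile: str, ca_name: str) -> Dict:
    """API side: validate the request shape and produce a bus job.
    Note what is absent: no key material, no secret-store reference."""
    if not PEM_CSR.fullmatch(csr_pem.strip() + "\n"):
        raise ValueError("body is not a single PEM certificate request")
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", profile):
        raise ValueError("invalid profile name")   # profile becomes a cfssl argument
    return {"job_id": str(uuid.uuid4()), "type": "sign", "project_id": project_id,
            "ca_name": ca_name, "profile": profile, "csr_pem": csr_pem}


class SecretStore(ABC):
    """Worker-only dependency (Barbican in the real deployment)."""
    @abstractmethod
    def get_ca(self, project_id: str, ca_name: str) -> Dict[str, str]:
        """Return {'cert': pem, 'key': pem} for a tenant-scoped CA."""


class Driver(ABC):
    """Standardized worker-to-driver interface; swap implementations freely."""
    @abstractmethod
    def sign(self, csr_pem: str, ca_cert_pem: str, ca_key_pem: str, profile: str) -> str:
        """Return the signed certificate as PEM."""


class CfsslDriver(Driver):
    def __init__(self, config_path: str, runner: Optional[Callable[[List[str]], str]] = None):
        self.config_path = config_path
        self.runner = runner or self._run_cfssl   # runner is injectable for tests

    @staticmethod
    def _run_cfssl(argv: List[str]) -> str:
        # argv list, no shell: user-controlled values cannot be interpreted by a shell.
        return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

    def sign(self, csr_pem, ca_cert_pem, ca_key_pem, profile):
        # cfssl reads key material from files: keep them in a 0700 temp dir,
        # create them 0600, and let the context manager remove them afterwards.
        with tempfile.TemporaryDirectory() as d:
            paths = {}
            for name, data in (("ca.pem", ca_cert_pem), ("ca-key.pem", ca_key_pem),
                               ("csr.pem", csr_pem)):
                p = os.path.join(d, name)
                fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "w") as f:
                    f.write(data)
                paths[name] = p
            argv = ["cfssl", "sign", "-ca", paths["ca.pem"], "-ca-key", paths["ca-key.pem"],
                    "-config", self.config_path, "-profile", profile, paths["csr.pem"]]
            out = json.loads(self.runner(argv))
        return out["cert"]   # cfssl prints {"cert": "<pem>"} on success


def process_job(job: Dict, store: SecretStore, driver: Driver) -> Dict:
    """Worker side: the only place where the CA key is ever in memory."""
    if job.get("type") != "sign":
        raise ValueError("unsupported job type")
    ca = store.get_ca(job["project_id"], job["ca_name"])   # tenant-scoped lookup
    cert = driver.sign(job["csr_pem"], ca["cert"], ca["key"], job["profile"])
    return {"job_id": job["job_id"], "status": "issued", "cert_pem": cert}
```

The split is enforced by construction: `build_sign_job` has no path by which a `SecretStore` could be reached, and a job message can be inspected on the bus to confirm it carries only public material. The driver writes key files with `O_EXCL` and mode 0600 inside a private temporary directory and relies on the directory's cleanup to remove them as soon as cfssl exits.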

Native OpenStack integration

Guacamole is designed to behave and feel like a standard OpenStack core project:

  • Keystone Integration: Tenants use their standard OpenStack auth tokens to request and manage certificates.
  • Oslo Policy: Operators can define fine-grained RBAC permissions in a standard policy.json file (e.g., restricting wildcard certificate issuance to admin roles).
  • Barbican Storage: Private keys are never stored in a Guacamole database; they are secured using Barbican’s hardware-backed secret containers.
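As an added illustration of the Oslo Policy point above (not Guacamole's own policy file or code), the block below re-implements the subset of oslo.policy's rule language needed for role, rule and `%(attr)s` target checks joined by `and`/`or` (no parentheses), and routes wildcard requests to a stricter policy target. The rule names (`certificate:create`, `certificate:create_wildcard`, `certificate:revoke`) and the policy file are constructed assumptions; a real deployment would use `oslo.policy`'s `Enforcer` rather than this evaluator.

```python
"""Added example: a small evaluator for oslo.policy-style rules, used to
restrict wildcard issuance to admins. Rule names are assumptions."""
import json
import re
from typing import Dict, List

# Constructed policy.json for this example (not Guacamole's actual targets).
POLICY_JSON = """{
    "admin_required": "role:admin",
    "owner": "project_id:%(project_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "certificate:create": "rule:admin_or_owner",
    "certificate:create_wildcard": "rule:admin_required",
    "certificate:revoke": "rule:admin_or_owner"
}"""


class PolicyEnforcer:
    """Evaluates 'role:X', 'rule:X', 'attr:%(target_attr)s' and 'attr:literal'
    checks combined with 'and'/'or'. Unknown rule names deny."""

    def __init__(self, policy_json: str):
        self.rules: Dict[str, str] = json.loads(policy_json)

    def enforce(self, rule_name: str, target: Dict, creds: Dict) -> bool:
        return self._eval(self.rules.get(rule_name, "!"), target, creds, 0)

    def _eval(self, expr: str, target: Dict, creds: Dict, depth: int) -> bool:
        if depth > 32:
            raise RecursionError("policy rule reference loop")
        expr = expr.strip()
        if " or " in expr:     # 'and' binds tighter than 'or', so split on 'or' first
            return any(self._eval(p, target, creds, depth) for p in expr.split(" or "))
        if " and " in expr:
            return all(self._eval(p, target, creds, depth) for p in expr.split(" and "))
        if expr in ("", "@"):  # oslo.policy: empty rule and '@' always allow
            return True
        if expr == "!":        # '!' always denies
            return False
        kind, _, value = expr.partition(":")
        if kind == "rule":
            return self._eval(self.rules.get(value, "!"), target, creds, depth + 1)
        if kind == "role":
            return value in creds.get("roles", [])
        # Generic check: compare a credential attribute with a target attribute
        # (e.g. project_id:%(project_id)s) or with a literal value.
        m = re.fullmatch(r"%\((\w+)\)s", value)
        if m:
            if m.group(1) not in target:
                return False
            expected = target[m.group(1)]
        else:
            expected = value
        return kind in creds and str(creds[kind]) == str(expected)


def check_certificate_request(enf: PolicyEnforcer, creds: Dict, target: Dict,
                              names: List[str]) -> bool:
    """Route any request containing a wildcard name to the stricter target."""
    wildcard = any(n.startswith("*.") for n in names)
    rule = "certificate:create_wildcard" if wildcard else "certificate:create"
    return enf.enforce(rule, target, creds)
```

The security-relevant detail is the routing step: the API decides which policy target applies from the request content (here, whether any requested name is a wildcard), so a tenant member cannot obtain a `*.example.com` certificate by calling the ordinary create endpoint.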

It is a robust, production-ready PKIaaS solution that brings clean, automated, and secure certificate management to open cloud platforms.