Service-Mesh PKI: SPIRE, step-ca & Vault

Service-Mesh PKI

Vendor-neutral design, build, and operations for high-assurance workload identity

Modern platforms depend on mutual TLS (mTLS) between services—across Kubernetes, VMs, and clouds. Getting this right means more than “issuing certs.” It means the right trust model, the right CA, and the right Hardware Security Module (HSM) so private keys are protected and certificates are short-lived, automated, and auditable.

SafeCipher helps enterprises choose and implement the best-fit service-mesh PKI—without vendor bloat or lock-in.

What we do

  • Design & selection: objective comparison of SPIRE, step-ca, and Vault Enterprise (PKI + Managed Keys) for your estate—plus adjacent patterns (Istio + cert-manager, Venafi Firefly) when useful.
  • Build & integrate: per-cluster intermediates, automated issuance/rotation, Envoy/Istio wiring, certificate policies, and observability.
  • HSM expertise: PKCS#11 on-prem HSMs or cloud HSM/KMS, non-exportable CA keys, M-of-N ceremonies, backups/DR, and FIPS alignment.
  • Operate & improve: runbooks, SLOs, dashboards, and a clear path to post-quantum (hybrid TLS) when your toolchain supports it.

Our primary options (what we implement most)

SPIRE (SPIFFE) + HSM

Best when: you want zero-trust, multi-environment identity across K8s + VMs + multi-cloud.
Why clients pick it: first-class SPIFFE IDs, strong node/workload attestation, agents that auto-rotate short-lived certs (hours), and a clean “no OCSP in-mesh” story.
How we deploy:

  • Per-cluster intermediate CA with key in HSM (PKCS#11/KMS).
  • SPIRE server HA, attestors for your platforms, trust bundles to Envoy/Istio.
  • Identity model baked into URI SANs (SPIFFE) and policy.

step-ca + HSM

Best when: you want a lean, low-TCO issuing CA behind cert-manager/Envoy SDS.
Why clients pick it: simple ACME/CSR/OIDC flows, easy per-cluster scaling, crystal-clear operations.
How we deploy:

  • PKCS#11 non-exportable intermediate keys, pathLen=0, ≤24h leaves.
  • Tight role/issuer policy; cert-manager integration for K8s.

Vault Enterprise 1.10+ (PKI + Managed Keys)

Best when: you already standardize on Vault and want secrets + PKI + policy/audit in one platform.
Why clients pick it: Managed Keys keep the CA key in HSM/KMS (non-exportable), plus namespaces/RBAC, FIPS builds, and rich audit.
How we deploy:

  • One PKI namespace per cluster/trust domain, rate-limited issuance, mTLS with pinned chain, and WORM/immutable audit.

Vendor-neutral promise: We implement what’s right for you—not what any single vendor prefers. If your estate is K8s-heavy, Istio + cert-manager with an external HSM-backed intermediate may be ideal. If governance is paramount, Venafi Firefly as the edge issuer might be the right fit. We’ll prove it with data.

HSMs: where SafeCipher adds real depth

Choosing an HSM isn’t just a brand decision—it’s how you limit the attack surface  and pass audits.

  • PKCS#11 on-prem HSMs (e.g., Luna, Utimaco, nCipher) and cloud HSM/KMS (AWS CloudHSM/KMS, Azure Managed HSM, GCP KMS).
  • Non-exportable key generation for intermediates; M-of-N access, sealed rooms, and repeatable ceremonies.
  • Backups/DR with split-knowledge card sets; verified restore; key fingerprint attestation.
  • FIPS 140-2/3 alignment and documentation for audits.

We’ll recommend the right HSM for each product (SPIRE KeyManager, step-ca PKCS#11, Vault Managed Keys) and integrate it end-to-end.

Our selection framework (how we keep you vendor-neutral)

We score each option against your priorities, then show total cost and risk clearly:

  • Identity model & attestation (SPIFFE depth vs generic X.509).
  • Key residency (true HSM non-exportability vs sealed software keys).
  • Ops model (server/agents vs lightweight CA vs consolidated platform).
  • Multi-tenancy & policy (namespaces/RBAC, issuers, approval flows).
  • Tooling fit (Istio/Envoy, cert-manager, CI/CD, secrets, KMS).
  • Cost (licenses, HSM/KMS, engineering, support).
  • Roadmap (PQC-hybrid TLS, platform upgrades, lifecycle).

You get a decision memo and a runway plan—not a slide dump.

Secure-by-default principles we enforce

  • Per-cluster (or per trust domain) intermediate CA, pathLen=0.
  • Short-lived leaves (usually ≤24h) with automated renewal; no in-mesh OCSP.
  • TLS 1.3 everywhere; mutual TLS with pinned chain; rate-limited issuance.
  • Audit you can trust: WORM/immutable logs, SIEM alerts on policy/issuance spikes.
  • Traffic-analysis (AIDA) hygiene: multiplexing, optional payload bucketing for crown-jewel APIs.
  • PQC track: staged hybrid TLS (X25519 + ML-KEM) pilots as Envoy/OpenSSL support lands.

Industry focus (incl. automotive)

We’ve tailored these patterns for regulated and safety-critical environments:
Automotive (ISO/SAE 21434, UNECE R155/R156, ISO 15118, V2X/SCMS), finance, and public sector. Need to anchor to an offline ADCS/EJBCA root? That’s our home turf.

What you get with SafeCipher

  • Architecture & decision memo (vendor-neutral)
  • Bill of Materials (BoM) incl. HSMs/KMS and licensing options
  • PKI profiles & policies (CP/CPS snippets, cert templates)
  • Ceremony playbooks (M-of-N, evidence packs, recovery tests)
  • Implementation (IaC, CI/CD, Issuer configs, SPIRE/step-ca/Vault)
  • Runbooks & SLOs (rotation, renewal, incident drills)
  • Dashboards (mTLS handshakes, error budgets, issuance trends)

Let’s choose the right option—together

Tell us about your clusters, clouds, governance, and HSM constraints. We’ll bring a clear, defensible recommendation and implement it end-to-end—SPIRE, step-ca, or Vault Enterprise—with the right HSM and the least operational friction.