home
Chris Zinda edited this page Mar 7, 2026 · 3 revisions
Automated certificate lifecycle management for Zero Trust Architecture — from detection to revocation in under 60 seconds.
A full-stack lab environment running three independent PKI hierarchies — RSA-4096, ECC P-384, and NIST FIPS 204 ML-DSA-87 (post-quantum) — on Dogtag PKI with FreeIPA. Security events flow through Kafka into Event-Driven Ansible, which automatically revokes compromised certificates without human intervention.
- Triple PKI — RSA, ECC, and post-quantum (ML-DSA-87) hierarchies running simultaneously
- Sub-60s response — Security event to certificate revocation with zero manual steps
- EST + ACME + CMC enrollment — RFC 7030, RFC 8555, and RFC 5272 automated certificate issuance
- IoT device simulation — Bulk device enrollment with EST-first strategy and REST API fallback
- 31 security event types — EDR, SIEM, PKI, IoT, identity, and network threat scenarios
- Tiered validation — 10-tier health check system with auto-remediation
- Policy engine — CA/Browser Forum Baseline Requirements validation
- Compliance scanning — Mozilla Root Store, RFC 5280, NIST SP 800-57 checks
- Chaos engineering — Resilience testing for CA, DS, and network failures
- Kryoptic HSM — PKCS#11 hardware security module simulation with Rust-based Kryoptic
- Federated PKI — Cross-organization trust via Bridge CA and bilateral cross-certification
- KMIP key management — Centralized key lifecycle management across all PKI hierarchies
- Incident response — Full 7-phase IR workflow with automated quarantine, revocation, and re-issuance
- Certificate pinning — SPKI pin validation with Kafka-integrated violation detection
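The decision an Event-Driven Ansible action has to make when a message arrives on the Kafka topic, as an added example that is not the lab's own rulebook or playbook: parse the event, decide whether it warrants revocation, pick the RFC 5280 CRLReason, and assemble the Dogtag `pki ca-cert-revoke` call. The event field names (`event_type`, `serial`, `pki_type`, `timestamp`), the event-type strings, and the NSS agent nicknames are assumptions; the reason codes are RFC 5280 section 5.3.1 values and the `pki` flags are Dogtag's. Serial handling covers the formats that actually show up in practice (Dogtag's `0x` hex, OpenSSL's colon-separated hex, and plain decimal), and the request records the event age so the sub-60s SLO can be measured rather than assumed.

```python
"""Security event (Kafka JSON) -> Dogtag revocation request. Added example, not lab code.
Assumed: event field names, event_type strings, agent nicknames. RFC 5280 reason codes are real."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# RFC 5280 section 5.3.1 CRLReason values (7 is unassigned in the RFC).
CRL_REASON_CODE = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
    "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
    "removeFromCRL": 8, "privilegeWithdrawn": 9, "aACompromise": 10,
}

# Spelling Dogtag's `pki ca-cert-revoke --reason` expects for each reason.
DOGTAG_REASON = {
    "keyCompromise": "Key_Compromise", "cACompromise": "CA_Compromise",
    "affiliationChanged": "Affiliation_Changed", "superseded": "Superseded",
    "cessationOfOperation": "Cessation_of_Operation", "certificateHold": "Certificate_Hold",
    "privilegeWithdrawn": "Privilege_Withdrawn",
}

# Assumed subset of the lab's event types that warrant revocation. Event types missing
# from this table (a purely informational SIEM alert, say) produce no PKI action.
EVENT_TO_REASON = {
    "Certificate Private Key Compromise": "keyCompromise",
    "CA Key Compromise": "cACompromise",
    "Identity Deprovisioned": "affiliationChanged",
    "IoT Device Decommissioned": "cessationOfOperation",
    "Certificate Pin Violation": "certificateHold",  # reversible hold while the mismatch is triaged
}

# Assumed NSS nicknames of the CA agent certificate for each hierarchy (`pki -n <nickname>`).
AGENT_NICKNAME = {"rsa": "caadmin-rsa", "ecc": "caadmin-ecc", "pqc": "caadmin-pqc"}

RESPONSE_SLO_SECONDS = 60.0


@dataclass(frozen=True)
class RevocationRequest:
    serial_hex: str
    reason: str
    reason_code: int
    pki_type: str
    age_seconds: float       # event timestamp -> decision time; the lab's SLO is < 60 s end to end
    command: List[str]

    @property
    def within_slo(self) -> bool:
        return 0 <= self.age_seconds < RESPONSE_SLO_SECONDS


def parse_ts(value: str) -> datetime:
    """ISO 8601 with trailing Z or explicit offset; naive timestamps are rejected."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value!r}")
    return ts.astimezone(timezone.utc)


def normalize_serial(value) -> str:
    """Canonical 0x-prefixed lowercase hex from int, '0x1A2B', '1a:2b' (hex) or '4096' (decimal)."""
    if isinstance(value, bool):
        raise ValueError("serial must not be a boolean")
    if isinstance(value, int):
        n = value
    else:
        raw = str(value).strip().lower()
        digits = raw.replace(":", "")
        if digits.startswith("0x"):
            n = int(digits[2:], 16)
        elif ":" in raw or re.search(r"[a-f]", digits):
            n = int(digits, 16)
        elif digits.isdigit():
            n = int(digits, 10)
        else:
            raise ValueError(f"unparseable serial: {value!r}")
    if n <= 0:
        raise ValueError("serial must be positive (RFC 5280 section 4.1.2.2)")
    return f"0x{n:x}"


def build_revocation(event_json: str, now: datetime) -> Optional[RevocationRequest]:
    """Return the revocation to perform for one Kafka message, or None if the event needs no PKI action.
    Malformed events raise so they land in the dead-letter path instead of being silently dropped."""
    event = json.loads(event_json)
    reason = EVENT_TO_REASON.get(event.get("event_type"))
    if reason is None:
        return None
    pki_type = event.get("pki_type")
    if pki_type not in AGENT_NICKNAME:
        raise ValueError(f"unknown pki_type: {pki_type!r}")
    serial = normalize_serial(event["serial"])
    age = (now - parse_ts(event["timestamp"])).total_seconds()
    command = ["pki", "-n", AGENT_NICKNAME[pki_type], "ca-cert-revoke", serial,
               "--reason", DOGTAG_REASON[reason], "--force"]  # --force: no interactive confirmation
    return RevocationRequest(serial, reason, CRL_REASON_CODE[reason], pki_type, age, command)


# Constructed sample event in the shape the mock EDR might publish (field names assumed).
SAMPLE_EVENT = json.dumps({
    "source": "mock-edr",
    "event_type": "Certificate Private Key Compromise",
    "serial": "0x1A2B",
    "pki_type": "rsa",
    "timestamp": "2026-03-07T12:00:00Z",
})

if __name__ == "__main__":
    req = build_revocation(SAMPLE_EVENT, now=parse_ts("2026-03-07T12:00:42Z"))
    print(" ".join(req.command), "| within SLO:", req.within_slo)
```

A late event (age over 60 s) is still revoked; `within_slo` only marks the SLO miss for the metrics pipeline. The reason matters downstream: `Certificate_Hold` can be lifted with `removeFromCRL`, whereas `Key_Compromise` is permanent and should also trigger re-issuance with a fresh key.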
```bash
# Install prerequisites (RHEL or Ubuntu)
./setup-prerequisites.sh

# Start with all three PKI hierarchies
./start-lab.sh --all

# Run an end-to-end test
lab test --pki-type rsa --scenario "Certificate Private Key Compromise"
```

Documentation pages:

- Certificate Issuance
- Certificate Revocation
- EST Protocol (RFC 7030)
- ACME Protocol (RFC 8555)
- CMC Protocol (RFC 5272)
- OCSP & CRL
- Cross-Certification
- Key Recovery (KRA)
- Security Scenarios
- Policy Engine
- Compliance Scanner
- Certificate Transparency
- Certificate Pinning Validator
- Incident Response
- CLI Reference
- Ansible Semaphore
- GitOps Certificate Management
- Chaos Engineering
- Load Testing
- Performance Testing
- FreeIPA Integration
- EDA SSH Bridge
- Post-Quantum PKI
- Federated PKI Trust
- AWX Job Templates
- RHPDS Deployment
- Troubleshooting
| Service | URL | Description |
|---|---|---|
| Grafana | http://localhost:3000 | Metrics dashboards |
| Prometheus | http://localhost:9090 | Metrics collection |
| Chain Visualizer | http://localhost:8090 | Interactive trust chain UI |
| Pin Validator | http://localhost:8091 | Certificate pinning validation |
| KMIP Server | http://localhost:8092 | Key lifecycle management |
| CRL CDP Server | http://localhost:8088 | CRL distribution |
| Policy Engine | http://localhost:8089 | Certificate policy validation |
| CT Log | http://localhost:8086 | Certificate Transparency |
| Mock EDR | http://localhost:8082 | Endpoint detection |
| Mock SIEM | http://localhost:8083 | Security information |
| IoT Client | http://localhost:8085 | Device simulator |
| Jupyter | http://localhost:8888 | Notebooks & guides |
| Loki | http://localhost:3100 | Log aggregation |
| Semaphore | http://localhost:3010 | Ansible task management UI |
| KMIP (native) | localhost:5696 | KMIP protocol endpoint |
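What the Pin Validator on port 8091 has to compute for the SPKI pinning described in the feature list, as an added example that is not the service's own code: extract the DER SubjectPublicKeyInfo from a certificate, pin it as base64(SHA-256(SPKI)) in the RFC 7469 style, and compare against the pinset, emitting the "violation" result that would be published to Kafka. Everything is standard library. The certificate is constructed in place with a tiny DER encoder: the key point is arbitrary bytes (not a point on P-256) and the signature is empty, so it is not a valid X.509 certificate, but its SubjectPublicKeyInfo is well-formed DER, which is all the pin depends on.

```python
"""SPKI pin extraction and validation with a minimal DER encoder/reader. Added example, not
the lab's Pin Validator. The sample certificate is constructed here and unsigned."""
import base64
import hashlib

# ---- minimal DER encoder: enough to build a certificate skeleton ----

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def integer(n: int) -> bytes:
    # positive INTEGER; the extra leading zero byte keeps a set high bit from reading as a sign
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def bit_string(data: bytes) -> bytes:
    return tlv(0x03, b"\x00" + data)        # first byte: number of unused bits

def utc_time(s: str) -> bytes:
    return tlv(0x17, s.encode("ascii"))

ECDSA_WITH_SHA256 = seq(oid("1.2.840.10045.4.3.2"))

def build_spki_p256(point: bytes) -> bytes:
    """SubjectPublicKeyInfo for an uncompressed P-256 point: id-ecPublicKey + prime256v1."""
    return seq(seq(oid("1.2.840.10045.2.1"), oid("1.2.840.10045.3.1.7")),
               bit_string(b"\x04" + point))

def build_certificate(spki: bytes, serial: int) -> bytes:
    """Certificate skeleton with empty issuer/subject names and an empty signature (constructed, unsigned)."""
    tbs = seq(
        tlv(0xA0, integer(2)),              # [0] EXPLICIT version v3
        integer(serial),
        ECDSA_WITH_SHA256,
        seq(),                              # issuer: empty RDNSequence
        seq(utc_time("250101000000Z"), utc_time("260101000000Z")),
        seq(),                              # subject
        spki,
    )
    return seq(tbs, ECDSA_WITH_SHA256, bit_string(b""))

# ---- minimal DER reader: just enough to locate subjectPublicKeyInfo ----

def der_split(content: bytes) -> list:
    """Split a constructed element's content into its child TLVs (single-byte tags only)."""
    children, i = [], 0
    while i < len(content):
        start = i
        i += 1                              # tag
        first = content[i]; i += 1
        if first & 0x80:                    # long-form length
            n = first & 0x7F
            length = int.from_bytes(content[i:i + n], "big"); i += n
        else:
            length = first
        i += length
        if i > len(content):
            raise ValueError("truncated DER element")
        children.append(content[start:i])
    return children

def der_content(element: bytes) -> bytes:
    first = element[1]
    return element[2 + (first & 0x7F):] if first & 0x80 else element[2:]

def spki_from_certificate(cert: bytes) -> bytes:
    tbs_fields = der_split(der_content(der_split(der_content(cert))[0]))
    if tbs_fields[0][0] == 0xA0:            # optional explicit version comes first
        tbs_fields = tbs_fields[1:]
    spki = tbs_fields[5]                    # serial, signature, issuer, validity, subject, SPKI
    if spki[0] != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki

def spki_pin(spki: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")

def validate_pin(cert: bytes, pinset: set) -> dict:
    """The event the validator would publish: 'ok', or 'violation' carrying the observed pin."""
    pin = spki_pin(spki_from_certificate(cert))
    return {"result": "ok" if pin in pinset else "violation",
            "observed_pin": pin, "pinned": sorted(pinset)}

# Constructed sample: an arbitrary 64-byte "point" (not on the curve) and a one-entry pinset.
SAMPLE_SPKI = build_spki_p256(bytes(range(1, 65)))
SAMPLE_CERT = build_certificate(SAMPLE_SPKI, serial=0x1A2B)
PINSET = {spki_pin(SAMPLE_SPKI)}

if __name__ == "__main__":
    print(validate_pin(SAMPLE_CERT, PINSET))
    rotated = build_certificate(build_spki_p256(bytes(64)), serial=0x1A2C)  # key rotated, pinset not
    print(validate_pin(rotated, PINSET))
```

Pinning the SPKI rather than the whole certificate is what lets a renewal with the same key pass without a pin update; the second call above shows the failure mode a practitioner hits most often, a key rotation without a corresponding pinset change, which is indistinguishable from an attacker-issued certificate to the validator and must be treated as a violation.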