I am running my own private CA as well, powered by Hashicorp Vault, Ansible and Jenkins.
The Vault initialization and configuration is more or less manual (just a bunch of commands, I have them in my notes). From there I am using an Ansible role based on the hashi_vault module [1] which is run by a Jenkins job every night, logging into each target system, renewing certs if needed and reloading services.
Has been working very well for about a year now. Of course, there's a little more technical context needed - my CA needs to be present on all systems interacting with it, and my CI needs to be able to log into each target system (SSH keypair + sudo user). This ties into the rest of my infrastructure, which is managed by Terraform and Ansible.
I might write up a small blog post about this if I find the time.
[1] https://docs.ansible.com/ansible/latest/collections/communit...
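The nightly renewal loop described in the comment above, as an added example (not the commenter's role, and not code from the community.hashi_vault collection's docs). It assumes a Vault PKI secrets engine mounted at `pki` with a role named `internal-servers`, AppRole credentials supplied through the `VAULT_ROLE_ID` / `VAULT_SECRET_ID` environment variables on the controller, a service named `nginx` to reload, and the certificate/key paths under `/etc/ssl/private`; all of these are placeholders. The renew-if-needed decision uses `community.crypto.x509_certificate_info`'s `valid_at` check so that a certificate is only reissued when it will no longer be valid one week out, and the Vault call is delegated to the controller so target hosts never need Vault credentials.

```yaml
# Added example: nightly Vault PKI renewal play (hypothetical names, see lead-in)
- name: Renew internal TLS certificates from Vault PKI when close to expiry
  hosts: all
  become: true
  vars:
    cert_path: "/etc/ssl/private/{{ inventory_hostname }}.crt"   # assumed location
    key_path: "/etc/ssl/private/{{ inventory_hostname }}.key"    # assumed location
    vault_addr: "https://vault.example.internal:8200"            # placeholder
    vault_pki_role: internal-servers                             # assumed PKI role
    renew_within: "+7d"   # reissue if the cert is no longer valid one week from now
    service_name: nginx   # assumed service to reload after install

  tasks:
    - name: Check whether a certificate is already installed
      ansible.builtin.stat:
        path: "{{ cert_path }}"
      register: cert_file

    - name: Inspect the current certificate's validity window
      community.crypto.x509_certificate_info:
        path: "{{ cert_path }}"
        valid_at:
          soon: "{{ renew_within }}"
      register: current_cert
      when: cert_file.stat.exists

    - name: Decide whether renewal is needed (missing cert or expiring soon)
      ansible.builtin.set_fact:
        needs_renewal: "{{ (not cert_file.stat.exists) or (not current_cert.valid_at.soon) }}"

    # The Vault call runs on the controller: target hosts hold no Vault credentials.
    - name: Issue a fresh certificate from the Vault PKI role
      community.hashi_vault.vault_write:
        url: "{{ vault_addr }}"
        auth_method: approle
        role_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
        secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
        path: "pki/issue/{{ vault_pki_role }}"
        data:
          common_name: "{{ inventory_hostname }}"
          ttl: "720h"   # 30 days; the nightly job renews well before this
      register: issued
      delegate_to: localhost
      become: false
      no_log: true   # the response contains the private key
      when: needs_renewal

    - name: Install the new certificate and private key
      ansible.builtin.copy:
        content: "{{ item.content }}"
        dest: "{{ item.dest }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
      loop:
        - { content: "{{ issued.data.data.certificate }}", dest: "{{ cert_path }}", mode: "0644" }
        - { content: "{{ issued.data.data.private_key }}", dest: "{{ key_path }}", mode: "0600" }
      loop_control:
        label: "{{ item.dest }}"   # keep key material out of the job log
      no_log: true
      when: needs_renewal
      notify: Reload service

  handlers:
    - name: Reload service
      ansible.builtin.service:
        name: "{{ service_name }}"
        state: reloaded
```

Two points worth noting for this pattern: the private key is generated by Vault and passes through the controller and the CI job's memory, so `no_log` on the issuing and copying tasks matters, and the AppRole used here should be bound to a Vault policy that allows only `pki/issue/internal-servers` (the `pki/issue/*` endpoint issues leaf certificates, not CA material). Because the Vault call is delegated to the controller, the Jenkins node is the only place that needs reachability to Vault and an AppRole secret.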