OTTR: An Airbnb-style public key serverless framework

Airbnb has just released OTTR, a serverless infrastructure developed in-house, as open source. Its objective is to manage the lifecycle of public keys.

Known for its apartment and house bookings, Airbnb has invested heavily in the IT platform that serves its intermediary business. In a blog post, the company has just released OTTR, a serverless public key infrastructure (PKI) framework for managing certificates, as open source (available on GitHub). The tool was developed in-house and manages the life cycle of certificates without deploying an agent on the hosts.

Certificate management is often a pain point, even though agent-based automation solutions exist to handle certificate rotation on Linux and Windows distributions.

The California-based firm explains that provisioning certificates for network infrastructure typically involves either manual intervention by engineering teams or the use of enrollment protocols such as CMP (Certificate Management Protocol), SCEP (Simple Certificate Enrollment Protocol) or EST (Enrollment over Secure Transport), all of which have security issues. OTTR offers a configurable serverless framework on AWS with low overhead and minimal dependence on enrollment protocols.

Benefits on multiple levels

Airbnb built OTTR as a serverless system from the ground up. An AWS Step Functions state machine processes a set of host records in parallel and launches an ECS container for each host targeted by a certificate rotation. ECS pulls a specific image from the Elastic Container Registry (ECR) according to the task definition handed to it by the Step Functions workflow.
</gml_replace>
<gr_replace lines="17" cat="clarify" orig="Then, it establishes">
The container then connects to the endpoint, which generates a public/private key pair and a CSR (certificate signing request); the CSR is transferred to the container file system while the private key stays on the endpoint. The CSR is then submitted to the certificate authority (e.g. Let's Encrypt) to start the signing process, and domain ownership is validated by updating the appropriate DNS record. Once signing is complete, the container delivers the signed certificate to the endpoint.

Then, it establishes a connection with the endpoint to generate a public/private key pair and a SCR (a certificate request) that is transferred to the container file system. This RCS then takes the direction of the certificate authority (e.g. Let’s Encrypt) to start the certificate signing process and authenticate the validity of the domain by changing the appropriate DNS. Once complete, it downloads the certificate to the endpoint.
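To make the fan-out described above concrete, here is an added, illustrative Step Functions definition (not taken from the OTTR repository) in which a Map state iterates over a list of hosts, runs one ECS task per host and passes the target host and chosen CA to the container through environment overrides; the cluster, task definition, subnet and container names are placeholders, and the `Retry`/`Catch` blocks keep one failed rotation from aborting the whole batch.

```json
{
  "Comment": "Illustrative per-host certificate rotation fan-out (placeholders, not OTTR's own definition)",
  "StartAt": "RotateEachHost",
  "States": {
    "RotateEachHost": {
      "Type": "Map",
      "ItemsPath": "$.hosts",
      "MaxConcurrency": 10,
      "Iterator": {
        "StartAt": "RunRotationTask",
        "States": {
          "RunRotationTask": {
            "Type": "Task",
            "Resource": "arn:aws:states:::ecs:runTask.sync",
            "Parameters": {
              "LaunchType": "FARGATE",
              "Cluster": "arn:aws:ecs:REGION:ACCOUNT:cluster/PLACEHOLDER-cluster",
              "TaskDefinition": "PLACEHOLDER-rotation-task",
              "NetworkConfiguration": {
                "AwsvpcConfiguration": {
                  "Subnets": ["subnet-PLACEHOLDER"],
                  "AssignPublicIp": "DISABLED"
                }
              },
              "Overrides": {
                "ContainerOverrides": [{
                  "Name": "rotation",
                  "Environment": [
                    { "Name": "TARGET_HOST", "Value.$": "$.hostname" },
                    { "Name": "CERTIFICATE_AUTHORITY", "Value.$": "$.certificate_authority" }
                  ]
                }]
              }
            },
            "Retry": [{
              "ErrorEquals": ["States.TaskFailed"],
              "IntervalSeconds": 30,
              "MaxAttempts": 2,
              "BackoffRate": 2.0
            }],
            "Catch": [{
              "ErrorEquals": ["States.ALL"],
              "ResultPath": "$.error",
              "Next": "RecordFailure"
            }],
            "End": true
          },
          "RecordFailure": {
            "Type": "Pass",
            "Result": "rotation_failed",
            "ResultPath": "$.status",
            "End": true
          }
        }
      },
      "End": true
    }
  }
}
```

The input is expected to look like `{"hosts": [{"hostname": "...", "certificate_authority": "..."}, ...]}`; with `.sync` the workflow waits for each container to exit, so a failed host ends up in the Map output with `status: rotation_failed` and an `error` field for triage instead of failing the run.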

Kenneth Yang, security engineer at Airbnb, details some of the benefits of OTTR. “Since OTTR was implemented earlier this year, thousands of certificate rotations have been performed without any human intervention.” He adds, “This has alleviated several tasks for teams such as monitoring and triaging tickets for expired certificates, engineering, which was responsible for the manual process of these rotations, and security in connection with application approval.”