fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Generate WSTEP cert/key #19262

Open rfairburn opened 4 months ago

rfairburn commented 4 months ago

UPDATE: My understanding is that we can make it so the user doesn't have to plug anything into the UI/API nor env variables: Fleet generates and stores the WSTEP cert/key for the user.

(noahtalerman 2024-05-28)

Problem

I am happy to see that in https://github.com/fleetdm/fleet/issues/19014 we are adding the ability to manage APNS/SCEP for Apple MDM, but I would like to see the same level of support for Windows/WSTEP.

One of our goals was to simplify the process of supporting MDM via our Terraform example. If a customer/prospect wishes to use Windows MDM without this, no simplification is possible.

The existing render template would also not be Windows MDM friendly.

Potential solutions

  1. Use the same method used in SCEP on https://github.com/fleetdm/fleet/issues/19014 for WSTEP

nonpunctual commented 4 months ago

From @rfairburn (his current workflow)

In the MDM module I use now, the same cert is used for SCEP/WSTEP and it is passed to both env vars for Mac & Win.

noahtalerman commented 4 months ago

My understanding is that we can make it so the user doesn't have to plug anything into the UI/API nor env variables: Fleet generates and stores the WSTEP cert/key for the user.

Updating the title of the issue to reflect this.

@roperzh please correct me if I'm wrong.

cc @rfairburn

roperzh commented 4 months ago

@noahtalerman that's correct 👍 this can be supported with minimal changes, it just wasn't part of the Figma/issue so I assumed there are other UX changes we want to do? (maybe when turning on Windows MDM?)

noahtalerman commented 4 months ago

it just wasn't part of the Figma/issue so I assumed there are other UX changes we want to do? (maybe when turning on Windows MDM?)

I think we forgot about it and unintentionally cut scope.

We were focused on macOS MDM.

roperzh commented 4 months ago

Another thing that I remember we discussed but that wasn't specified is generating SCEP challenges automatically

rfairburn commented 4 months ago

@noahtalerman did you intend this to be assigned to me as opposed to the mdm team?

@roperzh for v4.51.0 this means that the SCEP challenge still needs to be an env var, correct?

roperzh commented 4 months ago

@rfairburn that is correct 👍

noahtalerman commented 4 months ago

Hey @rfairburn you can ignore your assignment!

As part of preparing for feature fest, I assign the requestor to all feature requests.

This way, I can keep track of who the requestor is during the feature fest call.

Sorry for the confusion :)

roperzh commented 4 months ago

@rfairburn heads-up that the scope of the feature for Apple certificates changed and we're going to generate a SCEP challenge if one is not present too https://github.com/fleetdm/fleet/issues/10383#issuecomment-2145681769

It'll work the same way as it does for certificates (if one is set, we'll ingest that value into the db)
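The "ingest it if set, otherwise generate and store it" behaviour described in this thread, for both the CA cert/key and the SCEP challenge, sketched in Go as an added example. This is not Fleet's code: the function names, the `CertMaterial` type, the 2048-bit RSA key, the 10-year validity and the 128-bit hex challenge are all assumptions made for illustration, and persistence to the database is left to the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertMaterial is the PEM-encoded CA certificate and private key that would
// be persisted (hypothetical type; Fleet's storage layer is not modelled here).
type CertMaterial struct {
	CertPEM []byte
	KeyPEM  []byte
}

// ensureCA returns the operator-supplied cert/key when both are set and valid,
// otherwise generates a fresh self-signed CA. The bool reports whether the
// material was generated (true) or ingested from the supplied values (false).
func ensureCA(certPEM, keyPEM []byte, cn string) (CertMaterial, bool, error) {
	if len(certPEM) > 0 || len(keyPEM) > 0 {
		// Half-configured input is a misconfiguration, not a reason to silently generate.
		if len(certPEM) == 0 || len(keyPEM) == 0 {
			return CertMaterial{}, false, errors.New("cert and key must be provided together")
		}
		// X509KeyPair parses both PEM blocks and checks that the key matches the cert.
		kp, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return CertMaterial{}, false, fmt.Errorf("invalid supplied cert/key: %w", err)
		}
		leaf, err := x509.ParseCertificate(kp.Certificate[0])
		if err != nil {
			return CertMaterial{}, false, err
		}
		// Sanity check (assumption): the cert will be used to sign device certs, so it must be a CA.
		if !leaf.IsCA {
			return CertMaterial{}, false, errors.New("supplied certificate is not a CA certificate")
		}
		return CertMaterial{CertPEM: certPEM, KeyPEM: keyPEM}, false, nil
	}
	m, err := generateCA(cn)
	return m, true, err
}

// generateCA creates a self-signed RSA CA certificate; sizes and lifetime are assumptions.
func generateCA(cn string) (CertMaterial, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return CertMaterial{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return CertMaterial{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return CertMaterial{}, err
	}
	return CertMaterial{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
	}, nil
}

// ensureChallenge keeps a configured SCEP challenge, or generates a random one
// (16 bytes from crypto/rand, hex-encoded) when none is set.
func ensureChallenge(configured string) (string, bool, error) {
	if configured != "" {
		return configured, false, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", false, err
	}
	return hex.EncodeToString(b), true, nil
}

func main() {
	m, generated, err := ensureCA(nil, nil, "Example MDM CA")
	if err != nil {
		panic(err)
	}
	fmt.Printf("CA generated=%v, cert bytes=%d\n", generated, len(m.CertPEM))
	// Feeding the generated material back in takes the ingest path.
	_, generated, _ = ensureCA(m.CertPEM, m.KeyPEM, "ignored")
	fmt.Printf("second call generated=%v\n", generated)
	ch, generated, _ := ensureChallenge("")
	fmt.Printf("challenge generated=%v, value=%s\n", generated, ch)
}
```

The two functions share one shape on purpose: configured value wins and is validated before being stored, and generation only happens when nothing was supplied, which is the behaviour the thread describes for both the certificate and the challenge.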