fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Bring your own configuration profile signing certificate #19539

Open noahtalerman opened 1 month ago

noahtalerman commented 1 month ago

Problem

We’d prefer that Fleet instead expose distinct configuration options (a signing key and certificate) to allow users to bring their own certificate signed by a public authority. Not only would this make the initial manual enrollment profile appear as trusted but it’d also remove the need to add a new root certificate to devices (making much of the remaining feedback irrelevant).

From the customer:

The remainder of feedback is covered by the following issues:

latacora-paul commented 1 month ago

One point of clarification is I think if you allowed "bring your own signing certificate" then you wouldn't need to install the certificate as a root CA on devices at all for this purpose (which should make #19538 and #19537 unnecessary).

For example, if you supported BYO I can use something like a letsencrypt cert or an apple cert to sign the profiles and then they're already trusted by devices without needing to add a new trust anchor.

Example demonstrating creating a publicly trusted profile using letsencrypt/certbot:

```bash
# get a certificate from letsencrypt using certbot and route53 for dns challenge
certbot certonly --dns-route53 --key-type rsa -d example.com

# the output path where certbot stores the key/cert
certs="/etc/letsencrypt/live/example.com"

# sign a mobileconfig file (opaque CMS signature, DER encoded)
openssl smime \
    -sign \
    -signer "${certs}/cert.pem" \
    -inkey "${certs}/privkey.pem" \
    -certfile "${certs}/chain.pem" \
    -nodetach \
    -outform der \
    -in enrollment-profile.mobileconfig \
    -out enrollment-profile-signed.mobileconfig
```

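
An added example, not code from the issue or from Fleet: it signs a constructed minimal profile with the same `openssl smime` form as above, then runs the check worth doing before distributing the result, verifying the signature against an explicit trust anchor and confirming it is rejected against an unrelated one. It assumes a throwaway CA generated inline in place of the Let's Encrypt chain (so no intermediate `-certfile`); the helper names `issue_cert`, `make_test_pki`, `sign_profile` and `verify_profile` are mine.

```bash
#!/usr/bin/env bash
# Added example, not code from the issue: sign a minimal .mobileconfig exactly as the
# comment above does, then run the check a device effectively runs before it shows the
# profile as verified: CMS signature valid AND signer chains to a trust anchor.
# A constructed throwaway CA stands in for the public CA.
set -euo pipefail
work="$(mktemp -d)"
issue_cert() {  # $1=name $2=subject $3=extensions $4=issuer name (empty: self-signed root)
  printf '%b' "$3" > "$work/$1.ext"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  if [ -z "${4:-}" ]; then
    openssl x509 -req -sha256 -days 2 -in "$work/$1.csr" -signkey "$work/$1.key" \
      -extfile "$work/$1.ext" -out "$work/$1.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 2 -in "$work/$1.csr" -CA "$work/$4.pem" -CAkey "$work/$4.key" \
      -CAcreateserial -extfile "$work/$1.ext" -out "$work/$1.pem" 2>/dev/null
  fi
}
make_test_pki() {  # root that issues the signing leaf, plus an unrelated root for the negative case
  local ca='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n'
  issue_cert ca "/CN=Test Root" "$ca"
  issue_cert other-ca "/CN=Other Root" "$ca"
  issue_cert signer "/CN=example.com" 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' ca
}
write_profile() {  # constructed minimal profile; a real enrollment profile carries more payloads
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.example.enroll</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict></plist>
EOF
}
sign_profile() {  # $1=unsigned $2=signed (DER, opaque-signed), same openssl smime form as above
  openssl smime -sign -signer "$work/signer.pem" -inkey "$work/signer.key" \
    -nodetach -outform der -in "$1" -out "$2"
}
verify_profile() {  # $1=signed $2=trust anchor $3=recovered payload; exits 0 only if both checks pass
  openssl smime -verify -inform der -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}
make_test_pki
write_profile "$work/enrollment-profile.mobileconfig"
sign_profile "$work/enrollment-profile.mobileconfig" "$work/enrollment-profile-signed.mobileconfig"
verify_profile "$work/enrollment-profile-signed.mobileconfig" "$work/ca.pem" "$work/recovered.mobileconfig" \
  && echo "valid: signer chains to ca.pem"
verify_profile "$work/enrollment-profile-signed.mobileconfig" "$work/other-ca.pem" /dev/null \
  || echo "rejected: signer does not chain to other-ca.pem"
```

With a real public CA, pass the operating system's trust store (or the CA's published chain) as the `-CAfile` argument instead of the throwaway root.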
noahtalerman commented 1 month ago

Thanks @latacora-paul!

The plan is to weigh this request at the next feature fest on 2024-06-20.