fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
2.92k stars, 409 forks

Certificate Lifecycle Management for Linux #21096

Open ddribeiro opened 1 month ago

ddribeiro commented 1 month ago

Problem

As an IT admin, I'd like Fleet to orchestrate the lifecycle management of client certificates on my Linux hosts.

There are several parts to this request that might need to be broken down into smaller stories:

  1. Create a system to generate and issue client certificates
  2. Automatically renew client certificates when they are about to expire
  3. Have the ability to revoke client certificates through Fleet
  4. Prevent a device that has had its certificate revoked from generating a new one if it gets re-imaged (persist device record in Fleet based on UUID or other identifier)

What have you tried?

customer-cisneros is using scripts and Ubuntu Landscape to achieve this today.

  1. A script is used to generate a private key on device
  2. A script is used to generate a CSR on device
  3. A script is used to pull the CSR from the device and submit it to a PKI service
  4. Certificate is generated on the server and deployed to client device using Landscape

This workflow is able to renew certificates before they expire. It does not handle revocation.

Potential solutions

The solution for the customer would be to build a system in Fleet that replaces their current workflow and meets the requirements in the above sections. I don't have any solutions on how to best achieve this.

What is the expected workflow as a result of your proposal?

The expected workflow is that a Fleet admin would be able to use Fleet to manage client certificates on their Linux hosts instead of needing to build a custom workflow to handle this.

JoStableford commented 1 month ago

Related to a Slack conversation

noahtalerman commented 1 month ago

Thanks for tracking this @ddribeiro.

I think the plan is to use fleetdm.com (as a server that checks for expired certs) and script execution features in Fleet for now.

At some point in the future, when we have additional engineering capacity, we'll add this to Fleet.

cc @zwass @zayhanlon

noahtalerman commented 1 month ago

> I think the plan is to use fleetdm.com (as a server that checks for expired certs) and script execution features in Fleet for now.

Confirmed w/ @zayhanlon. Removing from feature fest for now.

cc @ddribeiro