fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Investigate using smallstep for SCEP CA #8269

Open michalnicp opened 2 years ago

michalnicp commented 2 years ago

Goal

The current Apple MDM solution uses https://github.com/micromdm/scep for issuing SCEP CA certificates during MDM enrollment. However, it does not seem to be ready for production use. We also had to fork it to add storage in MySQL. From the author https://macadmins.slack.com/archives/C023Z6A2DL0/p1664901582278619

I’ve been contemplating recommending folks check out step-ca if they want a “real” SCEP environment — it just uses micromdm/scep’s library (though that feature is newer). micromdm/scep’s depot is super simplistic and lacks some important features (like revocation, for example).

We should investigate using smallstep. It is Apache licensed and written in Go, meaning we could probably find a way to make it part of the fleet server.

How?

dherder commented 3 months ago

Integrating with the smallstep CA would be valuable for use cases other than the MDM enrollment. Related to #20213