Bring your own configuration profile signing certificate
Problem
We’d prefer that Fleet instead expose distinct configuration options (a signing key and certificate) to allow users to bring their own certificate signed by a public authority. Not only would this make the initial manual enrollment profile appear as trusted but it’d also remove the need to add a new root certificate to devices (making much of the remaining feedback irrelevant).
From the customer:
The remainder of feedback is covered by the following issues:
- #19538
- #19537
One point of clarification is I think if you allowed "bring your own signing certificate" then you wouldn't need to install the certificate as a root CA on devices at all for this purpose (which should make #19538 and #19537 unnecessary).
For example, if you supported BYO I can use something like a letsencrypt cert or an apple cert to sign the profiles and then they're already trusted by devices without needing to add a new trust anchor.
Example demonstrating creating a publicly trusted profile using letsencrypt/certbot:

```sh
# get a certificate from letsencrypt using certbot and route53 for dns challenge
certbot certonly --dns-route53 --key-type rsa -d example.com

# the output path where certbot stores the key/cert
certs="/etc/letsencrypt/live/example.com"

# sign a mobileconfig file
openssl smime \
  -sign \
  -signer ${certs}/cert.pem \
  -inkey ${certs}/privkey.pem \
  -certfile ${certs}/chain.pem \
  -nodetach \
  -outform der \
  -in enrollment-profile.mobileconfig \
  -out enrollment-profile-signed.mobileconfig
```
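The following script is an added example and is not part of the issue, the customer's comment, or Fleet's code. It reproduces the trust question end to end with throwaway material: two locally generated CAs (one standing in for a publicly trusted issuer such as Let's Encrypt, the other for a self-generated Fleet root), a constructed `.mobileconfig`, the same `openssl smime -sign` invocation the customer shows, and a verification step that models what a device does with the profile. The function names (`make_pki`, `write_profile`, `sign_profile`, `verify_profile`, `profile_signer`) and the `mdm.example.com` subject are assumptions for illustration; the verification only succeeds when the device's trust store (here, the `-CAfile` bundle) already contains the issuing CA, which is the point of bringing your own certificate.

```shell
#!/bin/sh
# Added example, not from the Fleet issue: sign a constructed profile with a
# throwaway CA and check how trust is decided. No real certificates involved.
set -e

# Create a CA and a leaf signing cert under $1, labelled $2 (both hypothetical).
make_pki() {
  dir="$1"; label="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$label" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mdm.example.com" \
    -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/cert.pem" >/dev/null 2>&1
}

# Write a minimal, constructed enrollment-style profile to $1.
write_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.enrollment</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Sign $2 into $3 with the cert/key in $1, mirroring the customer's command.
# The CA cert stands in for certbot's chain.pem.
sign_profile() {
  openssl smime -sign -signer "$1/cert.pem" -inkey "$1/privkey.pem" \
    -certfile "$1/ca.pem" -nodetach -outform der -in "$2" -out "$3"
}

# Model the device's decision: $1 is the signed profile, $2 is the CA bundle
# the device already trusts. Prints "trusted" or "untrusted".
verify_profile() {
  if openssl smime -verify -inform der -in "$1" -CAfile "$2" \
       -out /dev/null >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Print the subject of the embedded signer cert (signature checked, chain not),
# which is what a user would see named on the "install profile" screen.
profile_signer() {
  tmp=$(mktemp)
  openssl smime -verify -inform der -in "$1" -noverify \
    -signer "$tmp" -out /dev/null >/dev/null 2>&1
  openssl x509 -in "$tmp" -noout -subject -nameopt RFC2253
  rm -f "$tmp"
}

# Stand-alone demo: the same signed profile is trusted only where the issuing
# CA is already in the trust store.
demo() {
  work=$(mktemp -d)
  make_pki "$work/public" "Example Public CA"    # plays Let's Encrypt
  make_pki "$work/private" "Example Private CA"  # plays a Fleet-generated root
  write_profile "$work/enrollment-profile.mobileconfig"
  sign_profile "$work/public" "$work/enrollment-profile.mobileconfig" \
    "$work/enrollment-profile-signed.mobileconfig"
  echo "device trusting public CA:  $(verify_profile "$work/enrollment-profile-signed.mobileconfig" "$work/public/ca.pem")"
  echo "device trusting private CA: $(verify_profile "$work/enrollment-profile-signed.mobileconfig" "$work/private/ca.pem")"
  echo "signer: $(profile_signer "$work/enrollment-profile-signed.mobileconfig")"
  rm -rf "$work"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh sign-demo.sh demo`. The first check succeeds and the second fails, which is the "red text" case the comments below describe: the signature is cryptographically fine either way, but the device only shows the profile as verified when it can chain the signer to a root it already has, so a certificate from a public issuer removes the need to push Fleet's own root to the device first.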
@noahtalerman this will be important for BYOD iOS workflows
Hey @dherder why do you think this will be important?
@noahtalerman sorry I missed this
> do you think this will be important?
For a BYOD user, if a user is prompted to install an untrusted config profile, it is likely that will be a barrier to adoption. End users are trained to not install things that have red text.