Renew NDES SCEP certificates
Goal
| User story |
|---|
| As an IT admin, |
| I want to reinstall SCEP certificates from NDES before the expiration |
| so that I can be sure my end users can always access my organization’s network. |
Key result
Deliver customer promises
Original requests
- #13420
Related stories
- Add certificates to host vitals: https://github.com/fleetdm/fleet/issues/23235
Context
- Product designer: @marko-lisica
Changes
Product
- [ ] Other changes:
  - Add new variable (`$FLEET_VAR_NDES_SCEP_RENEWAL_ID`) that will be replaced with `fleet-<profile_uuid>` value.
  - User will need to update NDES SCEP configuration profile to include `$FLEET_VAR_NDES_SCEP_RENEWAL_ID` in the common name (CN).
  - Add validation to make sure `CN` field in NDES SCEP profile includes `$FLEET_VAR_NDES_SCEP_RENEWAL_ID`.
  - Fleet server should look for a certificate that has `fleet-<profile_uuid>` in the common name and store its expiration date to DB.
  - Fleet server sends `InstallProfile` command 14 days before expiration to renew the SCEP certificate.
  - Make sure that if the user resends NDES SCEP profile from the host details page and the certificate gets replaced, the new expiration date is tracked by Fleet server.
  - Make sure that `$FLEET_VAR_NDES` variables are only used in Apple SCEP payloads.
  - Make sure that at profile upload, `$FLEET_VAR_NDES` variables may only be used once; we do not support multiple NDES SCEP payloads in one profile.
  - Make sure that `customer-numa`'s use case (renewal period is specified in NDES SCEP certificate template) works.
- [ ] UI changes: No changes.
- [ ] CLI (fleetctl) usage changes: No changes.
- [ ] YAML changes: No changes.
- [ ] REST API changes: No changes.
- [ ] Fleet's agent (fleetd) changes: No changes.
- [ ] Activity changes: No changes.
- [ ] Permissions changes: No changes.
- [ ] Changes to paid features or tiers: Fleet Premium only. Covered in pricing table already.
- [ ] Other reference documentation changes: No changes.
- [ ] Once shipped, requester has been notified
- [ ] Once shipped, dogfooding issue has been filed
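The upload-time validation and the renewal check listed under "Other changes", worked through in Go as an added example (this is not Fleet's own code). It assumes a simplified payload and host-certificate shape and the `com.apple.security.scep` PayloadType string; the variable name, the `fleet-<profile_uuid>` value and the 14-day window are the ones from this issue.

```go
package main

import (
	"errors"
	"strings"
	"time"
)

// The variable name, the fleet-<profile_uuid> value and the 14-day window come from the
// issue; the struct shapes and the PayloadType string are assumptions made for this example.
const (
	renewalIDVar  = "$FLEET_VAR_NDES_SCEP_RENEWAL_ID"
	ndesVarPrefix = "$FLEET_VAR_NDES"
	scepType      = "com.apple.security.scep"
	renewalWindow = 14 * 24 * time.Hour
)
// Payload is a simplified profile payload: PayloadType, requested CN, and the full payload text.
type Payload struct{ Type, CN, Text string }

// ValidateProfile applies the upload-time rules: $FLEET_VAR_NDES variables only in Apple
// SCEP payloads, in at most one payload, and that payload's CN must carry the renewal ID.
func ValidateProfile(payloads []Payload) error {
	ndesPayloads := 0
	for _, p := range payloads {
		switch {
		case !strings.Contains(p.Text, ndesVarPrefix): // no NDES variables: nothing to check
		case p.Type != scepType:
			return errors.New(ndesVarPrefix + " variables are only supported in Apple SCEP payloads")
		case !strings.Contains(p.CN, renewalIDVar):
			return errors.New("NDES SCEP payload CN must include " + renewalIDVar)
		default:
			ndesPayloads++
		}
	}
	if ndesPayloads > 1 {
		return errors.New("only one NDES SCEP payload per profile is supported")
	}
	return nil
}

// RenewalDue scans host certificates (CN -> NotAfter) for the one issued for the profile (CN
// contains fleet-<profile_uuid>) and returns its expiry, whether InstallProfile is due, and found.
func RenewalDue(certs map[string]time.Time, profileUUID string, now time.Time) (time.Time, bool, bool) {
	for cn, notAfter := range certs {
		if strings.Contains(cn, "fleet-"+profileUUID) {
			return notAfter, !now.Before(notAfter.Add(-renewalWindow)), true
		}
	}
	return time.Time{}, false, false
}
```

A cert that was resent from host details shows up as a new CN -> NotAfter entry, so feeding the latest host certificates into RenewalDue is what keeps the tracked expiration current.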
Engineering
Note: Review the existing SCEP enrollment certificate renewal flow before starting implementation work on this.
- [x] Feature guide changes: #24883
- [x] Database schema migrations: New columns needed, included in #24879 subtask
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: No, because certificate renewals should be spread throughout the certificate lifetimes.
- Risk level: Low
Manual testing steps
- Make sure that clicking "Resend" on the Host details > OS settings page resends the profile and the host gets a new certificate.
Testing notes
Confirmation
- [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
Hey @georgekarrv just a reminder that this one is ready to spec! Please work with @marko-lisica to help get it ready for estimation.
@marko-lisica A few questions.
- Since the expiration date cannot be configured, do we want to add an environment variable to disable renewal? Maybe `FLEET_SERVER_NDES_SCEP_RENEWAL_DAYS`, where 0 would mean disabled. This will also help with QA.
- We should add this to requirements: Make sure that $FLEET_VAR_NDES variables are only used in Apple SCEP payloads.
- I recall there was a separate story to display certificates on the Host Details page. Will the certificates managed by Fleet MDM get a special label?
> We should add this to requirements: Make sure that $FLEET_VAR_NDES variables are only used in Apple SCEP payloads.

Done ✅
> I recall there was a separate story to display certificates on the Host Details page. Will the certificates managed by Fleet MDM get a special label?
Good question @getvictor! @rachaelshaw Are we going to mark certs managed by Fleet?
> Since the expiration date cannot be configured, do we want to add an environment variable to disable renewal? Maybe `FLEET_SERVER_NDES_SCEP_RENEWAL_DAYS`, where 0 would mean disabled. This will also help with QA.
@getvictor I assume there's no reason for someone to use 0, so I think we should have option to disable renewal. We should document this in guide.
0 would mean disabled, and 180 would be default. For QA, we would do like 1 or 2.
@getvictor When I think better we should probably skip that in this iteration. I went fast over the message, so didn't realize this would mean that we add environment variable. Let's have just default renewal period of 180 days for now.
I think users can always remove FLEET_SERVER_NDES_SCEP_RENEWAL_ID from CN and renewal will be disabled?
> - Add validation to make sure `CN` field in NDES SCEP profile includes `$FLEET_VAR_NDES_SCEP_RENEWAL_ID`
This implies that renewal is always enabled.
@getvictor Good point. I think that's ok to have it always enabled. Do you see any use case where customer might want to disable renewal?
Some admins might want to disable it so they don't have to worry about it. Maybe it simplifies the security and tracking of certificates. For example, if device lifetime is 3 years in the org, they can issue a cert for 5/10 years, so they know they will never need to renew it.
@getvictor I think to make this simpler for now, let's skip this. I think we won't close doors for later. We can always add this?
ok
@georgekarrv Moving this back to "Ready to spec" as there are TODOs, and we still need to spec and estimate the remaining integration work on this.
@georgekarrv reminder that this one is ready to spec. Can you please complete the "TODOs" in "Engineering" section so we can estimate this one?
@noahtalerman Heads up that George is out the remainder of this week, so this won't get estimated until next week. Let me know if that's a problem.
Had to kick this back out of the sprint to make room for https://github.com/fleetdm/fleet/issues/24475
QA Test Results
- Examples of expected error messages when validating uploaded profiles.
  This one is missing the Learn more link at the end. Bug filed.
- Proof of cert renewal after expire, note the serial # change.
- Proof of host receiving profile, cert added to keychain, and cert displayed on host details page. Also note the variables getting populated.
- Completed remainder of test plan and verified the bug fix. Moving to Ready for Release.
In this cloud city,
Certificates renew in time,
Ensuring access, fine.

Renew with no stress,
Fleet's certificates refreshed,
Access seamless, less mess.