Skip to content

Certificate management (Machine identity)

Available in manifest version 19.0 and later.

Introduction

Enclave certificate management allows you to distribute x509 TLS certificates to agents. These certificates can be used for various PKI purposes, such as hosting/authenticating TLS/mTLS services or to serve as a source for machine identity.

How it works

The Enclave certificate management system is a bring your own root platform. This means that you must provide your own root and intermediate signing certificates. This allows you to utilize already trusted roots within your organization. The enclave agent then uses a SCEP (Simple Certificate Enrollment Protocol) client to request a certificate from a certificate authority (CA) that is established with the client provided certificates and keys. The CA then signs the certificate (based on a verified challenge) and returns it to the agent for use.

An agent will check it's certificate state every 20 minutes. If the certificate is going to expire in the hour, the agent will attempt to renew their machine certificate. You can also manually renew the certificate using the CLI and invoke a renewal from the EMC.

CLI commands

The following CLI commands are available for managing certificates in the enclave agent:

enclave ca status --help
View the status of the device certificate.

Usage:
  ca status [flags]

Flags:
  -h, --help   help for status
Renew the device certificate.

Usage:
  ca renew [flags]

Flags:
      --force   Force the renewal of the device certificate.
  -h, --help    help for renew

Requirements

Since we utilize the SCEP protocol, your CA must use an RSA intermediate CA. The RSA intermediate is needed to decrypt the contents of the SCEP CSR (certificate signing request). Unfortunately this means that ECDSA intermediate CAs are not supported at this time.

Example key generation (using smallstep)

bash
cat <<EOF > rsa_root_ca.tpl
{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 1
  }
  {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    , "signatureAlgorithm": "SHA256-RSAPSS"
  {{- end }}
}
EOF

cat <<EOF > rsa_intermediate_ca.tpl
{
  "subject": {{ toJson .Subject }},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign", "crlSign"],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  }
  {{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
    , "signatureAlgorithm": "SHA256-RSAPSS"
  {{- end }}
}
EOF

step certificate create "Example CA" \
    ./root_ca.crt \
    ./root_ca_key \
    --template rsa_root_ca.tpl \
    --kty RSA \
    --not-after 87660h \
    --size 3072

step certificate create "Example Intermediate CA" \
    ./intermediate_ca.crt \
    ./intermediate_ca_key \
    --ca ./root_ca.crt \
    --ca-key ./root_ca_key \
    --template rsa_intermediate_ca.tpl \
    --kty RSA \
    --not-after 87660h \
    --size 3072

Future improvements

  • Support for multiple signing CAs
  • Support for an Enclave provided CA
  • Automatically distributing the root certificate to a machine trust store using the Enclave agent