New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mTLS improvements #25951

Open

harrisonravazzolo opened this issue Jan 31, 2025 · 0 comments

Labels

:product prospect-interkosmos

Member

harrisonravazzolo commented Jan 31, 2025

Problem Statement
Fleet Device Management needs stronger authentication that is tied to the device object within Fleet.

Requirements
Mutual TLS provisioned during Fleet enrollment, with automated renewal, and identity checking during authentication.

Mechanics of the flow

Orbit generates private key on local device (ideally in TPM, but Linux may have unique limitations for this)
Orbit generates CSR from private key
Orbit sends CSR to Fleet server using SCEP or EST with dynamic passphrase unique to each device
Fleet server takes the CSR, validates the data comes from the correct device with the correct values:

Common name, Organizational Unit (OU), Extended Key Usage: 1.3.6.1.5.5.7.3.2 (Client Authentication)

Generate certificate:
MINIMUM: Fleet server issue certificate from Fleet internal CA. Configurable validity period in months ranging from 1-120.
IDEAL: Fleet server uses (Preferred: ACME; or EST or SCEP) to request certificate from external PKI service. (ie, Sectigo)
Fleet server sends certificate back to the client.
Orbit installs certificate

harrisonravazzolo added :product prospect-interkosmos labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment