SHA-2 shortcut: Easy certificate management for Linux

I spend a lot of time working on enterprise Public Key Infrastructure (PKI), especially in light of the coming SHA-1 deprecation deadlines. It’s nearly all I do these days.

One question my customers ask all the time is how to provision certificates on non-Windows devices and computers. Microsoft does an excellent job of automating the process to install certificates on Windows computers (that is, automatic enrollment and renewal) using built-in mechanisms. It makes for low-touch distribution and updating of certificates on Windows computers.

But if you want to enroll for, distribute, or renew digital certificates on non-Windows platforms, it can be hit or miss. Non-Windows devices typically come with built-in digital certificate handling, but usually lack automatic requesting, distribution, installation, and renewal.

Microsoft recommends two products: Intune and Microsoft System Center Configuration Manager (SCCM). Both work well, but many customers who simply want digital certificate handling prefer a more lightweight and focused option. The same goes for non-Microsoft MDM products, such as AirWatch.

Today, Venafi is the leading solution for total digital certificate control in the enterprise. It’s an awesome, comprehensive certificate management solution, but you’ll pay top dollar for it and implementation can easily take many months. There are other, less costly certificate management solutions, but most fail to handle non-Windows devices well.

Introducing CertAccord

That’s why I got excited when longtime friend and consultant, Mark Cooper of PKI Solutions, told me about a new product in open beta called CertAccord Enterprise, created by him and his brother.

CertAccord works with Linux computers; Mac and Unix support are coming soon. You install a lightweight client, which can handle certificate requests automatically or allow admins to request and renew manually. The clients connect to a server containing the certificate authority bridge (CAB).

The CAB acts as the intermediate registration authority and interfaces with the PKI’s issuing certification authority (CA), which right now must be Microsoft Active Directory Certificate Services. The CAB links to a MySQL database, and both run on a Windows server. The CAB and MySQL database can be installed on the same server or located on separate servers. Admins connect to a web-based management console to define one or more certificate policies. The certificate policies define which devices and certificate actions are allowed.

The biggest selling points of this product, besides adding Linux to PKI integration activities, are its quick installation and lightweight client. Clients connect using the REST API to the CAB server. Certificates are delivered as standard Linux certificate PEM files or as Java Key Store files.

The client agent is a daemon or service process that starts automatically at system boot. It’s responsible for checking in with a CAB server for updated certificate policies and configuration information. It’s also responsible for checking and performing automatic renewals of certificates.

A manual request can be generated using a one-line command, such as:

cmbagent cert create purpose=webserver

Whether the request is automated or requested manually, the agent automates the generation of a local private key using policy data obtained from the CAB. Behind the scenes, it generates a text-based certificate request, signs it, and sends it to the CAB, which then sends the request to the issuing CA. After the certificate is approved and/or created, it’s delivered back to the CAB. The client picks up the resulting certificate on its next check-in and installs it to the client’s local file system.

Depending on the involved PKI-consuming application, the certificate may still need to be configured within the application. In my experience, many applications will use any valid certificate matching the appropriate usage requirements, but nearly as many require manual configuration. In many cases, even if manual application configuration is needed, it can be scripted.

CertAccord essentially gives non-Windows computers the automated enrollment and renewal services that Windows computers have long enjoyed. CertAccord is fairly new, but if you need its specific functionality, it’s easy to get up and running to test or deploy.

Remember: The deprecation deadline for SHA-1 (Jan. 1, 2017) is coming soon! CertAccord is a great way to get your non-Windows computers updated to SHA-2 with minimal hassle.