
Renew NDES SCEP certificates #24468

Open
2 of 16 tasks
noahtalerman opened this issue Dec 6, 2024 · 14 comments
Labels
~customer promise A feature request from a Fleet customer that Fleet has contractually agreed to deliver customer-numa #g-mdm MDM product group :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature

Comments

@noahtalerman
Member

noahtalerman commented Dec 6, 2024

Goal

User story
As an IT admin,
I want to reinstall SCEP certificates from NDES before the expiration
so that I can be sure my end users can always access my organization’s network.

Key result

Deliver customer promises

Original requests

Related stories

Context

Changes

Product

  • Other changes:
    • Add new variable ($FLEET_VAR_NDES_SCEP_RENEWAL_ID) that will be replaced with profile_uuid value.
      • User will need to update NDES SCEP configuration profile to include $FLEET_VAR_NDES_SCEP_RENEWAL_ID in the common name (CN)
      • Add validation to make sure CN field in NDES SCEP profile includes $FLEET_VAR_NDES_SCEP_RENEWAL_ID
    • Fleet server should look for a certificate that has the profile UUID in the common name and populate its expiration date in the DB.
    • Fleet server sends InstallProfile command 180 days before expiration to renew the SCEP certificate.
    • Make sure that if a user resends the NDES SCEP profile from the host details page and the certificate gets replaced, the new expiration date is tracked by the Fleet server.
    • Make sure that $FLEET_VAR_NDES variables are only used in Apple SCEP payloads.
      • Make sure that at profile upload, $FLEET_VAR_NDES variables may only be used once - we do not support multiple NDES SCEP payloads in one profile.
    • Make sure that customer-numa's use case (renewal period is specified in NDES SCEP certificate template) works.
  • UI changes: No changes.
  • CLI (fleetctl) usage changes: No changes.
  • YAML changes: No changes.
  • REST API changes: No changes.
  • Fleet's agent (fleetd) changes: No changes.
  • Activity changes: No changes.
  • Permissions changes: No changes.
  • Changes to paid features or tiers: Fleet Premium only. Covered in pricing table already.
  • Other reference documentation changes: No changes.
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

Note: Review existing SCEP enrollment certificate renewal flow before starting implementation work on this

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: No, because certificate renewals should be spread throughout the certificate lifetimes.
  • Risk level: Low

Manual testing steps

  1. Make sure that clicking “Resend” on the Host details > OS settings page resends the profile and the host gets a new certificate.

  2. Step 2

  3. Step 3

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
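Added example (not Fleet's code) in Go sketching the server-side rules listed under "Product": the upload-time check that the CN carries the renewal variable exactly once, expansion of the variable to the profile UUID, locating the host certificate by that UUID, and the 180-day renewal check. The function names and the profile UUID are assumptions.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
	"time"
)

const (
	renewalVar      = "$FLEET_VAR_NDES_SCEP_RENEWAL_ID" // admin places this in the SCEP payload CN
	renewalLeadTime = 180 * 24 * time.Hour             // resend InstallProfile this long before NotAfter
)

// validateCN enforces the upload-time rule: the variable must appear exactly once in the CN.
func validateCN(cn string) error {
	if n := strings.Count(cn, renewalVar); n != 1 {
		return fmt.Errorf("CN must contain %s exactly once, found %d", renewalVar, n)
	}
	return nil
}

// expandCN substitutes the profile UUID for the variable before the profile is sent to the host.
func expandCN(cn, profileUUID string) string {
	return strings.ReplaceAll(cn, renewalVar, profileUUID)
}

// findByProfileUUID returns the host cert whose CN carries the profile UUID, or nil if none does.
func findByProfileUUID(certs []*x509.Certificate, profileUUID string) *x509.Certificate {
	for _, c := range certs {
		if strings.Contains(c.Subject.CommonName, profileUUID) {
			return c
		}
	}
	return nil
}

// renewalDue reports whether now is within renewalLeadTime of the certificate's NotAfter.
func renewalDue(notAfter, now time.Time) bool {
	return !now.Before(notAfter.Add(-renewalLeadTime))
}

func main() {
	const uuid = "11111111-2222-3333-4444-555555555555" // hypothetical profile UUID (constructed)
	cn := "ndes-" + renewalVar
	certs := []*x509.Certificate{{Subject: pkix.Name{CommonName: expandCN(cn, uuid)}, NotAfter: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)}}
	c := findByProfileUUID(certs, uuid) // stands in for a cert read back from the host
	fmt.Println(validateCN(cn), c.Subject.CommonName, renewalDue(c.NotAfter, time.Date(2025, 7, 10, 0, 0, 0, 0, time.UTC)))
}
```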
@noahtalerman
Member Author

Hey @georgekarrv just a reminder that this one is ready to spec! Please work with @marko-lisica to help get it ready for estimation.

@getvictor
Member

@marko-lisica A few questions.

  1. Since the expiration date cannot be configured, do we want to add an environment variable to disable renewal? Maybe FLEET_SERVER_NDES_SCEP_RENEWAL_DAYS, where 0 would mean disabled. This will also help with QA.
  2. We should add this to requirements: Make sure that $FLEET_VAR_NDES variables are only used in Apple SCEP payloads.
  3. I recall there was a separate story to display certificates on the Host Details page. Will the certificates managed by Fleet MDM get a special label?

@marko-lisica
Member

We should add this to requirements: Make sure that $FLEET_VAR_NDES variables are only used in Apple SCEP payloads.
Done ✅

I recall there was a separate story to display certificates on the Host Details page. Will the certificates managed by Fleet MDM get a special label?

Good question @getvictor! @rachaelshaw Are we going to mark certs managed by Fleet?

@marko-lisica
Member

marko-lisica commented Dec 18, 2024

Since the expiration date cannot be configured, do we want to add an environment variable to disable renewal? Maybe FLEET_SERVER_NDES_SCEP_RENEWAL_DAYS, where 0 would mean disabled. This will also help with QA.

@getvictor I assume there's no reason for someone to use 0, so I think we should have an option to disable renewal. We should document this in the guide.

@getvictor
Member

Since the expiration date cannot be configured, do we want to add an environment variable to disable renewal? Maybe FLEET_SERVER_NDES_SCEP_RENEWAL_DAYS, where 0 would mean disabled. This will also help with QA.

@getvictor I assume there's no reason for someone to use 0, so I think we should have an option to disable renewal. We should document this in the guide.

0 would mean disabled, and 180 would be default. For QA, we would do like 1 or 2.

@marko-lisica
Member

Since the expiration date cannot be configured, do we want to add an environment variable to disable renewal? Maybe FLEET_SERVER_NDES_SCEP_RENEWAL_DAYS, where 0 would mean disabled. This will also help with QA.

@getvictor I assume there's no reason for someone to use 0, so I think we should have an option to disable renewal. We should document this in the guide.

0 would mean disabled, and 180 would be default. For QA, we would do like 1 or 2.

@getvictor On second thought, we should probably skip that in this iteration. I went over the message too fast, so I didn't realize this would mean adding an environment variable. Let's have just a default renewal period of 180 days for now.

I think users can always remove FLEET_SERVER_NDES_SCEP_RENEWAL_ID from the CN and renewal will be disabled?

@getvictor
Member

  • Add validation to make sure CN field in NDES SCEP profile includes $FLEET_VAR_NDES_SCEP_RENEWAL_ID

This implies that renewal is always enabled.

@marko-lisica
Member

  • Add validation to make sure CN field in NDES SCEP profile includes $FLEET_VAR_NDES_SCEP_RENEWAL_ID

This implies that renewal is always enabled.

@getvictor Good point. I think it's ok to have it always enabled. Do you see any use case where a customer might want to disable renewal?

@getvictor
Member

  • Add validation to make sure CN field in NDES SCEP profile includes $FLEET_VAR_NDES_SCEP_RENEWAL_ID

This implies that renewal is always enabled.

@getvictor Good point. I think it's ok to have it always enabled. Do you see any use case where a customer might want to disable renewal?

Some admins might want to disable it so they don't have to worry about it. Maybe it simplifies the security and tracking of certificates. For example, if the device lifetime in the org is 3 years, they can issue a cert for 5/10 years, so they know they will never need to renew it.

@marko-lisica
Member

@getvictor I think to make this simpler for now, let's skip this. I think we won't close doors for later. We can always add this?

@getvictor
Member

@getvictor I think to make this simpler for now, let's skip this. I think we won't close doors for later. We can always add this?

ok

@lukeheath
Member

@georgekarrv Moving this back to "Ready to spec" as there are TODOs, and we still need to spec and estimate the remaining integration work on this.

@noahtalerman
Member Author

@georgekarrv reminder that this one is ready to spec. Can you please complete the "TODOs" in "Engineering" section so we can estimate this one?

@lukeheath
Member

@noahtalerman Heads up that George is out the remainder of this week, so this won't get estimated until next week. Let me know if that's a problem.
