Deploy certificates from DigiCert

[noahtalerman]

Goal

User story
As an IT admin,
I want Fleet to install a unique certificate (end user's email as the Common Name) from DigiCert on all my macOS hosts as part of my Wi-Fi/Ethernet profile
so that I can grant end users access to my organization’s network.

Key results

Deliver customer promises and prioritized requests

Original requests

• Help end users connect to Wi-Fi with certificates from certificate authority (NDES, DigiCert, etc.) #13420

Context

• Product designer: @noahtalerman

• Jamf docs for the equivalent integration: https://learn.jamf.com/en-US/bundle/technical-paper-digicert-current/page/Distributing_Certificates_Using_the_Certificate_API_Protocol.html

• Omnissa docs: https://docs.omnissa.com/bundle/CertificateAuthorityIntegrations/page/DigiCertPKIManagementPortalPlatform.html

Changes

Product

• UI changes: Figma wireframes here
• REST API changes: API changes required to support the UI. We won't document these in the REST API docs yet
  • @noahtalerman: UPDATE: Now that we have a DigiCert account ready to go, I think let's document the Fleet API changes as part of this story. I think we need a PR to the API reference docs before we continue working on this story.
• Schedule a mock-demo w/ @nonpunctual, @allenhouchins, @noahtalerman, and @lukeheath
  • Demo includes:
    • Configuring RA certificate and templates in the UI
    • Adding configuration profile via GitOps
    • Deploying a configuration profile w/ Wi-Fi and certificate payload to a host. Certificate is delivered to the host.
  • UPDATE: @noahtalerman: Configuration using Fleet API + adding a configuration profile GitOps demo is on YouTube here: https://www.youtube.com/watch?v=3KlxGFY9cSo
• Changes to paid features or tiers: Fleet Premium only
• CLI (fleetctl) usage changes: No changes
• YAML changes: No changes
• Fleet's agent (fleetd) changes: No changes
• Activity changes: No changes
• Permissions changes: No changes
• Other reference documentation changes: No changes
• Once shipped, requester has been notified

Engineering

• Feature guide changes: DCDC: Guide #24915
• Database schema migrations: Draft
• Load testing: Not expected to scale all at once

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

• Requires load testing: No
• Risk level: Low
• Risk description: increased time to call out to DC during profile crons

Manual testing steps

Spot-check NDES SCEP proxy to make sure we didn't break it with this feature.

1. Step 1
2. Step 2
3. Step 3

Testing notes

Confirmation

1. Engineer (@____): Added comment to user story confirming successful completion of QA.
2. QA (@____): Added comment to user story confirming successful completion of QA.

[lukeheath]

@noahtalerman I updated the description to add a little more detail to the demo items.

[noahtalerman]

Hey @georgekarrv @lukeheath now that drafting is wrapped up for this user story, do you think we're ready to move this to the release board? (off drafting)

Heads up that there's no estimate on it yet.

cc @getvictor @gillespi314

[lukeheath]

@noahtalerman That makes sense, I'm moving to the release board since it's already being worked on.

@georgekarrv @getvictor When you have a moment, please add an overall estimate to the user story based on the total effort of completing the end-to-end flow with DigiCert per the Figma wireframes. Thanks!

[noahtalerman]

Leaving Mike's UI feedback here for when we come back to the next iteration of the DigiCert feature.

[jmwatts]

@noahtalerman after the Product design check-in meeting I wanted to compile some thoughts and bring a little clarity to PKI in general. Created doc here: PKI Implementation Notes - General understanding and QA perspective

[lukeheath]

@georgekarrv @noahtalerman @getvictor I'm removing the priority label on this for now.

[noahtalerman]

@georgekarrv @lukeheath @getvictor @gillespi314 sounds like we need to estimate the remaining work so I moved this story back to the drafting board and assigned myself.

I think we want a PR to the API reference docs before we re-estimate this story.

Victor, do we already have the API changes spec'd somewhere?

[getvictor]

Victor, do we already have the API changes spec'd somewhere?

No, we are just changing the configs, similar to NDES. The server will convert a PKCS12 payload with Fleet variables into a payload with a Digicert certificate.

If a Fleet admin clicks reload icon to reload the policy, we will go to Digicert and fetch a new certificate. Should we also revoke the old certificate?

Also, here is the Digicert API that we will use.

[allenhouchins]

@noahtalerman One additional requirement for prospect-blondelet is ensuring automatic certificate renewal. See this Slack thread: https://fleetdm.slack.com/archives/C07AK6CUDFC/p1738262762662739

Jamf handles this for admins as such:

The automatic certificate renewal process runs every six hours on only the primary node. Jamf Pro automatically redistributes the certificates via a configuration profile 10 days before the certificate expires.

Do you want this tracked as a separate issue or user story?

[noahtalerman]

@allenhouchins thanks!

No need for a new issue/story for now.

I tracked this in the original request so we don't lose it.

• prospect-blondelet: Gong snippet: https://us-65885.app.gong.io/call?id=834076390531746995&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1695%2C%22to%22%3A1847%7D%5D
  • @allenhouchins: One additional requirement for prospect-blondelet is ensuring automatic certificate renewal. See this Slack thread: https://fleetdm.slack.com/archives/C07AK6CUDFC/p1738262762662739

[marko-lisica]

Closing this one as we'll implement this as part of #25822

[fleet-release]

Certificates weave,
DigiCert and Fleet unite,
Secure access blooms.