From 3e123f880135105b4aa65877ed3252ef83ce79dd Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 28 Jan 2025 15:09:37 -0800
Subject: [PATCH 1/8] Additional requirements for Jamf/agent and VPN flows
---
 tutorials/connect-jamf-pro-to-smallstep.mdx | 19 ++++++++++++++++++-
 tutorials/vpn-setup-guide.mdx | 2 ++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/tutorials/connect-jamf-pro-to-smallstep.mdx b/tutorials/connect-jamf-pro-to-smallstep.mdx
index 2ff25752..07d92849 100644
--- a/tutorials/connect-jamf-pro-to-smallstep.mdx
+++ b/tutorials/connect-jamf-pro-to-smallstep.mdx
@@ -8,7 +8,7 @@ Smallstep can integrate with Jamf Pro to synchronize your device inventory, and
 This document also contains [uninstall instructions](#uninstall-smallstep-agent-with-jamf-pro).
-# Prerequisites
+# Requirements & Limitations
 You will need:
@@ -16,6 +16,23 @@ You will need:
 - A [Jamf Pro](https://www.jamf.com/products/jamf-pro/) tenant
 - A [package distribution point](https://learn.jamf.com/en-US/bundle/jamf-pro-install-guide-linux-current/page/About_Distribution_Points.html) configured in Jamf Pro
+Client requirements:
+
+- The agent will need to reach the following domains:
+ ```
+ smallstep.com
+ api.smallstep.com
+ gateway.smallstep.com
+ control.infra.smallstep.com
+ *.[team-name].ca.smallstep.com
+ auth.smallstep.com
+ ```
+
+Limitations:
+
+- For VPN configurations, only IPSec VPNs are currently supported.
+- “Always-on VPN” or device-wide VPNs are not yet supported in Smallstep-managed configurations.
+
 # Step-by-step instructions
 ### Create an API Client in Jamf Pro
diff --git a/tutorials/vpn-setup-guide.mdx b/tutorials/vpn-setup-guide.mdx
index d8ea68a5..d6cbbe27 100644
--- a/tutorials/vpn-setup-guide.mdx
+++ b/tutorials/vpn-setup-guide.mdx
@@ -8,6 +8,8 @@ description: This tutorial describes how to configure Smallstep with VPN servers
 This tutorial describes how to configure your VPN server for certificate-based authentication with Smallstep. The Smallstep app can then configure and issue certificates to your clients.
+Smallstep's agent software is currently only able to manage IPSec VPN connections.
+
 # Overview of Setup Steps
 While the details will differ between VPNs, the process of configuring a VPN server
From 71db5752ea09a1184f77e6b786041f05c08d1fb2 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 30 Jan 2025 16:30:15 -0800
Subject: [PATCH 2/8] Add description of 'policy' key to step-ca Configuration doc
---
 step-ca/configuration.mdx | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/step-ca/configuration.mdx b/step-ca/configuration.mdx
index 4899390c..e96e376a 100644
--- a/step-ca/configuration.mdx
+++ b/step-ca/configuration.mdx
@@ -101,8 +101,9 @@ the `--password-file` flag accepts
 "policy": {
 "x509": {
 "allow": {
- "dns": ["*.local"]
- }
+ "dns": ["server1.local", "server2.local"]
+ },
+ "allowWildcardNames": false
 },
 "ssh": {
 "user": {
@@ -252,6 +253,8 @@ the `--password-file` flag accepts
 - **template**: default ASN1DN values for new certificates. See [Templates](./templates.mdx).
+ - **policy**: authority-wide policy for certificate identifiers. See [Policies](./policies.mdx).
+
 - **disableIssuedAtCheck**: ☠️ disable a check verifying that provisioning tokens must be issued after the CA has booted. This claim is one prevention against token reuse. The default value is false. Do not change this unless you know what you are doing.
 - **claims**: default validation for requested attributes in the certificate request. Can be overridden by similar claims objects defined by individual provisioners.
From 2a73bdbe5d9964db82bc9dbb6e9424737f99aecb Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 30 Jan 2025 16:58:29 -0800
Subject: [PATCH 3/8] Clarify allowWildcardNames
---
 step-ca/policies.mdx | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/step-ca/policies.mdx b/step-ca/policies.mdx
index 1ca7ef96..ea5cf1d1 100644
--- a/step-ca/policies.mdx
+++ b/step-ca/policies.mdx
@@ -83,7 +83,20 @@ A rule for `*.éxàmplê.com` will internally be represented using its internati
 This rule will match `www.éxàmplê.com` as well as its internationalized representation `www.xn–xmpl-0na6cm.com` (and other subdomains).
 By default it is not possible to request a certificate with a literal wildcard character in the domain, like `*.example.com`.
-It is possible to configure the policy to allow this.
+It is possible to configure a policy to allow this:
+
+```
+"policy": {
+ "x509": {
+ "allow": {
+ "dns": ["*.example.com"]
+ }
+ "allowWildcardNames": true
+ }
+}
+
+```
+
 #### Examples
@@ -287,7 +300,6 @@ An example is shown below:
 "dns": ["forbidden.local"],
 "ip": ["192.168.0.1"]
 },
- "allowWildcardNames": false,
 },
 "ssh": {
 "user": {
From 565d003c640e0a5ed101fb1d31e4140065dcb702 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 30 Jan 2025 16:59:19 -0800
Subject: [PATCH 4/8] Clarify allowWildcardNames
---
 step-ca/configuration.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/step-ca/configuration.mdx b/step-ca/configuration.mdx
index e96e376a..5e105b9f 100644
--- a/step-ca/configuration.mdx
+++ b/step-ca/configuration.mdx
@@ -101,9 +101,9 @@ the `--password-file` flag accepts
 "policy": {
 "x509": {
 "allow": {
- "dns": ["server1.local", "server2.local"]
+ "dns": ["server1.local", "server2.local", "*.local"]
 },
- "allowWildcardNames": false
+ "allowWildcardNames": true
 },
 "ssh": {
 "user": {
From 2220bf00226492aa089080a901ec6215b108cfa7 Mon Sep 17 00:00:00 2001
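Review bot: The JSON example added in the `@@ -83,7 +83,20 @@` hunk of step-ca/policies.mdx is not valid JSON: the `"allow"` object's closing `}` is immediately followed by `"allowWildcardNames": true` with no separating comma, so a reader who pastes this into their `ca.json` policy block gets a parse error rather than a wildcard-permitting policy. The fix is the single line `},` in place of `}` after `"dns": ["*.example.com"]`; the stray blank line before the closing fence can go at the same time. The `@@ -287,7 +300,6 @@` hunk removes `"allowWildcardNames": false,` from the larger example, which fixes a trailing comma there but leaves that example without the key at all; since the page already states that literal wildcard names are rejected by default, a short sentence next to that example saying the omitted key defaults to the restrictive behaviour would keep the two examples consistent.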
From: Carl Tashian
Date: Thu, 30 Jan 2025 16:59:43 -0800
Subject: [PATCH 5/8] Clarify allowWildcardNames
---
 step-ca/configuration.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/step-ca/configuration.mdx b/step-ca/configuration.mdx
index 5e105b9f..e96e376a 100644
--- a/step-ca/configuration.mdx
+++ b/step-ca/configuration.mdx
@@ -101,9 +101,9 @@ the `--password-file` flag accepts
 "policy": {
 "x509": {
 "allow": {
- "dns": ["server1.local", "server2.local", "*.local"]
+ "dns": ["server1.local", "server2.local"]
 },
- "allowWildcardNames": true
+ "allowWildcardNames": false
 },
 "ssh": {
 "user": {
From 454258f37d8ed70ae14d6c12bc12dfcf3c0c940e Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 30 Jan 2025 17:00:45 -0800
Subject: [PATCH 6/8] Clarify allowWildcardNames
---
 step-ca/configuration.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/step-ca/configuration.mdx b/step-ca/configuration.mdx
index e96e376a..f1037420 100644
--- a/step-ca/configuration.mdx
+++ b/step-ca/configuration.mdx
@@ -101,7 +101,7 @@ the `--password-file` flag accepts
 "policy": {
 "x509": {
 "allow": {
- "dns": ["server1.local", "server2.local"]
+ "dns": ["*.local"]
 },
 "allowWildcardNames": false
 },
From 64d94ed40cc2117e57d0380cf2debb9d642a9f3b Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 30 Jan 2025 17:01:24 -0800
Subject: [PATCH 7/8] Clarify allowWildcardNames
---
 step-ca/policies.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/step-ca/policies.mdx b/step-ca/policies.mdx
index ea5cf1d1..78b84069 100644
--- a/step-ca/policies.mdx
+++ b/step-ca/policies.mdx
@@ -83,7 +83,7 @@ A rule for `*.éxàmplê.com` will internally be represented using its internati
 This rule will match `www.éxàmplê.com` as well as its internationalized representation `www.xn–xmpl-0na6cm.com` (and other subdomains).
 By default it is not possible to request a certificate with a literal wildcard character in the domain, like `*.example.com`.
-It is possible to configure a policy to allow this:
+It is possible to configure the policy to allow this:
 ```
 "policy": {
From e663e8fe9eed0f9a9b352f76744673fee3cdeedd Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Fri, 31 Jan 2025 13:45:01 -0800
Subject: [PATCH 8/8] Update connect-jamf-pro-to-smallstep.mdx
Co-authored-by: Herman Slatman
---
 tutorials/connect-jamf-pro-to-smallstep.mdx | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tutorials/connect-jamf-pro-to-smallstep.mdx b/tutorials/connect-jamf-pro-to-smallstep.mdx
index 07d92849..579433f1 100644
--- a/tutorials/connect-jamf-pro-to-smallstep.mdx
+++ b/tutorials/connect-jamf-pro-to-smallstep.mdx
@@ -26,6 +26,7 @@ Client requirements:
 control.infra.smallstep.com
 *.[team-name].ca.smallstep.com
 auth.smallstep.com
+ att.smallstep.com
 ```
 Limitations: