I want to rotate my Fleet CA certificates without disrupting enrolled devices
so that I can adopt fixes or security improvements to CA certs (such as correcting the malformed country field in #38699) without tearing down and rebuilding my entire MDM setup.
Context
Fleet generates several CA certificates during setup, all stored encrypted in the mdm_config_assets database table with 10-year validity periods. Once created, none of these CA certs can be rotated or replaced without a full MDM teardown.
Affected CA certificates (subject CN, cert/key asset names, source file):
- "Fleet": ca_cert / ca_key (server/mdm/scep/depot/fleet.go)
- "Fleet Host Identity CA": host_identity_ca_cert / host_identity_ca_key (ee/server/service/hostidentity/config.go)
- "Fleet conditional access CA": conditional_access_ca_cert / conditional_access_ca_key (ee/server/service/condaccess/config.go)
- "Fleet conditional access IdP": conditional_access_idp_cert / conditional_access_idp_key (ee/server/service/condaccess/config.go)
All four are generated via depot.NewCACert() and share the same pattern: created once on first use, stored in the DB, never regenerated.
This became a concrete problem with #38699, where the empty Country field causes macOS to display < parser error > when viewing the SCEP CA cert. While the code fix (setting Country: "US") only benefits new Fleet deployments, existing deployments are stuck with the malformed CA certs unless they completely tear down and reconfigure MDM, requiring re-obtaining an APNs cert from Apple and re-enrolling all devices.
Note: The ABM/DEP keypair (abm_cert) is not a CA cert and the Windows WSTEP identity cert is externally supplied by the admin. Neither is affected by this story.
The industry standard approach for CA rotation is a staged rollover: generate the new CA, distribute it to device trust stores so both old and new are trusted during transition, start signing new/renewed device certs with the new CA, wait for old device certs to expire, then retire the old CA.
Changes
Product
UI changes: TODO
CLI (fleetctl) usage changes: TODO
YAML changes: No changes
REST API changes: TODO
Fleet's agent (fleetd) changes: TODO
Fleet server configuration changes: No changes
Exposed, public API endpoint changes: No changes
fleetdm.com changes: No changes
GitOps mode UI changes: No changes
GitOps generation changes: No changes
Activity changes: TODO
Permissions changes: No changes
Changes to paid features or tiers: No changes
My device and fleetdm.com/better changes: No changes
Usage statistics: No changes
Other reference documentation changes: TODO
First draft of test plan added
Once shipped, requester has been notified
Once shipped, dogfooding issue has been filed
Engineering
Test plan is finalized
Contributor API changes: TODO
Feature guide changes: TODO
Database schema migrations: TODO
Load testing: No changes
Pre-QA load test: No changes
Load testing/osquery-perf improvements: No changes
This is a premium only feature: No
Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
Risk level: High
Risk description: Rotating any of the four CA certs affects the trust chain for enrolled devices or services that depend on them. If an old CA is retired before all certs it issued are renewed, devices could lose MDM connectivity or conditional access could break. The transition period must ensure both old and new CAs are trusted simultaneously.
Test plan
TODO
TODO
TODO
Testing notes
Confirmation
Engineer: Added comment to user story confirming successful completion of test plan.
QA: Added comment to user story confirming successful completion of test plan.