Interpretation
How do you interpret the customer's words?
The customer has an existing internal root of trust and PKI infrastructure and wants Fleet's ACME-based device attestation feature to integrate with their own ACME server rather than the Fleet-managed one. They want full ownership over the cryptographic chain that underpins device identity — including signing key management, root key management, trust key distribution, signing policies, and signed identity lifetimes.
What's Fleet missing?
Fleet's ACME device attestation implementation does not currently allow customers to point enrolled devices at a custom/self-hosted ACME server. There is no configuration option to specify an alternate ACME directory URL, nor any mechanism to distribute a custom root of trust to devices via Fleet so they can validate certificates issued by the customer's own CA.
What does the customer's ideal workflow look like?
- The customer runs their own ACME-compatible server (e.g., Step CA or similar) backed by their internal root of trust.
- An IT admin configures Fleet with the custom ACME directory URL and any required root certificate(s) for trust distribution.
- Fleet signals enrolled devices to use the customer-specified ACME server during attestation enrollment instead of the Fleet-managed endpoint.
- Devices obtain signed identities issued by the customer's CA, governed by the customer's own signing policies and identity lifetime settings.
- Fleet continues to validate attestation results, now trusting the customer-managed certificate chain.
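The last two steps of that workflow, a device identity issued under the customer's CA being validated against an admin-supplied root bundle rather than the Fleet-managed one, as an added example in Go. This is not Fleet's code and does not reflect how Fleet's attestation feature is implemented; the function names (`newCA`, `issueDeviceCert`, `verifyDeviceCert`, `certPEM`) are hypothetical, and the CA and device certificate are generated in memory to stand in for the customer's internal root of trust and an ACME-issued identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate and key in memory.
// Constructed for this example; it stands in for the customer's internal root.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// certPEM encodes a certificate as the PEM bundle an admin would upload as the root of trust.
func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// issueDeviceCert issues a device identity signed by the CA with a lifetime chosen
// by the issuer, mirroring customer-controlled signing policy and identity lifetime.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, lifetime time.Duration) ([]byte, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// verifyDeviceCert validates a PEM device certificate strictly against the
// supplied root bundle (never the system store) and returns the device identity.
func verifyDeviceCert(leafPEM, rootsPEM []byte) (string, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootsPEM) {
		return "", errors.New("root bundle contains no parseable certificates")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("device certificate is not a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	// Chain building, expiry and key-usage checks happen here; an unrelated root fails.
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newCA("Customer Internal Root (example)")
	if err != nil {
		panic(err)
	}
	leaf, err := issueDeviceCert(ca, caKey, "device-0001", time.Hour)
	if err != nil {
		panic(err)
	}
	id, err := verifyDeviceCert(leaf, certPEM(ca))
	fmt.Println("identity:", id, "err:", err)
}
```

The point of pinning `Roots` explicitly is that the validating side trusts only what the admin distributed: a certificate chaining to any other CA, including a public one, is rejected, which is the property a customer bringing their own root of trust expects from the validation step.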