
CertAccord Enterprise 4.12 Adds User Identity Certificate Support


CertAccord Enterprise 4.12 is now available from Revocent. This release adds improved support for user identity X.509 digital certificates, in addition to the machine (computer) identity certificates CertAccord has supported since launch. User identity certificates can be automatically provisioned and renewed from Microsoft ADCS or GlobalSign on end points running Linux, MacOS X, and even non-domain-joined Windows devices.

User identity certificates identify a person rather than a computer and are used for user authentication, document signing, VPN access, and similar applications.

This release also adds support for the new AdminClient Command Line Interface (CLI).  The cmbadm command provides access to most administrative actions including viewing, modifying, and deleting settings and entities. Most of what the Management Console provides can be accomplished using cmbadm.

The CertAccord Agent can now apply file-system access control permissions to the certificate files it writes. Permissions can be assigned per certificate, or as a product-wide default in the Management Console under Settings.

The Management Console now features improved handling of Contacts as well as improved data access functions.

More Information

For more details on this release please refer to the CertAccord Enterprise Release Notes and the Administration Guide.  This release is available for download by registered customers from https://revocent.com/download.

Contact Revocent today to learn more and discuss how CertAccord Enterprise can improve your security profile, reduce costs, and scale your enterprise IT.

About CertAccord Enterprise

CertAccord Enterprise allows Linux, MacOS X, Solaris, and Windows (including non-AD-joined) systems to quickly and easily create and install digital certificates that are fully managed. Active Directory integration is built into CertAccord and does not require changing the authentication system at the OS (Linux) level. You can install CertAccord in hours, not months, without major changes to your existing PKI or AD environments.

Enrolling certificates from Microsoft ADCS on platforms such as Linux and MacOS X, and renewing them automatically, removes the manual steps that make certificate creation expensive and that cause service outages when certificates expire unnoticed.


CertAccord Enterprise 4.11 Provides Key User Requested Features


CertAccord Enterprise 4.11 has been released by Revocent and provides key new features requested by enterprise customers, including native RPM and DEB packages for Linux, maintenance periods, and Agent CLI improvements.

Many customers have asked for the CertAccord Enterprise Agent to be installable as a native Linux RPM or DEB package in addition to our standard runnable installer. With this release customers can install the Agent using the native rpm and dpkg commands, so it integrates more easily with their existing IT management systems.

Customers have also asked to control when CertAccord performs certain actions, so that certificate changes fit their internal change control processes and Service Level Agreements (SLAs). This release adds maintenance periods: the times at which certificate actions may be performed are set on the Settings page of the CertAccord Enterprise Management Console.

The Agent Command Line Interface (CLI) has been improved to let customers customize the certificate creation process. The CLI can now set the certificate alias used in JKS and PKCS#12 files. It can also write result files, so that other applications can automate certificate creation with CertAccord Enterprise.


For more details on this release please refer to the CertAccord Enterprise Release Notes and the Administration Guide, available for download from https://revocent.com/download.

CertAccord – How To Create Trusted Certificates From Command Line On MacOS X


Creating a trusted X.509 certificate on Apple’s MacOS X (as well as Linux) is fast and simple using CertAccord Enterprise. Almost any IT system administrator can create certificates without having to be a PKI expert.

This article shows you how to create a trusted X.509 certificate from the MacOS X command line (bash prompt) in just a few minutes.  Once the certificate is created it will be installed locally and managed automatically (including automatic renewals).

Prerequisites

The CertAccord Enterprise Server must be installed and configured to access your enterprise Microsoft Certificate Authority.

STEP 1 – Install CertAccord Enterprise Agent

If you don’t already have the CertAccord Agent installed, you can install it by copying the CertAccord Agent installer to your MacOS X system.   Then run the installer:

This command will install the Agent into the default location of /Applications/CertAccord.

STEP 2 – Register Agent

Change myserver to be the hostname of the CertAccord Enterprise Server.

When you run this command, the Agent will download the CA trust information from the server, generate a private key locally (configured to adhere to the policies given by the server), and then submit the registration request to the server.

STEP 3 – Create Certificate

To create a web server certificate for use with Apache HTTPD or other web server, run the following command:

This command automatically creates a CSR, submits it to the enterprise CA, and installs the certificate once it is issued. All of this follows the PKI policies configured on the CertAccord Enterprise Server and your enterprise CA; the system administrator running the command needs no knowledge of those policies or configuration requirements.

Here is example output:

The output shows that a certificate was created, saved to the local Agent database, and exported to /var/cmb/cert/dune.contoso.com-webserver.crt. The Apache HTTPD server was also reloaded so that it re-read its configured certificate files.

Summary

A few key take-aways:

  1. Using the CertAccord Agent required no prior knowledge of the enterprise PKI policies for keys or certificates.
  2. Because the certificate was issued by the enterprise CA rather than self-signed, any application that trusts the enterprise CA can verify it without further configuration.
  3. The Agent manages the life-cycle of the certificate, so it renews the certificate automatically without human intervention.


MacOS X Certificate Auto Enrollment With Microsoft CA


There is no free MacOS X “client” which provides Auto Enrollment or integrates with the Microsoft PKI the way the client built into Microsoft Windows does. However, there are commercial options which provide very similar abilities, one in particular which is easy to install and use and won’t blow up your budget.

Many commercial and government enterprise organizations use MacOS X for laptops, desktops, and servers, which often require a trusted X.509 certificate. Typically the need is for an SSL/TLS Server Authentication certificate, commonly known as a web server certificate, or a Client Authentication certificate. These are used for user and device authentication and for applications such as connecting to the enterprise VPN.

The most common Public Key Infrastructure (PKI) in these same organizations is the Microsoft Enterprise Certificate Authority (CA). There are no free MacOS X options which provide automated integration with the Microsoft CA. This historically leaves organizations the choice of using “free” MacOS X tools combined with a complex manual process, or purchasing one of the very large and complex commercial products on the market.

There is a better solution that doesn’t have all the downsides of the “free” solution and doesn’t require substantial budget like the older monolithic commercial solutions.

Free Doesn’t Mean Low Cost

The “free” MacOS X tools approach typically involves IT admins using the OpenSSL command line to create a private key and certificate signing request (CSR), emailing the request to the Microsoft PKI admin, receiving the certificate back, and installing the certificate and key correctly. You then also need some kind of out-of-band reminder to repeat this process before the certificate expires.

This might be manageable for a dozen or so systems, but it scales very poorly.

The usual result is certificates with too long a validity period, certificates which expire without being renewed, or both. Long, multi-year validity periods are far from ideal: the longer a certificate is valid, the longer a compromised key, or a key size or algorithm that has since been weakened, stays in use. Shorter validity periods shorten that exposure, but at the cost of more frequent renewals.

IT admins are human.  They forget things.  One thing they often forget is to renew manually managed certificates.  This leads to service outages and unhappy customers.

Even if your IT admins have the memory of an elephant and the discipline of a Tai Chi Master, the labor costs of creating and managing large numbers of certificates in this manner is huge.

Prepare For Assimilation

There are several behemoth commercial products on the market which can automate the certificate process. However, these products require “total assimilation”, much like the fictional Borg.

You have to join each MacOS X system to Active Directory and switch user authentication over to AD as well. This requires massive changes to existing MacOS X and Microsoft infrastructure.

The result is implementation time frames of 3 months to more than 3 years, and price tags that start at $250K for an “entry level” implementation and reach $1M or more for large organizations.

That’s not easy and it’s not cheap by any means.

The Easy Way

Revocent developed CertAccord Enterprise to solve these problems. CertAccord Enterprise provides a MacOS X (also Linux, Unix, and Windows) Client for auto enrollment with the Microsoft PKI Certificate Authority.

It is designed to be easy to use by MacOS X admins who just want to run a simple command to “create web server certificate” and then have the certificate managed (renewed) throughout its life-cycle. The certificate creator states the purpose of the certificate without having to know the company PKI policies for creating a private key or certificate. That is all configured by the enterprise PKI experts.

The Microsoft PKI administrators use nearly all the same tools and interfaces to manage Certificate Templates (policies), with the addition of the CertAccord Enterprise Management Console web GUI. The Console is where MacOS X device registrations are controlled and where certificate Templates (policies) are “connected” to CertAccord for use.

It’s easy to install because it’s designed as a “bolt-on” to your existing Microsoft PKI and MacOS X infrastructure.  You don’t integrate your MacOS X systems with AD so it’s a simple installation.

You don’t have to spend a year implementing it and it won’t cost you most of your annual budget.   It’s just easier.


CertAccord Enterprise 4.10 Adds Mac Support


CertAccord Enterprise 4.10 has been released by Revocent and adds support for Apple MacOS X end point devices. MacOS X devices can now integrate with leading PKI platforms such as Microsoft Active Directory Certificate Services (ADCS) and GlobalSign to create and manage X.509 digital certificates easily and automatically.

CertAccord Enterprise allows MacOS X, along with all other major platforms including Linux and Windows, to quickly and easily create and install digital certificates that are fully managed. Windows has built-in auto enrollment with Microsoft ADCS; CertAccord Enterprise mirrors this on MacOS X, Linux, and UNIX.

Enrolling certificates on MacOS X from Microsoft ADCS, and renewing them automatically, significantly reduces the cost of manual certificate creation and the risk of service outages from expired certificates.

For more details on this release please refer to the CertAccord Enterprise Release Notes and the Administration Guide available for download from https://revocent.com/download


CertAccord Enterprise 4.9 Features Major AD Groups Enhancements

CertAccord Enterprise 4.9 has been released by Revocent and features major enhancements to Active Directory (AD) Groups and LDAP settings.

Handling large numbers of Groups has been significantly improved.  The Console can now handle tens of thousands of Groups imported from Active Directory or natively created.

AD Groups can also be used to automatically approve registration requests by assigning a specific Role to a Group.

Importing data from AD can now be configured to use specific LDAP Search Base values for each CertAccord activity.

The Java Runtime Environment (JRE) has been changed from Oracle JRE to OpenJDK.  This change was necessary due to a significant change in Oracle’s JRE license.  Customers can still choose to supply and use their own Oracle JRE in place of the OpenJDK bundled with CertAccord.

For more details on this release please refer to the CertAccord Enterprise Release Notes and the Administration Guide available for download from https://revocent.com/download


CertAccord Enterprise 4.8 Features Updated Management Console and Certificate Appliers

CertAccord Enterprise 4.8 has been released by Revocent and features a major update to its Management Console GUI and the introduction of Certificate Appliers.  Additionally many new enterprise friendly features have been implemented including Active Directory filtering of User Groups by OU, logging to Windows Event Log on Windows systems, certificate SAN validation settings, and automatic approval of device registrations by role.

The updated Management Console has a leaner and much cleaner layout than previous versions.  Much of the clutter has been removed to optimize the space to display data while still allowing the user to access filters and sorting capabilities.  The dashboard has been updated to provide more relevant data in color coded groups.

The Management Console now supports the ability to view and edit Roles.  Previously this was only available from the command line.

Certificate Appliers are a new feature in this release which lets customers perform actions when a certificate is created or renewed. Certificate Appliers are a command line API: a customer writes a script which CertAccord runs each time a certificate is created or renewed, for example to update an application with the new certificate. The CertAccord Enterprise Administration Guide has complete details on how to write a Certificate Applier.
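One way to write such a script, as an added example that is neither CertAccord's code nor its documented interface: the calling convention (certificate, key and CA bundle paths as three arguments), the destination paths and the apachectl commands are assumptions, and the Administration Guide is the authority on what the Agent actually passes. The point it demonstrates is that an Applier runs unattended on every renewal, so it should validate the certificate and test the web server configuration before reloading, and restore the previous files if that test fails.

```shell
#!/bin/sh
# Added example, not CertAccord's own code: a Certificate Applier for Apache
# HTTPD that refuses a bad certificate and rolls back if the new config fails.
# Assumed calling convention (hypothetical; the real one is in the
# Administration Guide): $1 = new certificate, $2 = its private key,
# $3 = CA trust bundle, all PEM. Destinations and commands are overridable.
set -eu

CERT_DST="${CERT_DST:-/etc/pki/tls/certs/www.contoso.com.crt}"
KEY_DST="${KEY_DST:-/etc/pki/tls/private/www.contoso.com.key}"
CHECK_CMD="${CHECK_CMD:-apachectl configtest}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"
MIN_REMAINING="${MIN_REMAINING:-604800}"   # seconds; 7 days

# A "renewed" certificate that is already close to expiry means something
# upstream went wrong; refuse it rather than install it and reload.
cert_not_expiring() {                      # $1 = cert PEM
    openssl x509 -in "$1" -noout -checkend "$MIN_REMAINING" >/dev/null
}

# The certificate must chain to the enterprise trust bundle before it is
# allowed anywhere near the web server.
chain_valid() {                            # $1 = cert, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Copy $1 to $2 with mode $3: write a temp file first and rename it into place
# so Apache never reads a half-written file, and keep the old file as .bak.
install_file() {
    tmp="$2.tmp.$$"
    (umask 077 && cp "$1" "$tmp")
    chmod "$3" "$tmp"
    if [ -f "$2" ]; then cp -p "$2" "$2.bak"; fi
    mv -f "$tmp" "$2"
}

rollback() {
    for f in "$CERT_DST" "$KEY_DST"; do
        if [ -f "$f.bak" ]; then mv -f "$f.bak" "$f"; fi
    done
}

# Returns 0 if the new certificate is live, 1 if it was refused or rolled back.
apply_cert() {                             # $1 = cert, $2 = key, $3 = CA bundle
    cert_not_expiring "$1" || { echo "refusing: certificate expires within $MIN_REMAINING s" >&2; return 1; }
    chain_valid "$1" "$3"  || { echo "refusing: chain does not validate" >&2; return 1; }
    install_file "$1" "$CERT_DST" 0644
    install_file "$2" "$KEY_DST"  0600     # private key readable by owner only
    if $CHECK_CMD >/dev/null 2>&1; then    # configtest before touching the running server
        $RELOAD_CMD
    else
        echo "config check failed, restoring previous certificate and key" >&2
        rollback
        return 1
    fi
}

# When invoked by the agent with three arguments, apply them; when sourced, do nothing.
if [ "$#" -eq 3 ]; then
    apply_cert "$1" "$2" "$3"
fi
```

The script must run with enough privilege to write under /etc/pki/tls and reload httpd, which is why every input is checked before anything is written: an Applier is an unattended hook, and a bad certificate or a broken ssl.conf would otherwise take the site down at renewal time with nobody watching.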

The new Auto Approval Device Registrations by Role setting allows user credentials with the proper role to automatically receive registration approval even when manual approvals are enabled.  This adds yet another option for enterprises to meet audit and controls requirements while still automating the installation of CertAccord Enterprise.


Configuring Apache HTTPD TLS Using Microsoft ADCS Certificates


This quick guide gives step-by-step instructions for configuring Apache HTTPD on Linux with TLS (SSL) using an X.509 certificate issued from a Microsoft Active Directory Certificate Services (ADCS) PKI environment. We cover two methods, which differ greatly in complexity and real cost.

The first method, common but not necessarily the best, is a manual process using OpenSSL, which is built into most Linux distributions. The second method uses CertAccord Enterprise to create and renew certificates automatically from Microsoft ADCS.

Background

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). It provides validation of the server’s identity and encryption of all communications between the client (web browser, etc.) and the server (Apache HTTPD, etc.). TLS requires that the server have an X.509 certificate. These certificates can be self-signed or issued by a trusted Certificate Authority (CA). A self-signed certificate gives clients nothing to check the server’s identity against except a manually distributed copy of that certificate, so it is insecure in practice and rarely the best option.

In many organizations Microsoft ADCS (sometimes referred to as Windows PKI or Windows Certificate Authority) provides the Public Key Infrastructure (PKI) for certificate issuance.  Apache HTTPD is often used in such environments to provide web services.

Conventions

We will use the name “www.contoso.com” in our examples.  When you follow these steps change this name to your server’s name.

METHOD 1 – OpenSSL

The first method we will cover is using OpenSSL. OpenSSL is a set of command line tools and libraries that are part of nearly every Linux distribution. OpenSSL can create a Certificate Signing Request (CSR), which must then be manually transported to Microsoft ADCS and submitted. Once ADCS issues the certificate it must be manually transported back to the target Linux system.

It is also important to remember that certificates expire and using this method you must manually track when your certificates expire.  Prior to expiration you have to perform the same manual CSR process.

STEP: Install OpenSSL

Most Linux distributions already have OpenSSL installed but if yours does not you should use the appropriate command to install the package.  On Red Hat based systems use yum:

On Debian based systems use apt-get:

STEP: Generate Private Key

It is best practice to generate a new private key for each CSR rather than reusing a key across renewals. To create a key we first create a working directory:

Create the key and place in a file:

STEP: Generate CSR

This command will create a Certificate Signing Request (CSR) which we will later use to request the actual certificate:

You will be prompted to enter some information as shown below. Microsoft ADCS uses the Common Name; note that modern browsers also require the host name in a subjectAltName, so make sure the template supplies it or that the request carries one the template accepts. Do not provide a challenge password.

STEP: Create Certificate

Copy the www.contoso.csr file to a Windows domain joined system such as an issuing CA.

Open cmd prompt and submit the CSR:

You must change DOMAINCA\CA1 to be a valid DOMAIN\HOST value for your environment.  You may also need to change “WebServer” to a Microsoft Template name appropriate for your organization.

If all goes right you should see output similar to:

Your certificate should now be in the www.contoso.com.cer file.

Install the certificate and key files:

STEP: Obtain Trust CA Certificates

You will need to obtain a file containing all your enterprise trusted CAs.  Contact your Microsoft ADCS administrator and ask how to obtain this file.  You need all the certificates in a single PEM file.

Install the CA trust file in:

STEP: Configure Apache HTTPD

The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.

Edit /etc/httpd/conf.d/ssl.conf and change the following:

Save the file and then restart Apache:

The process is now complete. All you have to do now is remember to redo it before your certificate expires. You could also automate it using Method 2 – CertAccord Enterprise.
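Method 1's key, CSR and pre-install steps collected into shell functions, as an added example that is not part of the original article, with the checks a practitioner should run before a certificate goes into Apache: the host name goes into a subjectAltName as well as the Common Name, the private key is created under a restrictive umask, and the issued certificate is checked against both the key it was requested for and the enterprise trust bundle. It assumes openssl is on the PATH; the host name www.contoso.com comes from the article and all file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: the key, CSR and post-issuance
# checks for Method 1 as shell functions. Assumes openssl in PATH and the
# article's host name www.contoso.com; file paths are the caller's choice.
set -eu

# Step "Generate Private Key": create the key under umask 077 so it is never
# readable by other users, not even briefly. 2048 is the usual template minimum.
make_key() {                              # $1 = key file out, $2 = bits (optional)
    (umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:"${2:-2048}" -out "$1")
}

# Step "Generate CSR": non-interactive, with the host name in subjectAltName as
# well as the Common Name (browsers match on the SAN; ADCS honours it only if
# the template lets the requester supply the subject). No challenge password.
make_csr() {                              # $1 = key, $2 = csr out, $3 = FQDN
    cat > "$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $3
[v3_req]
subjectAltName = DNS:$3
EOF
    openssl req -new -key "$1" -out "$2" -config "$2.cnf"
}

# Step "Create Certificate" happens on a domain-joined Windows host with the
# certreq command the article uses; the shape is (adjust CA and template name):
#   certreq -submit -config "DOMAINCA\CA1" -attrib "CertificateTemplate:WebServer" www.contoso.csr www.contoso.com.cer

# SHA-256 of the public key carried by a key, CSR or certificate, so the three
# artifacts can be compared without handling the private key material itself.
pubkey_of() {                             # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform DER ;;
        csr) openssl req  -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        crt) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

keys_match() {                            # $1 $2 = kind file, $3 $4 = kind file
    [ "$(pubkey_of "$1" "$2")" = "$(pubkey_of "$3" "$4")" ]
}

# Before "Install the certificate and key files": the certificate that came
# back must belong to our key and must chain to the enterprise trust bundle
# from the "Obtain Trust CA Certificates" step. Anything else is a mix-up or a
# substituted certificate and must not be installed.
verify_issued() {                         # $1 = key, $2 = cert, $3 = CA bundle PEM
    keys_match key "$1" crt "$2" || { echo "certificate does not match key" >&2; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || { echo "chain does not validate against $3" >&2; return 1; }
}
```

Run `verify_issued www.contoso.key www.contoso.com.cer ca-chain.pem` before copying the files into place, and point `SSLCertificateFile` and `SSLCertificateKeyFile` in ssl.conf at the installed copies. One caveat on the subjectAltName: ADCS honours a SAN supplied in the request only when the template is configured to take the subject from the request. Do not work around that by enabling the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag, since it lets any enrollee request any name on any template.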

METHOD 2 – CertAccord Automated Certificates

CertAccord Enterprise is a commercial solution which allows enterprises of any size to create certificates on Linux from Microsoft ADCS without manual processes. Certificates can be created from the Linux command line with a single command. Even better, certificates are automatically renewed without any manual process.

STEP: Install CertAccord Enterprise

Installation of the CertAccord server can be done in a few hours. Please refer to the CertAccord Enterprise Installation Guide for details.

Install the CertAccord Agent on the Linux system as described in the CertAccord Enterprise Installation Guide. This typically takes 1-2 minutes.

STEP: Create Certificate

Open a shell prompt and run:

You will be prompted for your Active Directory username and password.  After that the certificate will be created and the file names of the certificate, key, and CA trust should be output:

STEP: Configure Apache HTTPD

The following steps assume you are on a Red Hat Enterprise Linux 6 or later Linux system.

Edit /etc/httpd/conf.d/ssl.conf and change the following:

Save the file and then restart Apache:

The process is now complete.  Sit back and relax without worrying about renewing your certificate.

Summary

Both methods described will get Apache HTTPD configured with TLS. The OpenSSL method is “free” of licensing cost but heavy on people time, and it has no automated renewal process; it often leads to service outages because of expired certificates.

The CertAccord Enterprise solution solves that problem and has a very low long-term cost, because it saves time on certificate creation and prevents those outages.


Reviewed: Easy certificate management for Linux (InfoWorld)


Roger A. Grimes of InfoWorld published a very positive review of CertAccord Enterprise.


Linux Certificate Auto Enrollment With Microsoft CA


There is no free Linux “client” which provides Auto Enrollment or integrates with the Microsoft PKI the way the client built into Microsoft Windows does. However, there are commercial options which provide very similar abilities, one in particular which is easy to install and use and won’t blow up your budget.

Many commercial and government enterprise organizations run critical services on Linux which often require a trusted X.509 certificate. Typically the need is for an SSL/TLS Server Authentication certificate, commonly known as a web server certificate, on Red Hat Enterprise Linux (RHEL), Ubuntu Server, or another Linux distribution.

The most common Public Key Infrastructure (PKI) in these same organizations is the Microsoft Enterprise Certificate Authority (CA). There are no free Linux options which provide automated integration with the Microsoft CA. This historically leaves organizations the choice of using “free” Linux tools combined with a complex manual process, or purchasing one of the very large and complex commercial products on the market.

There is a better solution that doesn’t have all the downsides of the “free” solution and doesn’t require substantial budget like the older monolithic commercial solutions.

Free Doesn’t Mean Low Cost

The “free” Linux tools approach typically involves Linux IT admins using the OpenSSL command line to create a private key and certificate signing request (CSR), emailing the request to the Microsoft PKI admin, receiving the certificate back, and installing the certificate and key correctly. You then also need some kind of out-of-band reminder to repeat this process before the certificate expires.

This might be manageable for a dozen or so systems, but it scales very poorly.

The usual result is certificates with too long a validity period, certificates which expire without being renewed, or both. Long, multi-year validity periods are far from ideal: the longer a certificate is valid, the longer a compromised key, or a key size or algorithm that has since been weakened, stays in use. Shorter validity periods shorten that exposure, but at the cost of more frequent renewals.

IT admins are human.  They forget things.  One thing they often forget is to renew manually managed certificates.  This leads to service outages and unhappy customers.

Even if your IT admins have the memory of an elephant and the discipline of a Tai Chi Master, the labor costs of creating and managing large numbers of certificates in this manner is huge.

Prepare For Assimilation

There are several behemoth commercial products on the market which can automate the certificate process. However, these products require “total assimilation”, much like the fictional Borg.

You have to join each Linux system to Active Directory and switch user authentication over to AD as well. This requires massive changes to existing Linux and Microsoft infrastructure.

The result is implementation time frames of 3 months to more than 3 years, and price tags that start at $250K for an “entry level” implementation and reach $1M or more for large organizations.

That’s not easy and it’s not cheap by any means.

The Easy Way

Revocent developed CertAccord Enterprise to solve these problems. CertAccord Enterprise provides a Linux Client for auto enrollment with the Microsoft PKI Certificate Authority.

It is designed to be easy to use by Linux admins who just want to run a simple command to “create web server certificate” and then have the certificate managed (renewed) throughout its life-cycle. The certificate creator states the purpose of the certificate without having to know the company PKI policies for creating a private key or certificate. That is all configured by the enterprise PKI experts.

The Microsoft PKI administrators use nearly all the same tools and interfaces to manage Certificate Templates (policies), with the addition of the CertAccord Enterprise Management Console web GUI. The Console is where Linux device registrations are controlled and where certificate Templates (policies) are “connected” to CertAccord for use.

It’s easy to install because it’s designed as a “bolt-on” to your existing Microsoft PKI and Linux infrastructure.  You don’t integrate your Linux systems with AD so it’s a simple installation.

You don’t have to spend a year implementing it and it won’t cost you most of your annual budget.   It’s just easier.
