CertAccord© Enterprise provides automated X509 Certificate Lifecycle Management between PKI platforms like Microsoft ADCS and endpoints running Linux, MacOS, and Windows. The typical CertAccord setup uses DNS to identify endpoints with the CertAccord Enterprise Agent. The DNS information is used to establish the trusted hostname of an endpoint in order to create its product certificate and identity. In some environments the DNS information is not accurate because its not up-to-date or because the endpoint IP address is dynamic. This can occur when systems are located on remote networks and use some form of dynamic IP assignment such as DHCP, NAT, or VPN.
CertAccord Enterprise can be configured to support such environments by changing the endpoint identification method from DNS to REQUEST. When REQUEST mode is used the CertAccord server accepts the hostname and certificate subject sent by CertAccord Enterprise Agent on the endpoint. This method ignores the IP address of the endpoint completely.
The downside to REQUEST mode is that you are accepting whatever hostname and subject the agent sends. The endpoint will still prompt the user to authenticate themselves and validate that they have permission to register. You are essentially trusting the authenticated user to only send a hostname and subject that is considered acceptable. With DNS mode you enforce the endpoint identity in DNS.
How To
Here is the procedure for how to setup REQUEST mode
STEP 1: Configure REQUEST mode in CertAccord Management Console
Login to CertAccord Management Console and navigate to Settings > General > Registration and change “Device Registration Identity Source” to be “REQUEST”.
STEP 2: [OPTIONAL] Configure Agent Identity
By default CertAccord Enterprise Agent will use the system hostname as the hostname and subject that is sent to the CAB during registration. If you wish to change/override this, you can create /etc/cmb/agent.config with these lines:
host.name=ohwow.contoso.com
subject.commonName=ohwow.contoso.com
subject.name.0=dns:superwow.contoso.com
Once these values are set, you can register using “cmb register server=cabserver“.
Summary
Using REQUEST mode enabled you to avoid inaccurate IP/DNS information for endpoints while still enabling you to leverage CertAccord Enterprise to create and maintain X509 Certificates from Microsoft ADCS.