I'm working on a project for automating PKI certificate life cycle management at a European bank. Currently, the IT department manually handles expiring server certificates and related tasks, which has proven to be quite error-prone. They've set up a private CA on EJBCA for their air-gapped VLANs, which is somewhat unusual since I expected ADCS. The bank's setup includes various VLANs with strict compliance regulations that prevent public internet access. They have a few thousand local Windows servers, making it easy to deploy updates via GPO, but there are also around 900 RHEL servers (300 on RHEL 7 and 700 on RHEL 8 or newer) that aren't domain-joined. Since RHEL 7 isn't officially supported anymore, I've suggested migrating those servers before proceeding. My plan is to use an ACME server solution that can handle requests on the VLAN and translate them into NDES requests for the ADCS. However, installing certbot is challenging due to the lack of internet connectivity, and there are issues with using Docker. A custom installer could be created but may lead to complications. So, I'm asking for your advice: how should I approach certificate automation for these RHEL servers?
4 Answers
I'm curious, how do they maintain updates for anything if they can't connect to the internet? It seems like they would have to use an offline repo to manage installations and updates.
Exactly! They manage everything through satellite servers with custom packages.
You might want to check out step-ca. I set it up as a Subordinate Certificate Authority for my FreeBSD machines, and it has ACME support too. This way, certbot can renew certificates automatically. It might be a nice fit for your RHEL servers!
Can step-ca import the existing ADCS Issuing CA? And will it send revocation notices to the ADCS CRL?
Step-ca sounds promising! How easy is it to set up without internet access?
If your main hurdle with certbot is Python, consider using acme.sh instead. It's a pure shell script client, so you can clone its repo and avoid those dependency issues!
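Whichever client ends up doing the ACME work, the piece that actually bites when it is done by hand is the expiry check: deciding which certificates are inside the renewal window before they lapse. The POSIX shell script below is an added example, not code from this answer and not part of acme.sh; it assumes only `openssl` and GNU `date` (both present on RHEL), takes PEM files as input, and prints the ones that need renewing so a cron job can hand that list to the ACME client. The certificate paths, the 30-day default window and the self-signed fixture helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answer above, not acme.sh code): decide which PEM
# certificates are inside the renewal window. Assumes openssl and GNU date.
set -u

# Epoch seconds of a certificate's notAfter, parsed from openssl's output.
cert_not_after_epoch() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$not_after" +%s
}

# Whole days remaining before expiry; negative once the certificate has lapsed.
# Integer division truncates, so a certificate issued for N days reports N-1
# a moment after issuance; the window below should allow for that.
cert_days_left() {
    now=$(date +%s)
    end=$(cert_not_after_epoch "$1")
    echo $(( (end - now) / 86400 ))
}

# Exit 0 (renew) when fewer than $2 days remain (default 30), 1 otherwise.
cert_needs_renewal() {
    threshold=${2:-30}
    days=$(cert_days_left "$1")
    [ "$days" -lt "$threshold" ]
}

# Print, one per line, each listed certificate that is inside the renewal
# window of $1 days; the caller feeds this list to its ACME client.
certs_due_for_renewal() {
    win=$1
    shift
    for c in "$@"; do
        if cert_needs_renewal "$c" "$win"; then
            echo "$c"
        fi
    done
}

# Constructed test fixture: a throwaway self-signed certificate valid for $2
# days, written to $1 (key to $1.key). Only for exercising the logic offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.internal" >/dev/null 2>&1
}

# Stand-alone use: ./renewcheck.sh /etc/pki/tls/certs/*.pem
if [ "$#" -gt 0 ]; then
    certs_due_for_renewal 30 "$@"
fi
```

Run it from cron with the server's live certificate paths as arguments; an empty output means nothing is due. A window of 30 days is a common choice because it leaves time for a failed renewal to be noticed and retried before the certificate actually expires.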
If you're using Red Hat Identity Management (IdM), you might already have a certificate automation tool with certmonger. It allows for seamless management without needing ACME validations, as it uses Kerberos principals. IdM even has an ACME responder for other machines needing certificates, which could simplify things!
That's interesting! Does IdM require installing FreeIPA for NFS share security?
If they already have ACME support with EJBCA, it might be better to stick with it rather than switching to another CA.

Must be quite a hassle managing everything offline. I wonder how they keep things secure!