Hi everyone, I have a question about SSL cert rotation. Is there anyone who can advise on an efficient way to perform SSL cert rotation? Suppose you have 1000 agents registered to fleet manager; it would not be easy to do this. I can only think of setting a cron job in the instance and disabling SSL verification for the time being on fleetdm. But it doesn't seem to be the right way to do things. Any help is appreciated! Thank you!
09/02/2021, 10:59 AM
I actually wrote a blog post about this. This one is about ACME, which could be handy, but for endpoints I'd recommend using SCEP (to not expose any unnecessary ports and such).
Smallstep is creating a very handy SCEP server, which could serve as an intermediary CA to serve new certificates. Implementation guidance for SCEP here. If you need more information about setting up an intermediary CA for this, feel free to reach out.