Certificate enrollment is the process by which a user requests a digital certificate to use as a machine identity on a public-facing system, application, API, container or cluster. The process starts when you submit a certificate request to a certification authority (CA), an entity that issues and manages digital certificates for use within a public key infrastructure (PKI). Users can request a certificate from a CA manually, or the request can be made automatically without any interaction on their part.
Here’s a brief guide that includes the steps required for certificate enrollment.
Step 1. You request a certificate
A certificate enrollment procedure begins when you file a certificate enrollment request with a CA. The request should contain sufficient information to enable the CA to verify the identity of the user requesting the certificate. These pieces of data generally include your domain name, a business telephone number that is obtainable via public sources, and the details for three contacts:
- An authorization contact, or someone who is authorized to request certificates for your organization
- A technical contact, or someone who receives an approved certificate and who will coordinate its renewals/updates
- A billing contact, or someone who can manage purchases of certificates
The CA may also request additional information based upon the type of certificate requested.
Step 2. You add required characteristics
Besides submitting information for identity verification, you must supply the technical contents of the request itself. For instance, PKCS#10 (Certification Request Syntax Specification), one of the most common formats for certificate enrollment submissions, requires the request to carry the public key the CA will certify, a digital signature over the request made with the matching private key, and the identifier of the signature and hashing algorithm used to create that signature. You are usually not responsible for creating the key pair yourself. As reported by Tech-FAQ, you send your certificate request to a Cryptographic Service Provider (CSP) installed on your computer. The CSP, in turn, creates the public and private key pair for the request, adds the public key to the request information, and passes it on to the CA.
Step 3. CA validates your request
After receiving the enrollment request, the CA verifies the digital signature with the public key contained in the request: it recomputes the hash of the request data and checks it against the hash recovered from the signature, which proves that the requester holds the matching private key. It also uses all of the verification information provided by the user for validation purposes. For instance, it verifies that the requesting company is in good standing by confirming active registration in corporate registries, and it reaches out to the contact listed in the WHOIS record of the requester's domain to confirm control of that domain. If validation is successful, the CA places the public key and the verified identity into an X.509 certificate, signs that certificate with its own private key, and sends the completed certificate to the user.
Step 4. You install the certificate on your machine
At that point, you should verify the certificate, install it on your server, and make a note of its location so that relevant software such as Apache can find it in the future. You should also keep a backup copy of the file received from the CA and store the certificate's private key in a secure location. Only then should you publish copies of your certificate so that digital entities such as web sites and browsers can authenticate it.
Here are some of the protocols you can use to enroll certificates in different environments:
- ACME (Automated Certificate Management Environment) is a communications protocol for automating issuance and domain validation procedures, allowing the automated deployment of public key infrastructure without user interaction.
- SCEP (Simple Certificate Enrollment Protocol) is an open certificate management protocol used to automate certificate issuance. It is used in environments that rely on certificate-based authentication in place of a password to access services such as VPN.
- EST (Enrollment over Secure Transport) is the evolution of SCEP and is more secure and refined than its predecessor. It uses standard TLS (Transport Layer Security) for client-side device authentication.
Step 5. You track the certificate throughout its lifecycle
To maintain that authentication, users who purchase a certificate need to know every location where certificates are installed and used by applications after enrollment. If you do not have an automated solution for machine identity management, you will need to gather and document that information manually and use it to manage all certificate purchases and renewals. If you lose track of a certificate that you have installed, it can expire and trigger an application outage, so take particular care to keep track of all your organization's certificates.
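The following is an added example, not code from the original post, that walks Steps 2 through 5 as a single in-process round trip with the Python `cryptography` library: the client generates a key pair and a self-signed PKCS#10 request, the CA checks that signature before issuing an X.509 certificate, the client verifies what it received before installing it, and a last helper reports the remaining lifetime for Step 5's tracking. The subject names, the throwaway self-signed "Demo Issuing CA" and the 90-day validity are assumptions constructed for this example; real identity vetting of the subject is outside its scope.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject, pubkey, ca_key, issuer, days, ca=False):
    # Build an X.509 certificate and sign it with the CA's private key.
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return b.sign(ca_key, hashes.SHA256())

def make_ca():
    # Throwaway self-signed issuing CA, constructed for the demo only.
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name("Demo Issuing CA")
    return ca_key, _issue(name, ca_key.public_key(), ca_key, name, 365, ca=True)

def make_csr(common_name):
    # Step 2 (client): key pair stays local; the PKCS#10 request carries only
    # the public key and is signed with the private key.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(common_name)).sign(key, hashes.SHA256())
    return key, csr

def ca_issue(csr, ca_key, ca_cert, days=90):
    # Step 3 (CA): a valid CSR signature proves possession of the private key.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify; rejecting request")
    return _issue(csr.subject, csr.public_key(), ca_key, ca_cert.subject, days)

def client_verify(cert, ca_cert, key):
    # Step 4 (client): confirm the CA signed this certificate and that it
    # carries our own public key before installing it.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.public_key().public_numbers() == key.public_key().public_numbers()

def days_until_expiry(cert, now=None):
    # Step 5: track remaining lifetime so renewal happens before an outage.
    now = now or datetime.datetime.now(datetime.timezone.utc)
    end = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return (end - now).days
```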
That's where Venafi comes in. Our Machine Identity Management platform features an enrollment portal that helps users configure multiple CAs. This allows organizations to more quickly request and renew certificates. But more importantly, the Venafi Trust Protection Platform allows organizations to verify that the certificate is installed correctly and will work as intended. The solution also features the ability to centrally generate key pairs and CSRs for users requesting certificates, and it enables dual controls for installation and enrollment.
(This post has been updated. It was originally published on April 30, 2021.)