
    RPS Certificate Management Technical Design

    Last updated on May 05, 2021.

    Last Reviewed and Approved on PENDING REVIEW

    Table of Contents

    • Introduction
    • Certificate Management Overview
    • Rolling Certificate Process
    • Certificate data in RPS

    Introduction

    This document describes the Certificate Management feature and its technical design. The technical design was established based on requirements gathered from the customer, constraints of existing systems, and an analysis of benefits and tradeoffs of various design decisions.

    Certificate Management Overview

    RPS Certificate Management describes the approach to storing and managing certificates in the RPS configuration management database (CMDB). The data stored in the CMDB can then be used to deploy the certificates to Targets that are also stored in the CMDB. Certificates are represented and managed in the RPS CMDB as resource items that describe the properties and attributes of the certificate. For a list of detailed certificate properties, please see Certificate data in RPS. For more information about specific certificate usage in RPS, please see Certificate Usage.

    Rolling Certificate Process

    RPS Certificate Management provides the ability to roll certificates. To "roll" a certificate means to replace it with another certificate of the same type. Potential reasons for rolling a certificate include a security breach, certificate expiration, or moving from a self-signed certificate to one signed by a Certificate Authority.

    The process of rolling RPS certificates is orchestrated by invoking a task map that consists of the following runbooks:

    | Runbook Name | Description |
    | --- | --- |
    | Refresh-RpsSelfSignedCerts | The request disposition message returned by the Certificate Authority after a certificate request submission. |
    | Update-MasterKeyProtection | Imports the master key certificate and encrypts the master key with the new certificate. |
    | Set-EncryptionSettings | Imports and configures the certificate used for PowerShell Desired State Configuration (DSC) encryption and decryption. |
    | Set-WinRmSettings | Installs and configures the certificates used for Windows Remote Management (WinRM). |
    | Publish-DscConfiguration | Using data in the CMDB, compiles and publishes DSC configurations to targets. DSC will install and configure certificates across the various application and RPS components. |

    Certificate data in RPS

    Certificates are represented in the RPS database as Resource Items of type Certificate. As of RPS 4.0, additional properties are supported on Certificate resource items to support the rolling process. The following table describes each property used for RPS certificates.

    | Property Name | Description |
    | --- | --- |
    | DispositionMessage | The request disposition message returned by the Certificate Authority after a certificate request submission. |
    | ExprirationDate | Certificate expiry date. |
    | FriendlyName | Certificate Friendly Name. |
    | GenericRole | Generic role used to provision the certificate based on an RPS certificate template. |
    | IssuedBy | Issuer of the certificate. |
    | Password | Password used to export the certificate's private key. |
    | PrivateBase64Content | Base64-encoded private key. |
    | PublicBase64Content | Base64-encoded public key. |
    | PublicKeyPath | Location of the public key certificate on the file system. |
    | RequestDisposition | The request disposition flag returned by the Certificate Authority after a request submission. |
    | RequestId | The ID of the certificate request returned by the Certificate Authority. |
    | RequestStatus | The status of the certificate request: Complete, Pending, or Incomplete. |
    | Role | The certificate role name that defines its RPS use case. |
    | RoleValidForRegen | Specifies whether the certificate can be rolled. |
    | SigningType | Type of certificate: RpsSigned or CASigned. |
    | SubjectAlternativeName | Certificate Subject Alternative Name (SAN). |
    | SubjectName | Certificate Subject Name. |
    | TemplateName | The name of the template to use when requesting a certificate from a Certificate Authority. |
    | Thumbprint | Thumbprint of the certificate. |
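    The rolling process above is driven by the properties in this table: RoleValidForRegen gates whether a role may be rolled at all, RequestStatus shows whether a CA request is already in flight, ExprirationDate and SigningType supply the usual reasons for rolling, and Thumbprint lets an operator confirm that the stored PublicBase64Content has not been altered before it is deployed to Targets. The following Python is an added example, not RPS code and not one of the runbooks listed above. It works on constructed dicts keyed by the property names from the table (the role names, the 30-day threshold, the "TemplateName present means a CA template is available" rule, and the stand-in DER bytes are all assumptions made for the example; RPS reads these items from its CMDB with its own tooling).

```python
"""Select RPS-style Certificate resource items that need rolling and check
Thumbprint integrity. Added example using the property names from the RPS
table; the records, thresholds and rules are constructed assumptions."""
import base64
import hashlib
from datetime import date, timedelta
from typing import Dict, List

# Assumed policy value: roll anything that expires within this many days.
EXPIRY_WARNING_DAYS = 30

# Constructed "current date" so the example is deterministic (the page's date).
TODAY = date(2021, 5, 5)


def make_item(role, signing_type, expires, valid_for_regen, der, **extra) -> Dict:
    """Build a constructed Certificate resource item as a plain dict.

    `der` is NOT a real certificate; it stands in for the decoded
    PublicBase64Content. The Thumbprint is derived from it the way Windows
    derives a certificate thumbprint: SHA-1 over the DER encoding.
    """
    item = {
        "Role": role,
        "SigningType": signing_type,           # RpsSigned / CASigned (from the table)
        "ExprirationDate": expires,            # property name spelled as in the RPS table
        "RoleValidForRegen": valid_for_regen,
        "RequestStatus": "Complete",           # Complete / Pending / Incomplete
        "PublicBase64Content": base64.b64encode(der).decode("ascii"),
        "Thumbprint": hashlib.sha1(der).hexdigest().upper(),
    }
    item.update(extra)
    return item


def thumbprint_matches(item: Dict) -> bool:
    """True if Thumbprint equals SHA-1 of the decoded PublicBase64Content.

    A mismatch means the stored public content or the thumbprint was changed
    after the item was recorded, so the item should not be deployed as-is.
    """
    der = base64.b64decode(item["PublicBase64Content"])
    expected = hashlib.sha1(der).hexdigest().upper()
    stored = item["Thumbprint"].replace(":", "").replace(" ", "").upper()
    return expected == stored


def roll_reasons(item: Dict, today: date) -> List[str]:
    """Return why this certificate should be rolled; an empty list means leave it."""
    if not item.get("RoleValidForRegen", False):
        return []                       # the role cannot be rolled at all
    if item.get("RequestStatus") == "Pending":
        return []                       # a CA request is already in flight
    reasons = []
    expires = date.fromisoformat(item["ExprirationDate"])
    if expires <= today + timedelta(days=EXPIRY_WARNING_DAYS):
        reasons.append("expiring")
    # Assumed rule: a self-signed cert with a CA template configured is a
    # candidate for moving to a CA-signed certificate.
    if item.get("SigningType") == "RpsSigned" and item.get("TemplateName"):
        reasons.append("self-signed with CA template available")
    return reasons


def select_for_rolling(items: List[Dict], today: date) -> Dict[str, List[str]]:
    """Map Role -> reasons for every item that has at least one reason."""
    selected = {}
    for item in items:
        reasons = roll_reasons(item, today)
        if reasons:
            selected[item["Role"]] = reasons
    return selected


def integrity_failures(items: List[Dict]) -> List[str]:
    """Roles whose stored Thumbprint does not match their PublicBase64Content."""
    return [i["Role"] for i in items if not thumbprint_matches(i)]


# Constructed sample items; role names are assumptions loosely following the runbooks.
SAMPLE_ITEMS = [
    make_item("MasterKey", "CASigned", "2021-05-20", True, b"constructed-der-master-key"),
    make_item("DscEncryption", "RpsSigned", "2022-01-01", True, b"constructed-der-dsc",
              TemplateName="RpsWebServer"),
    make_item("WinRm", "CASigned", "2021-05-10", True, b"constructed-der-winrm",
              RequestStatus="Pending"),
    make_item("RootCa", "CASigned", "2021-05-10", False, b"constructed-der-root"),
]

TAMPERED_ITEM = make_item("Tampered", "RpsSigned", "2022-06-01", True, b"constructed-der-tampered")
TAMPERED_ITEM["Thumbprint"] = "00" * 20  # stored thumbprint no longer matches the content

if __name__ == "__main__":
    for role, why in select_for_rolling(SAMPLE_ITEMS, TODAY).items():
        print(f"roll {role}: {', '.join(why)}")
    print("integrity failures:", integrity_failures(SAMPLE_ITEMS + [TAMPERED_ITEM]))
```

    Run against the constructed items, MasterKey is selected for expiring and DscEncryption for being self-signed with a template available; WinRm is skipped because its request is Pending, RootCa because its role is not valid for regeneration, and the tampered item is reported by the integrity check rather than silently rolled.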