RPS Certificate Management Technical Design
Last updated on May 05, 2021.
Last Reviewed and Approved on PENDING REVIEW
Table of Contents
Introduction
This document describes the Certificate Management feature and its technical design. The technical design was established based on requirements gathered from the customer, constraints of existing systems, and an analysis of benefits and tradeoffs of various design decisions.
Certificate Management Overview
RPS Certificate Management describes the approach to storing and managing certificates in the RPS configuration management database (CMDB). The data stored in the CMDB can then be used to deploy the certificates to Targets also stored in the CMDB. Certificates are represented and managed in the RPS CMDB as resource items that describe the properties and attributes of the certificate. For a list of detailed certificates properties, please see Certificate data in RPS. For more information about specific certificate usage in RPS, please see Certificate Usage
Rolling Certificate Process
RPS Certificate Management provides the ability to roll certificates. The term "roll" a certificate, refers to replacing one certificate with another certificate of the same type. A few potential reasons for rolling certificates include, a security breach, certificate expirations, or moving from self-signed to Certificate Authority signed.
The process of rolling RPS certificates is orchestrated by invoking a task map that consists of the following runbooks:
| Runbook Name | Description |
|---|---|
| Refresh-RpsSelfSignedCerts | The request disposition message returned by the Certificate Authority after a certificate request submission. |
| Update-MasterKeyProtection | Imports the master key certificate and encrypts the master key with the new certificate. |
| Set-EncryptionSettings | Imports and configures the certificate used for PowerShell Desired State Configuration (DSC) encryption and decryption. |
| Set-WinRmSettings | Installs and configures the certificates used for Windows Remote Management (WinRm). |
| Publish-DscConfiguration | Using data in the CMDB, compiles and publishes DSC configurations to targets. DSC will install and configure certificates across the various application and RPS components. |
Certificate data in RPS
Certificates are represented in the RPS database as Resource Items of type Certificate. As of RPS 4.0, additional properties are supported on Certificate resource items to support the rolling process. The following tables describes each property used for RPS certificates.
| Property Name | Description |
|---|---|
| DispositionMessage | The request disposition message returned by the Certificate Authority after a certificate request submission. |
| ExprirationDate | Certificate expiry date. |
| FriendlyName | Certificate Friendly Name. |
| GenericRole | Generic role used to provision the certificate based on an RPS certificate template. |
| IssuedBy | Issuer of the certificate. |
| Password | Password used to export the certificate's private key. |
| PrivateBase64Content | Base 64 encoded private key. |
| PublicBase64Content | Base 64 encoded public key. |
| PublicKeyPath | Location of the Public Key certificate on the file system. |
| RequestDisposition | The request disposition flag returned by the Certificate Authority after a request submission. |
| RequestId | The ID of the certificate request returned by the Certificate Authority. |
| RequestStatus | The status of the certificate request. Complete/Pending/Incomplete. |
| Role | The certificate role name that defines its RPS use case. |
| RoleValidForRegen | Specifies whether the certificate can be rolled. |
| SigningType | Type of certificate. RpsSigned/CASigned |
| SubjectAlternativeName | Certificate Subject Alternative Name (SAN). |
| SubjectName | Certificate Subject Name. |
| TemplateName | The name of the template to use when requesting a certificate from a Certificate Authority. |
| Thumbprint | Thumbprint of the certificate. |