Netgate Discussion Forum
    advice for cert management with external CA and PKI

    General pfSense Questions
    SpaceBass
      hey friends - looking for some expertise and advice on cert management with an external CA and PKI system.

      We use pfSense as our gateways and VPN end points (mostly openvpn for road warriors).

      Our setup at our main site has gotten increasingly complex (mostly in good ways). We use OpenXPKI as our internal CA and PKI system.

      The challenge comes when it is time to re-cert and re-key the VPN server and users. It is an inherently manual process that involves creating entirely new certs on the PKI.

      I know pfSense doesn't support a renewal request in the CA/Cert manager for external certs. And the ACME plugin doesn't support custom ACME server profiles.

      So, does anyone have any experience, insight, or tips in managing both user and server certs from an external PKI?

      We have AD (via Samba) - publishing user certs to AD isn't out of the question. But I'm not sure that helps. And OpenXPKI supports scep and est, but also not sure that helps.

      So short of an annual mad dash to re-cert everything, does anyone have any ideas or tips?

      lspiehler

        Check out https://pkiaas.io. You can use SCEP to automate certificate renewal on your endpoints with MDM. There are also self-service certificate options that use mTLS to authenticate renewal using the existing certificate.

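The pattern the reply describes (renewal authenticated with the existing certificate over mTLS) is exactly what EST's /simplereenroll endpoint in RFC 7030 standardises, and the original post notes that OpenXPKI speaks EST. The script below is an added example, not code from the thread, pfSense or OpenXPKI: it checks whether the current VPN server certificate is inside a renewal window, builds a re-enrollment CSR with a fresh key and the same subject, and, when EST_URL is set, submits it over mTLS and extracts the issued certificate. The EST base URL, CA bundle, file paths and 30-day threshold are hypothetical, and it needs only openssl and curl; importing the issued certificate into pfSense's certificate manager remains a manual step here.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or OpenXPKI. Renews a VPN
# server certificate via EST (RFC 7030) simplereenroll, authenticating the
# request with the *current* certificate over mTLS instead of re-creating
# everything by hand. Requires openssl and curl. The EST URL, CA bundle,
# file paths and the 30-day threshold are hypothetical.
set -eu

# needs_renewal CERT DAYS: succeed (0) if CERT expires within DAYS, else 1.
# `openssl x509 -checkend N` succeeds only while the cert is still valid N
# seconds from now, so the result is inverted here.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# cert_subject_rfc2253 CERT -> e.g. "CN=fw01.example.test,O=Example Corp"
cert_subject_rfc2253() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# rfc2253_to_slash "CN=a,O=b" -> "/O=b/CN=a", the -subj form `openssl req`
# expects (RFC 2253 lists RDNs most-specific first, so the order is reversed).
# Assumption: no escaped commas inside attribute values.
rfc2253_to_slash() {
  printf '%s\n' "$1" | awk -F, '{ s = ""; for (i = NF; i >= 1; i--) s = s "/" $i; print s }'
}

# make_reenroll_csr OLD_CERT NEW_KEY CSR: fresh RSA key, same subject as the
# current cert. RFC 7030 s4.2.2 wants subject and SANs to match the old cert;
# SANs are not copied by this example and would come from the CA's profile
# or an added -addext.
make_reenroll_csr() {
  subj=$(rfc2253_to_slash "$(cert_subject_rfc2253 "$1")")
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null
  openssl req -new -key "$2" -subj "$subj" -out "$3"
}

# cert_matches_key CERT KEY: true if KEY is the private key belonging to CERT.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# est_reenroll BASE_URL CA_BUNDLE OLD_CERT OLD_KEY CSR NEW_CERT
# POSTs the base64 PKCS#10 to /simplereenroll, presenting the current cert
# and key as TLS client credentials; the server returns a base64 certs-only
# PKCS#7, from which the first certificate is written out as PEM.
est_reenroll() {
  b64=$(mktemp)
  openssl req -in "$5" -outform DER | openssl base64 > "$b64"
  curl --fail --silent --show-error \
       --cacert "$2" --cert "$3" --key "$4" \
       -H 'Content-Type: application/pkcs10' \
       -H 'Content-Transfer-Encoding: base64' \
       --data-binary "@$b64" \
       "$1/.well-known/est/simplereenroll" \
    | openssl base64 -d \
    | openssl pkcs7 -inform DER -print_certs \
    | openssl x509 -out "$6"
  rm -f "$b64"
}

# Stand-alone demo on a constructed self-signed "current" cert with 10 days
# left (inside the 30-day window). The network step runs only if EST_URL is set.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -subj "/O=Example Corp/CN=fw01.example.test" \
    -keyout "$d/current.key" -out "$d/current.pem" 2>/dev/null
  if needs_renewal "$d/current.pem" 30; then
    make_reenroll_csr "$d/current.pem" "$d/new.key" "$d/new.csr"
    echo "renewal CSR built for: $(cert_subject_rfc2253 "$d/current.pem")"
    if [ -n "${EST_URL:-}" ]; then
      est_reenroll "$EST_URL" "${EST_CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}" \
        "$d/current.pem" "$d/current.key" "$d/new.csr" "$d/new.pem"
      if cert_matches_key "$d/new.pem" "$d/new.key"; then
        echo "issued: $d/new.pem (import it with $d/new.key into pfSense)"
      fi
    fi
  else
    echo "no renewal needed"
  fi
}
demo
```

Run it offline to see the expiry check and CSR build; with `EST_URL=https://pki.example.internal` (a hypothetical host) pointed at an EST-capable CA, the same cert that is about to expire is what authenticates its own replacement, so no operator has to create a new request on the PKI side. The same flow applies per road-warrior user cert if the client endpoint can run it; that is the gap the reply's SCEP-via-MDM route fills for devices you do not script directly. One caveat: run the renewal well inside the validity period, because once the old cert has expired the mTLS handshake to /simplereenroll fails and you are back to manual enrollment.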
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.