fleet/ee/tools/mdm
Zach Wasserman d5e4a9a66f
Signing tool for MDM Push CSRs (#8884)
This PR provides the tooling that fleetdm.com will use to sign MDM Push
CSRs.

This was tested against the output of #8812, and the resulting requests
were validated to be accepted by Apple.

Co-authored-by: Roberto Dip <me@roperzh.com>
Co-authored-by: Roberto Dip <dip.jesusr@gmail.com>
2023-01-06 08:25:54 -08:00
Files in this directory (all added in this commit):

certs_test.go
certs.go
README.md

MDM Push CSR generation tool

Build

Build like any other go program:

go build -o mdm-gen-cert .

Usage

The following environment variables must be configured:

VENDOR_CERT_PEM - Fleet's MDM Vendor certificate in PEM format.
VENDOR_KEY_PEM - Fleet's MDM Vendor private key in PEM format.
VENDOR_KEY_PASSPHRASE - Passphrase for the MDM Vendor private key.
CSR_BASE64 - Base64 encoded CSR submitted from the Fleet server or fleetctl on behalf of the user. (Note: this is accepted as an environment variable to mitigate against command injection attacks from untrusted user input.)

The program outputs the email and org from the signing request, and the signed request as JSON. For example:

{"email":"fleetuser@example.com","org":"ExampleOrg","request":"PD94bWw..."}

The email should be validated against the email denylist, and then the request contents should be sent to that email address as an attachment (e.g. apple-apns-request.txt).
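As an added illustration, not code from this PR or the Fleet tool itself, the following Go sketch shows the input-validation side of such a signer: it takes the base64 CSR from the CSR_BASE64 environment variable value (never from argv), verifies the CSR's own signature before anything would be signed with the vendor key, and extracts the email and org that the JSON output reports. It assumes the email lives in the CSR's subjectAltName and the org in the subject; makeTestCSR is a constructed sample generator, and the vendor signing step that produces the "request" field is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// CSRInfo mirrors the email/org fields of the tool's JSON output.
type CSRInfo struct {
	Email string `json:"email"`
	Org   string `json:"org"`
}

// parseCSRInfo decodes the base64 PEM CSR as delivered in CSR_BASE64 (never argv),
// checks the requester's self-signature, and extracts the email SAN and organization.
func parseCSRInfo(csrB64 string) (CSRInfo, error) {
	raw, err := base64.StdEncoding.DecodeString(csrB64)
	block, _ := pem.Decode(raw) // nil block for garbage or empty input
	if err != nil || block == nil || block.Type != "CERTIFICATE REQUEST" {
		return CSRInfo{}, fmt.Errorf("CSR_BASE64 is not a base64-encoded PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the private key
	}
	if err != nil {
		return CSRInfo{}, fmt.Errorf("invalid CSR: %w", err)
	}
	if len(csr.EmailAddresses) != 1 || len(csr.Subject.Organization) != 1 {
		return CSRInfo{}, fmt.Errorf("CSR must carry exactly one email SAN and one organization")
	}
	return CSRInfo{Email: csr.EmailAddresses[0], Org: csr.Subject.Organization[0]}, nil
}

// makeTestCSR builds a constructed RSA-2048 CSR (sample input, not a real customer request),
// base64-encoded the way CSR_BASE64 expects.
func makeTestCSR(email, org string) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{org}}, EmailAddresses: []string{email}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key) // der is nil when err is set
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), err
}
```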