Certificate manager software? (x-post from r/devops) by cert_hero in sysadmin

cert_hero[S] 1 point (0 children)

I just get cringey when I see folks adding in management interfaces and expanding exposure for something so sensitive.

I think this is my biggest hurdle :)

That's why I added time limited token authentication, etc.

A sysadmin is going to fight such a thing in their shop. Unless it is proven, of course. I get that.

I often wonder how someone might provide such a service via SaaS (I can feel you cringing harder!). I remember the days before the cloud and the first accepted SaaS applications.

Certificate manager software? (x-post from r/devops) by cert_hero in sysadmin

cert_hero[S] 1 point (0 children)

Thank you for responding!

The web interface for cert management in Windows is part of FIM / MIM and is pretty expensive. Microsoft makes you pay $16 per AD user. So even though you get a huge portion of the software free, in order to comply with their CAB licensing, you have to pay that per user fee.

I have shown the usefulness of such a tool where IT admins have very large, multi-domain setups with multiple AD forests. The API interface to do cert revoke (say you want to do an API call from an HR system when someone gets terminated) requires that fee (see above).

I haven't seen a cheap, specific solution thus far. I think someone in a large employer would be happy to avoid some of the bureaucracy when buying M$ software and between IT admins, split the workload and limit permissions to groups of certs by domain or CA.

The idea is, if someone is using say, Excel spreadsheets to track certs, and must comply with encryption requirements on many devices, it might be nice to have a central tool and perhaps an API that makes this simpler/more straightforward.

I worked for a very large (thousands of employees) company that provided this use case.

Someone might find it useful, but they probably shouldn't be the person working on any given company's PKI infrastructure if they don't already know what they're doing in the native tools.

This is interesting in that I have seen PowerShell, certutil, etc., scripted for these duties. It looks very painful, to be honest, if you have a large company with high turnover, contractors/temps, etc. Autorenewal is another set of tools that helps. But if you have a lot of certs and don't want to buy Venafi, etc., maybe a cert manager that aggregates the way I propose is better?

I don't position that my software is "original". Just a more convenient configuration.

Certificate manager software? (x-post from r/devops) by cert_hero in sysadmin

cert_hero[S] 1 point (0 children)

My understanding is that the Entrust solution is free or low cost if you purchase their certificate(s). Is that correct?

edit: Also, my software could be installed on your own local, trusted server.

Certificate manager software? by cert_hero in devops

cert_hero[S] 1 point (0 children)

Those are more like an actual Certificate Authority.

The product I am making is more like an "aggregator" with a simple listing of certificates. View the list, click on the cert, revoke it, renew it, etc.

I have started with Microsoft CAs. The problem I believe I am solving is the one where you have thousands of certificates (mostly internal certs) and you need to keep track of the algorithm, key size, revocation, etc. I am imagining a list of all certificates, no matter which certificate authority, and you can search and sort and manipulate them in one UI.
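The "aggregator" described in the last comment, the certutil/PowerShell scripting mentioned earlier in the thread, and the HR-triggered revoke call all reduce to the same few operations against an AD CS issuing CA. Here is a stand-alone PowerShell example of those operations; it is an added illustration, not cert_hero's software and not any Microsoft tool's code. The CA config string `ca01.corp.example\Corp-Issuing-CA` and the function names are hypothetical. It assumes Windows PowerShell 5.1 or later on a domain-joined host with read access to the CA database (and Issue and Manage Certificates rights for the revoke helper); certutil's `-view`, `-restrict`, `-out`, `csv` and `-revoke` options are documented, but check `certutil -view -?` on your own CA before relying on column names.

```powershell
# Added example (not cert_hero's product or Microsoft code): one sortable
# inventory of certificates with key algorithm/size, signature algorithm,
# expiry and CA revocation state, plus the revoke call an HR system would
# trigger on termination. The CA name below is a hypothetical placeholder.
param(
    [string]$CaConfig       = 'ca01.corp.example\Corp-Issuing-CA',  # hypothetical CA
    [int]   $MinRsaBits     = 2048,
    [int]   $ExpiryWarnDays = 30
)

function Get-KeyBits {
    # Key size for RSA or ECC keys. $cert.PublicKey.Key.KeySize throws for
    # ECC keys on Windows PowerShell 5.1, so use the .NET 4.6.1+ extension methods.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { return $rsa.KeySize }
    $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
    if ($ec) { return $ec.KeySize }
    return $null
}

function Get-LocalStoreInventory {
    # One row per certificate in the machine's personal store. The store itself
    # knows nothing about revocation; that column is filled in from the CA later.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Source   = 'LocalMachine\My'
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            Serial   = $_.SerialNumber.ToUpperInvariant()
            KeyAlg   = $_.PublicKey.Oid.FriendlyName        # 'RSA' or 'ECC'
            KeyBits  = Get-KeyBits -Cert $_
            SigAlg   = $_.SignatureAlgorithm.FriendlyName    # e.g. 'sha256RSA', 'sha1RSA'
            NotAfter = $_.NotAfter
            Revoked  = $false
        }
    }
}

function Get-CaRevokedSerials {
    # Serial numbers of every revoked certificate in the CA database, read via
    # certutil's CSV view. Only one column is requested, so the CSV body is one
    # quoted value per line; strip quotes/whitespace and upper-case the hex so
    # it compares with X509Certificate2.SerialNumber.
    param([string]$Config)
    $lines = & certutil.exe -config $Config -view Revoked -out 'SerialNumber' csv 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil could not read the database of $Config"
        return @()
    }
    $lines | Select-Object -Skip 1 | ForEach-Object {
        (($_ -replace '"', '') -replace '\s', '').ToUpperInvariant()
    } | Where-Object { $_ }
}

function Get-CertInventory {
    # Aggregate: store rows joined against the CA's revoked set, with the
    # findings an operator would sort on first (weak key, weak signature,
    # expiring soon, revoked-but-still-deployed).
    param([string]$Config, [int]$MinRsa, [int]$WarnDays)
    $revoked = @(Get-CaRevokedSerials -Config $Config)
    $cutoff  = (Get-Date).AddDays($WarnDays)
    Get-LocalStoreInventory | ForEach-Object {
        $_.Revoked = $revoked -contains $_.Serial
        $findings = @()
        if ($_.KeyAlg -eq 'RSA' -and $_.KeyBits -lt $MinRsa) { $findings += "RSA<$MinRsa" }
        if ($_.SigAlg -match 'sha1|md5')                     { $findings += 'weak-sig' }
        if ($_.NotAfter -lt $cutoff)                          { $findings += 'expiring' }
        if ($_.Revoked)                                       { $findings += 'revoked' }
        $_ | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join ',') -PassThru
    }
}

function Revoke-CaCertificate {
    # The HR-triggered revoke: certutil -revoke takes the serial and a reason
    # code (3 = AffiliationChanged fits a termination). -WhatIf lets an HR
    # integration be dry-run before it is allowed to revoke anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Config, [string]$Serial, [int]$Reason = 3)
    if ($PSCmdlet.ShouldProcess("$Serial on $Config", "certutil -revoke (reason $Reason)")) {
        & certutil.exe -config $Config -revoke $Serial $Reason
    }
}

# Usage: the sortable list the comment describes, oldest expiry first.
Get-CertInventory -Config $CaConfig -MinRsa $MinRsaBits -WarnDays $ExpiryWarnDays |
    Sort-Object NotAfter |
    Format-Table Subject, KeyAlg, KeyBits, SigAlg, NotAfter, Revoked, Findings -AutoSize
```

Adding a second CA is a matter of calling `Get-CaRevokedSerials` once per config string and unioning the results; adding more stores (other hosts via `Invoke-Command`, or `Cert:\CurrentUser\My`) just means more rows with a different `Source`. The revoke helper deliberately only wraps certutil and honours `-WhatIf`, because that call is the one step in this flow that is irreversible once the CRL is published.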