Certificate Authorities

Last modified on January 30, 2024

Overview

Certificate authorities allow your organization’s SSH and RDP resources to authenticate with trusted certificates. Using certificate authentication eliminates the need to manage unique key pairs for each of your servers.

Every organization in StrongDM is automatically assigned a StrongDM Certificate Authority (CA) for RDP resources and a StrongDM CA for SSH resources. The StrongDM CA issues certificates that, when configured on your servers, allow them to authenticate with the trusted certificate. By using a certificate authority managed by StrongDM, every connection is secured with a client certificate, which reduces the risk posed by lost or compromised keys.

This article describes how to use the Certificate Authorities page to manage CAs, as well as how to view details about the resources configured to use them.

Manage Certificate Authorities

You can manage all the certificates available for your organization from the Admin UI in Network > Certificate Authorities.

Network > Certificate Authorities

Selecting a CA from the list opens a new page, which displays that CA’s Settings and Resources tabs.

Settings

The Settings tab displays all certificates issued by the selected CA and allows you to create, copy or download, update, and remove certificates.

Example of StrongDM SSH Certificate Authority Settings

Resources

The Resources tab displays all resources configured to use the certificates. Clicking the details button beside a resource name opens the resource’s configuration form.

Example of StrongDM RDP Certificate Authority Resources

Create a Certificate

To create a new certificate, follow these steps.

  1. In the Admin UI, go to Network > Certificate Authorities.
  2. Select the desired CA from the list (for example, “StrongDM SSH Certificate Authority”) to display that CA’s settings, certificate(s), and the resources configured to use the certificate.
  3. From the Settings tab, click Create New Certificate. A new certificate is created with a unique fingerprint identifier and the date and time of creation.
  4. If creating a certificate for RDP, additionally specify when the certificate will expire (1, 2, or 3 years).
  5. On the active certificate (highlighted in blue), click the appropriate button to copy the public key (for SSH) or download the root certificate file (for RDP).
  6. Add the new certificate to your host. See the instructions for SSH and RDP.

Remove a Certificate

Only inactive certificates may be removed. If you wish to remove an active certificate, you must first create a new certificate, and use the Update button to make the new certificate active. Then you may remove the previously active certificate.

To remove a certificate, follow these steps.

  1. In the Admin UI, go to Network > Certificate Authorities.
  2. Select the desired CA from the list (for example, “StrongDM SSH Certificate Authority”).
  3. From that CA’s Settings tab, select the certificate you wish to remove.
  4. Click the remove button and confirm.

Certificate Rotation

Your organization is allowed to have multiple certificates for each CA, but only one SSH certificate and one RDP certificate may be active at any given time. An active certificate is the one configured to authenticate to the resource.

Occasionally, you may need to rotate (that is, update) a certificate, for example when it is about to expire. When an active certificate is rotated, however, it becomes inactive, and all sessions using it are terminated. To avoid session downtime, StrongDM allows certificates to be rotated in stages.

Prerequisites for rotation

Before you begin, please ensure that the following requirements are met.

  • Have an SSH (Certificate Based) or RDP (Certificate Based) resource configured. If the resource is not yet configured, please see the setup instructions for SSH or RDP.
  • The certificate-based resource must be accessible by a StrongDM gateway. You can confirm that it’s accessible by going to the resource’s Diagnostics tab and ensuring that its status is “healthy.”

Update a certificate

We recommend staging certificate rotation in the following way.

  1. In the Admin UI, go to Network > Certificate Authorities and select the desired CA from the list (for example, “StrongDM SSH Certificate Authority”). The CA’s settings and list of certificate(s) displays, with the current active certificate highlighted in blue.
  2. On the CA’s Settings tab, click Create New Certificate. A new certificate is created with a unique fingerprint identifier and the date and time of creation.
  3. If creating a certificate for RDP, additionally specify when the certificate will expire (specify 1, 2, or 3 years).
  4. Select the new certificate from the list, and click the appropriate button to copy the public key (for SSH) or download the root certificate file (for RDP).
  5. Follow the setup instructions for SSH or RDP to configure the new certificate in your server.
  6. Return to Certificate Authorities in the Admin UI and select the new certificate from the list.
  7. Click Update and then confirm to enable the new certificate and disable the old certificate.
  8. Verify that authentication works with the new certificate by making a connection (for example, in the CLI use sdm ssh <RESOURCE-NAME> to connect to the resource configured to use the CA). Then confirm in the logs that the connection was authenticated with the new certificate.
  9. If authentication is successful, you may safely remove the old certificate. On the old certificate, click the red remove button and confirm that you want to remove it.
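On an OpenSSH host, the host-side part of this staged rotation (step 5 above, together with step 6 of "Create a Certificate") can be scripted as below. This is an added example, not StrongDM's tooling or its SSH setup instructions. It assumes the host trusts the StrongDM CA through sshd's TrustedUserCAKeys option pointing at a file; the path /etc/ssh/strongdm_ca.pub is a placeholder, and the key lines in the demo are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not StrongDM's own tooling. Stages a rotation of the CA public
# key on an OpenSSH host: trust the new key alongside the old one, verify, then
# drop the old one. ASSUMPTION (not stated on the page): the host trusts the
# StrongDM CA through a TrustedUserCAKeys file; the default path below is a
# placeholder and must match the one in your sshd_config.
set -eu

CA_KEYS_FILE="${CA_KEYS_FILE:-/etc/ssh/strongdm_ca.pub}"   # assumed path

# Key material (second field) identifies a key regardless of its comment.
key_blob() {
  printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }'
}

# Step 5 of the rotation: add the new CA key without touching the old one.
# Idempotent, so re-running after a partial rollout is safe.
ca_add_key() {
  blob=$(key_blob "$1")
  [ -n "$blob" ] || { echo "malformed public key line" >&2; return 1; }
  touch "$CA_KEYS_FILE"
  grep -qF -- "$blob" "$CA_KEYS_FILE" && return 0
  printf '%s\n' "$1" >> "$CA_KEYS_FILE"
}

# Step 9: remove the old CA key only after the new one has been verified.
ca_remove_key() {
  blob=$(key_blob "$1")
  [ -n "$blob" ] || { echo "malformed public key line" >&2; return 1; }
  tmp=$(mktemp)
  grep -vF -- "$blob" "$CA_KEYS_FILE" > "$tmp" || true
  mv "$tmp" "$CA_KEYS_FILE"
}

# Number of trusted CA keys: 2 during the staged window, 1 before and after.
ca_key_count() {
  grep -c -E '^(ssh|ecdsa|sk-)[^ ]+ ' "$CA_KEYS_FILE" || true
}

# Syntax-check sshd's configuration when sshd is present; skipped offline.
ca_validate() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t
  fi
}

# Demo against a scratch file with constructed (non-real) key lines.
if [ "${1:-}" = "--demo" ]; then
  CA_KEYS_FILE=$(mktemp)
  OLD='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDKEYCONSTRUCTEDxxxxxxxxxxxxxx strongdm-ca-old'
  NEW='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEWKEYCONSTRUCTEDyyyyyyyyyyyyyy strongdm-ca-new'
  ca_add_key "$OLD"
  ca_add_key "$NEW"; echo "staged: $(ca_key_count) CA keys trusted"
  ca_remove_key "$OLD"; echo "finished: $(ca_key_count) CA key trusted"
  rm -f "$CA_KEYS_FILE"
fi
```

Run it with --demo to exercise the functions against a scratch file. On a real host, set CA_KEYS_FILE to the file named in sshd_config, run ca_validate and reload sshd after each change, and keep both keys trusted (count of 2) until the step 8 connection check has passed; that window is what keeps existing sessions alive while the Admin UI's Update switches which certificate is active. Before adding a key, ssh-keygen -lf on the copied key line prints its fingerprint so you can confirm it is the key the Admin UI shows for the new certificate.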

For more configuration information regarding certificate-based servers, please see the following documentation:
