Certificate Authorities

Overview #

A certificate authority (CA) allows your organization’s SSH and RDP resources to authenticate with trusted certificates. Using certificate authentication eliminates the need to manage unique key pairs for each of your servers.

When managing your resources in StrongDM, you can use the Strong CA, StrongDM’s certificate authority that is automatically assigned to every organization. Alternatively, you can use any supported third-party CA option that you prefer (if the Enterprise bundle is enabled for your organization).

This article describes how to use the Certificate Authorities page of the Admin UI to manage CAs, as well as how to view details about the resources configured to use them.

Strong CA #

Every organization in StrongDM is automatically assigned a StrongDM Certificate Authority (CA) for RDP resources and a StrongDM CA for SSH resources. The Strong CA issues certificates that, when configured on your servers, allow them to authenticate with the trusted certificate. By using a CA managed by StrongDM, every connection is secured with a client certificate that helps to reduce the risk of lost keys being compromised.

The Strong CA is the default certificate authority type and is always shown on the Certificate Authorities page of the Admin UI.

CA Integrations #

As an alternative to the Strong CA, organizations that have the Enterprise bundle enabled may use a CA issued by a third party with certificate-based RDP and SSH resources. Please see Third-Party CA for more information.

If no third-party CAs are added, your organization uses the Strong CA.

Manage Certificate Authorities #

You can manage all the CAs available for your organization from the Admin UI in Network > Certificate Authorities.

If the Enterprise bundle is enabled for your organization, you may add a CA issued outside of StrongDM.

Selecting a CA from the list opens a new page, which displays that CA’s Settings and Resources tabs.

CA Settings tab #

The Settings tab displays all certificates issued by the selected CA and allows you to create, copy or download, update, and remove certificates.

CA Resources tab #

The Resources tab displays all resources configured to use the certificates. Clicking the details button beside a resource name opens the resource’s configuration form.

Create a Certificate #

To create a new certificate, follow these steps.

1. In the Admin UI, go to Network > Certificate Authorities.
2. Select the desired CA from the list (for example, “StrongDM SSH Certificate Authority”) to display that CA’s settings, certificate(s), and the resources configured to use the certificate.
3. From the Settings tab, click Create New Certificate. A new certificate is created with a unique fingerprint identifier and the date and time of creation.
4. If creating a certificate for RDP, additionally specify when the certificate will expire (1, 2, or 3 years).
5. On the new certificate, click the appropriate button to copy the public key (for SSH) or download the root certificate file (for RDP).
6. Add the new certificate to your host. See the instructions for SSH and RDP.

Remove a Certificate #

Only inactive certificates may be removed. If you wish to remove an active certificate, you must first create a new certificate, and use the Update button to make the new certificate active. Then you may remove the previously active certificate.

To remove a certificate, follow these steps.

1. In the Admin UI, go to Network > Certificate Authorities.
2. Select the desired CA from the list (for example, “StrongDM SSH Certificate Authority”).
3. From that CA’s Settings tab, select the certificate you wish to remove.
4. Click the remove button and confirm.

Certificate Rotation #

Your organization is allowed to have multiple certificates for each CA, but only one SSH certificate and one RDP certificate may be active at any given time. An active certificate is the one configured to authenticate to the resource.

Occasionally, you may need to rotate (that is, update) a certificate for various reasons, such as when the certificate is about to expire. When an active certificate is rotated, however, that certificate becomes inactive, and all sessions using the current certificate are terminated. In order to avoid session downtime, StrongDM allows certificates to be rotated in stages.

Prerequisites for rotation #

Before you begin, please ensure that the following requirements are met.

• Have an SSH (Certificate Based) or RDP (Certificate Based) resource configured. If the resource is not yet configured, please see the setup instructions for SSH or RDP.
• The certificate-based resource must be accessible by a StrongDM gateway. You can confirm that it’s accessible by going to the resource’s Diagnostics tab and ensuring that its status is “healthy.”

Update a certificate #

We recommend staging certificate rotation in the following way.

1. In the Admin UI, go to Network > Certificate Authorities and select the desired CA from the list (for example, “StrongDM SSH Certificate Authority”). The CA’s settings and list of certificate(s) displays, with the current active certificate highlighted in blue.
2. On the CA’s Settings tab, click Create New Certificate. A new certificate is created with a unique fingerprint identifier and the date and time of creation.
3. If creating a certificate for RDP, additionally specify when the certificate will expire (specify 1, 2, or 3 years).
   At this point, the old certificate is still active, while the new certificate is staged. To make the new certificate active, continue with the next steps to configure it in your server.
4. Select the new certificate from the list, and click the appropriate button to copy the public key (for SSH) or download the root certificate file (for RDP).
5. Follow the setup instructions for SSH or RDP to configure the new certificate in your server.
6. Return to Certificate Authorities in the Admin UI and select the new certificate from the list.
7. Click Update and then confirm to enable the new certificate and disable the old certificate.
8. Verify that authentication works with the new certificate by making a connection (for example, in the CLI use sdm ssh <RESOURCE-NAME> to connect to the resource configured to use the CA). Then view what you did in the logs.
9. If authentication is successful, you may safely remove the old certificate. On the old certificate, click the red remove button and confirm that you want to remove it.

Recommended Reading #

For more configuration information regarding certificate-based servers, please see the following documentation:

• Add an SSH Server With Certificate Auth
• Remote Identity for SSH
• Add an RDP Server With Certificate Auth
• Remote Identity for RDP