
What is high assurance device identity?

Background information on ACME Device Attestation, a major improvement in device identity that binds a certificate to a device's TPM or Secure Enclave

1. What is ACME and why is it useful?

ACME (Automated Certificate Management Environment) is a standardized protocol that enables machines to automatically obtain X.509 certificates from a Certificate Authority (CA) without human intervention. This is useful for automating the process of securing internal workloads, proxies, queues, databases, etc. with mutual TLS (mTLS) for authentication and encryption, and for simulating Let's Encrypt in development and pre-production scenarios where connecting to Let's Encrypt's staging server is difficult.

2. How does a typical ACME certificate request flow work?

A typical ACME flow involves the following steps: First, an ACME client creates an account with the ACME CA server and submits a certificate order. The CA then responds with a set of challenges to ensure the client controls the requested subject names (domain names, IP addresses, or hardware device IDs). The CA verifies the client’s challenge responses, and once completed, the client submits a certificate signing request (CSR). The CA verifies the client’s control of the private key, and then issues the certificate. This process ensures secure and automated certificate issuance.

3. What are the common types of ACME challenges?

Common ACME challenge types include http-01, dns-01, tls-alpn-01, and device-attest-01. http-01 requires the client to host a random number at a specific URL. dns-01 requires the client to provision a DNS TXT record. tls-alpn-01 uses TLS to validate a challenge via application layer protocol negotiation. The device-attest-01 challenge is designed for issuing client certificates bound to a device identifier using a security module.
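As an added example (not Smallstep's code and not part of the original FAQ), here is the key-authorization step behind the http-01 and dns-01 challenges described above, in Go using only the standard library. It shows that the value the client publishes is not the bare token but the token bound to the ACME account key through its RFC 7638 JWK thumbprint, so one account's challenge answer is useless to another account. The token and account key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// b64 is the unpadded base64url encoding ACME uses everywhere (RFC 8555).
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewAccountKey makes a constructed P-256 stand-in for a registered ACME account key.
func NewAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON
// {"crv","kty","x","y"} (lexicographic order, no whitespace, coordinates padded to curve size).
func Thumbprint(pub *ecdsa.PublicKey) string {
	size := (pub.Curve.Params().BitSize + 7) / 8 // 32 bytes for P-256
	canon := fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`,
		pub.Curve.Params().Name,
		b64(pub.X.FillBytes(make([]byte, size))),
		b64(pub.Y.FillBytes(make([]byte, size))))
	sum := sha256.Sum256([]byte(canon))
	return b64(sum[:])
}

// KeyAuthorization is token || "." || thumbprint (RFC 8555 §8.1); for http-01 the
// client serves exactly this at http://<identifier>/.well-known/acme-challenge/<token>.
func KeyAuthorization(token string, pub *ecdsa.PublicKey) string {
	return token + "." + Thumbprint(pub)
}

// DNS01Value is the TXT record content for _acme-challenge.<identifier> (RFC 8555 §8.4).
func DNS01Value(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64(sum[:])
}

func main() {
	key, _ := NewAccountKey() // demo only; check the error in real code
	ka := KeyAuthorization("constructed-sample-token", &key.PublicKey) // not a real CA token
	fmt.Printf("http-01 body: %s\ndns-01 TXT:   %s\n", ka, DNS01Value(ka))
}
```

The CA recomputes the same thumbprint from the account key it already holds, which is why a leaked challenge body gives an attacker nothing to reuse.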

4. What is ACME Device Attestation and how does it improve device security?

ACME Device Attestation uses hardware security modules (like TPMs, Secure Enclaves, or YubiKeys) to bind certificates to specific devices, using the device-attest-01 challenge type. This prevents rogue devices from obtaining certificates, ensures that private keys are hardware-bound and non-exportable, and removes the need for insecure passwords in the enrollment process. By cryptographically confirming that a device's private key is hardware-bound and issued to a specific device, organizations can enforce stronger security policies and adhere to the principles of Zero Trust.

5. How does ACME Device Attestation differ from older methods like SCEP?

Traditional methods like SCEP rely on shared secrets or passwords for device enrollment, which are vulnerable to attacks if compromised. ACME Device Attestation, on the other hand, uses cryptographic hardware to attest the device's identity. With ACME Device Attestation, a stolen configuration profile is useless as it does not contain any reusable secrets, making it much more secure than SCEP. SCEP also doesn't handle certificate renewal, whereas ACME is designed for complete automation.

6. What role do hardware modules like TPMs play in ACME Device Attestation?

Hardware modules like Trusted Platform Modules (TPMs) provide a secure location to store cryptographic keys and perform secure operations. With ACME Device Attestation, a TPM creates and certifies an Attestation Key (AK) with device-specific identifiers. This AK is used to prove the device's identity, and to verify that a certificate request came from a valid and verified device, making it much harder for an attacker to impersonate a legitimate device.

7. How does Smallstep integrate with existing device management solutions?

Smallstep integrates with major Mobile Device Management (MDM), Identity Provider (IdP), and device posture platforms like Jamf, Intune, and Workspace ONE. These integrations enable a seamless and secure user experience by hardening user identity, extending the reach of device posture systems, and revoking device credentials when a device is removed from inventory or fails posture checks. This integration simplifies the implementation of Zero Trust security by ensuring only company-owned and compliant devices can access sensitive resources.

8. What kind of resources can Smallstep help protect?

Smallstep helps protect a wide range of sensitive enterprise resources, including Wi-Fi and VPN networks, Zero Trust Network Access (ZTNA), public SaaS applications (like Stripe, Slack, and NetSuite), internal web apps and cloud services (like Google Workspace and Microsoft Office365), cloud APIs (like AWS, GCP, and Azure), and Git repositories and cloud storage solutions. By securing these resources with high-assurance device identity, Smallstep helps prevent unauthorized access and data breaches.
