This article applies to NetFoundry networks version 7 or higher. Refer to Finding Your Network Version for detailed information on determining your Network Version.
There are two enrollment methods, and you must enable at least one of them (either one or both). The difference between them is whether the endpoint is created at enrollment time or pre-created beforehand.
AUTO ENROLLMENT: With this option the endpoint is created and enrolled in a single step. The first time a certificate issued by this CA is presented, an enrolled endpoint is created immediately. There is no need to create the endpoint in advance.
OTT ENROLLMENT (one-time token): This option lets you create endpoints in advance. The first time a certificate issued by this CA is presented, the one-time token belonging to an existing endpoint must be presented with it; that existing endpoint is then enrolled.
AUTO ENROLLMENT and OTT ENROLLMENT
When both options are enabled, presenting the token is optional:
- If no token is presented during enrollment, an enrolled endpoint is created immediately the first time a certificate issued by this CA is presented.
- If a token is presented during enrollment, the existing endpoint that owns that token is enrolled.
- You can leave this option disabled while enrollment takes place and enable it later to begin allowing the enrolled endpoints to connect.
- If you experience a security incident affecting your CA, disable this option to pause connectivity for all endpoints associated with the CA.
After importing your CA certificate you must prove that you control its signing key by issuing a verification certificate: a leaf (user) certificate signed by that CA, of the same kind you will later issue to each endpoint that enrolls through it. The verification certificate must carry the verification token, an alphanumeric string associated with the imported CA, as the exact value of its common name (CN).
For example, if the verification string for your imported CA is "K3ScXYHMR", then the Subject of your verification certificate might look like this:
❯ openssl x509 -noout -subject < ~/pki/intermediate/certs/K3ScXYHMR.cert
subject=C = US, L = Charlotte, O = Cold River, OU = us-west, CN = K3ScXYHMR
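The following is an added example, not part of the original article and not NetFoundry tooling. It shows the full openssl sequence behind the Subject above: it builds a throwaway CA that stands in for your imported CA (in practice you would sign with the real CA key whose certificate you imported), issues a key and CSR whose CN is the verification token, signs it, and then checks both the CN and that the certificate chains to the CA before you upload it. The token value, Subject fields, file names and certificate lifetimes are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: issue a verification certificate whose CN equals the
# verification token. The CA, token value, paths and lifetimes are assumed.
set -euo pipefail

TOKEN="K3ScXYHMR"      # verification token shown for the imported CA (assumed value)
WORK="$(mktemp -d)"    # scratch PKI directory for this demonstration

# 1. Throwaway CA standing in for the CA you imported. With a real CA you
#    would skip this and point -CA/-CAkey below at your existing material.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/L=Charlotte/O=Cold River/OU=us-west/CN=Example Intermediate CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cert" 2>/dev/null
}

# 2. Private key and CSR for the verification certificate. The only field
#    the console checks is CN, which must be exactly the token.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/L=Charlotte/O=Cold River/OU=us-west/CN=${TOKEN}" \
    -keyout "$WORK/${TOKEN}.key" -out "$WORK/${TOKEN}.csr" 2>/dev/null
}

# 3. Sign the CSR with the CA key. A short lifetime is fine; the certificate
#    is only used once to prove control of the CA.
sign_csr() {
  openssl x509 -req -days 30 -in "$WORK/${TOKEN}.csr" \
    -CA "$WORK/ca.cert" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/${TOKEN}.cert" 2>/dev/null
}

# Extract the CN from the issued certificate so it can be compared with the
# token before the certificate is uploaded.
issued_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/${TOKEN}.cert" \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Confirm the certificate actually chains to the CA whose certificate the
# console holds; signing with the wrong key fails here instead of at upload.
chain_ok() {
  if openssl verify -CAfile "$WORK/ca.cert" "$WORK/${TOKEN}.cert" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

make_ca && make_csr && sign_csr
echo "verification cert: $WORK/${TOKEN}.cert"
echo "issued CN:         $(issued_cn)"
echo "chains to CA:      $(chain_ok)"
```

Upload the resulting `.cert` file as the verification certificate only after `issued_cn` prints the token unchanged and `chain_ok` prints `yes`; a certificate whose CN differs by even one character, or that was signed by a different key than the imported CA, will not verify.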
Create Endpoints for this CA
After verifying your CA you can begin pre-creating endpoints for it. This is only needed for OTT ENROLLMENT; with AUTO ENROLLMENT, endpoints are created and enrolled automatically the first time they present their certificate. When you create an endpoint, select the CA through which it is permitted to enroll. Attributes you assign to a pre-created endpoint take precedence over the attributes configured on the CA itself.