diff --git a/changes/bug-12701-windows-mdm-missing-identity-certs b/changes/bug-12701-windows-mdm-missing-identity-certs
new file mode 100644
index 0000000000..b9da645073
--- /dev/null
+++ b/changes/bug-12701-windows-mdm-missing-identity-certs
@@ -0,0 +1 @@
+* Fleet panicked when Windows MDM identity providers were not set and MDM programmatic enrollment was performed.
diff --git a/server/mdm/microsoft/wstep.go b/server/mdm/microsoft/wstep.go
index 9ac857b593..9171218bbc 100644
--- a/server/mdm/microsoft/wstep.go
+++ b/server/mdm/microsoft/wstep.go
@@ -88,10 +88,18 @@ func newManager(store CertStore, certPEM []byte, privKeyPEM []byte) (*manager, e
 }
 
 func (m *manager) IdentityFingerprint() string {
+	if m == nil {
+		return ""
+	}
+
 	return m.identityFingerprint
 }
 
 func (m *manager) IdentityCert() x509.Certificate {
+	if m == nil {
+		return x509.Certificate{}
+	}
+
 	return *m.identityCert
 }
 
@@ -99,6 +107,10 @@ func (m *manager) IdentityCert() x509.Certificate {
 // subject is the DeviceID of the about to be MDM enrolled device, it will be used as the CommonName of the certificate
 // clientCSR is the client certificate signing request
 func (m *manager) SignClientCSR(ctx context.Context, subject string, clientCSR *x509.CertificateRequest) ([]byte, string, error) {
+	if m == nil {
+		return nil, "", errors.New("windows mdm identity keypair was not configured")
+	}
+
 	if m.identityCert == nil || m.identityPrivateKey == nil {
 		return nil, "", errors.New("invalid identity certificate or private key")
 	}
diff --git a/server/service/microsoft_mdm.go b/server/service/microsoft_mdm.go
index c784b8a65c..54d8b9b998 100644
--- a/server/service/microsoft_mdm.go
+++ b/server/service/microsoft_mdm.go
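Review bot: `IdentityCert` still dereferences `m.identityCert` unguarded, so a non-nil manager whose certificate pointer is nil panics on `return *m.identityCert` — a state that `SignClientCSR` in the next hunk explicitly treats as reachable. Extend the guard to `if m == nil || m.identityCert == nil { return x509.Certificate{} }` so the method is total for the same inputs the signer tolerates. Since callers cannot tell the zero certificate from a real one, both accessors deserve a doc comment stating the contract, e.g. `// IdentityCert returns the identity certificate, or the zero x509.Certificate when the manager or its certificate is unset.` and the matching sentence for `IdentityFingerprint` returning `""`.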
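Review bot: The error text `"windows mdm identity keypair was not configured"` added here is duplicated verbatim in `SignMDMMicrosoftClientCSR` in server/service/microsoft_mdm.go, and as an ad-hoc `errors.New` at each site it can only be matched by string comparison. Declaring it once in this package, `var ErrIdentityKeypairNotConfigured = errors.New("windows mdm identity keypair was not configured")`, and returning it from both places lets the SOAP layer recognise it with `errors.Is` and emit a deliberate fault instead of a generic failure. The body of `SignClientCSR` continues past the end of the hunk.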
@@ -1045,6 +1045,10 @@ func (svc *Service) GetAuthorizedSoapFault(ctx context.Context, eType string, or
 }
 
 func (svc *Service) SignMDMMicrosoftClientCSR(ctx context.Context, subject string, csr *x509.CertificateRequest) ([]byte, string, error) {
+	if svc.wstepCertManager == nil {
+		return nil, "", errors.New("windows mdm identity keypair was not configured")
+	}
+
 	cert, fpHex, err := svc.wstepCertManager.SignClientCSR(ctx, subject, csr)
 	if err != nil {
 		return nil, "signing wstep client csr", ctxerr.Wrap(ctx, err)
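Review bot: `svc.wstepCertManager == nil` only fires for an untyped nil; if the field is an interface type that was assigned a `*manager` which is itself nil, the comparison is false and the call proceeds, and the nil-receiver guards this commit adds in wstep.go suggest that shape is possible, so it is worth confirming which case the unset-keypair path actually produces and, if it is a typed nil, leaving the field unassigned or relying on the method's own guard. Separately, the second return value of this function is the fingerprint hex, and the new guard correctly returns `""` there, but the existing branch below returns the literal `"signing wstep client csr"` in that slot rather than as part of the wrapped error — that line looks like it wanted `""` in the fingerprint position with the message folded into the error instead. The function continues past the end of the hunk.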