mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 17:08:53 +00:00
Fixes #30473

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Added/updated automated tests
- [ ] Manual QA for all new/changed functionality

## Summary by CodeRabbit

* **New Features**
  * Added support for TPM-backed host identity certificates enabling hardware-backed HTTP signature authentication for hosts.
  * Introduced HTTP signature verification middleware for API requests, applied conditionally for premium licenses.
  * Hosts presenting identity certificates must authenticate with matching HTTP message signatures during enrollment and authentication.
  * Added SCEP-based certificate issuance for secure host identity management.
  * Updated enrollment endpoints to use standardized request/response contract types.
* **Bug Fixes**
  * Enhanced authentication logic to verify consistency between host identity certificates and host records, preventing duplicate or mismatched identities.
* **Chores**
  * Updated dependencies and test infrastructure to support HTTP signature verification and host identity certificate workflows.
  * Added comprehensive integration and datastore tests for host identity certificate issuance, storage, and authentication.
1 line
465 B
Text
Fleet server now supports issuing host identity certificates through SCEP (Simple Certificate Enrollment Protocol) that fleetd can use with TPM 2.0 hardware to cryptographically sign all HTTP requests. This hardware-backed authentication provides enterprise-grade security similar to mTLS by ensuring private keys never leave the TPM's secure boundary, establishing cryptographic proof that requests originate from the same physical device that initially enrolled.
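The request-signing flow described in the note above, as an added Go example that is not Fleet's own code: a client signs the method, path and a body digest with a P-256 key and the server recomputes the same signature base, resolves the key from the enrolled host's identity certificate, and rejects altered or stale requests. The header layout is a simplified RFC 9421 shape, the software-generated P-256 key stands in for the TPM-resident key, and the key id `1234`, the path `/api/fleet/orbit/config` and the one-minute freshness window are all constructed assumptions for the example.

```go
// Added, illustrative implementation of hardware-backed HTTP message signatures
// in the style of RFC 9421. Not Fleet's code: header layout, ECDSA P-256 and
// the replay tolerance window are assumptions made for this example.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// sigParams are the signature parameters that are themselves covered by the
// signature; keyID plays the role of the host identity certificate's serial.
func sigParams(created int64, keyID string) string {
	return fmt.Sprintf(`("@method" "@path" "content-digest");created=%d;keyid="%s"`, created, keyID)
}

// signatureBase is the canonical string both sides hash and then sign/verify.
func signatureBase(method, path, digest string, created int64, keyID string) string {
	return fmt.Sprintf("\"@method\": %s\n\"@path\": %s\n\"content-digest\": %s\n\"@signature-params\": %s",
		method, path, digest, sigParams(created, keyID))
}

// contentDigest formats a SHA-256 body digest in the RFC 9530 style.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
}

// SignRequest is the client side. With a TPM-resident key the ecdsa.SignASN1
// call is replaced by a TPM sign operation, so only the signature leaves the chip.
func SignRequest(req *http.Request, body []byte, key *ecdsa.PrivateKey, keyID string, created int64) error {
	digest := contentDigest(body)
	hash := sha256.Sum256([]byte(signatureBase(req.Method, req.URL.Path, digest, created, keyID)))
	sig, err := ecdsa.SignASN1(rand.Reader, key, hash[:])
	if err != nil {
		return err
	}
	req.Header.Set("Content-Digest", digest)
	req.Header.Set("Signature-Input", "sig1="+sigParams(created, keyID))
	req.Header.Set("Signature", "sig1=:"+base64.StdEncoding.EncodeToString(sig)+":")
	return nil
}

// parseSignatureInput extracts created and keyid from the example's header layout.
func parseSignatureInput(v string) (int64, string, error) {
	const prefix = `sig1=("@method" "@path" "content-digest");created=`
	createdStr, keyID, found := strings.Cut(strings.TrimPrefix(v, prefix), `;keyid="`)
	if !strings.HasPrefix(v, prefix) || !found || !strings.HasSuffix(keyID, `"`) {
		return 0, "", errors.New("malformed Signature-Input header")
	}
	created, err := strconv.ParseInt(createdStr, 10, 64)
	if err != nil {
		return 0, "", errors.New("malformed created parameter")
	}
	return created, strings.TrimSuffix(keyID, `"`), nil
}

// VerifyRequest is the server side: the key comes from the host identity
// certificate store, the body digest is recomputed rather than trusted from the
// header, and signatures outside the freshness window are rejected to limit replay.
func VerifyRequest(req *http.Request, body []byte, lookup func(string) (*ecdsa.PublicKey, bool), now time.Time, maxSkew time.Duration) error {
	created, keyID, err := parseSignatureInput(req.Header.Get("Signature-Input"))
	if err != nil {
		return err
	}
	sigVal := req.Header.Get("Signature")
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(sigVal, "sig1=:"), ":"))
	if !strings.HasPrefix(sigVal, "sig1=:") || err != nil {
		return errors.New("malformed Signature header")
	}
	if d := now.Sub(time.Unix(created, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("signature timestamp outside tolerance")
	}
	digest := contentDigest(body)
	if digest != req.Header.Get("Content-Digest") {
		return errors.New("Content-Digest does not match body")
	}
	pub, ok := lookup(keyID)
	if !ok {
		return errors.New("no host identity certificate for keyid")
	}
	hash := sha256.Sum256([]byte(signatureBase(req.Method, req.URL.Path, digest, created, keyID)))
	if !ecdsa.VerifyASN1(pub, hash[:], sig) {
		return errors.New("HTTP signature invalid")
	}
	return nil
}

// Demo runs the flow with a constructed host key, certificate store and request,
// returning the outcomes for a valid, a body-modified, and a stale request.
func Demo() (validErr, tamperedErr, staleErr error) {
	hostKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the TPM key
	if err != nil {
		return err, err, err
	}
	store := func(keyID string) (*ecdsa.PublicKey, bool) { // constructed: serial "1234" -> enrolled host
		if keyID == "1234" {
			return &hostKey.PublicKey, true
		}
		return nil, false
	}
	body := []byte(`{"node_key":"constructed-example"}`)
	now := time.Unix(1_700_000_000, 0)
	req, _ := http.NewRequest(http.MethodPost, "/api/fleet/orbit/config", nil)
	if err := SignRequest(req, body, hostKey, "1234", now.Unix()); err != nil {
		return err, err, err
	}
	validErr = VerifyRequest(req, body, store, now, time.Minute)
	tamperedErr = VerifyRequest(req, []byte(`{"node_key":"modified"}`), store, now, time.Minute)
	staleErr = VerifyRequest(req, body, store, now.Add(2*time.Hour), time.Minute)
	return validErr, tamperedErr, staleErr
}

func main() {
	v, t, s := Demo()
	fmt.Println("valid:", v, "| modified body:", t, "| stale:", s)
}
```

In a real middleware the body would be read from `req.Body` and reset before the handler runs; the example passes it explicitly to keep the verification logic visible. The important properties are that the digest is recomputed from the bytes actually received, the key is taken from the certificate record rather than from the request, and the `created` parameter is bounded so a captured request cannot be resubmitted indefinitely.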