A good API makes the difference between a software application and a software platform. Without an API, a software product is a special-purpose tool for a pre-defined set of specific operations. With a good API, though, it can become a powerful, modular platform with capabilities that go well beyond what its developers originally imagined. Tasks that otherwise require thousands of clicks and keystrokes can be reduced to a single keystroke to launch a script. And business processes that require multiple software applications can be seamlessly integrated so that the end users don't even have to know what software is being used. This is all true of CMS, and with the launch of CMS 5.0 and the CMS PowerShell SDK, the API-based capabilities of CMS are more powerful than ever and easier to use!
Digital Certificate Provisioning
Consider the following scenario: A dozen employees are joining your development team from another site. They already have workstations, but they don't have the client certificates needed to access your source code repository.
- Have your sysadmin walk around to each workstation, enroll for a certificate, and install it.
- Direct all of the employees to visit the CMS enrollment portal and request a certificate, approve the requests, and direct the employees to install them in the correct place.
- Run a 15-line PowerShell script that finds the users' computers, obtains a certificate for each one, and automatically pushes the certificate to the appropriate machine store via the CMS Windows Agent.
In the first two cases, coordination is required between more than a dozen individuals. Not only that, these options do nothing to help with the next dozen employees to come on board. However, with an API-based solution, you can develop an automated, repeatable process in a short, simple PowerShell script. A script that doesn't care whether it's issuing a dozen certificates for new employees or ten thousand certificates for the whole organization. Such a script is shown at the end of this post as "Script 1." Furthermore, if you can launch the script from another part of your onboarding and provisioning process, you now have a zero-touch solution for issuing certificates every time you need them.
Digital Certificate Management
CMS can help with the converse scenario too. Suppose a group of employees is leaving a division. The employees each had personal certificates, as well as certificates on their workstations and other devices, to access a variety of applications specific to the group. You want to immediately revoke all certificates that these employees have access to.
- Have your sysadmins scan their machines for installed certificates, scan the CAs for certificates issued to them, revoke those, and hope that you found them all.
- Use the CMS Management Portal to go through the employees and workstations, search for certificates issued to them or present on their devices and revoke them manually.
- Run a 15-line PowerShell script that searches your certificate inventory for all certificates issued to these users or present on their workstation, and automatically revokes them all.
Once again, just a few lines of scripting allows time-sensitive operations to be performed quickly, consistently, and thoroughly, with little regard for how many users and machines are affected, or for when and how often it is executed. An example script for this is provided at the end as well, labeled "Script 2."
This API is in no way limited to workforce changes either. Scenarios where virtual machines are spun up dynamically for software testing or other cases where a sandbox environment is needed can leverage the PowerShell SDK at startup to provision any certificates needed for the applications. Web servers with expiring certificates can, with zero-touch by staff, automatically generate a public/private keypair and use it to request a new certificate with the same content to ensure continued server operation. A migration of certificates from aging cryptographic algorithms (or worse, a compromised CA) to newer and more secure algorithms (such as from SHA-1 to SHA-2) can be easily orchestrated to occur at a large scale.
Secure Application Development with APIs
Another feature of CMS for which the Web API and PowerShell SDK significantly extends other capabilities is certificate metadata. While a great deal of information can be put into a certificate, there is no way to change this data once the certificate is issued and cryptographically signed. Certificates tagged with metadata can address scenarios where associated data may change over the lifetime of a certificate. This includes information describing the individual or group that owns the certificate, the applications that depend on it, the date on which it should be renewed, future migration plans, or any other content that's either subject to change or not known at issuance time. This metadata tagging system can also be used to dynamically enable and disable access to other applications by location, time of day, or other criteria. A sample python script is provided at the end as "Script 3," that programmatically checks if a certificate (provided in base64 PEM encoding) is enabled. In fact, with our tools like the CMS VerdeTTo Access Valve, you can add these enhanced authentication mechanisms at the server platform level without modification to your backend code. So in the second scenario above, the certificates for the departing employees could be temporarily disabled instead of outright revoked by updating a metadata value. This would mean that, if disabling a certificate turns out to impact other users or systems, that certificate could be temporarily re-enabled on a case-by-case basis until a replacement certificate can be issued. Not only that, but with the "Renew" Web API method or the corresponding PowerShell cmdlet, these certificates can quickly be renewed and automatically installed in all locations where they are still needed. In all of these cases and many others, the CMS Web API provides the easiest way to implement repeatable, reliable processes while saving time and minimizing risk.
Script 1: PowerShell for automatic certificate enrollment and installation to target users' machines.
Script 2: PowerShell for automatic certificate revocation for target users and their machines.
Script 3: Python using the CMS Web API to determine, based on a metadata value, if a cert is enabled.
For more on how to operationalize certificate management with efficiency, download the PKI Automation for the Future white paper: