Background

Jellyfish enables organisations to restrict which certificates can be issued from a template or tenancy. This prevents users from requesting malicious certificates and ensures that issued certificates comply with defined requirements.

Restrictions can be applied using any of the three mechanisms Jellyfish provides: CSR rules, domain whitelisting (reported as Domain Violations) and pre-certificate linting. Custom reporting can also be used to review what has been issued in the past, for instance before applying a new rule.

Domain Violations

Domain Violations is the simplest and easiest to use of Jellyfish’s filtering techniques. Operators specify a tenancy-wide list of accepted domains that users can issue certificates for; the list does not hard-limit issuance to those domains. Domain Violations then reports what has been issued outside the list.

This option is easy to use and applies to the common name and DNS names. Domain Violations can be very useful in a basic set-up that is issuing mostly SSL certificates, or in test environments, where you want to see, for instance, that a certificate for google.com was created while still allowing it for testing purposes.

Figure 1 – Domain Violations in the Dashboard

Figure 2 – Domain Violations from the Dashboard

CSR Rules

CSR rules define a set of requirements that a Certificate Signing Request (CSR) must meet before a template will issue a certificate for it. Restrictions control which values may be present in a CSR. Rules are built from a set of hardcoded values or regular expressions.

CSR rules provide the most flexibility and have the added benefit that they can be applied to specific templates.
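The two mechanisms above, an accepted-domain list that only reports violations and per-template CSR rules built from hardcoded values or regular expressions, as an added Go example. This is not Jellyfish's own code: DomainPolicy, CSRRule, CheckCSRRules, the cogitogroup.net pattern and the sample request values are assumptions for illustration, and the CSR struct is constructed in place of one parsed from an uploaded request with x509.ParseCertificateRequest.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"regexp"
	"strings"
)

// DomainPolicy is a constructed stand-in for a tenancy-wide list of accepted
// domains; each entry accepts the apex domain and any subdomain of it.
type DomainPolicy struct{ Accepted []string }

// Violations returns every name in the CSR (common name first, then DNS SANs)
// outside the accepted list. It reports rather than blocks, like Domain Violations.
func (p DomainPolicy) Violations(csr *x509.CertificateRequest) []string {
	names := append([]string{}, csr.DNSNames...)
	if cn := csr.Subject.CommonName; cn != "" {
		names = append([]string{cn}, names...)
	}
	var out []string
	for _, n := range names {
		lc, ok := strings.ToLower(strings.TrimSuffix(n, ".")), false
		for _, d := range p.Accepted {
			d = strings.ToLower(d)
			ok = ok || lc == d || strings.HasSuffix(lc, "."+d)
		}
		if !ok {
			out = append(out, n)
		}
	}
	return out
}

// CSRRule is a constructed per-template rule: a CSR field paired with a hardcoded
// value or a regular expression that every value of that field must match.
type CSRRule struct {
	Field   string         // "CN", "O" or "DNS"
	Exact   string         // hardcoded value, used when Pattern is nil
	Pattern *regexp.Regexp // regular-expression alternative
}

func fieldValues(csr *x509.CertificateRequest, field string) []string {
	switch field {
	case "CN":
		return []string{csr.Subject.CommonName}
	case "O":
		return csr.Subject.Organization
	case "DNS":
		return csr.DNSNames
	}
	return nil
}

// CheckCSRRules returns one message per value that fails a rule; a missing field
// fails its rule, so a request cannot satisfy a template by leaving the field out.
func CheckCSRRules(csr *x509.CertificateRequest, rules []CSRRule) []string {
	var errs []string
	for _, r := range rules {
		vals := fieldValues(csr, r.Field)
		if len(vals) == 0 {
			errs = append(errs, fmt.Sprintf("%s: required field missing", r.Field))
		}
		for _, v := range vals {
			ok := v == r.Exact
			if r.Pattern != nil {
				ok = r.Pattern.MatchString(v)
			}
			if !ok {
				errs = append(errs, fmt.Sprintf("%s: value %q not permitted", r.Field, v))
			}
		}
	}
	return errs
}

// DefaultRules follows Figure 4 (subject restricted to cogitogroup.net); values are assumed.
func DefaultRules() []CSRRule {
	return []CSRRule{
		{Field: "CN", Pattern: regexp.MustCompile(`^[a-z0-9-]+\.cogitogroup\.net$`)},
		{Field: "O", Exact: "Cogito Group"},
	}
}

// SampleCSR is constructed sample input standing in for a parsed user request.
func SampleCSR(cn, org string, dns []string) *x509.CertificateRequest {
	return &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{org}},
		DNSNames: dns,
	}
}

func main() {
	policy := DomainPolicy{Accepted: []string{"cogitogroup.net"}}
	// A request naming google.com from a tenancy that only accepts cogitogroup.net.
	csr := SampleCSR("google.com", "Cogito Group", []string{"www.cogitogroup.net", "google.com"})
	fmt.Println("domain violations:", policy.Violations(csr))
	fmt.Println("CSR rule errors:", CheckCSRRules(csr, DefaultRules()))
}
```

The domain check lower-cases names and strips a trailing dot before comparing, whereas a regular-expression rule matches exactly as written, so a pattern that only lists lower-case characters will reject a mixed-case common name; decide deliberately which behaviour a template should have.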

Figure 4 – CSR Rules: subject restricted to cogitogroup.net

Pre-Certificate Linting

Cogito integrates with the ZLint pre-certificate linting tool. This can be used to ensure that certificates conform to the specifications laid out in linting profiles, such as those published by the CA/Browser Forum and others.

Pre-certificate linting is an effective way to ensure compliance with predefined profiles. However, it cannot enforce specific values within certificate data. For that, pre-certificate linting can be combined with CSR Rules and Domain Whitelisting for finer control and customisation.

Figure 4 – Linting RFC options but others are also available

Error Reporting on Certificate Issuance

Across all three certificate filtering options—pre-certificate linting, CSR Rules, and Domain Whitelisting—the Jellyfish portal delivers clear and accessible error messages whenever certificate issuance fails because of invalid parameters. This lets operators quickly identify and correct problems with certificate requests.