πŸ’πŸ»β€β™‚οΈ IntroductionΒΆ

🎯 Purpose

CertBob is a certificate manager that sits in front of a smallstep CA and makes issuing client certificates painless for end users.

  • Self-service issuance
    Authenticated users request their own certificates via a web interface, without involving an operator.
  • Chat-driven workflows
    Users already signed into the company’s chat tool can issue certificates via a simple slash command.
  • CA abstraction
    CertBob hides the CA’s provisioner password and signing details behind a friendly front door.

✨ Features

CertBob provides the following features:

  • Docker
    Deployable as a single on-premise Docker container; see 🚀 Deployment.
  • OIDC & local auth
    Interactive users can authenticate via an existing OIDC IdP (SSO) or against a local user list.
  • Chat tool integration
    Issues certificates via a slash command in your chat tool of choice (e.g. Mattermost, Slack, Teams), leveraging the user’s existing session.
  • Email delivery
    Optionally ships the issued PKCS #12 bundle to the user via SMTP instead of an in-browser download.
  • PKCS #12
    Certificates are bundled as πŸ” PKCS #12 files that can be imported directly into many OS & browsers.
  • Cooldowns
    Per-user cooldowns prevent accidental certificate churn and abuse.

See also

CertBob fits nicely with our CA service – your PKI, without the overhead.

πŸ€·πŸ»β€β™‚οΈ RationaleΒΆ

As mentioned in the mTLS chapter of the Handbook of confirm IT, we’re making extensive use of mTLS.

This is all fine and awesome, but certificate handling can be a PITA. Thus we had to come up with a maintainable solution to issue client certificates.

Because all of our authorised users already had access to a company chat tool, we thought it would be a nice idea to issue certificates directly from there.

This is how CertBob was born. Since then we’ve continuously improved and extended CertBob, including support for additional chat tools such as Slack and Microsoft Teams.