Abstract
Two big things in this release: a remote-updating CertKit agent and Google Trust Store CA issuer support.
Remote agent updates
Before 1.9, updating the CertKit Agent meant logging into every server and re-running the installation snippet. It would pull the latest version and update in place, which worked fine. But if you have 40 servers, that’s 40 RDP sessions. With how fast we’ve been shipping, that was turning into a real burden for our larger customers.
Agent 1.9 adds push updates. When a newer version is available, you’ll see an upgrade notification in the CertKit dashboard. Hit the button, and we push the latest version to the agent without you needing to touch the server.
I know what you’re thinking: “why didn’t you just add auto-update?” We thought about it. We might do it later. But we don’t love the idea of giving vendors the ability to change our systems outside of our control. We like to own that decision, and we figured you would too. So for now, updates are reported and available with one click, but you decide when they happen.
This pairs well with agent locking. Lock your agent configuration so we can’t modify what it does, and use push updates to control when it gets new code.
Google Trust Store
CertKit now supports Google Trust Store as a certificate issuer, in addition to Let’s Encrypt.
Both are excellent. Both are free. Both produce certificates that every browser and operating system trusts. The practical difference is that Google Trust Store requires a Google Cloud account, while Let’s Encrypt just works. You have to have a backup plan, especially in technology.
Getting here forced us through a bunch of design decisions about how CertKit handles multiple ACME issuers within a single account. We built out settings for specifying your ACME account details and external account bindings, which means the plumbing is now in place for adding other issuers too. For those of you who really want to pay for certificates, that door is open.
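For readers who have not dealt with external account bindings: RFC 8555 section 7.3.4 defines the binding as an HMAC-signed JWS over the ACME account public key, sent inside the newAccount request. The sketch below is an added example, not CertKit's code; the issuer names, URLs, key ID, HMAC key, contact address and the layout of the `ISSUERS` settings are all constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(account_jwk, kid, hmac_key_b64, new_account_url):
    """RFC 8555 7.3.4: HMAC-signed JWS whose payload is the account public key."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": new_account_url}).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True).encode())
    mac = hmac.new(b64url_decode(hmac_key_b64), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def new_account_payload(issuer, account_jwk, contact):
    """newAccount body; the binding is attached only when the issuer has EAB credentials."""
    body = {"termsOfServiceAgreed": True, "contact": [f"mailto:{contact}"]}
    eab = issuer.get("eab")
    if eab:
        body["externalAccountBinding"] = build_eab(
            account_jwk, eab["kid"], eab["hmac_key"], issuer["new_account_url"])
    return body

def verify_eab(eab, hmac_key_b64, expected_url, expected_jwk):
    """CA-side check: algorithm and URL match, payload is the outer account key, MAC is valid."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("url") != expected_url:
        return False
    if json.loads(b64url_decode(eab["payload"])) != expected_jwk:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

# Constructed sample values (not real credentials, keys or CA endpoints).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
ISSUERS = {
    "no-eab": {"new_account_url": "https://acme-a.example/new-account", "eab": None},
    "with-eab": {"new_account_url": "https://acme-b.example/new-account",
                 "eab": {"kid": "constructed-key-id",
                         "hmac_key": b64url(b"constructed-hmac-secret-32-bytes")}},
}

if __name__ == "__main__":
    for name, issuer in ISSUERS.items():
        body = new_account_payload(issuer, ACCOUNT_JWK, "ops@example.com")
        print(name, "externalAccountBinding" in body)
```

Because the binding covers the account key and the newAccount URL, the HMAC key issued for one account key or one issuer endpoint does not validate against another, which is why these credentials are stored per issuer.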
What’s next
Google Trust Store checked off the latest big thing on the roadmap. The two things we’re looking at next are Private CA support and improving the appliance push agent workflow. What do you want us to work on?
CertKit automates certificate lifecycle management. See how the agent fits into the full picture.