The Artica Meta includes a certificate lifecycle management system that:
- Monitors certificate expiration dates for all registered agents
- Automatically renews certificates before they expire (5-day threshold)
Network agents deployed across infrastructure need to:
- Receive commands from a central management server
- Report status and metrics back to the server
- Execute privileged operations (service management, configuration changes)
- Transfer sensitive data (logs, credentials, system information)
Without proper security, an attacker could:
- Impersonate the management server and send malicious commands
- Impersonate an agent and exfiltrate data
- Intercept communications and steal credentials
- Perform man-in-the-middle attacks
Mutual TLS (mTLS) extends standard TLS by requiring both parties, not only the server, to present a certificate and to verify the one they receive.
Cryptographic Identity
- Each agent has a unique private key that never leaves the system
- Identity cannot be stolen by intercepting network traffic
- No shared secrets that could leak
No Credential Transmission
- Unlike passwords or API keys, the private key is never sent
- Authentication happens through cryptographic proof of key possession
- Even if a TLS session is compromised, the long-term private key was never on the wire; the exposure is limited to that session's traffic
Bidirectional Authentication
- Server verifies agent identity before accepting data
- Agent verifies server identity before executing commands
- Prevents both impersonation attacks
Built-in Encryption
- All communication is encrypted with forward secrecy
- Session keys are unique per connection
- Past sessions remain secure even if a long-term key is compromised later, because each session was protected by ephemeral keys that were discarded afterwards
- Generates a self-signed CA certificate at setup
- Issues client certificates during enrollment
- Server certificate is also signed by the same CA
1. The Meta server requests enrollment with token
Meta ──────[Token: ABC-123-XYZ]──────> Agent
2. Agent validates the token, then the Meta server sends its public key
Meta ──────[Public Key PEM]──────────> Agent
3. Agent signs a certificate for that public key with its CA
Agent CA signs: CN=meta-hostname, PublicKey=...
4. Agent returns signed certificate + CA cert
Meta <─────[Client Cert + CA Cert]───Agent
5. The Meta server stores certificates for future mTLS
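The enrollment above, together with the lifecycle check described at the top of the page (renew once fewer than 5 days remain on a 90-day certificate), as an added example in Go. This is illustration code written for this page, not Artica's implementation. It assumes the agent runs its own self-signed CA (as step 3 implies), that the enrollment token has already been shared out of band, and P-256 keys on both sides; the names `Agent`, `Enroll`, `MetaEnroll`, `NeedsRenewal` and the `agent-ca` subject are invented here. The Meta side performs two checks the diagram leaves implicit before storing anything: that the returned certificate is for the key it generated, and that it chains to the CA certificate it was handed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const certLifetime, renewalThreshold = 90 * 24 * time.Hour, 5 * 24 * time.Hour // 90-day certs, renew with <5 days left

// must turns a local, unrecoverable failure (key generation, signing) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Agent owns a self-signed CA (step 3 has the agent sign "with its CA") and the one-time token it expects.
type Agent struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	token  string // assumed to be provisioned out of band; that step is not shown on the page
}

// issue signs tmpl with key, adding a random serial and a NotBefore a minute in the past for clock skew.
func issue(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// NewAgent generates the CA key and self-signed CA certificate at agent setup.
func NewAgent(token string) *Agent {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		Subject: pkix.Name{CommonName: "agent-ca"}, NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return &Agent{caKey: key, caCert: issue(tmpl, tmpl, &key.PublicKey, key), token: token}
}

// Enroll is the agent side of steps 2-4: constant-time token check, then certify the Meta server's public key and return cert + CA cert.
func (a *Agent) Enroll(token, hostname string, pubPEM []byte) (*x509.Certificate, *x509.Certificate, error) {
	if subtle.ConstantTimeCompare([]byte(token), []byte(a.token)) != 1 {
		return nil, nil, fmt.Errorf("enrollment rejected: bad token")
	}
	block, _ := pem.Decode(pubPEM) // only the public half ever crosses the wire
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, nil, fmt.Errorf("enrollment rejected: expected a PUBLIC KEY PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, nil, fmt.Errorf("enrollment rejected: %w", err)
	}
	cert := issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: hostname}, NotAfter: time.Now().Add(certLifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, a.caCert, pub, a.caKey)
	return cert, a.caCert, nil
}

// MetaEnroll is the Meta side of steps 1, 2 and 5: the private key is generated here and never leaves; the result is verified before it is stored.
func MetaEnroll(agent *Agent, token, hostname string) (*x509.Certificate, *x509.CertPool, error) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: must(x509.MarshalPKIXPublicKey(&key.PublicKey))})
	cert, ca, err := agent.Enroll(token, hostname, pubPEM)
	if err != nil {
		return nil, nil, err
	}
	if !key.PublicKey.Equal(cert.PublicKey) { // it must certify *our* key, not one the agent chose
		return nil, nil, fmt.Errorf("agent returned a certificate for a different key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // and it must chain to the CA we were handed, as a client certificate
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, nil, fmt.Errorf("certificate does not chain to the returned CA: %w", err)
	}
	return cert, roots, nil
}

// NeedsRenewal is the lifecycle check: true once fewer than renewalThreshold remain.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	return cert.NotAfter.Sub(now) < renewalThreshold
}

func main() {
	cert, _, err := MetaEnroll(NewAgent("ABC-123-XYZ"), "ABC-123-XYZ", "meta-hostname") // token as in the diagram
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.Subject.CommonName, "valid until", cert.NotAfter.Format(time.RFC3339), "renew now:", NeedsRenewal(cert, time.Now()))
}
```

The pool that `MetaEnroll` returns is what later goes into `tls.Config`: `RootCAs` on the side that dials and `ClientCAs` with `ClientAuth: tls.RequireAndVerifyClientCert` on the side that listens, which is where the bidirectional verification described earlier actually happens. Because every certificate chains to a single agent-local CA, any certificate that CA has issued is accepted until it expires, so the 90-day lifetime and the 5-day renewal threshold are the mechanism that bounds how long a lost key stays usable.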
The Principle of Least Persistence
Certificates are designed to expire for several critical security reasons:
1. Limiting Exposure Window
If a private key is compromised and the compromise goes undetected, 90-day certificates cap the worst-case exposure at 90 days: the certificate, and with it the usefulness of the stolen key, lapses on its own.
- Fresh cryptographic material every 90 days
- Limits value of any single compromised key
- Limits the damage from a key generated with weak randomness, since it is replaced at the next rotation