Introduction


Prior to Silo for Windows client version 2.9.13, access to Silo was restricted through Certificate Pinning (enabled by default). This meant that the client would validate the server certificate using a pre-installed certificate file (a8-all-certs.crt) that was shipped with the Silo software. As a side effect, SSL inspection/decryption was not possible, and customers needed to create a Network Exception (Allow List) for the IP addresses within our infrastructure.


Starting with Silo for Windows client version 2.9.13, the default behavior of the Silo client is to connect without Certificate Pinning. This allows customers to decrypt traffic between the Silo client and Authentic8 servers.


With Silo for Windows client version 2.9.17, the default behavior is for the server certificate to be validated against the built-in Windows Certificate Store using Microsoft’s CryptoAPI System Architecture. The certificate file (a8-all-certs.crt) is no longer applicable with this release.


If your organization would like to also implement Certificate Pinning, please reach out to Authentic8 Support for the appropriate Windows Registry configuration. 



Enabling Server Validation for 2.9.13 through 2.9.16


To enable validation of the server certificate for Windows client 2.9.13, 2.9.14 or 2.9.16, add the following registry configuration on the local client computer.


Note: If Server Validation is implemented for 2.9.13 through 2.9.16, this registry entry should be removed when upgrading to 2.9.17.


Here are the details:


Name: VerifyPeerCertificate
Type: REG_DWORD
Values:
  • 0: disable
  • Non-Zero: verify server
Default (when not set): 0


You may also copy and paste the registry info here into a registry file to enable this feature:


Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\Software\Authentic8, Inc.\Authentic8]

"VerifyPeerCertificate"=dword:00000001

@=""


If Silo was installed programmatically via desktop management software (i.e. the install was made at machine scope into Program Files (x86) and not at the user scope level), then this registry key will need to be written to the following path:

  

   


[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8]

"VerifyPeerCertificate"=dword:00000001

@=""
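
The check below is an added example, not code from Authentic8: a PowerShell function that reads VerifyPeerCertificate at both registry paths above and reports whether the entry matches this page's guidance for a given client version. The function name and the -ClientVersion parameter are assumptions; this page does not say where the installed version is recorded or which path takes precedence when both are set, so each path is reported separately.

```powershell
# Added example, not Authentic8 code. Audits the VerifyPeerCertificate value
# at the two registry paths given on this page.
function Get-SiloServerValidation {
    [CmdletBinding()]
    param(
        # Assumption: the caller supplies the installed Silo client version.
        [Parameter(Mandatory)] [version] $ClientVersion
    )
    $name  = 'VerifyPeerCertificate'
    $paths = [ordered]@{
        User    = 'HKCU:\Software\Authentic8, Inc.\Authentic8'
        Machine = 'HKLM:\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8'
    }
    foreach ($scope in $paths.Keys) {
        $key     = Get-Item -LiteralPath $paths[$scope] -ErrorAction SilentlyContinue
        $present = ($null -ne $key) -and ($key.GetValueNames() -contains $name)
        $kind    = if ($present) { $key.GetValueKind($name) } else { $null }
        $raw     = if ($present) { $key.GetValue($name) } else { $null }
        # Page semantics: unset means 0 (disabled); any non-zero DWORD verifies the server.
        $enabled = $present -and ($kind -eq 'DWord') -and ($raw -ne 0)

        $finding = if ($ClientVersion -lt [version]'2.9.13') {
            'Not applicable: certificate pinning is the default before 2.9.13'
        } elseif ($ClientVersion -ge [version]'2.9.17') {
            if ($present) { 'Remove entry: it should be removed when upgrading to 2.9.17' }
            else { 'OK: 2.9.17 validates against the Windows Certificate Store by default' }
        } elseif ($present -and ($kind -ne 'DWord')) {
            "Wrong type ($kind), expected REG_DWORD"
        } elseif ($enabled) {
            'Server validation enabled'
        } else {
            'Server validation disabled (default when not set is 0)'
        }
        [pscustomobject]@{
            Scope = $scope; Path = $paths[$scope]; Present = $present
            Value = $raw; Enabled = $enabled; Finding = $finding
        }
    }
}

# Example call with a constructed version number.
Get-SiloServerValidation -ClientVersion '2.9.14' | Format-List
```

Run it in the logged-on user's session, because HKCU resolves to the registry hive of the account running the script.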


Additional Notes  

Please contact Support if you have any additional questions and/or require further information.