Introduction

Prior to Silo Windows client version 2.9.13, Certificate Pinning was enabled by default, validating server certificates with a built-in certificate file (a8-all-certs.crt). However, this process interfered with local SSL/TLS inspection, requiring customers to create an Allow List for Authentic8 IP addresses.


With Silo client version 2.9.13, Certificate Pinning is now disabled by default, allowing customers to inspect/decrypt Silo traffic as needed.


Starting with client version 2.9.17, the Silo client uses Microsoft's CryptoAPI to validate server certificates against trusted CA-issued certificates stored in the Windows Certificate Store. The a8-all-certs.crt file is no longer used.


Optional: Please contact Support for additional instructions to re-enable Certificate Pinning.


Enabling Server Validation for 2.9.13 through 2.9.16

The following Windows Registry value will need to be configured on the local machine in order to enable server certificate validation for Silo for Windows client versions 2.9.13, 2.9.14 or 2.9.16:


Important: If Server Validation is implemented for versions 2.9.13 through 2.9.16, this registry entry should be removed when upgrading to version 2.9.17.




Name: VerifyPeerCertificate
Type: REG_DWORD
Values:
  • 0: disable
  • Non-Zero: verify server
Default (when not set): 0



You may also copy and paste the following registry information into a registry (.reg) file to enable this feature:


Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\Software\Authentic8, Inc.\Authentic8]

"VerifyPeerCertificate"=dword:00000001

@=""



If the Silo client was installed via Managed Software installation (e.g., machine installation context), then the following Windows Registry value will need to be added:


[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8]

"VerifyPeerCertificate"=dword:00000001

@=""
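To check whether a machine matches the guidance above, the following PowerShell audit reads both registry locations and reports whether the value is missing, enabled, or left behind after an upgrade to 2.9.17. It is an added example, not Authentic8 code; the -ClientVersion parameter and the Get-Advice helper are assumptions introduced here, since this article does not say where the client records its version.

```powershell
# Added example, not Authentic8 code. Audits the VerifyPeerCertificate value
# described in this article. Hypothetical usage: .\audit.ps1 -ClientVersion 2.9.16
param(
    # Assumption: the installed Silo client version is supplied by the caller.
    [Parameter(Mandatory)][version]$ClientVersion
)

# Registry locations taken from this article (per-user and managed install).
$paths = @(
    'HKCU:\Software\Authentic8, Inc.\Authentic8',
    'HKLM:\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8'
)

# Hypothetical helper: maps client version + registry value to the article's guidance.
function Get-Advice {
    param([version]$Version, $Value)
    if ($Version -ge [version]'2.9.17') {
        # 2.9.17 and later validate through the Windows Certificate Store.
        if ($null -ne $Value) { return 'STALE: remove this entry after upgrading to 2.9.17' }
        return 'OK: entry not present'
    }
    if ($Version -ge [version]'2.9.13') {
        # Default when not set is 0 (disabled); any non-zero value verifies the server.
        if ($null -eq $Value -or $Value -eq 0) { return 'NOT VERIFYING: server validation is disabled' }
        return 'OK: server certificate validation enabled'
    }
    return 'N/A: before 2.9.13 Certificate Pinning is enabled by default'
}

foreach ($path in $paths) {
    # Returns nothing when the key or the value does not exist.
    $item  = Get-ItemProperty -Path $path -Name 'VerifyPeerCertificate' -ErrorAction SilentlyContinue
    $value = if ($item) { $item.VerifyPeerCertificate } else { $null }
    [pscustomobject]@{
        Path   = $path
        Value  = if ($null -eq $value) { '(not set)' } else { $value }
        Advice = Get-Advice -Version $ClientVersion -Value $value
    }
}
```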





Please contact Support with any additional questions.