The default connection from the Authentic8 client for Windows to the Silo platform does not perform validation of the server certificate. In this mode, TLS inspection (TLSI, aka TLS break and inspect) functions because the client will accept any certificate presented as the server certificate.
Setting the VerifyPeerCertificate registry value to any non-zero value enables validation of the server certificate. However, in this mode, TLSI will prevent the client from establishing a connection to the platform, because the inspection device's certificate is not issued by an authority the client trusts.
To enable TLS inspection with server certificate validation enabled, follow these steps:
Assumptions & Caveats
- There is a pre-existing, known good TLSI network infrastructure and configuration
- The Silo admin has the public issuer certificate(s) for the TLSI configuration in PEM format
- This procedure does not detail the configuration of TLSI network infrastructure
TLSI Infrastructure
- Modify or create a TLSI rule that includes Authentic8 traffic
- Export the public certificate(s) used for inspection in PEM format
- Make a backup copy of the original Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
- Append the TLSI public issuer certificate(s) to the end of the Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
- Set the registry keys specified in the matrix below.
Note: Be careful when handling PEM files, as some Windows editors will append hidden carriage-return characters (^M) to each line, which may render the file useless.
| Value name | Type | Data |
|---|---|---|
| VerifyPeerCertificate | REG_DWORD | Non-zero: verify the server certificate |
You may also copy and paste the registry information below into a registry (.reg) file to enable this feature, assuming Silo was installed programmatically via desktop management software (i.e. the install was made in machine scope to %ProgramFiles(x86)%, which is “C:\Program Files (x86)”, and not in user scope to %LOCALAPPDATA%):
Windows Registry Editor Version 5.00
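The client-side steps above (back up a8-all-certs.crt, append the TLSI issuer certificate(s) in PEM format, set VerifyPeerCertificate) as one added PowerShell example; this is not Authentic8's own tooling. The Silo install folder and registry key path are placeholders because this page does not state them, the PEM file paths are constructed, and the script must run elevated for a machine-scope install.

```powershell
# Added example, not Authentic8's tooling. Placeholders to adjust (assumptions):
#   <SILO-INSTALL-DIR>  - folder under %ProgramFiles(x86)% that holds a8-all-certs.crt
#   <SILO-REGISTRY-KEY> - the key that carries VerifyPeerCertificate (not given on this page)
#   C:\tlsi\*.pem       - constructed paths to the exported TLSI issuer certificate(s)
$StorePath  = "${env:ProgramFiles(x86)}\<SILO-INSTALL-DIR>\a8-all-certs.crt"
$IssuerPems = @("C:\tlsi\tlsi-root.pem", "C:\tlsi\tlsi-issuing.pem")
$RegKey     = "HKLM:\SOFTWARE\<SILO-REGISTRY-KEY>"

# 1. Back up the original trusted certificate store before touching it.
$backup = "$StorePath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $StorePath -Destination $backup -ErrorAction Stop

# Make sure the store ends with a newline so the appended block starts on its own line.
$store = [System.IO.File]::ReadAllText($StorePath)
if (-not $store.EndsWith("`n")) { [System.IO.File]::AppendAllText($StorePath, "`n") }

foreach ($pem in $IssuerPems) {
    # 2. Strip carriage returns (^M) that Windows editors may insert; keep LF-only lines.
    $text = ([System.IO.File]::ReadAllText($pem) -replace "`r", "").TrimEnd() + "`n"

    # 3. Refuse anything that is not PEM-framed (e.g. a DER/.cer export by mistake).
    if ($text -notmatch '-----BEGIN CERTIFICATE-----' -or $text -notmatch '-----END CERTIFICATE-----') {
        throw "$pem is not a PEM certificate file"
    }

    # 4. Confirm the (first) certificate parses as X.509 and is a CA, i.e. an inspection issuer
    #    rather than a leaf certificate that would not validate anything.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [System.Text.Encoding]::ASCII.GetBytes($text))
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$pem ($($cert.Subject)) is not a CA certificate; expected the TLSI issuer"
    }
    if ($store.Contains($text.Trim())) { Write-Warning "$pem already present in store, skipping"; continue }

    # Append the cleaned PEM block to the end of the client's trusted store.
    [System.IO.File]::AppendAllText($StorePath, $text)
    Write-Host "Appended $($cert.Subject) (expires $($cert.NotAfter))"
}

# 5. Turn on server certificate validation (any non-zero value works; 1 is used here).
if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
New-ItemProperty -Path $RegKey -Name VerifyPeerCertificate -PropertyType DWord -Value 1 -Force | Out-Null

# 6. Report the result so the change can be checked against the backup.
$count = ([regex]::Matches([System.IO.File]::ReadAllText($StorePath), 'BEGIN CERTIFICATE')).Count
Write-Host "Backup: $backup; store now holds $count certificate block(s); VerifyPeerCertificate=1"
```

If the client still fails to connect afterwards, restore the backup copy and confirm the appended PEM is the issuer the TLSI device actually signs with, not a different CA from the same infrastructure.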
Please contact Support if you have any additional questions and/or require further information.