The default connection behavior for the Silo Windows client does not perform server certificate validation. In this mode, TLS inspection (TLSI, also known as TLS break and inspect) is able to function because the Windows client will accept any certificate presented as the server certificate.
Setting the VerifyPeerCertificate value to a non-zero value in the Windows Registry will enable validation of the server certificate. In this mode, TLSI may prevent the client from establishing a connection with the Authentic8 platform unless the inspection issuer is trusted by the client.
When certificate validation is enabled with Silo Windows client version 2.9.16 (and older), an additional entry is added to the local Authentic8 cert file (a8-all-certs.crt) within the application installation directory. With Silo Windows client version 2.9.17 (and newer), the application leverages the local machine's Windows Certificate Store in conjunction with Microsoft's CryptoAPI system architecture, making the local Authentic8 cert file obsolete.
Additional Windows Registry values will be required to enable server certificate validation with Silo Windows client version 2.9.17 (and newer).
Please refer to the steps below to enable TLS inspection with server certificate validation enabled:
Silo Windows Client 2.9.16 (and older)
Expectations
- There is a pre-existing and known good TLSI network infrastructure and configuration
- The Silo Admin has the public issuer certificate(s) for the TLSI configuration in PEM format
- This procedure does not detail the configuration of TLSI network infrastructure
Configuration:
- TLSI Infrastructure
  - Modify or create a TLSI rule that includes Authentic8 traffic
  - Export the public certificate(s) used for inspection in PEM format
- Endpoint
  - Make a backup copy of the original Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
  - Append the TLSI public issuer certificate(s) to the end of the Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
  - Apply the Windows Registry key specified in the matrix below.
Important: Be careful when handling PEM files, as some Windows text editors will append hidden carriage-return characters (^M), which may render the file useless.
| Name | Type | Values |
|---|---|---|
| VerifyPeerCertificate | REG_DWORD | Non-Zero: verify server |
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8]
@=""
"VerifyPeerCertificate"=dword:00000001
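The endpoint steps above (backup, append the TLSI issuer certificates with clean line endings, set the registry value) as one PowerShell script. This is an added example, not Authentic8's own tooling; the installation directory and the PEM file path are assumptions to adjust, while the registry path and value name are the ones given in this article.

```powershell
$ErrorActionPreference = 'Stop'
# ASSUMPTIONS: $installDir and $tlsiPem are placeholders; $regPath is the path from the article.
$installDir = 'C:\Program Files (x86)\Authentic8\Silo'   # assumed location, adjust to the real install dir
$certFile   = Join-Path $installDir 'a8-all-certs.crt'
$tlsiPem    = 'C:\Temp\tlsi-issuers.pem'                 # assumed: PEM exported from the TLSI device
$regPath    = 'HKLM:\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8'

# 1. Back up the client's trust store before modifying it.
$backup = "$certFile.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $certFile -Destination $backup
Write-Host "Backup written to $backup"

# 2. Read the exported PEM, drop any CR (^M) bytes a Windows editor may have inserted,
#    and check that each block parses as a certificate and is a CA (issuer) certificate.
$pem    = [System.IO.File]::ReadAllText($tlsiPem) -replace "`r", ''
$blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----')
if ($blocks.Count -eq 0) { throw "No PEM certificate blocks found in $tlsiPem" }
foreach ($m in $blocks) {
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $bc   = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        Write-Warning "$($cert.Subject) is not a CA certificate; the client needs the TLSI issuer cert"
    }
    Write-Host "Parsed: $($cert.Subject) (valid until $($cert.NotAfter))"
}

# 3. Append the blocks with LF-only line endings (Add-Content would terminate lines with CRLF).
$existing = [System.IO.File]::ReadAllText($certFile)
$sep      = if ($existing.Length -gt 0 -and -not $existing.EndsWith("`n")) { "`n" } else { '' }
$toAppend = ($blocks | ForEach-Object { $_.Value }) -join "`n"
[System.IO.File]::AppendAllText($certFile, $sep + $toAppend + "`n", [System.Text.Encoding]::ASCII)

# 4. Enable server certificate validation: any non-zero VerifyPeerCertificate value turns it on.
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
Set-ItemProperty -Path $regPath -Name 'VerifyPeerCertificate' -Value 1 -Type DWord
Write-Host "VerifyPeerCertificate = $((Get-ItemProperty -Path $regPath).VerifyPeerCertificate)"
```

Run from an elevated prompt, since both the installation directory and the HKLM key require administrator rights.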
Silo Windows Client 2.9.17 (and newer)
Configuration:
- TLSI Infrastructure
  - Modify or create a TLSI rule that includes Authentic8 traffic
- Endpoint
  - Set the registry keys specified in the matrix below.
| Name | Type | Values |
|---|---|---|
| VerifyPeerCertificate | REG_DWORD | Non-Zero: verify server |
| ServerName | REG_SZ | |
| SystemStore | REG_SZ | |
| CertificateCount | REG_DWORD | |
| Certificate-#-Store | REG_SZ | |
| Certificate-#-Issuer | REG_SZ | |
| Certificate-#-SN | REG_SZ | |
Please contact Support for any additional questions.