Overview

The default connection from the Authentic8 client for Windows to the Silo platform does not perform validation of the server certificate. In this mode, TLS inspection (TLSI, aka TLS break and inspect) functions because the client will accept any certificate presented as the server certificate. 


Setting the VerifyPeerCertificate setting to any non-zero value in the registry will enable validation of the server certificate. However, in this mode, TLSI will disrupt the client from establishing a connection to the platform. 


When certificate validation is enabled with Windows Client version 2.9.16, the TLSI issuer certificate is added to the Authentic8 cert file in the application installation directory. With Windows Client 2.9.17, the application uses the Windows Certificate Store and the Microsoft Crypto API, and the Authentic8 cert file is no longer supported. If certificate validation is enabled when upgrading to version 2.9.17, additional registry values are required.


To enable TLS inspection with server certificate validation enabled, follow the steps below for your client version:


Procedure for Windows Client 2.9.16 to enable TLS inspection


Assumptions & Caveats


  • There is a pre-existing, known good TLSI network infrastructure and configuration
  • The Silo admin has the public issuer certificate(s) for the TLSI configuration in PEM format
  • This procedure does not detail the configuration of TLSI network infrastructure


Configuration Steps


  1. TLSI Infrastructure
    1. Modify or create a TLSI rule that includes Authentic8 traffic
    2. Export the public certificate(s) used for inspection in PEM format
  2. Endpoint
    1. Make a backup copy of the original Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
    2. Append the TLSI public issuer certificate(s) to the end of the Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
    3. Set the registry keys specified in the matrix below.

Note: Be careful when handling PEM files, as some Windows editors will append hidden characters (^M), which may render the file useless.


Name                   Type       Values
VerifyPeerCertificate  REG_DWORD  Non-Zero: verify server



You may also copy the registry information below into a .reg file to enable this feature. This assumes Silo was installed programmatically via desktop management software, i.e., in machine scope to %ProgramFiles(x86)% (“C:\Program Files (x86)”) rather than in user scope to %LOCALAPPDATA%:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8]
@=""
"VerifyPeerCertificate"=dword:00000001
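The 2.9.16 endpoint steps above, as an added PowerShell example that is not Authentic8's own tooling: it keeps a copy of the original a8-all-certs.crt, appends the TLSI issuer certificate(s) from a PEM file (skipping any already present, and re-emitting each one from its decoded DER bytes so the stray ^M characters mentioned in the note cannot corrupt the store), and sets VerifyPeerCertificate. The install directory and the PEM path are assumptions; adjust them for your environment.

```powershell
# Added example, not Authentic8's own tooling. Paths below are assumptions.
param(
    [string]$IssuerPem  = 'C:\temp\tlsi-issuer.pem',               # assumed: exported TLSI issuer cert(s), PEM
    [string]$InstallDir = "${env:ProgramFiles(x86)}\Authentic8"    # assumed: machine-scope install directory
)
$ErrorActionPreference = 'Stop'
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8'
$store  = Join-Path $InstallDir 'a8-all-certs.crt'

# Decode every BEGIN/END CERTIFICATE block in a PEM string into an X509Certificate2.
# Whitespace (including stray CR characters) inside the base64 body is discarded.
function Get-PemCertificates([string]$Text) {
    $pattern = '-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

$pem = [IO.File]::ReadAllText($IssuerPem)
if ($pem -match "`r") { Write-Warning "CR (^M) characters found in $IssuerPem; blocks will be re-encoded cleanly" }
$newCerts = @(Get-PemCertificates $pem)
if ($newCerts.Count -eq 0) { throw "No certificate blocks found in $IssuerPem" }

# Step 2.1: keep an untouched copy of the original store (created on the first run only).
$backup = "$store.orig"
if (-not (Test-Path $backup)) { Copy-Item -Path $store -Destination $backup }

# Step 2.2: append only issuer certs whose thumbprint is not already in the store.
$content  = [IO.File]::ReadAllText($store)
$existing = @(Get-PemCertificates $content | Select-Object -ExpandProperty Thumbprint)
foreach ($cert in $newCerts) {
    if ($existing -contains $cert.Thumbprint) { Write-Host "Already present: $($cert.Subject)"; continue }
    # Re-encode from DER with LF line endings so no hidden editor characters reach the file.
    $b64   = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') -replace "`r`n", "`n"
    $block = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
    if ($content.Length -gt 0 -and -not $content.EndsWith("`n")) { $block = "`n$block" }
    [IO.File]::AppendAllText($store, $block)
    $content += $block
    Write-Host "Appended $($cert.Subject) (thumbprint $($cert.Thumbprint))"
}

# Step 2.3: any non-zero value enables server certificate validation.
New-Item -Path $regKey -Force | Out-Null
Set-ItemProperty -Path $regKey -Name 'VerifyPeerCertificate' -Value 1 -Type DWord
Write-Host "VerifyPeerCertificate=1 set under $regKey"
```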



Procedure for Windows Client 2.9.17 to enable TLS inspection


Configuration Steps


  1. TLSI Infrastructure
    1. Modify or create a TLSI rule that includes Authentic8 traffic
  2. Endpoint
    1. Set the registry keys specified in the matrix below.



Name                   Type       Values
VerifyPeerCertificate  REG_DWORD  Non-Zero: verify server
ServerName             REG_SZ
SystemStore            REG_SZ
CertificateCount       REG_DWORD
Certificate-#-Store    REG_SZ
Certificate-#-Issuer   REG_SZ
Certificate-#-SN       REG_SZ



Additional Notes

Please contact Support for our "How to verify Certificate of Certificate Pinning" reference guide, or if you have any additional questions and/or require further information.