By default, the Silo Windows client does not validate the server certificate. In this mode TLS inspection (TLSI, also called TLS break and inspect) works because the Windows client accepts whatever certificate is presented as the server certificate.


Setting the VerifyPeerCertificate value to a non-zero value in the Windows Registry enables validation of the server certificate. In this mode, TLSI may prevent the client from establishing a connection with the Authentic8 platform, because the inspecting proxy's certificate will not chain to a trusted issuer unless the steps below are followed.


When certificate validation is enabled with Silo Windows client version 2.9.16 (and older), an additional entry is added to the local Authentic8 certificate file (a8-all-certs.crt) within the application installation directory. With Silo Windows client version 2.9.17 (and newer), the application uses the local machine's Windows Certificate Store together with Microsoft's CryptoAPI, which makes the local Authentic8 certificate file obsolete.

Additional Windows Registry values are required to enable server certificate validation with Silo Windows client version 2.9.17 (and newer).


Please refer to the steps below to enable TLS inspection with server certificate validation enabled:



Silo Windows Client 2.9.16 (and older)


Expectations

  • There is a pre-existing and known good TLSI network infrastructure and configuration
  • The Silo Admin has the public issuer certificate(s) for the TLSI configuration in PEM format
  • This procedure does not detail the configuration of TLSI network infrastructure


Configuration:

  1. TLSI Infrastructure
    1. Modify or create a TLSI rule that includes Authentic8 traffic
    2. Export the public certificate(s) used for inspection in PEM format
  2. Endpoint
    1. Make a backup copy of the original Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
    2. Append the TLSI public issuer certificate(s) to the end of the Authentic8 client’s trusted certificate store file (a8-all-certs.crt)
    3. Apply the Windows Registry key specified in the matrix below.


Important: Be careful when handling PEM files, as some Windows text editors will append hidden carriage-return characters (^M) to each line, which may render the file useless.


Name                    Type        Values
VerifyPeerCertificate   REG_DWORD   Non-Zero: verify server



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8]
@=""
"VerifyPeerCertificate"=dword:00000001
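The following PowerShell script is an added example, not Authentic8's own tooling, that carries out the 2.9.16 endpoint steps above in one pass: back up a8-all-certs.crt, append the TLSI issuer certificate(s) with LF-only line endings so the ^M problem from the note cannot occur, parse each certificate before appending it, and set the VerifyPeerCertificate registry value. The installation directory and the PEM file paths are assumptions; adjust them to your environment.

```powershell
# Added example (not Authentic8's code): enable server certificate validation
# behind TLSI for Silo Windows client 2.9.16 and older.
# Assumptions: $SiloDir is the client installation directory (path assumed),
# $IssuerPems are the exported TLSI issuer certificates in PEM format (paths assumed).
#Requires -RunAsAdministrator
param(
    [string]$SiloDir    = 'C:\Program Files (x86)\Authentic8\Silo',   # assumed install path
    [string[]]$IssuerPems = @('C:\tlsi\issuer-root.pem')             # assumed PEM path(s)
)
$ErrorActionPreference = 'Stop'
$bundle = Join-Path $SiloDir 'a8-all-certs.crt'
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8'

# 1. Back up the original trusted certificate store file before changing it.
$backup = "$bundle.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $bundle -Destination $backup
Write-Host "Backup written to $backup"

# 2. Read each issuer PEM, strip carriage returns (the ^M characters some Windows
#    editors add) and parse every certificate block to prove it is a valid certificate.
$pemBlocks = foreach ($pem in $IssuerPems) {
    $text  = (Get-Content -LiteralPath $pem -Raw) -replace "`r", ''
    $found = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----')
    if ($found.Count -eq 0) { throw "No PEM certificate block found in $pem" }
    foreach ($m in $found) {
        $b64  = ($m.Value -replace '-----(BEGIN|END) CERTIFICATE-----', '').Trim()
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($b64))
        Write-Host ("Appending {0} (expires {1})" -f $cert.Subject, $cert.NotAfter)
        $m.Value   # emit the clean block for the bundle
    }
}

# 3. Append to the bundle using LF line endings only and UTF-8 without BOM.
$existing = (Get-Content -LiteralPath $bundle -Raw) -replace "`r", ''
if (-not $existing.EndsWith("`n")) { $existing += "`n" }
$newContent = $existing + (($pemBlocks -join "`n") + "`n")
[System.IO.File]::WriteAllText($bundle, $newContent, [System.Text.UTF8Encoding]::new($false))

# 4. Enable server certificate validation (same value as the .reg file above).
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
Set-ItemProperty -Path $regKey -Name 'VerifyPeerCertificate' -Value 1 -Type DWord

# 5. Verify: no CR bytes (0x0D) remain in the bundle and the value reads back non-zero.
if ([System.IO.File]::ReadAllBytes($bundle) -contains 13) { throw 'CR bytes present in bundle' }
$val = (Get-ItemProperty -Path $regKey -Name 'VerifyPeerCertificate').VerifyPeerCertificate
if ($val -eq 0) { throw 'VerifyPeerCertificate is still zero' }
Write-Host "VerifyPeerCertificate = $val; bundle updated at $bundle"
```

Run it from an elevated PowerShell session. If the client later fails to connect, restoring the backup file and setting VerifyPeerCertificate back to 0 returns the endpoint to the default (non-validating) behaviour while the TLSI rule is investigated.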



Silo Windows Client 2.9.17 (and newer)


Configuration:

  1. TLSI Infrastructure
    1. Modify or create a TLSI rule that includes Authentic8 traffic
  2. Endpoint
    1. Set the registry keys specified in the matrix below.



Name                    Type        Values
VerifyPeerCertificate   REG_DWORD   Non-Zero: verify server
ServerName              REG_SZ
SystemStore             REG_SZ
CertificateCount        REG_DWORD
Certificate-#-Store     REG_SZ
Certificate-#-Issuer    REG_SZ
Certificate-#-SN        REG_SZ
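For 2.9.17 and newer the client relies on the Windows Certificate Store, so the practical check is whether the TLSI issuer certificate is present in a LocalMachine store that CryptoAPI consults. The following PowerShell script is an added example, not Authentic8's tooling: it sets VerifyPeerCertificate, inventories the LocalMachine Root and CA stores for certificates whose subject matches a filter you supply, and prints the store name, issuer and serial number of each match, together with the current values of the registry entries listed in the matrix. The matrix does not specify the contents of ServerName, SystemStore, CertificateCount or the Certificate-#-* values, so the script only reads those back and does not write them; the subject filter and store list are assumptions.

```powershell
# Added example (not Authentic8's code): for Silo Windows client 2.9.17 and newer,
# enable validation and inventory the LocalMachine stores for the TLSI issuer.
# Assumptions: $IssuerNameFilter is a substring of your TLSI issuer's subject name;
# $Stores are the LocalMachine stores to search.
#Requires -RunAsAdministrator
param(
    [string]$IssuerNameFilter = 'TLSI',     # assumed: substring of the TLSI issuer subject
    [string[]]$Stores         = @('Root', 'CA')
)
$ErrorActionPreference = 'Stop'
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Authentic8, Inc.\Authentic8'

# 1. Turn on server certificate validation.
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
Set-ItemProperty -Path $regKey -Name 'VerifyPeerCertificate' -Value 1 -Type DWord

# 2. Inventory matching certificates in each LocalMachine store so the admin can
#    confirm the TLSI issuer is trusted by the machine and note its attributes.
$report = foreach ($store in $Stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "*$IssuerNameFilter*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store        = $store
                Subject      = $_.Subject
                Issuer       = $_.Issuer
                SerialNumber = $_.SerialNumber
                NotAfter     = $_.NotAfter
                Thumbprint   = $_.Thumbprint
            }
        }
}
if (-not $report) {
    Write-Warning "No certificate matching '*$IssuerNameFilter*' found in LocalMachine $($Stores -join ', ')"
} else {
    $report | Format-Table -AutoSize
}

# 3. Read back the Silo registry values from the matrix so the change can be audited.
Get-ItemProperty -Path $regKey |
    Select-Object VerifyPeerCertificate, ServerName, SystemStore, CertificateCount |
    Format-List
```

A warning from step 2 means the machine itself does not trust the TLSI issuer, which is the first thing to resolve before expecting the client to accept an inspected connection.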




Please contact Support for any additional questions.