Vlad Previn
07/14/2022, 5:51 AM

Kathy Satterlee
07/14/2022, 2:33 PM

Lucas Rodriguez
07/14/2022, 3:04 PM
certs.pem when using --fleet-certificate). That's just some unused certs that shouldn't be there, right?
2. Is there a way to add a CA certificate to the trust chain (corp proxy in transparent mode cert CA) in such a way that we don't need to fiddle with the certs.pem or fleet.pem post install? Also?
Wouldn't the --fleet-certificate option support this?
3. I'm also a bit unclear if this needs to be done for fleet-desktop as well.
A recent change to Fleet Desktop will now allow using the certificate provided via --fleet-certificate to connect to Fleet.

Vlad Previn
07/15/2022, 1:11 AM
--fleet-certificate
That's for fleetctl when generating it, right? hmm
> --fleet-certificate Path to server certificate bundle
https://fleetdm.com/docs/using-fleet/adding-hosts#configuration-options
Could you please clarify what is expected in the PEM or CRT file:
1. file format
2. sounds like it needs the cert chain, right - leaf + CA chain?
3. is a scenario where there are 2 CA chains supported? (some endpoints would be behind an SSL breakout proxy, some won't, so they could have either, let's say, a DigiCert-signed leaf and related chain OR the MITM proxy corp CA cert and leaf chain)
4. does it need the leaf certs or just ICA/RCA lists? For the leaf cert, the proxy in SSL MITM mode will generate a cert on each connection, so if it does cert pinning/needs a copy of the leaf cert this isn't possible
Lucas Rodriguez
07/15/2022, 3:50 PM
> that's for fleetctl when generating it, right?
Correct. When generating the package with fleetctl package --fleet-certificate=ca_root.pem, such ca_root.pem will be added to the generated package and will be set to osquery (via --tls_server_certs) when running it.
2. PEM
3. CA root bundle. In other words, osquery uses such CA root bundle file to verify the (Fleet) server certificate (osquery uses the following method to load the certificate).
4. Only one way to find out 🙂 (I don't know if such scenario would work or not)
5. No, just a CA root bundle file that osquery would use to verify the server certificate.
Let me know if my answers make sense.