hello. for fleet agent install generated by fleetdm (orbit fleet osqueryd) - is there a way to add a CA certificate to the trust chain (corp proxy in transparent mode cert CA ) in such a way that we don’t need to fiddle with the certs.pem or fleet.pem post install ? also https://issuemode.com/issues/fleetdm/fleet/75244337 I’m also a bit unclear if this need to be done for fleet-desktop as well, and whether one file contains the CA certs and the other the leaf certs or what the story is (for now we’ll just exclude the domain from SSL inspection at proxy) . Perhaps this could be a little easier in the UI so we don’t necessarily need to do an SSL bypass for the fleetdm server domain ?

Great question, @Vlad Previn! I'm going to reach out to the team for some guidance on this one and will get back to you shortly.

Hi Vlad! Couple of questions: 1. https://github.com/fleetdm/fleet/issues/5248 (unused CA certificate

certs.pem

when using

--fleet-certificate

). That's just some unused certs that shouldn't be there, right? 2.

is there a way to add a CA certificate to the trust chain (corp proxy in transparent mode cert CA ) in such a way that we don't need to fiddle with the certs.pem or fleet.pem post install ? also?

Wouldn't the

--fleet-certificate

option support this? 3.

I'm also a bit unclear if this need to be done for fleet-desktop as well

A recent change to Fleet Desktop will now allow using the certificate provided via

--fleet-certificate

to connect to Fleet.

thanks for replies 🙂 .

--fleet-certificate

that’s for fleet ctl when generating it right ? hmm >--fleet-certificate Path to server certificate bundle https://fleetdm.com/docs/using-fleet/adding-hosts#configuration-options could you please clarify what it expected in the PEM or CRT file 1. file format 2. sounds like it needs the cert chain right - leaf + ca chain? 3. is a scenario where there’s 2 CA chains supported? (some endpoints would be behind ssl breakout proxy some wont so they could either let’s say a digitcert signed leaf and related chain OR the mitm proxy corp ca cert and leaf chain) 4. does it need the leaf certs or just ICA/RCA lists? For leaf cert the proxy in SSL mitm mode will generate a cert on each connection so if it does cert pinning/needs a copy of the leaf cert this isn’t possible

Hi @Vlad Previn! 1.

that's for fleet ctl when generating it right ?

Correct. when generating the package with

fleetctl package --fleet-certificate=ca_root.pem

, such

ca_root.pem

will be added to the generated package and will be set to osquery (via

--tls_server_certs

) when running it. 2. PEM 3. CA root bundle. In other words, osquery uses such CA root bundle file to verify the (Fleet) server certificate (osquery uses the following method to load the certificate). 4. Only one way to find out 🙂 (I don't know if such scenario would work or not) 5. No, just a CA root bundle file that osquery would use to verify the server certificate. Let me know if my answers makes sense.