Title
#fleet
v

Vlad Previn

07/14/2022, 5:51 AM
hello. for fleet agent install generated by fleetdm (orbit fleet osqueryd) - is there a way to add a CA certificate to the trust chain (corp proxy in transparent mode cert CA ) in such a way that we don’t need to fiddle with the certs.pem or fleet.pem post install ? also https://issuemode.com/issues/fleetdm/fleet/75244337 I’m also a bit unclear if this need to be done for fleet-desktop as well, and whether one file contains the CA certs and the other the leaf certs or what the story is (for now we’ll just exclude the domain from SSL inspection at proxy) . Perhaps this could be a little easier in the UI so we don’t necessarily need to do an SSL bypass for the fleetdm server domain ?
10:18 AM
if it pins the actual cert it won’t do any good if we include the proxy ca 😞
Kathy Satterlee

Kathy Satterlee

07/14/2022, 2:33 PM
Great question, @Vlad Previn! I'm going to reach out to the team for some guidance on this one and will get back to you shortly.
Lucas Rodriguez

Lucas Rodriguez

07/14/2022, 3:04 PM
Hi Vlad! Couple of questions:1. https://github.com/fleetdm/fleet/issues/5248 (unused CA certificate
certs.pem
when using
--fleet-certificate
). That's just some unused certs that shouldn't be there, right? 2.
is there a way to add a CA certificate to the trust chain (corp proxy in transparent mode cert CA ) in such a way that we don't need to fiddle with the certs.pem or fleet.pem post install ? also?
Wouldn't the
--fleet-certificate
option support this? 3.
I'm also a bit unclear if this need to be done for fleet-desktop as well
A recent change to Fleet Desktop will now allow using the certificate provided via
--fleet-certificate
to connect to Fleet.
v

Vlad Previn

07/15/2022, 1:11 AM
thanks for replies 🙂 .
--fleet-certificate
that’s for fleet ctl when generating it right ? hmm >--fleet-certificate Path to server certificate bundle https://fleetdm.com/docs/using-fleet/adding-hosts#configuration-options could you please clarify what it expected in the PEM or CRT file1. file format 2. sounds like it needs the cert chain right - leaf + ca chain? 3. is a scenario where there’s 2 CA chains supported? (some endpoints would be behind ssl breakout proxy some wont so they could either let’s say a digitcert signed leaf and related chain OR the mitm proxy corp ca cert and leaf chain) 4. does it need the leaf certs or just ICA/RCA lists? For leaf cert the proxy in SSL mitm mode will generate a cert on each connection so if it does cert pinning/needs a copy of the leaf cert this isn’t possible
Lucas Rodriguez

Lucas Rodriguez

07/15/2022, 3:50 PM
Hi @Vlad Previn! 1.
that's for fleet ctl when generating it right ?
Correct. when generating the package with
fleetctl package --fleet-certificate=ca_root.pem
, such
ca_root.pem
will be added to the generated package and will be set to osquery (via
--tls_server_certs
) when running it. 2. PEM 3. CA root bundle. In other words, osquery uses such CA root bundle file to verify the (Fleet) server certificate (osquery uses the following method to load the certificate). 4. Only one way to find out 🙂 (I don't know if such scenario would work or not) 5. No, just a CA root bundle file that osquery would use to verify the server certificate. Let me know if my answers makes sense.