Vlad Previn 07/14/2022, 5:51 AM
Kathy Satterlee 07/14/2022, 2:33 PM
Lucas Rodriguez 07/14/2022, 3:04 PM
). That's just some unused certs that shouldn't be there, right?
2. Is there a way to add a CA certificate to the trust chain (corp proxy in transparent mode cert CA) in such a way that we don't need to fiddle with the certs.pem or fleet.pem post install? Also, does the
option support this?
3. I'm also a bit unclear if this needs to be done for fleet-desktop as well.
A recent change to Fleet Desktop will now allow using the certificate provided via
to connect to Fleet.
Vlad Previn 07/15/2022, 1:11 AM
--fleet-certificate that's for fleetctl when generating it, right? Hmm:
> --fleet-certificate Path to server certificate bundle
https://fleetdm.com/docs/using-fleet/adding-hosts#configuration-options
Could you please clarify what is expected in the PEM or CRT file?
1. File format?
2. Sounds like it needs the cert chain, right: leaf + CA chain?
3. Is a scenario where there are 2 CA chains supported? (Some endpoints would be behind an SSL breakout proxy, some won't, so they could have either, let's say, a DigiCert-signed leaf and related chain OR the MITM proxy corp CA cert and leaf chain.)
4. Does it need the leaf certs or just ICA/RCA lists? For the leaf cert, the proxy in SSL MITM mode will generate a cert on each connection, so if it does cert pinning/needs a copy of the leaf cert this isn't possible.
Lucas Rodriguez 07/15/2022, 3:50 PM
> that's for fleetctl when generating it, right?
1. Correct. When generating the package with
fleetctl package --fleet-certificate=ca_root.pem
the certificate file will be added to the generated package and will be set to osquery (via
) when running it.
2. PEM.
3. CA root bundle. In other words, osquery uses such a CA root bundle file to verify the (Fleet) server certificate (osquery uses the following method to load the certificate).
4. Only one way to find out 🙂 (I don't know if such a scenario would work or not.)
5. No, just a CA root bundle file that osquery would use to verify the server certificate.
Let me know if my answers make sense.