Hi all! I'm trying to configure mTLS (FleetDM), bu...
# fleet
o
Hi all! I'm trying to configure mTLS (FleetDM), but I can't find anything about it in the documentation and the client generated by the packer doesn't support keys for client authentication. Is it possible?
If I understand correctly, I need to use the native client?
l
Hi Oleg! What do you mean by packer? Maybe you mean Orbit? If so, Orbit currently does not support setting client certificates for osquery to use yet (shouldn't be hard to add such support in the near future). Fleet doesn't support mTLS by itself, but users have basically implemented mTLS by running Fleet behind a TLS terminator that does support it (e.g. nginx).
o
Yes, that's exactly the scenario I was considering. And as it turned out, it is poorly implemented so far. Since many people now work remotely, certificate delivery requires SCEP. It is also impossible to use MDM certificates because they are in the certificate store, and the client does not support working with the certificate store.
l
Hi @Oleg Koreev! Ah I see.
> because they are in the certificate store
What do you mean by "the certificate store" here?
a
Relevant: adding support for mTLS flags to the packer (fleetctl package) - https://github.com/fleetdm/fleet/issues/7970
Released. But... not for community edition 🥹 https://github.com/fleetdm/fleet/pull/11319