https://github.com/osquery/osquery logo
#fleet
Title
# fleet
o

Oleg Koreev

07/15/2022, 1:51 PM
Hi all! I'm trying to configure mTLS (FleetDM), but I can't find anything about it in the documentation and the client generated by the packer doesn't support keys for client authentication. Is it possible?
If i understand correctly, I need use native client?
l

Lucas Rodriguez

07/15/2022, 4:07 PM
Hi Oleg! What do you mean by packer? Maybe you mean Orbit? If so, Orbit currently does not support setting client certificates for osquery to use yet (shouldn't be hard to add such support in the near future). Fleet doesn't support mTLS by itself, but users have basically implemented mTLS by running Fleet behind a TLS terminator that does support it (e.g. nginx).
👀 1
o

Oleg Koreev

07/18/2022, 7:09 AM
Yes, that's exactly the scenario I was considering. And as it turned out, while it is poorly implemented. Since now many people work remotely, certificate delivery requires SCEP, it is also impossible to use MDM certificates because they are in the certificate store, and the client does not support working with the certificate store.
l

Lucas Rodriguez

07/18/2022, 12:30 PM
Hi @Oleg Koreev! Ah I see.
because they are in the certificate store
What do you mean by "the certificate store" here?
👀 1
a

Ando

03/17/2023, 7:15 AM
Relevant: adding support for mTLS flags to the packer (
fleetctl package
) - https://github.com/fleetdm/fleet/issues/7970
Released. But... not for community edition 🥹 https://github.com/fleetdm/fleet/pull/11319
7 Views