how does the --root_pem flag work for package_builder make? if the flag is set to "C:\ProgramData\osquery\certs\server.pem" for example, the new host where the package is installed needs to have the file in the same directory on the host machine?
07/11/2019, 10:35 PM
The PEM will be copied into the package.
07/11/2019, 10:58 PM
is it possible with some flag for the host machine installing the package to require some sort of authorization, like a private key?
07/11/2019, 10:59 PM
You want the package to authorize the machine it is installing on?
07/11/2019, 11:12 PM
I’m not sure I understand that question
endpoints do require authorization. That’s the enroll secret. Are you looking for something else?
07/16/2019, 10:11 PM
@seph I suppose it would be like what @zwass is describing. I'm a newbie with SSL/TLS but from what I heard from the project manager, he wants the package to also authorize based on the certificate the endpoint machine has. Either it was a certificate or a private key
07/16/2019, 10:12 PM
AFAIK there is no support for x509 auth in the TLS protocol.
The client verifies the server cert via normal means.
and the server verifies the client first with an enroll secret (generally this is in the package) and then by the node key
i'm not really sure if you're asking for something different, or what.