How does the --root_pem flag work for package_builder make? If the flag is set to "C:\ProgramData\osquery\certs\server.pem", for example, does the new host where the package is installed need to have the file in the same directory on the host machine?
zwass
07/11/2019, 10:35 PM
The PEM will be copied into the package.
James Tam
07/11/2019, 10:58 PM
is it possible with some flag for the host machine installing the package to require some sort of authorization, like a private key?
zwass
07/11/2019, 10:59 PM
You want the package to authorize the machine it is installing on?
seph
07/11/2019, 11:12 PM
I’m not sure I understand that question
seph
07/11/2019, 11:12 PM
endpoints do require authorization. That’s the enroll secret. Are you looking for something else?
James Tam
07/16/2019, 10:11 PM
@seph I suppose it would be like what @zwass is describing. I'm a newbie with SSL/TLS, but from what I heard from the project manager, he wants the package to also authorize based on the certificate the endpoint machine has. It was either a certificate or a private key.
seph
07/16/2019, 10:12 PM
AFAIK there is no support for x509 auth in the TLS protocol.
seph
07/16/2019, 10:12 PM
The client verifies the server cert via normal means.
seph
07/16/2019, 10:14 PM
and the server verifies the client first with an enroll secret (generally this is in the package) and then by the node key
seph
07/16/2019, 10:14 PM
I'm not really sure if you're asking for something different, or what.