Client Certificate Authentication

Endpoint Central server uses client certificate authentication to authenticate agent installed computers that try to establish a connection with the server. Each agent will have a unique certificate and a corresponding private key signed by the server's trusted root certificate authority. Upon the successful validation of the certificate and the key, the server will connect to the agent. If the validation fails, the connection will be dropped. This is done to ensure security and keep away unauthorized clients from connecting to the server.

Working of Client Certificate Authentication

  1. In a conventional SSL transaction, the agent connecting to the server via secure connection will check the server's certificate before initiating the SSL transaction. In the same way, if you want the server to authenticate the agent computers, you need to configure the client certificate authentication. The server will request the agent for the client certificate during the SSL handshake. It will verify the certificate provided by the agent by checking the issuer signature in its trust store, and the validity of the certificate.
  2. The client will send the certificate to the central server and during the verification of the client certificate, the ownership of the private key will be verified by the server. If the certificate and the private key are valid, the Endpoint Central server will establish a connection with the agent. But if the certificate is invalid or if the agent fails to prove the ownership of the private key, the server will drop the agent's request during the SSL handshake.

    Note:Client certificates are different from server certificates. A server certificate is provided by the server at the start of a session, which is used by the agent to authenticate the server's credibility. A client certificate, on the other hand, is provided by the agent during the SSL handshake and is used by the server to authenticate the agent.

  3. When the agent is installed, it generates a pair of keys - a public key and private key. The public key will be signed by the server's trusted certificate authority. The signed certificate from the server will be used by the agent during SSL handshake to prove its identity. All the communication that takes place between the agent and the server is strictly encrypted.

Working of client certificate authentication

Enable Client Certificate Authentication

Client certificate authentication should be manually enabled by navigating to Admin tab > Security and Privacy > Security Settings. This option is available only on Endpoint Central build 100647 or higher.

Note:

  • Ensure all the managed computers are upgraded to agent version 100647 or higher, before enabling this option.

When you enable this authentication, you will receive the number of agents that are not upgraded to the above mentioned agent version. If you fail to upgrade, those agent-installed computers will no longer be managed under Endpoint Central.

Client certificate authentication

Advantages of Client certificate authentication

A client certificate restricts access to the agent authorized with certificates. Assuming that your certificates are managed and distributed securely, it is difficult for an unauthorized client to connect to the server since you need more than just a username and password.

Limitation of client certificate authentication

There are some limitations while using client certificate authentication, such as:

  • Client certificate authentication via HTTPS TLS handshake is not possible if an SSL-intercepting proxy server is configured between the agent and the server because the proxy breaks the HTTPS connection and connects on behalf of the agent. Therefore, if client certificate authentication is enabled, an SSL-intercepting proxy server cannot be configured for the distribution server and vice versa.

  • When client certificate is used for authentication between agent and central server communication, and the central server is behind a firewall which has a certificate inspection policy enabled or a load balancer, the agent server communication will fail.