Managing Signing Certificates for Remote Access

Overview

Cato lets you enforce certificate-based authentication, ensuring that only trusted devices can connect to your network without relying solely on user credentials. Use the signing certificates in access policies to manage network access based on whether the certificate is installed on the device. For example, you can create a certificate Device Check that enforces device posture with the Client Connectivity Policy. The Signing Certificates page shows key certificate details and lets you add new certificates.

For more information about installing certificates, see the articles in Distributing and Installing Device Certificates.

Prerequisites

  • The certificate that you upload to the CMA must meet the following requirements:

    • Certificate file is in PEM format (base64-encoded) with the extension .pem, for example: sign_cert.pem

    • X.509 format

    • Uses an RSA key pair

  • The certificate that you install on the device must:

    • Include both the public and private key

    • Chain to the signing certificate that you uploaded to the CMA

    • (Windows devices) Be installed in the Local Machine Personal certificate store

    • (macOS devices) Allow the Cato Client to access the private key of the certificate

Upload Signing Certificates to the CMA

Upload signing certificates in the CMA to use them in access policies for your account.

If the uploaded certificate is invalid or expired, devices may be blocked from accessing the network based on your policy settings.

[Screenshot: signing_cert.png]

To upload a new signing certificate:

  1. From the navigation menu, select Access > Client Access.

  2. In the Signing Certificates section, click New.

  3. Enter the Name and click Upload Certificate.

  4. Select the certificate file and upload it to the CMA.

  5. (Optional) Click Show Details to view certificate metadata.

Handling Expired Certificates

If the signing certificate (the public key uploaded to the CMA) has expired, the PoP allows the connection only if the device certificate was signed by it before it expired.

  • The red icon to the right of the certificate indicates that the certificate has expired

  • The yellow warning icon indicates that the certificate expires within the next 30 days

Cato generates alerts for an expiring signing certificate:

  • 30 days before the signing certificate expires

  • On the expiration date of the certificate

Device certificates are handled more strictly: Cato doesn’t allow a Client to connect with an expired device certificate. If a user tries to connect with an expired device certificate, the Client notifies the PoP that the certificate has expired, and the connection is blocked. For a device certificate that is still valid, the PoP verifies the certificate and then permits the connection.

The Events page shows these connection events together with the certificate expiration date.
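The following Python script is an added example and is not Cato's code or part of this article. It uses the `cryptography` package to build a throwaway RSA signing certificate and a few device certificates, then applies the checks described in the Prerequisites and in this section: the PEM/X.509/RSA requirements for the file uploaded to the CMA, the presence of a matching private key in the bundle installed on the device, and the PoP's rules for expired signing and device certificates. The certificate names, the dates, the function names, and the approximation that a device certificate was "signed before the signing certificate expired" when its NotBefore date precedes the signing certificate's NotAfter date are all assumptions of the example; the PoP's actual logic is not published here.

```python
"""Added example, not Cato's code: a throwaway RSA signing CA and device certificates built
with the `cryptography` package, used to exercise the checks this article describes. Names,
dates and the "issued before the signing cert expired" approximation are assumptions."""
import datetime as dt
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def D(year, month):
    return dt.datetime(year, month, 1, tzinfo=UTC)

def _utc(cert, attr):
    """NotBefore/NotAfter as aware UTC datetimes on both old and new cryptography APIs."""
    aware = getattr(cert, attr + "_utc", None)
    return aware if aware is not None else getattr(cert, attr).replace(tzinfo=UTC)

def make_cert(cn, issuer, issuer_key, pubkey, start, end, ca=False):
    """Sign an X.509 certificate; a self-signed CA passes issuer=None."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = x509.CertificateBuilder().subject_name(name).issuer_name(name if issuer is None else issuer)
    b = b.public_key(pubkey).serial_number(x509.random_serial_number())
    b = b.not_valid_before(start).not_valid_after(end)
    b = b.add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    return b.sign(issuer_key, hashes.SHA256())

def check_signing_cert_upload(pem, now):
    """Upload prerequisites: PEM-encoded X.509 with an RSA key, and not already expired."""
    try:
        cert = x509.load_pem_x509_certificate(pem)
    except ValueError:
        return ["not a PEM-encoded X.509 certificate"]
    problems = []
    if not isinstance(cert.public_key(), rsa.RSAPublicKey):
        problems.append("public key is not RSA")
    if now > _utc(cert, "not_valid_after"):
        problems.append("signing certificate already expired")
    return problems

def check_device_bundle(pem):
    """Device install prerequisite: the bundle carries the certificate AND its matching private key."""
    blocks = {m.group(1): m.group(0) for m in PEM_BLOCK.finditer(pem)}
    cert_pem, key_pem = blocks.get(b"CERTIFICATE"), blocks.get(b"PRIVATE KEY")
    if cert_pem is None or key_pem is None:
        return ["bundle must contain both the certificate and its private key"]
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    if key.public_key().public_numbers() != cert.public_key().public_numbers():
        return ["private key does not match the certificate"]
    return []

def pop_decision(dev, signing_cert, now):
    """Model of the PoP rules in the article (not Cato's code): returns (allowed, reason)."""
    if now > _utc(dev, "not_valid_after"):
        return False, "expired device certificate"
    if now < _utc(dev, "not_valid_before"):
        return False, "device certificate not yet valid"
    # An issuer name is just a string; only the signature proves the uploaded cert issued it.
    if dev.issuer != signing_cert.subject:
        return False, "bad issuer"
    try:
        signing_cert.public_key().verify(dev.signature, dev.tbs_certificate_bytes,
                                         padding.PKCS1v15(), dev.signature_hash_algorithm)
    except InvalidSignature:
        return False, "bad issuer"
    # Expired signing certificate: only device certs it issued before expiring still pass.
    if now > _utc(signing_cert, "not_valid_after") and \
            _utc(dev, "not_valid_before") > _utc(signing_cert, "not_valid_after"):
        return False, "device certificate issued after the signing certificate expired"
    return True, "ok"

def run_scenarios():
    """Constructed PKI: one signing CA valid 2024-01 to 2025-01, three devices, one forged issuer."""
    ca_key, rogue_key, dev_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = make_cert("Example Signing CA", None, ca_key, ca_key.public_key(), D(2024, 1), D(2025, 1), ca=True)
    pub = dev_key.public_key()
    devices = {
        "A_issued_before_ca_expiry": make_cert("laptop-a", ca.subject, ca_key, pub, D(2024, 6), D(2025, 6)),
        "B_issued_after_ca_expiry": make_cert("laptop-b", ca.subject, ca_key, pub, D(2025, 2), D(2026, 2)),
        "C_device_cert_expired": make_cert("laptop-c", ca.subject, ca_key, pub, D(2024, 3), D(2024, 9)),
        "D_forged_issuer": make_cert("laptop-d", ca.subject, rogue_key, pub, D(2024, 6), D(2025, 6)),
    }
    enc, fmt, noenc = serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()
    a_pem = devices["A_issued_before_ca_expiry"].public_bytes(enc)
    return {
        "upload_ok": check_signing_cert_upload(ca.public_bytes(enc), D(2024, 7)),
        "upload_key_file": check_signing_cert_upload(dev_key.private_bytes(enc, fmt, noenc), D(2024, 7)),
        "bundle_ok": check_device_bundle(a_pem + dev_key.private_bytes(enc, fmt, noenc)),
        "bundle_wrong_key": check_device_bundle(a_pem + ca_key.private_bytes(enc, fmt, noenc)),
        "ca_valid": {k: pop_decision(c, ca, D(2024, 7)) for k, c in devices.items()},
        "ca_expired": {k: pop_decision(c, ca, D(2025, 3)) for k, c in devices.items()},
    }
```

Calling run_scenarios() evaluates each device certificate once while the signing certificate is still valid (July 2024) and once after it has expired (March 2025), so the outcomes the article lists can be seen side by side: allowed, blocked because the device certificate expired, blocked for a bad issuer, and blocked because the device certificate was issued after the signing certificate expired. Note that comparing the issuer name alone is not a trust check; it is the signature verification against the uploaded signing certificate's key that catches "laptop-d", whose issuer name matches but which was signed with a different key.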

Analyzing Certificate Events

The Events screen (Home > Events) helps you monitor the events for expired certificates. When the Cato Client successfully connects with a device certificate, Cato generates an event with the following information:

  • Client Cert Name – the device certificate name used for the connection

  • Client Cert Expires – the expiration date of the device certificate

For failed connection events, the failure reason is described in the event message. Connection failures can be caused by a bad issuer (the device certificate does not chain to an uploaded signing certificate) or by an expired certificate.
