Getting Started with Cato Certificates

This article explains the different certificates used by Cato Networks and their purposes.

Overview

Cato uses two different types of digital certificates to secure device authentication and inspect encrypted traffic. Each certificate serves a distinct purpose and is distributed independently:

  • Cato TLS Inspection Certificate – Deployed to browsers and endpoints to allow Cato to decrypt and inspect HTTPS traffic for DLP, Anti-Malware, and application control
  • Cato Client Device Certificate – Installed on your organization’s devices to authenticate the device and enforce Zero Trust access policies 

These certificates are not interchangeable. The TLS Inspection certificate enables secure inspection of traffic flows, while the Client Device certificate validates and identifies the endpoint itself. Together, they support Zero Trust access and provide deep visibility into encrypted traffic across the network.

Cato TLS Inspection Certificate

The TLS Inspection certificate allows Cato to act as a trusted intermediary for encrypted HTTPS traffic. The Cato default Root CA is installed automatically when you download and install the Cato Client, or you can upload your own root CA certificate to the Cato Management Application (CMA). The certificate must be installed on user devices to avoid browser warnings when TLS sessions are inspected and re-signed by Cato.

Use Case

ABC Company enforces strict security policies for web traffic, including TLS inspection for DLP and Anti-Malware scanning. To avoid browser errors on user devices, the admin uploads a custom root CA certificate to the CMA and distributes it to all corporate devices using MDM. When users browse HTTPS websites, the TLS sessions are decrypted, inspected, and re-encrypted by Cato without triggering certificate warnings.

Cato Client Device Certificate

The Client Device certificate is used for certificate-based authentication and must be installed on each endpoint. In the Cato Management Application (CMA), you upload a Signing Certificate that Cato uses to verify device certificates across your organization. Device certificates must be generated by a trusted authority and deployed to endpoints using tools such as MDM or automation scripts. Once installed, they allow Cato to authenticate the device, apply posture checks, enforce Client Connectivity policies, and restrict access to trusted endpoints only.

Use Case

ABC Company wants to ensure that only corporate-issued laptops can connect to the network using the Cato Client. When a user installs the Client, it automatically generates a device certificate tied to that endpoint and account. The admin enables device certificate validation in the Client Connectivity Policy. If a user copies the Client to a personal device, the certificate is missing, and the device is blocked from connecting—even if the user has valid credentials.
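The verification step described in this section, as an added example that is not Cato's own tooling: before uploading a Signing Certificate to the CMA, an admin can confirm locally that an issued device certificate chains to it, and that a certificate from any other CA (the personal-device case above) does not. It assumes `openssl` is on the PATH; the organization and device names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from Cato): check that a Client Device certificate chains
# to the Signing Certificate you plan to upload to the CMA. Assumes openssl on
# PATH; all subject names and file paths below are constructed for the demo.

WORK="${TMPDIR:-/tmp}/cato-cert-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA at path prefix $1 with common name $2.
make_signing_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=ABC Company/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a device certificate with common name $2, signed by CA $1, at prefix $3.
make_device_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=ABC Company/CN=$2" \
    -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1
  openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 90 -out "$3.pem" >/dev/null 2>&1
}

# Return 0 if device cert $2 was issued by signing CA $1 (and is in its validity
# period), non-zero otherwise. This is the same trust check Cato applies against
# the uploaded Signing Certificate.
verify_device_cert() {
  openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

make_signing_ca "$WORK/signing" "ABC Device Signing CA"   # uploaded to the CMA
make_signing_ca "$WORK/other"   "Unrelated CA"            # e.g. a personal device
make_device_cert "$WORK/signing" "laptop-001.abc.example" "$WORK/corp-device"
make_device_cert "$WORK/other"   "home-pc.example"        "$WORK/personal-device"

if verify_device_cert "$WORK/signing" "$WORK/corp-device"; then
  echo "corp-device: issued by the signing CA, would be allowed"
fi
if ! verify_device_cert "$WORK/signing" "$WORK/personal-device"; then
  echo "personal-device: not issued by the signing CA, would be blocked"
fi
```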
