Distributing Certificates for Device Authentication and Device Checks

This article explains how to distribute the certificates used in Device Authentication and Device Check.

Overview

You can improve network security by using your Corporate Certificate Authority (CA) to identify a corporate device before granting it access to the network. Device certificates can be used in Device Authentication and included in Device Checks.

Device Authentication

Device Authentication ensures the Client only connects to your network if a valid certificate is installed on the device. If a certificate is not installed, the Client does not connect.

Network administrators can install device certificates on their corporate devices and restrict access for non-corporate devices or devices that don’t use certificates. When a device tries to connect, Cato validates the device certificate, and the Client only connects to the network if the device certificate matches the signing certificate.

For more information about corporate device access, see Controlling Certified Corporate Devices (Device Authentication).

For more about Device Authentication for Cato Clients, see Access Features per Client OS and Version.

Notes:

  • Cato doesn’t generate the certificates or manage their lifecycle

  • For the SDP Client, you can configure either the Always On or the Blocked operating systems setting, not both

Device Checks

Device Checks can be included in Device Posture Profiles to define the minimum requirements that a device must meet to be able to connect to your network. You can create a check for a device certificate. The Cato Client checks that the certificate on the device matches the signing certificates for your account. The Client only connects if the certificates match.

For more information about Device Checks, see Creating Device Posture Profiles and Device Checks.

Certificate Prerequisites

The following certificates are required for using the Device Authentication:

  • Signing Certificate - This can be either a root CA or a self-signed certificate. Use this certificate to sign the device certificate. The Cato Management Application supports uploading the PEM file format only.

  • Device Certificate - This certificate must be installed on the device in a P12 file format. This certificate is per device and not per user.

    • For Android Clients, use the PKCS12 file format.

  • Certificate Size - Certificates have a maximum allowed size of 2048 bytes. Certificates larger than this size will be ignored.

Configuring Device Authentication

Cato lets you upload the public keys for the corporate trusted certificates to your account in the Cato Management Application (Access > Client Access > Device Authentication). Upload the PEM file to the Device certificates section.

Note: You must add a Name for the certificate that you upload.

The following screenshot shows a sample of a signing certificate uploaded to the Device certificates section:

01_Certificates.png

In the Device Authentication window, you can block or permit the device connection according to the device operating system. Use the Cato Management Application to manage device access by:

  • Blocking all devices for one or more operating systems

  • Requiring a certificate for specific operating systems

Cato lets you configure the Device Authentication in two levels: for the entire account and for the SDP user.

The following screenshot shows the Device Authentication configuration window for the account in the Cato Management Application. The Device Authentication is configured to block macOS devices and to allow Windows devices with a valid certificate:

01a_Certificates.png

Note: The certificates are public and should not contain sensitive data.

To configure the Device Authentication for a specific SDP user (Access > Users > {user name} > User Configuration > Device Authentication), select the Override account Device Authentication settings option and configure the settings for Blocked operating systems and the Operating systems that require a certificate. The following screenshot shows the Device Authentication configuration window for the SDP user. The Device Authentication is configured to block Android OS devices and to allow iOS devices with a certificate:

02_Override.png

Validating the Certificates

The Cato Management Application lets you upload the public key of the corporate trusted certificate for your account. This public key belongs to the certificate that signs the device certificate.

This section describes how Cato validates the device certificate before it permits or blocks the connection.

Explaining the Device Connection Flow

When an SDP Client connects to the Cato Cloud, the PoP determines, based on the account settings, whether a certificate is required for authentication. If it is, the PoP asks the Client to authenticate with a certificate. The PoP also sends the Client a hint with a list of issuers, based on the public keys it has. The Client connects with the device certificate that was signed by the same public key and issuer, and the PoP then validates the device certificate with the public key.

If the device certificate doesn’t match the public key, the PoP blocks the attempt, and the Client can’t establish the connection. If there is a match and the validation succeeds, the Client establishes the connection to the Cato Cloud.

The following screenshot shows an example of the Cato Client connecting to the Cato Cloud with a device certificate:

03_validation.png

If multiple device certificates match the issuer, the Client tries them in order, starting with the first one, until it connects successfully. The PoP checks that the certificate isn’t expired and that the issuer’s signature comes from the same authority that signed the device certificate. Cato only allows devices to connect when they are trusted by the authority.

Handling Expired Certificates

Cato lets you upload the public keys of the corporate trusted certificates to your account in the Cato Management Application. If a public key has expired, the PoP allows the connection only if the authority signed the device certificate before the public key expired.

  • The red icon on the right side of the certificate indicates an expired certificate.

  • The yellow warning icon indicates a certificate that is about to expire within the next 30 days.

Cato generates alerts for an expiring public key:

  • 30 days before the public key is going to expire

  • On the expiration date for the certificate

For the device certificates, Cato doesn’t allow a Client to connect with an expired certificate. If a user tries to connect with an expired device certificate, the Client notifies the PoP that the certificate has expired, and the connection is blocked.

The PoP verifies that the certificate is valid and then permits the connection for Clients.

The Event Discovery window shows these events with the certificate expiration date.

Analyzing Certificate Events

The Events screen (Monitoring > Events) helps you monitor the events for expired certificates. When the Cato Client successfully connects with a device certificate, Cato generates an event with the following information:

  • Client Cert Name – the device certificate name used for the connection

  • Client Cert Expires – the expiration date of the device certificate

For failed connection events, the failure reason is described in the event message. Connection failures can be caused by a bad issuer or an expired certificate.

Filtering Events with Predefined Filters

The Events screen provides two new event filter presets to help you monitor Device Authentication:

  1. Client certificate about to expire

  2. Client authentication issue

1. The Client certificate about to expire filter

You can select this preset to show all the successful connection events that are related to a device certificate that is about to expire within the next 30 days.

Note: Cato doesn’t generate a separate event for certificates that are about to expire.

The following screenshot shows a sample of the Event Discovery window when the Client certificate about to expire is applied:

04_expired.png

2. The SDP authentication issue filter

This preset is not specific to connections with device certificate-based authentication; it shows all the failed connection events.

The following screenshot shows a sample of the Event screen when the SDP authentication issue filter is applied:

05_ED.png

Distributing Device Certificates

You can deploy your corporate self-signed certificates using any mobile device management (MDM) tool or system configurator. The following sections describe the required certificate deployment configuration settings. Use the configuration for the operating system that your organization’s devices use.

Windows Cato Client

This section describes how to install the device certificate on Windows devices.

Prerequisites

  • The device certificate is supported for Windows Client version 4.7 and later

  • You must have administrator permissions for the Windows computer

  • The certificate file must be in a PFX (p12) format, including its private key

  • The certificate ‘issuer’ must match the signing certificate that is uploaded in the Cato Management Application

  • You must install the certificate into the certificate manager of the device

  • You must know the password protecting the key (required to install the certificate)

Installing the Device Certificate

There are several ways to install a certificate on a Windows device. The following example shows how to install a certificate using the certutil command line utility.

To import a certificate with certutil:

  1. Open the command prompt as administrator (elevated) and use the certutil.exe:

    certutil -csp "Microsoft Software Key Storage Provider" -importpfx My <path-to-p12-file> NoExport

  2. After you run this command, you are prompted for the password of the p12 file.

  3. Enter the certificate file password. Alternatively, you can pass the password on the command line with the -p option.

    The following command is an example of the certutil with the password parameter:

    certutil -csp KSP -p <secret> -importpfx My <path-to-p12-file> NoExport

Notes:

  • The NoExport option prohibits export of the private key

  • KSP is an alias for Microsoft Software Key Storage Provider

  • The -csp option specifies where the private key is stored. Although it is optional, we recommend that you explicitly specify the provider rather than relying on the default

Verifying the Certificate Installation

You can confirm that the certificate is successfully installed on the device with certutil:

certutil -store My

This command lists the machine certificate information. If the certificate was successfully installed then it appears in this list.

Now, you can connect to the Cato Cloud with a device certificate.

When the Client successfully connects to the Cato Cloud, it saves the device certificate that was last used in the registry for future connections. This helps to reduce the connection time.

macOS and iOS Cato Clients

This section describes how to install the device certificate on macOS or iOS devices.

Prerequisites

  • The device certificate is supported for macOS and iOS Clients version 4.4 and later

  • The device certificate is distributed before the Client is installed on a device

  • You must have administrator permissions for the Mac device

    Note: Users with root permissions on the device can export the certificate and the private key; we highly recommend that IT admins restrict this

  • The certificate file must be in a PFX (p12) format

  • You must know the password protecting the key (required to install the certificate)

  • The certificate ‘issuer’ must match the signing certificate that is uploaded in the Cato Management Application

Distributing Certificates for macOS and iOS Devices

This section describes how to distribute a self-signed certificate with an MDM or Apple Configurator. Manual distribution of certificates is not recommended.

Note: From macOS Client v5.4, enabling the VPN payload and installing the VPN profile are not required. iOS Clients still require these steps.

To distribute a certificate for macOS and iOS devices:

  1. Enable the certificate payload.

  2. Enable the VPN payload (macOS v5.3 and below).

  3. Install the VPN profile (macOS v5.3 and below).

Enabling the Certificate Payload

There are several ways to enable the certificate payload. The following example shows how to enable a certificate using Jamf.

To enable the certificate payload:

  1. From the navigation menu, select Configuration Profiles.

  2. Click New.

    The New Configuration Profile screen is displayed.

  3. Select the Certificate tab and click Configure.

  4. Upload the certificate and enter the Certificate Name and Password.

  5. Ensure Allow all apps access is selected.

  6. Select the Scope tab and define the computers or users.

Enabling the VPN Payload (macOS v5.3 and below)

  1. Go to the VPN payload and enable it.

  2. Configure the VPN connection using the following settings: 

    • Connection Type: Custom SSL

    • Identifier:

      • For macOS: com.catonetworks.mac.CatoClient

      • For iOS: CatoNetworks.CatoVPN

    • Server: vpn.catonetworks.net

    • Account: add your account name. For example: CatoNetworksAccount.

    • ProviderBundle Identifier:

      • For macOS: com.catonetworks.mac.CatoClient.CatoClientSysExtension

      • For iOS: CatoNetworks.CatoVPN.CatoVPNNEExtenstion

    • Provider Designated Requirement: empty

    • User Authentications: Certificate

    • Provider Type: Packet Tunnel

    • Credentials: Choose the certificate from the ‘Certificates’ payload

    • Proxy Setup: None

  3. Save the profile to a file.

Installing the VPN Profile (macOS v5.3 and below)

Installing the profile creates a new network configuration (Network Preferences) and installs the certificate (Keychain Access) on your device.

To install the VPN profile file: 

  • On Mac – double click on the profile file

  • On iOS device – remotely send the VPN profile to your devices

After you install the profile, add a new user to the Client.

To add a user to the Client:

  1. Open the Cato Client.

  2. Click the Add User button.

  3. Add the same username and account as you entered in the Account field for the profile.

  4. Click Continue.

The following screenshot shows an example of adding a new user (john) to the Client for the account (CatoNetworksAccount):

06_client.png

Now, the device is ready to connect to the Cato Cloud with a device certificate.

Installing and Configuring Cato Client for Linux OS

This section describes how to install certificates for Device Authentication on Linux devices.

Note: Device Authentication is supported on Linux Clients version 2.2.0 and higher.

Prerequisites

  • You must have administrator permissions for the Linux computer

  • The certificate file must be in a PFX (p12) format, including its private key

  • The certificate issuer must match the signing certificate that is uploaded in the Device Authentication screen in the Cato Management Application

Overview of Installing and Configuring the Certificate

  1. Create the device certificate.

  2. Install the certificate with the following command:

    cato-sdp import-cert <certificate path>/<certificate>.p12

Creating a Device Certificate

This section is an example of the commands to create a certificate with OpenSSL that the Client uses for Device Authentication. You can use other tools to create the certificate.

You must have your own signing certificate before you create the device certificate.

    openssl genrsa -out <name>.key 2048

    openssl req -new -key <name>.key -out <name>.csr

    sudo openssl x509 -req -in <name>.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out <name>.crt -days 500 -sha256

    openssl pkcs12 -export -out <name>.p12 -inkey <name>.key -in <name>.crt

In the example above, NO password is added in the openssl pkcs12 command.
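The certificate creation above, combined with the checks the Validating the Certificates section attributes to the PoP (issuer match, signature by the uploaded signing certificate, expiry), as an added shell example that is not part of the Cato article. It assumes openssl is installed; the names rootCA, devcert and laptop-001 and the P12 password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Cato article: build a signing certificate and a
# device certificate with openssl, then run the checks the article describes
# the PoP performing (issuer match, signature, expiry). The names rootCA,
# devcert, the DNs and the P12 password are assumptions for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create the self-signed signing certificate (the PEM you upload) and a
# device certificate it signs, exported as a P12 for the Client. -subj keeps
# the commands non-interactive; use your own DN values.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rootCA.key" \
    -out "$WORK/rootCA.crt" -days 365 -subj "/CN=Example Device CA" 2>/dev/null
  openssl genrsa -out "$WORK/devcert.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/devcert.key" -out "$WORK/devcert.csr" \
    -subj "/CN=laptop-001" 2>/dev/null
  openssl x509 -req -in "$WORK/devcert.csr" -CA "$WORK/rootCA.crt" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -out "$WORK/devcert.crt" \
    -days 500 -sha256 2>/dev/null
  # Unlike the article's example, protect the P12 with a password.
  openssl pkcs12 -export -out "$WORK/devcert.p12" -inkey "$WORK/devcert.key" \
    -in "$WORK/devcert.crt" -passout pass:changeit
}

# Mirror the PoP checks on a device certificate against a signing certificate:
# issuer equals the signing certificate's subject, the signature chains to it,
# and it has not expired. Returns 0 when the device would be allowed.
validate_device_cert() { # usage: validate_device_cert <device.crt> <signing.crt>
  dev="$1"; ca="$2"
  issuer=$(openssl x509 -in "$dev" -noout -issuer | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject=//')
  [ "$issuer" = "$subject" ] || { echo "bad issuer: $issuer" >&2; return 1; }
  openssl verify -CAfile "$ca" "$dev" >/dev/null 2>&1 \
    || { echo "signature does not chain to $ca" >&2; return 1; }
  openssl x509 -in "$dev" -noout -checkend 0 >/dev/null \
    || { echo "device certificate expired" >&2; return 1; }
  echo "allowed: $(openssl x509 -in "$dev" -noout -enddate)"
}

# Stand-alone run: generate the files and validate the device certificate.
if [ "${1:-}" = "demo" ]; then
  make_certs
  validate_device_cert "$WORK/devcert.crt" "$WORK/rootCA.crt"
fi
```

Run the script with the argument demo to generate the files in a temporary directory and print the validation result; the "bad issuer" failure reason from the Events screen corresponds to the first check failing.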

Enabling the Device Certificate on the Client

This is required on Linux Client versions below v5.1.

Copy the certificate and the file with the private key to the Linux device. When you run the Client, add the -cert argument. For more about arguments for the Linux Client, see Cato Client Arguments - Linux OS.

To enable the device certificate on the Linux Client:

  1. Copy the device certificate and the private key file (<name>.p12) to a directory that the Client has permissions to access.

  2. When you run the Client, add this argument: -cert <path to the p12 file>
