From a540648c816e736dbd02b7a9b0f9e91a80015c1a Mon Sep 17 00:00:00 2001 From: ranbel <101146722+ranbel@users.noreply.github.com> Date: Fri, 28 Jun 2024 17:19:32 -0400 Subject: [PATCH] [ZT] WARP client certificate check (#14968) * add additional features * apply review feedback * Update content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md Co-authored-by: Andreas * Update content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md Co-authored-by: Andreas * Windows local machine trust store command * tweak wording * remove Linux * add Linux instructions * add note about legacy support * Update content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md --------- Co-authored-by: Andreas --- .../devices/warp-client-checks/_index.md | 2 +- .../warp-client-checks/client-certificate.md | 79 +++++++++++++------ 2 files changed, 57 insertions(+), 24 deletions(-) diff --git a/content/cloudflare-one/identity/devices/warp-client-checks/_index.md b/content/cloudflare-one/identity/devices/warp-client-checks/_index.md index 4bf5dc411ac317..d7c873fd3fa237 100644 --- a/content/cloudflare-one/identity/devices/warp-client-checks/_index.md +++ b/content/cloudflare-one/identity/devices/warp-client-checks/_index.md 
@@ -20,7 +20,7 @@ These device posture checks are performed by the [Cloudflare WARP client](/cloud | ---------------------| ----- | ------- | ----- | --- | ---------------- | | [Application check](/cloudflare-one/identity/devices/warp-client-checks/application-check/) | ✅ | ✅ | ✅ | ❌ | ❌ | | [Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/) | ✅ | ✅ | ✅ | ❌ | ❌ | -| [Client certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/) | ✅ | ✅ | ✅ | ❌ | ❌ | +| [Client certificate](/cloudflare-one/identity/devices/warp-client-checks/client-certificate/) | ✅ | ✅ | Coming soon | ❌ | ❌ | | [Device serial numbers](/cloudflare-one/identity/devices/warp-client-checks/corp-device/) | ✅ | ✅ | ✅ | ❌ | ❌ | | [Device UUID](/cloudflare-one/identity/devices/warp-client-checks/device-uuid/) | ❌ | ❌ | ❌ | ✅ | ✅ | | [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/) | ✅ | ✅ | ✅ | ❌ | ❌ | diff --git a/content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md b/content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md index d70bcfab6790aa..9b3bc2af049e28 100644 --- a/content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md +++ b/content/cloudflare-one/identity/devices/warp-client-checks/client-certificate.md @@ -8,16 +8,33 @@ weight: 3 The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device. +{{
}} + +| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) | +| -- | -- | +| All modes | All plans | + +| System | Availability | Minimum WARP version1 | +| ---------| -------------| ---------------------| +| Windows | ✅ | 2024.6.415.0 | +| macOS | ✅ | 2024.6.416.0 | +| Linux | Coming soon | | +| iOS | ❌ | | +| Android | ❌ | | +| ChromeOS | ❌ | | + +1 Client certificate checks that ran on an earlier WARP version will continue to work. To configure a new certificate check, update WARP to the versions listed above. +{{
}} + ## Prerequisites -- A root CA that issues client certificates for your devices. You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) to generate a sample root CA for testing. -- {{}} +- A CA that issues client certificates for your devices. WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate. +- Cloudflare WARP client is [deployed](/cloudflare-one/connections/connect-devices/warp/deployment/) on the device. - A client certificate is [installed and trusted](#how-warp-checks-for-a-client-certificate) on the device. - | System | Certificate store | - | ------- | -------------------- | - | macOS | System Keychain | - | Windows | `Current User\Personal` store | - | Linux | NSSDB | + +{{}} ## Configure the client certificate check @@ -33,8 +50,16 @@ The Client Certificate device posture attribute checks if the device has a valid 1. **Name**: Enter a unique name for this device posture check. 2. **Operating system**: Select your operating system. - 3. **Certificate ID**: Enter the UUID of the root CA. - 4. **Common name**: Enter the common name of the client certificate (not the root CA). + 3. **OS locations**: Specify the location(s) where the client certificate is installed. +| System | Certificate stores | +| ------- | -------------------- | +| Windows | - Local machine trust store
- User trust store| +| macOS | - System keychain | +| Linux | - NSSDB
- To search a custom location, enter the absolute file path(s) to the certificate and private key (for example `/usr/local/mycompany/certs/client.pem` and `/usr/local/mycompany/certs/client_key.pem`). The certificate and private key must be in `PEM` format. They can either be in two different files or the same file. | + 4. **Certificate ID**: Enter the UUID of the root CA. + 5. **Common name**: (Optional) To check for a specific common name on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). WARP will search for an exact, case-insensitive match. If you do not specify a common name, WARP will ignore the common name field on the certificate. + 6. **Check for Extended Key Usage**: (Optional) Check whether the client certificate has one or more attributes set. Supported values are **Client authentication** (`1.3.6.1.5.5.7.3.2`) and/or **Email** (`1.3.6.1.5.5.7.3.4`). + 7. **Check for private key**: (Recommended) When enabled, WARP checks that the device has a private key associated with the client certificate. 6. Select **Save**. 
@@ -44,24 +69,32 @@ Next, go to **Logs** > **Posture** and verify that the client certificate check Learn how the WARP client determines if a client certificate is installed and trusted on the device. -{{}} -{{}} +{{}} -1. Open Terminal. -2. Run the following command to search for a certificate with a specific common name: +{{}} -```sh -$ /usr/bin/security find-certificate -c "" -p /Library/Keychains/System.keychain -``` +1. Open a PowerShell window. +2. To search the local machine trust store for a certificate with a specific common name, run the following command: + + ```powershell + PS C:\Users\JohnDoe> Get-ChildItem Cert:\LocalMachine\My\ | where{$_.Subject -like "**"} + ``` + +3. To search the user trust store for a certificate with a specific common name, run the following command: + + ```powershell + PS C:\Users\JohnDoe> Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -like "**"} + ``` {{}} -{{}} -1. Open a PowerShell window. -2. Run the following command to search for a certificate with a specific common name: +{{}} -```powershell -PS C:\Users\JohnDoe> Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -like "**"} +1. Open Terminal. +2. To search System Keychain for a certificate with a specific common name, run the following command: + +```sh +$ /usr/bin/security find-certificate -c "" -p /Library/Keychains/System.keychain ``` {{}} @@ -69,14 +102,14 @@ PS C:\Users\JohnDoe> Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -lik {{}} 1. Open Terminal. -2. Run the following command to search for a certificate with a specific common name: +2. To search NSSDB for a certificate with a specific common name, run the following command: ```sh $ certutil -L -d sql:/etc/pki/nssdb -r -n - ``` {{}} + {{}} For the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.
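Review bot: on the `@@ -20,7 +20,7 @@` hunk in `_index.md`, flipping the Linux column to "Coming soon" matches the availability table added to `client-certificate.md`, but that page still ships Linux configuration (the NSSDB / custom PEM path row under step 3) and a Linux verification tab, and the Linux row in the new table leaves the "Minimum WARP version" cell empty. Either label those Linux sections as applying to the upcoming release or state the planned minimum version, so an admin does not configure a check their Linux client cannot yet evaluate.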
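Review bot: in the `@@ -8,16 +8,33 @@` hunk, the new prerequisite "WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate" contradicts the unchanged step 4 ("Certificate ID: Enter the UUID of the root CA") and the closing sentence "validates against the uploaded root CA". If intermediates are not walked, the CA uploaded to Cloudflare must be the one that directly signed the client certificate, so replace "root CA" with "issuing CA" in both places and state plainly that uploading a root above an intermediate will cause the check to fail.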
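Review bot: in the `@@ -33,8 +50,16 @@` hunk, the new certificate store table starts at column 0 between the indented list items 3 and 4, which ends the ordered list and restarts numbering at "4. Certificate ID"; indent the table under step 3. The unchanged "6. Select **Save**." is also now out of sequence after steps 1 to 7. Separately, "Check for private key" is marked (Recommended) without saying why: a client certificate is public material, so a check that only locates the certificate says little about the device, while requiring the associated private key ties the posture result to the enrolled machine. One sentence to that effect would keep admins from leaving it off.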
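Review bot: in the `@@ -44,24 +69,32 @@` hunk, "Local machine trust store" and "User trust store" are misnomers for the paths the commands query: `Cert:\LocalMachine\My` and `Cert:\CurrentUser\My` are the Personal stores that hold certificates with private keys, whereas "trust store" normally means Trusted Root Certification Authorities (`Root`). Use "Local machine personal store" and "User personal store" (the removed prerequisite table already said `Current User\Personal`), and mirror that in the step 3 table. Style: the two Windows fences are indented under their list items while the macOS fence is not, and the `PS C:\Users\JohnDoe>` and `$` prompts inside the fences get copied along with the command; consider dropping the prompts.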
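Review bot: in the `@@ -69,14 +102,14 @@` hunk, the Linux verification only covers NSSDB, but step 3 now also accepts a custom PEM certificate and key path; add a matching check for that location, for example `openssl x509 -in /usr/local/mycompany/certs/client.pem -noout -subject -issuer`, so admins can confirm the issuer and common name of a file-based certificate before enabling the check. The added line `+ {{}}` also carries a leading space that the other shortcode lines in this file do not.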