pcx_content_type | title | weight |
---|---|---|
how-to | Client certificate | 3 |
The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.
- A root CA that issues client certificates for your devices. You can use the Cloudflare PKI toolkit to generate a sample root CA for testing.
- A client certificate is installed and trusted on the device.

System | Certificate store |
---|---|
macOS | System Keychain |
Windows | Current User\Personal store |
Linux | NSSDB |

- In Zero Trust, go to Settings > WARP Client.
- Scroll down to WARP client checks and select Add new.
- Select Client certificate.
- You will be prompted for the following information:
  - Name: Enter a unique name for this device posture check.
  - Operating system: Select your operating system.
  - Certificate ID: Enter the UUID of the root CA.
  - Common name: Enter the common name of the client certificate (not the root CA).
- Select Save.

Next, go to Logs > Posture and verify that the client certificate check is returning the expected results.
Learn how the WARP client determines if a client certificate is installed and trusted on the device.

macOS:

- Open Terminal.
- Run the following command to search for a certificate with a specific common name:

```sh
$ /usr/bin/security find-certificate -c "<COMMON_NAME>" -p /Library/Keychains/System.keychain
```

Windows:

- Open a PowerShell window.
- Run the following command to search for a certificate with a specific common name:

```powershell
PS C:\Users\JohnDoe> Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -like "*<COMMON_NAME>*"}
```

Linux:

- Open Terminal.
- Run the following command to search for a certificate with a specific common name:

```sh
$ certutil -L -d sql:/etc/pki/nssdb -r -n "<COMMON_NAME>"
```
For the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.
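
The lookup commands above only show that a certificate with the given common name is present; a self-signed certificate reusing that name would also appear in the output. The following added example (not Cloudflare's code, and not a description of how the WARP client is implemented) uses OpenSSL to check both conditions on a PEM certificate file. The function names, file names, the `device01.example.test` name and the exact common-name match are assumptions made for illustration.

```shell
# Added example: does an exported PEM certificate chain to the root CA
# and carry the expected common name? Helper names are hypothetical.

# check_client_cert <root_ca.pem> <client_cert.pem> <common_name>
# Returns 0 = pass, 1 = does not validate against the root CA,
#         2 = validates but the common name differs.
check_client_cert() {
  ca="$1"; cert="$2"; cn="$3"

  # Signature chain and validity period. -no-CApath keeps the system
  # trust directory out of the decision, so only "$ca" can anchor the chain.
  if ! openssl verify -CAfile "$ca" -no-CApath "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not validate against $ca"
    return 1
  fi

  # Subject in RFC 2253 form, e.g. "subject=CN=device01.example.test".
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 1
  subject=${subject#subject=}; subject=${subject# }
  case ",$subject," in
    *",CN=$cn,"*) echo "PASS: $cn validates against $ca"; return 0 ;;
    *) echo "FAIL: common name is not $cn"; return 2 ;;
  esac
}

# Constructed sample PKI for trying the check offline: a root CA, a device
# certificate it signed, and a self-signed certificate reusing the same name.
make_sample_pki() {
  d="$1"; name="device01.example.test"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/dev.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
    -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null
}
```

On macOS, the PEM output of the `security find-certificate -p` command above can be saved to a file and passed as the second argument.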