nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Cato Cloud
- Discussions
- Best Practices
API
- Discussions
- Best Practices
Idea Hub
Community Help
- Discussions
Cato Partners
Cato SWIFTs
Discussions
Categories
Groups
Help

Windows CA with Cato for Device Posture Check

Shaahid

I’m looking for guidance on configuring a Windows CA to issue and validate RSA certificates for device posture verification in Cato. Has anyone implemented this integration?What’s the best approach for certificate management? Should we use self-signed certificates or purchase individual device certificates from DigiCert or another vendor?

If anyone has implemented this, please share the pros and cons.

Find more posts tagged with

question

concern

analytics

Comments

michaelsaw

Hi Shaahid,

Corporate/Organization certificates are typically used to secure connections to websites and other online services by preventing man-in-the-middle attacks and ensuring that the digital certificates presented by entities are legitimate.
Note that certificates have an validity period and needs to be renewed accordingly.

On the side note, is there certain mechanisms currently used by the organization to identify/recognise corporate/organizational devices, at the moment?

A link to share: https://en.wikipedia.org/wiki/Certificate_authority

Cheers and have a nice weekend ahead!

Nath

We have Active Directory Certificate Services installed as part of our Active Directory architecture. The certificate server has lots of templates you can use. We used the "Workstation Authentication Certificate" template. This deploys to all our devices.

Side Note - this same certifcate can be successfully used for any Wired/WiFi 802.1x auth - not just Cato VPN device check.

In Windows we go to the "Manage Computer Certificates" MMC and see various certs:

1)Personal - the actual cert deployed to our unique device by the cert server. The common name is your device name.

2)Under Root CA/Intermediate CA we see the certificates there. An important part of two way cert verification especially if you use Cisco ISE to do your wired/wireless 802.1x

If you are new to this and playing around, just ensure when you have a new template, you go to the Security Tab and ensure you change the targets to whatever you are testing with. I have made the mistake before of creating a template based on the pre-defined template and I started playing around with the settings without realising it was set to deploy to all devices! As such our devices have about 3 certs due to my mistake. Once you have it setup correctly you can change the deployment targets back to default in the Security Tab.

In the CMA we have uploaded the chain which means uploading both the Root and Intermediate (Issuing-CA) certificates. So you will have a cert entry in the CMA for each one.