Forum Discussion

Shaahid
22 days ago

Windows CA with Cato for Device Posture Check

I’m looking for guidance on configuring a Windows CA to issue and validate RSA certificates for device posture verification in Cato. Has anyone implemented this integration? What’s the best approach for certificate management? Should we use self-signed certificates or purchase individual device certificates from DigiCert or another vendor?

If anyone has implemented this, please share the pros and cons.

2 Replies

  • Nath

    We have Active Directory Certificate Services installed as part of our Active Directory architecture. The certificate server has lots of templates you can use. We used the "Workstation Authentication Certificate" template. This deploys to all our devices.

    Side Note - this same certificate can be successfully used for any Wired/WiFi 802.1x auth - not just Cato VPN device check.

    In Windows we go to the "Manage Computer Certificates" MMC and see various certs:

    1) Personal - the actual cert deployed to our unique device by the cert server. The common name is your device name.

    2) Under Root CA/Intermediate CA we see the certificates there. An important part of two-way cert verification, especially if you use Cisco ISE to do your wired/wireless 802.1x.

    If you are new to this and playing around, just ensure when you have a new template, you go to the Security Tab and ensure you change the targets to whatever you are testing with. I have made the mistake before of creating a template based on the pre-defined template and I started playing around with the settings without realising it was set to deploy to all devices! As such our devices have about 3 certs due to my mistake. Once you have it set up correctly you can change the deployment targets back to default in the Security Tab.

    In the CMA we have uploaded the chain which means uploading both the Root and Intermediate (Issuing-CA) certificates.  So you will have a cert entry in the CMA for each one.
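The checks described in the reply above (device cert in the Personal store with the device name as CN, issuers present in the Root CA / Intermediate CA stores, and a separate Root and Issuing CA entry uploaded to the CMA) can be scripted on the endpoint. The following PowerShell is an added example written for this thread; it is not code from the original post, from Cato, or from AD CS. It assumes it runs elevated on a domain-joined Windows device, selects the device certificate by the Client Authentication EKU and a subject matching the computer name rather than by template name, and uses a placeholder export directory (`C:\Temp\cato-chain`). Revocation checking is deliberately disabled so the chain check works offline; it only proves the chain structure is right, not that nothing has been revoked.

```powershell
# Added example (not from the thread): verify the AD CS device certificate on this
# endpoint, confirm its chain builds to a trusted root, and export every CA in the
# chain (Root + Intermediate/Issuing CA) as DER .cer files for upload to the CMA.
# Assumptions: elevated PowerShell on a domain-joined device; $exportDir is a placeholder.

$exportDir     = 'C:\Temp\cato-chain'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU used for device auth
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1) Personal store (Cert:\LocalMachine\My): the device cert has a private key, the
#    Client Authentication EKU, and (per the reply) the device name as its common name.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) -and
    ($_.Subject -like "CN=$env:COMPUTERNAME*")
}
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No client-auth certificate for $env:COMPUTERNAME found in Cert:\LocalMachine\My"
}
"Device cert: $($cert.Subject)  issuer: $($cert.Issuer)  expires: $($cert.NotAfter)"

# 2) Build the chain. This succeeds only if the Intermediate (Issuing CA) and Root CA
#    certificates are present in the machine's CA / Root stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline structural check only
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Chain for $($cert.Subject) does not build to a trusted root"
}

# Print the chain from leaf to root so it can be compared with what is loaded in the CMA.
$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    $role = if ($c.Thumbprint -eq $cert.Thumbprint) { 'Leaf' }
            elseif ($c.Subject -eq $c.Issuer)      { 'Root' }
            else                                   { 'Intermediate' }
    '{0,-12} {1}' -f $role, $c.Subject
}

# 3) Export each CA certificate (everything above the leaf) as its own DER file.
#    The reply notes the CMA wants one entry per CA, so one file per Root/Intermediate.
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
    $ca   = $_.Certificate
    $name = ($ca.GetNameInfo('SimpleName', $false) -replace '[^\w.-]', '_')
    $path = Join-Path $exportDir "$name.cer"
    Export-Certificate -Cert $ca -FilePath $path -Type CERT | Out-Null
    "Exported $($ca.Subject) -> $path"
}

# 4) Device certificates expire; flag anything that needs renewal soon.
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Device certificate expires in $daysLeft days ($($cert.NotAfter)); renew it"
}
```

If more than one matching certificate turns up in the Personal store (the reply mentions ending up with about three after a template mistake), the script picks the one with the latest expiry; compare the issuers of the extras before cleaning them up, since 802.1x may be relying on one of them.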

  • michaelsaw (Cato Professional Services)

    Hi Shaahid, 

    Corporate/Organization certificates are typically used to secure connections to websites and other online services by preventing man-in-the-middle attacks and ensuring that the digital certificates presented by entities are legitimate. 
    Note that certificates have a validity period and need to be renewed accordingly.

    On a side note, are there certain mechanisms currently used by the organization to identify/recognise corporate/organizational devices?

    A link to share: https://en.wikipedia.org/wiki/Certificate_authority 

    Cheers and have a nice weekend ahead!