Administration Guide

Persistent Agent certificate validation

The Persistent Agent can be configured using a Windows custom scan to validate the certificate on a host against the certificate provided by the administrator on Active Directory.

Note

Persistent Agent 3.5 or higher must be installed.

Note

The application server must have access to the web server.

The Cert-Check Custom Scan allows the Persistent Agent to verify whether the certificate on the host matches the certificate on the network. The Persistent Agent scans the host and sends the timestamp, client certificate, and signature to the server. The server then completes the following process:

  • Validates the certificate against a trusted Certificate Authority (CA) that is provided by the administrator.
  • Checks the certificate's revocation status against the CRL (Certificate Revocation List) provided through the LDAP or web server.
  • Verifies that the timestamp is within five minutes of receipt by the server.
  • Verifies the signature with the certificate's public key.
  • Updates the scan result to change the default failure state to success and, if necessary, updates the overall result from failure to success.
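
The server-side process above, written out as an added Go example (not Fortinet's code): one function applies the four checks in the guide's order to a single agent report, and a helper builds a throwaway CA, host certificate and CA-signed CRL as constructed test data. The report layout (an Ed25519 signature over the RFC3339 timestamp followed by the certificate DER), the function names and the "Demo CA"/"host1" identities are assumptions for illustration; the real Persistent Agent format is not described on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyCertCheck applies the guide's server-side checks, in its order, to one agent report (assumed layout: Ed25519 signature over RFC3339 timestamp || certificate DER).
func VerifyCertCheck(ts time.Time, cert *x509.Certificate, sig []byte, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}) // 1. must chain to a CA the administrator uploaded as trusted
	if err != nil {
		return errors.New("chain: " + err.Error())
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // 2a. a CRL fetched over LDAP/HTTP is trusted only if the immediate issuer signed it
		return errors.New("crl: " + err.Error())
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate is revoked") // 2b. the host's serial number appears on the CRL
		}
	}
	if now.Sub(ts).Abs() > 5*time.Minute { // 3. five-minute window (either direction) bounds replay of a captured report
		return errors.New("timestamp outside the five-minute window")
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, append([]byte(ts.UTC().Format(time.RFC3339)), cert.Raw...), sig) {
		return errors.New("signature does not verify") // 4. proves the sender holds the certificate's private key
	}
	return nil
}

// demoPKI builds constructed test data (not real certificates): a CA, one host certificate with its private key, and a CA-signed CRL listing the given entries.
func demoPKI(now time.Time, revoked []pkix.RevokedCertificate) (*x509.Certificate, *x509.Certificate, ed25519.PrivateKey, *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	hostPub, hostKey, _ := ed25519.GenerateKey(rand.Reader)
	hostTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "host1"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	hostDER, _ := x509.CreateCertificate(rand.Reader, hostTpl, ca, hostPub, caKey)
	host, _ := x509.ParseCertificate(hostDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: revoked}, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	return ca, host, hostKey, crl
}
```

A report that fails any single check is rejected, so the scan result stays in its default failure state; only a report passing all four flips it to success.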

Implementation

  1. Upload and install the certificate from a trusted Certificate Authority (CA) for validation by the server, and select Persistent Agent Cert Check as the target. See SSL certificates.
  2. Create a Windows Cert-Check Custom Scan to verify the certificate on the host. See Windows.
  3. Add the Cert-Check Custom Scan to a scan that is enabled within your Endpoint Compliance Policy. See Custom scan options - scan level.
