Fortinet black logo

Administration Guide

Certificate validation

Copy Link
Copy Doc ID 1ce38eeb-8119-11eb-9995-00505692583a:377110
Download PDF

Certificate validation

The Persistent Agent can be configured using a Windows custom scan to validate the certificate on a host against the certificate provided by the administrator on Active Directory.

The application server must have access to the web server.

The certificate check custom scan allows the Persistent Agent to verify whether the certificate on the host matches the certificate on the network. The Persistent Agent scans the host and sends the timestamp, client certificate, and signature to the server. The server then completes the following process:

  • Validates the certificate against a trusted CA that is provided by the administrator
  • Verifies the revocation against the CRL (certificate Revocation List) provided through the LDAP or web server.
  • Verifies the timestamp is within five minutes of receipt by the server.
  • Verifies the signature with the certificate's public key.
  • Updates the scan result to change the default failure state to success, and updates the overall result from failure to success, if necessary.

Implementation

  1. Upload and install the certificate from a trusted CA for validation by the server, and select Persistent Agent Cert Check as the target. See SSL certificates.
  2. Create a Windows certificate check custom scan to verify the certificate on the host. See Windows.
  3. Add the certificate check custom scan to a scan that is enabled within your endpoint compliance policy. See Create a scan.

Certificate validation

The Persistent Agent can be configured using a Windows custom scan to validate the certificate on a host against the certificate provided by the administrator on Active Directory.

The application server must have access to the web server.

The certificate check custom scan allows the Persistent Agent to verify whether the certificate on the host matches the certificate on the network. The Persistent Agent scans the host and sends the timestamp, client certificate, and signature to the server. The server then completes the following process:

  • Validates the certificate against a trusted CA that is provided by the administrator
  • Verifies the revocation against the CRL (certificate Revocation List) provided through the LDAP or web server.
  • Verifies the timestamp is within five minutes of receipt by the server.
  • Verifies the signature with the certificate's public key.
  • Updates the scan result to change the default failure state to success, and updates the overall result from failure to success, if necessary.

Implementation

  1. Upload and install the certificate from a trusted CA for validation by the server, and select Persistent Agent Cert Check as the target. See SSL certificates.
  2. Create a Windows certificate check custom scan to verify the certificate on the host. See Windows.
  3. Add the certificate check custom scan to a scan that is enabled within your endpoint compliance policy. See Create a scan.